Conti Ransomware Now Hacking Exchange servers with ProxyShell Exploits

The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits.

ProxyShell is the name of an exploit chain utilizing three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that together allow unauthenticated remote code execution on unpatched servers.

These three vulnerabilities were discovered by Devcore’s Orange Tsai, who used them as part of the Pwn2Own 2021 hacking contest.

While Microsoft fully patched these vulnerabilities in May 2021, technical details regarding exploiting the vulnerabilities were recently released, allowing threat actors to start using them in attacks.

So far, we have seen threat actors using the ProxyShell vulnerabilities to drop webshells, backdoors, and to deploy the LockFile ransomware.

Conti is now using ProxyShell to breach networks

Last week, Sophos was involved in an incident response case where the Conti ransomware gang encrypted a customer.

After analyzing the attack, Sophos discovered that the threat actors initially compromised the network using the recently disclosed Microsoft Exchange ProxyShell vulnerabilities.

Like most recent Microsoft Exchange attacks, the threat actors first drop web shells used to execute commands, download software, and further compromise the server.

Once the threat actors gain complete control of the server, Sophos observed them quickly falling into their standard tactics as outlined in the recently leaked Conti training material.

This routine includes getting lists of domain admins and computers, dumping LSASS to gain access to administrator credentials, and spreading laterally throughout the network to other servers.

As the threat actors compromised various servers, they would install multiple tools to provide remote access to the devices, such as AnyDesk and Cobalt Strike beacons.

[Image: Tools that Conti used in the observed attack]

After gaining a foothold on the network, the threat actors stole unencrypted data and uploaded it to the MEGA file sharing server. After five days, they began encrypting devices on the network from a server with no antivirus protection using the observed command:

start C:\x64.exe -m -net -size 10 -nomutex -p \\[computer Active Directory name]\C$

What made this particular case stand out was the speed and precision with which the group conducted the attack: it took only 48 hours from the initial breach to the theft of 1 TB of data.

“Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer,” explained Sophos in their report.

“Over the course of the intrusion, the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike, and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities).”

“The web shells, installed early on, were used mainly for initial access; Cobalt Strike and Any Desk were the primary tools they used for the remainder of the attack.”

Patch your Exchange servers now!

When conducting attacks using ProxyShell, the threat actors target the autodiscover service by making requests like the following:

https://Exchange-server/autodiscover/autodiscover.json@evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.corp

To check if your Exchange Server has been targeted, you can examine IIS logs for requests to “/autodiscover/autodiscover.json” with strange or unknown emails.

In the Conti case observed by Sophos, the threat actors used an email address at @evil.corp, which should make the exploit attempts easy to spot.

[Image: ProxyShell exploit activity from Conti ransomware attack]

Without a doubt, the ProxyShell vulnerabilities are being used by a wide range of threat actors at this time, and all Microsoft Exchange server admins need to apply the most recent cumulative updates to stay protected.

Unfortunately, this will mean mail downtime as the updates are installed. However, this is far better than the downtime and expenses that a successful ransom attack will incur.
