According to a report by Red Canary, the BlackByte ransomware gang is breaching corporate networks by exploiting the ProxyShell vulnerabilities in Microsoft Exchange servers.
ProxyShell is a set of three Microsoft Exchange Server vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, patched in Microsoft's April and May 2021 Exchange security updates) that, when chained together, allow unauthenticated remote code execution on the server.
In its report, Red Canary analysed a BlackByte ransomware intrusion in which the attackers exploited the ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.
Web shells are small scripts uploaded to a web server that give a threat actor persistence on the host and let them remotely execute commands or upload additional files to it.
Since the vulnerabilities were publicly disclosed, threat actors have exploited them to breach servers and install web shells, coin miners and ransomware.
The planted web shell is then used to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.
The widely abused penetration testing framework is then used to dump credentials for a service account on the compromised system. After taking over that account, the adversaries install the AnyDesk remote access tool and move on to the lateral movement stage.
Ransomware operators commonly rely on third-party tools such as these to gain elevated privileges, move laterally and deploy the ransomware across a network.
Although Trustwave released a decryptor for BlackByte ransomware in October 2021, the operators are unlikely to still be using the encryption scheme that allowed victims to restore their files for free.