2 December 2021

Operators of BlackByte ransomware use Microsoft Exchange ProxyShell flaws to compromise corporate networks

Threat actors behind BlackByte ransomware are exploiting Microsoft Exchange ProxyShell vulnerabilities to gain initial access to corporate networks and drop web shells on the vulnerable Microsoft Exchange servers.

That’s according to a new report from the cybersecurity firm Red Canary. While investigating a recent security incident involving one of the company’s customers, the researchers discovered that the attackers gained initial access by exploiting the ProxyShell vulnerabilities present on the customer’s Microsoft Exchange server.

The three ProxyShell vulnerabilities are CVE-2021-34473 (Pre-auth Path Confusion leads to ACL Bypass), CVE-2021-34523 (Elevation of Privilege on Exchange PowerShell Backend) and CVE-2021-31207 (Post-auth Arbitrary-File-Write leads to RCE). CVE-2021-34473 and CVE-2021-34523 were disclosed in July, but these problems were fixed earlier, in April's Microsoft Exchange KB5001779 cumulative update.

After compromising the Microsoft Exchange server, BlackByte operators planted a web shell, which was then used to install a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.

The attackers used Cobalt Strike to dump credentials for a service account on the compromised system. Once hackers gained access to a service account, they installed the remote desktop application AnyDesk to access multiple systems for lateral movement, and created additional Cobalt Strike beacons within the Admin$ share folders on compromised domain controllers.

“Once executed, BlackByte deletes Task Manager (taskmgr) and Resource Monitor (resmon), and issues an obfuscated PowerShell command to stop the Windows Defender service (WinDefend). This is likely done to avoid detection and keep Windows Defender at bay while BlackByte continues execution. BlackByte also creates a TMP copy of itself, which we assess may have been used during its worming phase,” Red Canary says.

In the observed attack, BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. Before encryption, the ransomware deleted the "Raccine Rules Updater" scheduled task to prevent last-minute interceptions.

Lastly, the adversary compressed stolen data using the WinRAR archiving tool and uploaded it to the anonymous file-sharing sites anonymfiles[.]com and file[.]io. The attackers then attempted to extort the customer by threatening to release this data publicly through the BlackByte Tor leak site.

“Not that anyone needs to be reminded of the prevalence of both Cobalt Strike and ransomware, but hopefully this intrusion gives some insight into an ever-evolving ransomware threat landscape,” the researchers noted. “The best way to prevent a widespread ransomware infection after an adversary has already entered your environment is to identify precursor activity, such as shadow copy deletion, suspicious registry modification, or unusual process behavior.”
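As an added illustration of the "precursor activity" detection the researchers recommend (this is example code written for this page, not Red Canary's tooling or anything from the report), the script below runs a few rules over constructed process-creation records shaped like Sysmon Event ID 1 fields, looking for the BlackByte behaviours described above: deletion of taskmgr/resmon, an encoded PowerShell command that stops WinDefend, deletion of the Raccine scheduled task, and WinRAR archiving as a possible exfiltration staging step. Field names, host names and the sample command lines are assumptions built for the demonstration.

```python
import base64
import re

# Constructed sample telemetry (not real captured logs). The -EncodedCommand
# payload is generated here so it is a valid UTF-16LE base64 string.
ENCODED = base64.b64encode("Stop-Service WinDefend".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "exch01", "cmdline": r"cmd.exe /c del /f /q C:\Windows\System32\taskmgr.exe"},
    {"host": "exch01", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "exch01", "cmdline": 'schtasks.exe /DELETE /TN "Raccine Rules Updater" /F'},
    {"host": "ws07", "cmdline": r"Rar.exe a -r C:\Users\Public\out.rar \\fs01\finance"},
    {"host": "ws07", "cmdline": "notepad.exe report.txt"},
]


def decode_encoded_command(cmdline):
    """Return the decoded PowerShell -EncodedCommand payload, or '' if none."""
    m = re.search(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


# Rule name -> predicate over (raw command line, decoded PowerShell payload).
# The decoded payload is appended so obfuscated commands are not missed.
RULES = {
    "tool_deletion_taskmgr_resmon": lambda c, d: re.search(
        r"\b(del|erase|remove-item|rm)\b.*\b(taskmgr|resmon)\.exe", c, re.I) is not None,
    "defender_service_stop": lambda c, d: re.search(
        r"(stop-service|sc(\.exe)?\s+stop|set-service).*windefend", c + " " + d, re.I) is not None,
    "raccine_task_deleted": lambda c, d: re.search(
        r"schtasks(\.exe)?\s+/delete.*raccine", c, re.I) is not None,
    "winrar_archive_staging": lambda c, d: re.search(
        r"\brar(\.exe)?\s+a\b", c, re.I) is not None,
}


def detect(events):
    """Return (host, rule, cmdline) for every precursor behaviour matched."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        decoded = decode_encoded_command(cmd)
        for name, pred in RULES.items():
            if pred(cmd, decoded):
                hits.append((ev["host"], name, cmd))
    return hits


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host:7} {rule:30} {cmd}")
```

The WinRAR rule is deliberately broad and would need tuning against baseline usage in a real environment; the other three match activity that has little legitimate reason to occur on an Exchange server.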
