In early December, a Canadian healthcare provider was attacked by two different hacker groups using the same attack tactic. The first ransomware group, named “Karma,” stole data but didn’t encrypt the target’s systems.
The second group, identified as Conti, entered the network later, without leaving a ransom note. Conti’s attackers used the same ransomware to launch their attack less than a day after the Karma group sent its ransom note. In several of these cases, ransomware affiliates, including a Conti affiliate, used ProxyShell to infiltrate a target’s network, and multiple attackers exploited the same vulnerability to gain access to the target. However, few of these cases involved two ransomware groups at the same time.
Both attackers got in through the “ProxyShell” exploit chain, which targets CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 in Microsoft Exchange Server. According to IIS access logs, the first attack using this vulnerability occurred on August 10, 2021:
The next command creates an administrative account named “Administrator” using the Exchange Management Shell and retrieves scripts from three remote servers (one in Hong Kong, another in Iran, and the last in Russia).
The “Administrator” account would later be used by one of the attackers for lateral movement. While this cannot be confirmed from the available data, it is likely that the first exploit was engineered by an access broker who later sold access to a ransomware operator (or two).
The second use of the ProxyShell attack chain took place on November 11. This attack installed a web shell on the IIS web server instance of the Exchange Server.
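Both ProxyShell intrusions described above would have been visible in the Exchange server's IIS access logs. The following is an added example, not taken from the original report: a small scanner for W3C-format IIS logs that flags the publicly documented ProxyShell request pattern (an `autodiscover.json` URL with an `@` that smuggles a backend path). The field layout, IP addresses, domain and token in the sample log are constructed.

```python
from urllib.parse import unquote

# Backend paths that ProxyShell requests smuggle behind the autodiscover front end.
SUSPICIOUS = ("/powershell", "/mapi/nspi", "/mapi/emsmdb", "/ews/", "x-rps-cat")

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_proxyshell(lines):
    """Return requests whose decoded URL matches the ProxyShell pattern."""
    hits = []
    for req in parse_w3c(lines):
        url = unquote(req.get("cs-uri-stem", "") + "?" + req.get("cs-uri-query", "")).lower()
        if "autodiscover.json" in url and "@" in url and any(s in url for s in SUSPICIOUS):
            hits.append({
                "when": f'{req.get("date")} {req.get("time")}',
                "client": req.get("c-ip"),
                "method": req.get("cs-method"),
                "status": req.get("sc-status"),
                "backend": next(s for s in SUSPICIOUS if s in url),
            })
    return hits

# Constructed sample log (documentation IPs, placeholder domain and token).
SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-10 03:14:07 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 198.51.100.7 200
2021-08-10 03:15:42 GET /autodiscover/autodiscover.json @example.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.test 203.0.113.50 200
2021-08-10 03:15:49 POST /autodiscover/autodiscover.json @example.test/powershell/?X-Rps-CAT=PLACEHOLDER&Email=autodiscover/autodiscover.json%3F@example.test 203.0.113.50 200
2021-08-10 03:20:00 POST /autodiscover/autodiscover.xml - 198.51.100.9 401
""".splitlines()

if __name__ == "__main__":
    for hit in find_proxyshell(SAMPLE):
        print(hit)
```

A hit with a 200 status on an unpatched server warrants checking for new mailbox or administrator accounts and for unexpected `.aspx` files under the Exchange web directories.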
Efforts to penetrate deeper into the network began in earnest a few weeks later. Between November 29 and 30, the Syslog shows over 20 failed attempts and attempts to connect to other servers (including domain controllers), as well as successful connections from the mail server to another web application server using the “Administrator” account. At some point on November 30, the Administrator account was used to access an RDP session on a virtual machine or workstation, which was used to make a login attempt. This activity appears to be linked to the Karma group.
Meanwhile, another compromised account connected to other servers via a series of Remote Desktop Protocol sessions and executed PowerShell commands to download Cobalt Strike beacons from the same host used for the script on November 30.
On November 30, after several attempts on other systems, the attackers successfully connected to another system (104[.]168.44.130) using an administrator account, initiating the installation of Cobalt Strike “beacons” as a service using a batch script. Cobalt Strike was deployed to email servers, domain controllers, and a few other systems, with more systems targeted the next day.
Data collection also began on December 1, with compressed archives created on multiple systems.
On December 1 and 2, the Karma group completed the data collection and uploaded it to the Mega cloud storage service, resulting in a 52 GB data breach. The Karma malware was then deployed, using the same compromised administrator account.
When work began on December 3, the organization’s employees discovered that the “Karma” ransom note appeared as wallpaper on about 20 workstations and servers. The ransom note claimed that the data had only been leaked, not encrypted, because the Karma gang had targeted medical institutions.
Monitoring by the attacked organization revealed that, within hours of the attack, a second ransomware group had launched its own attack.
On December 3, two compromised accounts were active: an administrator account and a second account with administrative privileges. One of the accounts installed the Chrome browser on the main file server.
Then, through the compromised administrator account, malware was deployed to one of the organization’s servers. The file, Example64.dll, is recognized as Conti by SophosLabs. It is loaded using regsvr.exe. During execution, a batch file, def.bat, is launched that contains commands to disable Windows Defender on the target server.
This happened while Karma was sending ransom notes to other systems. At the same time, the target organization’s cyber defense systems detected and blocked Cobalt Strike activity from one of the organization’s mail servers (rather than the server serving as the entry point). The detected Cobalt Strike C2 traffic was destined for a server in a Dutch data center operated by a Bulgarian hosting company. The second compromised account was used to download Cobalt Strike beacons to other systems on the network.
Shortly after, the second stolen account was used to drop a script into the domain server’s local folder: a PowerShell script named Get-DataInfo.ps1 that collects network data via Windows Management Instrumentation queries and sends it back to a remote command and control server. Part of the script, which has been recovered from system logs, searches computers on the network for software of interest, including anti-malware and backup software, as well as other software that could interfere with ransomware encryption.
Later on December 3, more data (10.7 GB worth) was exfiltrated to Mega via the Chrome browser that had been placed on a file server earlier in the day; this appears to be exfiltration by the Conti group. Shortly after, the Conti ransomware attack began in earnest, deploying a def.bat file to suppress detection by Windows Defender. The ransomware encrypted files on the C: drive of the affected system and left a ransom note from Conti.
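Both exfiltration events in this account (Karma's upload on December 1 and 2, and the later one through Chrome on the file server) went to Mega, so outbound volume to Mega per internal host is a useful signal. The following is an added example, not from the original report: it totals bytes sent to Mega domains per host per day from a proxy log and flags large uploads. The log format (`timestamp client_ip dest_host bytes_sent`), the 1 GiB threshold, and all sample values, including hostnames under the Mega domains, are assumptions.

```python
from collections import defaultdict

MEGA_SUFFIXES = ("mega.nz", "mega.co.nz", "mega.io")  # Mega service domains
THRESHOLD_BYTES = 1024**3  # assumed alert level: 1 GiB per host per day

def is_mega(host):
    """Match a Mega domain or any subdomain, but not lookalikes such as notmega.nz."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MEGA_SUFFIXES)

def upload_totals(lines):
    """Sum bytes sent to Mega, keyed by (day, client_ip)."""
    totals = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed rows
        ts, client, host, sent = parts
        if is_mega(host):
            totals[(ts[:10], client)] += int(sent)
    return totals

def flag_exfil(lines, threshold=THRESHOLD_BYTES):
    """Return sorted (day, client_ip, bytes) tuples at or above the threshold."""
    return sorted(
        (day, client, total)
        for (day, client), total in upload_totals(lines).items()
        if total >= threshold
    )

# Constructed proxy log: a workstation and a file server uploading on different days.
SAMPLE = """\
2021-12-01T22:10:00Z 10.0.0.21 up1.mega.co.nz 900000000
2021-12-01T22:40:00Z 10.0.0.21 up1.mega.co.nz 800000000
2021-12-03T15:05:00Z 10.0.0.5 mega.nz 4000
2021-12-03T15:06:00Z 10.0.0.5 up2.mega.co.nz 2500000000
2021-12-03T15:07:00Z 10.0.0.9 notmega.nz 5000000000
2021-12-03T15:08:00Z 10.0.0.9 www.example.test 120000
""".splitlines()

if __name__ == "__main__":
    for day, client, total in flag_exfil(SAMPLE):
        print(f"{day} {client} sent {total / 1024**3:.2f} GiB to Mega")
```

Two different internal hosts crossing the threshold on different days, as in the sample, is the pattern that would have distinguished the two intrusions here.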
These double ransomware attacks highlight the risks associated with well-known Internet-facing software vulnerabilities—at least, those well-known to attackers but perhaps not to the organizations running the affected software. Organizations of all sizes can fall behind when it comes to vulnerability management, which is why it’s important to have multiple layers of defense against malicious activity. VM Backup solutions prevent ransomware operators from launching attacks using unprotected servers, including oVirt Backup, Xenserver Backup, VMware Backup, etc.