"Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware"

The BlackByte ransomware gang is breaching corporate networks by exploiting the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Chained together, the three flaws give an unauthenticated remote attacker code execution on the server, and with it control of the Exchange deployment. Microsoft released security updates for them in April and May 2021, but unpatched servers are still being exploited to install web shells, deliver ransomware, and more. Researchers at the security firm Red Canary analyzed a BlackByte ransomware attack and found that the group exploited ProxyShell to install web shells on a compromised Exchange server. Web shells are small scripts uploaded to a web server that give attackers persistent access to the host, remote command execution, and the ability to upload further files. The BlackByte ransomware executable itself handles both privilege escalation and lateral movement within the compromised environment. It sets three registry values: one that lifts UAC restrictions on local accounts for privilege elevation, one that makes mapped network drives visible to both elevated and standard-privilege tokens, and one that enables long file paths, names, and namespaces. Before encryption it deletes the "Raccine Rules Updater" scheduled task so that the Raccine anti-ransomware tool cannot intercept it at the last minute, and it wipes volume shadow copies through WMI objects using an obfuscated PowerShell command. WinRAR and anonymous file-sharing platforms are used to exfiltrate stolen files. Trustwave released a decryptor for BlackByte ransomware in October 2021, but the group is unlikely to still be using the same tactics that let victims recover their files for free. This article continues to discuss the exploitation of ProxyShell flaws in BlackByte ransomware attacks.
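The behaviours described above translate directly into host detections. What follows is an added example, not code from the article, from Red Canary, or from the malware itself: a small Python detector that runs rules over constructed Sysmon-style events. It assumes the three registry values are LocalAccountTokenFilterPolicy, EnableLinkedConnections, and LongPathsEnabled (the summary does not name them), that the obfuscated PowerShell takes the common -EncodedCommand base64 form (the summary says only that it is obfuscated), and that the telemetry is Sysmon event ID 13 (registry value set) and event ID 1 (process creation) with their standard field names. The sample events and rule logic are constructed for illustration.

```python
import base64
import re

# Registry values assumed to be the three the summary refers to (it does not name them).
# Keys are lower-cased so lookups are case-insensitive, as registry paths are on Windows.
WATCHED_REGISTRY_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\localaccounttokenfilterpolicy":
        "local privilege elevation (UAC token filtering for local accounts disabled)",
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelinkedconnections":
        "mapped network drives shared between elevated and standard tokens",
    r"hklm\system\currentcontrolset\control\filesystem\longpathsenabled":
        "long path support enabled",
}

# PowerShell's -EncodedCommand and its abbreviations (-enc, -e) followed by base64 text.
ENCODED_CMD_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded script when the command line carries -EncodedCommand
    (base64 of UTF-16LE); otherwise return the command line unchanged."""
    match = ENCODED_CMD_RE.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def analyze_event(event: dict) -> list:
    """Return alert strings for one Sysmon-style event dict (assumed field names)."""
    alerts = []
    if event.get("EventID") == 13:
        meaning = WATCHED_REGISTRY_VALUES.get(event.get("TargetObject", "").lower())
        # Sysmon renders DWORD data as "DWORD (0x00000001)"; only the enabling write matters.
        if meaning and "0x00000001" in event.get("Details", ""):
            alerts.append(f"registry tamper: {meaning}")
    elif event.get("EventID") == 1:
        # Decode first, then match: the WMI call is invisible in the raw command line.
        cmd = decode_encoded_command(event.get("CommandLine", "")).lower()
        if "schtasks" in cmd and "/delete" in cmd and "raccine" in cmd:
            alerts.append("Raccine Rules Updater task deleted (anti-ransomware guard removed)")
        if "win32_shadowcopy" in cmd and (".delete()" in cmd or "remove-wmiobject" in cmd):
            alerts.append("shadow copies wiped via WMI")
        if re.search(r"\b(?:win)?rar\.exe\b\s+a\s", cmd):
            alerts.append("WinRAR archive created (possible exfiltration staging)")
    return alerts


def scan(events: list) -> list:
    """Run every event through analyze_event; returns (event index, alert) pairs."""
    return [(i, alert) for i, event in enumerate(events) for alert in analyze_event(event)]


def looks_like_blackbyte(events: list) -> bool:
    """True when all three registry flips plus the WMI shadow-copy wipe are observed,
    the combination the summary attributes to the BlackByte executable."""
    alerts = {alert for _, alert in scan(events)}
    registry_hits = sum(1 for a in alerts if a.startswith("registry tamper"))
    return registry_hits == len(WATCHED_REGISTRY_VALUES) and "shadow copies wiped via WMI" in alerts


def _encode_ps(script: str) -> str:
    """Build the -EncodedCommand form of a script, as an attacker would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for this example, not real logs from the incident.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /DELETE /TN "Raccine Rules Updater" /F'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + _encode_ps("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}")},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -r -hpSecret C:\Users\Public\staging.rar C:\Finance"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},  # benign control
]

if __name__ == "__main__":
    for index, alert in scan(SAMPLE_EVENTS):
        print(f"event {index}: {alert}")
    print("BlackByte-like chain:", looks_like_blackbyte(SAMPLE_EVENTS))
```

The decode step is the part worth copying: a rule that only string-matches the raw command line never sees Win32_ShadowCopy inside a base64 blob, which is exactly why the obfuscation is used. The registry rule keys on the enabling write rather than any write, so routine Group Policy refreshes that set the same values back to 0 do not fire it.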

Bleeping Computer reports "Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware"
