New data suggests that someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name.
Let’s just get this out of the way right now: It was not me.
The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21
Shadowserver has been tracking wave after wave of attacks on bugs in Exchange that Microsoft addressed earlier this month in an emergency release. The group looks for attacks on Exchange systems using a combination of active Internet scans and honeypot systems, so that defenders can study what attackers are doing to the devices and how.
David Watson, a longtime member and director of Shadowserver Foundation Europe, says his group has been tracking hundreds of unique variants of backdoors (also called “web shells”) that various cybercrime groups around the world have used to commandeer unpatched Exchange servers. These backdoors give an attacker complete remote control over the Exchange server (including any of the server’s emails).
On March 26, Shadowserver saw an attempt to install a new type of backdoor in compromised Exchange servers, and on each hacked host the backdoor was installed in the same location: “/owa/auth/babydraco.aspx.”
“The web shell path that was dropped was new to us,” Watson said. “We have tested for 367 known web shell paths via scanning of Exchange servers.”
OWA refers to Outlook Web Access, the web-facing part of on-premises Exchange servers. Shadowserver’s honeypots saw several Babydraco backdoor hosts doing the same thing: running a Microsoft PowerShell script that retrieves the file “krebsonsecurity.exe” from the Internet address 159.65.136[.]128. Oddly enough, none of the dozens of antivirus tools available at Virustotal.com currently detect the file as malicious.
The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file tries to open an encrypted connection between the Exchange server and the IP address above, and sends a small amount of traffic to it every minute.
Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they do not know how many of those systems also ran the secondary download from the bogus Krebsonsecurity domain.
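A defender-side check for the indicators described above, written here as an added example and not code from Shadowserver or the original post: it looks for the babydraco.aspx drop location under the OWA auth directory, for Defender exclusions of the kind the dropper adds, for recently issued root certificates, and for live connections to the IP named above. The Exchange front-end path, the 30-day window, and the idea that the exclusion or certificate names reference krebsonsecurity or babydraco are assumptions, not facts from the article.

```powershell
# Added example. Assumes $env:ExchangeInstallPath is set (the Exchange installer sets it)
# and that the FrontEnd OWA auth directory is where /owa/auth/babydraco.aspx lands.
$OwaAuth  = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
$BadPath  = Join-Path $OwaAuth 'babydraco.aspx'
$BadIp    = '159.65.136.128'        # address from the article, defanged there as 159.65.136[.]128
$Since    = (Get-Date).AddDays(-30) # lookback window: an assumption, tune to your patch history
$Findings = @()

# 1. The exact web shell path observed by the honeypots.
if (Test-Path $BadPath) { $Findings += "Web shell present: $BadPath" }

# 2. Any other .aspx under owa\auth written recently; files there normally only change
#    during Exchange updates, so anything newer than the last update deserves a look.
Get-ChildItem -Path $OwaAuth -Filter '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    ForEach-Object { $Findings += "Recently written aspx: $($_.FullName) ($($_.LastWriteTime))" }

# 3. Defender exclusions: the dropper tells Defender not to scan its payload.
#    Matching on these names is an assumption; review every exclusion, not just matches.
$Prefs = Get-MpPreference -ErrorAction SilentlyContinue
@($Prefs.ExclusionPath) + @($Prefs.ExclusionProcess) |
    Where-Object { $_ -and ($_ -match 'krebsonsecurity|babydraco') } |
    ForEach-Object { $Findings += "Suspicious Defender exclusion: $_" }

# 4. Root store: the payload installs a root certificate. NotBefore is the issuance date,
#    not the install date, so this is a heuristic for self-made certs added recently.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -gt $Since } |
    ForEach-Object { $Findings += "Recently issued root cert: $($_.Subject) ($($_.Thumbprint))" }

# 5. Live beacon: the payload talks to the C2 address roughly once a minute.
Get-NetTCPConnection -RemoteAddress $BadIp -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings += "Connection to $BadIp from PID $($_.OwningProcess) ($($_.State))" }

if ($Findings.Count -eq 0) { 'No Babydraco indicators found.' } else { $Findings }
```

Run it in an elevated PowerShell session on the Exchange server; a clean result here does not rule out one of the other several hundred web shell variants Shadowserver tracks, so it complements rather than replaces Microsoft's own scanners.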
“Despite the abuse, this is potentially a good opportunity to highlight how vulnerable / compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message to victims that they need to sign up for our free daily network reports,” Watson said.
There are hundreds of thousands of Exchange Server systems worldwide that were vulnerable to attack (Microsoft suggests that number is around 400,000), and most of them have been patched in recent weeks. However, there are still tens of thousands of vulnerable Exchange servers exposed online. On March 25, Shadowserver tweeted that it tracked 73,927 unique active webshell paths across 13,803 IP addresses.
Exchange Server users who have not yet patched the four bugs Microsoft fixed earlier this month can get instant protection by deploying Microsoft’s One-Click On-Premises Mitigation Tool.
The motivations of the cybercriminals behind the krebsonsecurity dot top domain are unclear, but the domain itself has recently been associated with other cybercrime activity and with harassing this author. I first heard about the domain in December 2020, when a reader told me how his entire network had been hijacked by a cryptocurrency miner that called home to it.
“This morning I noticed a fan making too much noise on a server in my home,” the reader said. “I did not think much about it at the time, but after thorough cleaning and testing it was still noisy. After I finished some work-related stuff, I checked it, and found that a cryptominer had been dropped on my box, pointing to XXX-XX-XXX.krebsonsecurity.top. All in all, this had infected all three Linux boxes on my network.”
What was the subdomain I X’d out of his message? Just my Social Security number. I had been doxed via DNS.
This is hardly the first time malware or bad content has abused my name, likeness, and trademark for cybercrime, for harassment, or just to tarnish my reputation. Here are some of the more notable examples, although all of these events are almost a decade old; the same list today would be pages long.
A Basic Timeline of the Exchange Mass-Hack
Warning the World of a Ticking Time Bomb
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails
Tags: Babydraco backdoor, Babydraco web shell, David Watson, Shadowserver, Windows Defender
This entry was posted on Sunday, March 28th, 2021 at 1:40 pm and is filed under A Little Sunshine.