New data suggests that someone has compromised with more than 21,000 Microsoft Exchange Server Email systems around the world and infect them with malware that insists on both Crabon Security and your truth by name.
Let’s just figure this out: it wasn’t me.
The ShadowSarver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different exchange servers that seem to compromise and communicate with it through backdoor. Brian[.]Krebsnuccity[.]Top (Not a secure domain, so habb billing).
The shadowzorver is looking for a wave after targeting waves of attack on the exchange that MicroSFT addressed in an emergency patch release earlier this month. The group looks for attacks on exchange systems using a combination of active internet scans and “honeypots” – the systems remain vulnerable to attack so defenders can study what attackers do to devices and how.
David Watson, A longtime member and director of the Shadowzar Foundation Europe says his group is monitoring hundreds of unique types of backdoor (aka “web shells”) used by various cybercrime groups around the world to command any unbiased exchange servers. This bandwidth gives an attacker full, remote control over the Exchange server (including any emails from the server).
On March 26, Shadowzar saw an attempt to install a new type of backdoor in compromised exchange servers, and with each hack host installed that backdoor in the same place: “/owa/auth/babydraco.aspx.”
“The web shell path we left behind was new to us,” Watson said. “We are investigating 367 known web shell paths by scanning exchange servers.”
Refers to OWA Outlook Web .Access, premises The web-facing part of non-premises Exchange Servers. Shadowserver’s Honeypots found many hosts doing the same thing as BabyDracko Backdoor: Running a microsoft Microsoft Ft PowerShell script that retrieves the file “KrebsonSecurity.XC” from an Internet address 159.65.136[.]Is 128. Oddly, not even one of the few dozen antivirus tools available to scan a file Virusotal.com Find out now.
Krebson Security also installs the file root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said KrebsonSecurity will try to open an encrypted connection between the file exchange server and the IP address above, and send some traffic to it every minute.
ShadowServer found more than 21,000 Exchange Server systems with BabyDracko backdoor installed. But Watson said he did not know how many of those systems executed secondary downloads from the rogue KrabsonSecurity domain.
“Despite the abuse, there is a good chance of highlighting how weak / compromising MS Exchange servers are currently being exploited in the wild, and hopefully helping victims get the message out that they need to sign up for our free daily network reports. Is, ”Watts said.
There are tens of thousands of Exchange Server systems around the world that were vulnerable to attack (micro .ft indicates that number is around 400,000), and most of them have been digested in the last few weeks. However, there are still thousands of vulnerable exchange servers exposed online. March 25, Shadowserver Tweeted That it was looking for 73,927 unique active webshell paths at 13,803 IP addresses.
Exchange server users who have not yet taken action against the four bugs identified earlier this month can get immediate protection through the deployment of MicroStft’s “One-Click Prem Non-Premises Mitigation Tool”.
The motive behind the cybercrimes behind the Crabon Security dot top domain is unclear, but the domain itself is linked to other cybercrime activity – and to the harassment of this author. I first heard about the domain in December 2020, when a reader told me how his entire network had been hijacked by a cryptocurrency mining botnet that called it home.
“This morning, I noticed a fan in my homelab making more noise on the server,” the reader said. “I didn’t think much of it at the time, but even after thorough cleaning and testing it was noisy. After I was done with some things related to work, I checked on it – and found out that an Explominer was left on my BX, he pointed to XXX-XX-XXX.krebsonsecurity.top ‘. Overall, this has infected all three Linux boxes on my network. “
From his message I was X’d sub-domain? Just my social security number. I was docked by DNS.
This is hardly the first time that malware or malware has taken my name, likeness and website’s trademarks as a cybercrime meme, to harass or just to enhance my reputation. Here are some more notable examples, although all of those events are almost a decade old. The same list will be of pages today.
Further reading:
Basic timeline of Exchange Mass-Hack
Warning the world of ticking timebombs
At least 30,000 US organizations have hacked into Microsoft .ft’s email software software via new hacks via holes.
Microsoft .ft: Chinese cyberspace used 4 Exchange server errors to rob emails
Tags: BabyDraco Backdoor, BabyDraco Shell, David Watson, ShadowSaver, Windows Defender
This entry was posted on Sunday, March 28th, 2021 at 1:40 am and is filed under Little Sunshine. You can follow any comments for this login via the RSS 2.0 feed. You can skip to the end and leave a comment. Pinging is currently not allowed.