Brian Krebs: No, I didn’t hack your Microsoft Exchange server
The KrebsOnSecurity name has been invoked in a string of cyberattacks linked to critical Microsoft Exchange Server vulnerabilities.
Security expert Brian Krebs from KrebsOnSecurity is no stranger to figures in the criminal space who appear to delight in everything from turning him into a meme, launching denial-of-service (DoS) attacks against his website, and SWATing — hoax calls made to law enforcement that not only waste police time but can also be dangerous.
Now, a domain similar to the legitimate KrebsOnSecurity security resource has been connected to threat actors exploiting a set of critical bugs in Microsoft Exchange Server.
Krebs says that the compromised systems appear to have been hijacked and Babydraco backdoors are facilitating communication to the malicious domain. Web shells, used for remote access and control, are being deployed to a previously-undetected address in each case, /owa/auth/babydraco.aspx.
In addition, a malicious file named “krebsonsecurity.exe” is fetched via PowerShell to facilitate data transfers between the victim server and domain.
“The motivations of the cybercriminals behind the Krebonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author,” Krebs commented.
Microsoft released emergency patches to tackle four zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019 on March 2. The security flaws can be exploited to launch remote code execution attacks and server hijacking.
A selection of mitigation tools have also been released for IT administrators who cannot immediately patch their deployments, and at last count, the Redmond giant says that roughly 92% of internet-facing Exchange servers have been either patched or mitigated.
However, just because a fix has been applied does not mean that a server has not already been targeted by threat actors and so security checks and audits also have to be conducted.
Last week, Microsoft warned of subsequent attacks following widespread Exchange server hijacking, including reconnaissance, cryptocurrency mining operations, and ransomware deployment.
“Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the company said.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert warning organizations of webshell deployment post-exploit in Exchange servers.
Microsoft has provided Indicators of Compromise (IoC) which can be found here.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0