Researchers have identified 21,248 compromised Microsoft Exchange servers carrying a backdoor that connects to the domain brian[.]krebsonsecurity[.]top.
New data on the mass compromise of Microsoft Exchange servers appears, at first glance, to implicate the well-known information-security journalist Brian Krebs. Krebs was quick to state that he had nothing to do with the attacks and that the attackers had deliberately used his name in order to needle him once again.
Specialists at the non-profit Shadowserver Foundation have been recording one wave of attacks on Microsoft Exchange after another since the ProxyLogon vulnerabilities became public. To track the attacks they not only scan the Internet but also deploy honeypots: deliberately vulnerable servers that attackers "bite" on, letting the researchers study their tools and tactics.
In the attacks on Microsoft Exchange, criminal groups around the world are using hundreds of unique web shells (backdoors) that give them full control of a compromised server. Notably, Shadowserver identified 21,248 compromised Exchange servers with a backdoor installed that connects to the domain brian[.]krebsonsecurity[.]top.
On March 26, 2021, the researchers recorded an attempt to install a new backdoor on compromised servers. On every affected host the web shell was placed at the same path, /owa/auth/babydraco.aspx. For the researchers, who by then had already catalogued 367 known paths where backdoors had been installed on hacked servers, this path was new.
OWA stands for Outlook Web Access, the Internet-facing part of an on-premises Microsoft Exchange installation. Shadowserver's honeypots recorded many hosts on which the Babydraco backdoor ran a Microsoft PowerShell script that downloads the file krebsonsecurity.exe from the IP address 159.65.136[.]128. At the time of writing, none of the several dozen antivirus engines on VirusTotal flagged the file as malicious.
The krebsonsecurity.exe file installs a root certificate, modifies the system registry, and instructs Windows Defender not to scan it. It also attempts to establish an encrypted connection to the IP address above and sends a small amount of traffic to it every minute.
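The fixed web-shell path and the once-a-minute check-in described above give an Exchange administrator concrete things to hunt for. The script below is an added example written for this page, not part of the original report or of Shadowserver's tooling: it runs over constructed IIS and egress log lines and flags requests to the web-shell path (and any other non-allowlisted .aspx under /owa/auth/), DNS lookups for the fake domain, connections to the reported IP, and source/destination pairs whose connection cadence looks like a one-minute beacon. The log layouts, the allowlist of legitimate /owa/auth/ pages and the timing thresholds are assumptions made for the example.

```python
"""Offline hunt for the Babydraco web shell and krebsonsecurity.top stager.

The log lines below are constructed for illustration; the indicators
(web-shell path, domain, IP) are the ones reported by Shadowserver.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

WEBSHELL_PATH = "/owa/auth/babydraco.aspx"
IOC_DOMAIN = "krebsonsecurity.top"      # match the domain and any subdomain
IOC_IP = "159.65.136.128"
# Assumption: OWA auth pages a client may legitimately request. Any other
# .aspx under /owa/auth/ is treated as a possible dropped web shell.
KNOWN_OWA_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx"}

# Constructed IIS W3C log, fields trimmed to what the hunt needs.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-26 10:02:11 GET /owa/auth/logon.aspx 198.51.100.7 200
2021-03-26 10:02:40 POST /owa/auth/babydraco.aspx 203.0.113.9 200
2021-03-26 10:03:02 GET /ecp/default.aspx 198.51.100.7 200
2021-03-26 10:04:15 GET /owa/auth/logon.aspx 198.51.100.8 200
"""

# Constructed egress firewall/DNS log for the Exchange host 10.0.0.5.
SAMPLE_EGRESS_LOG = """\
2021-03-26T10:10:00Z dns src=10.0.0.5 query=brian.krebsonsecurity.top
2021-03-26T10:10:01Z conn src=10.0.0.5 dst=159.65.136.128 dport=443 bytes=412
2021-03-26T10:10:20Z conn src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=9001
2021-03-26T10:11:02Z conn src=10.0.0.5 dst=159.65.136.128 dport=443 bytes=398
2021-03-26T10:12:00Z conn src=10.0.0.5 dst=159.65.136.128 dport=443 bytes=405
2021-03-26T10:13:01Z conn src=10.0.0.5 dst=159.65.136.128 dport=443 bytes=410
2021-03-26T10:14:00Z conn src=10.0.0.5 dst=159.65.136.128 dport=443 bytes=401
"""


def hunt_iis(log_text):
    """Return (timestamp, client IP, path) for requests hitting the known
    web-shell path or any non-allowlisted .aspx under /owa/auth/."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, _method, path, client, _status = line.split()
        lowered = path.lower()
        suspicious_owa_page = (
            lowered.startswith("/owa/auth/")
            and lowered.endswith(".aspx")
            and lowered not in KNOWN_OWA_AUTH_PAGES
        )
        if lowered == WEBSHELL_PATH or suspicious_owa_page:
            hits.append((f"{date} {time}", client, path))
    return hits


def hunt_egress(log_text, beacon_interval=60, tolerance=5, min_conns=4):
    """Return (ioc_hits, beacons): direct indicator matches, plus (src, dst)
    pairs whose median inter-connection gap is about beacon_interval seconds
    (the stager's once-a-minute check-in). Thresholds are assumptions."""
    ioc_hits, conns = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line:
            continue
        ts, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if kind == "dns":
            q = fields["query"].lower()
            if q == IOC_DOMAIN or q.endswith("." + IOC_DOMAIN):
                ioc_hits.append((ts, "dns", q))
        elif kind == "conn":
            if fields["dst"] == IOC_IP:
                ioc_hits.append((ts, "conn", fields["dst"]))
            conns[(fields["src"], fields["dst"])].append(when)
    beacons = []
    for pair, times in conns.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - beacon_interval) <= tolerance:
            beacons.append(pair)
    return ioc_hits, beacons


if __name__ == "__main__":
    for hit in hunt_iis(SAMPLE_IIS_LOG):
        print("web shell request:", hit)
    hits, beacons = hunt_egress(SAMPLE_EGRESS_LOG)
    for h in hits:
        print("IOC:", h)
    for b in beacons:
        print("minute-cadence beacon:", b)
```

The cadence check is deliberately independent of the indicator list: the domain and IP in a campaign like this are cheap to rotate, while a stager that phones home every minute leaves the same timing signature whatever address it is talking to. On a real Exchange host the same logic would be pointed at the IIS logs under the inetpub logs directory and at the perimeter firewall or DNS resolver logs.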
The researchers found more than 21,000 Exchange installations carrying the Babydraco backdoor, but it is not known how many of them also run the secondary file from the fake Krebsonsecurity domain.
Why the Krebsonsecurity domain was forged is also unclear. The forgery is, however, directly linked to recent cybercriminal activity aimed at harassing Krebs.
The journalist first learned of the fake domain in December 2020 from one of his readers, whose home-lab network had been compromised by a cryptocurrency-mining botnet. The miner pointed to the domain XXX-XX-XXX.krebsonsecurity[.]top, where XXX-XX-XXX stood for Brian Krebs's Social Security number.
As the journalist himself explained, this is not the first time criminals have used his name, his brand or lookalike Krebsonsecurity domains in malware or other content in order to harass him or damage his reputation.