No, I Did Not Hack Your MS Exchange Server — Krebs on Security

March 28, 2021

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name.


Let’s just get this out of the way right now: It wasn’t me.

The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling).

Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. “web shells”) that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server’s emails).

On Mar. 26, Shadowserver saw an attempt to install a new type of backdoor in compromised Exchange Servers, and with each hacked host it installed the backdoor in the same place: “/owa/auth/babydraco.aspx.”

“The web shell path that was dropped was new to us,” said Watson. “We have been testing 367 known web shell paths via scanning of Exchange servers.”

OWA refers to Outlook Web Access, the Web-facing portion of on-premises Exchange servers. Shadowserver’s honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: running a Microsoft PowerShell script that fetches the file “krebsonsecurity.exe” from the Internet address 159.65.136[.]128. Oddly, none of the several dozen antivirus tools available to scan the file at Virustotal.com currently detect it as malicious.

The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute.
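As an added defender-side example (it is not code from Krebs’s article or from Shadowserver), the Python below triages constructed IIS and egress log lines for the indicators the article names: requests to the Babydraco web shell path under /owa/auth/ and the once-a-minute connections to the download address. The IIS field order, the allowlist of legitimate OWA auth pages and the egress log layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Indicators quoted in the article (defanged there); everything else below is assumed.
WEBSHELL_PATH = "/owa/auth/babydraco.aspx"
BEACON_HOSTS = {"159.65.136.128", "brian.krebsonsecurity.top"}
LEGIT_OWA_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx"}  # assumed allowlist
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]  # assumed W3C order

def triage_iis(lines):
    """Return (client ip, path, reason) for suspicious requests under /owa/auth/."""
    hits = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != len(IIS_FIELDS):
            continue  # header line, or a line that does not match the assumed layout
        rec = dict(zip(IIS_FIELDS, parts))
        stem = rec["cs-uri-stem"].lower()
        if stem == WEBSHELL_PATH:
            hits.append((rec["c-ip"], stem, "known Babydraco web shell path"))
        elif stem.startswith("/owa/auth/") and stem.endswith(".aspx") and stem not in LEGIT_OWA_AUTH_PAGES:
            hits.append((rec["c-ip"], stem, "unexpected .aspx under /owa/auth/"))
    return hits

def find_beacons(conn_lines, period=60.0, tolerance=5.0, min_gaps=3):
    """conn_lines: 'ISO-timestamp src dst' egress records (constructed layout); flag
    sources that reach the IoC hosts at a steady cadence of about `period` seconds."""
    seen = defaultdict(list)
    for line in conn_lines:
        ts, src, dst = line.split()
        if dst in BEACON_HOSTS:
            seen[src].append(datetime.fromisoformat(ts))
    beaconing = []
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= min_gaps and abs(median(gaps) - period) <= tolerance:
            beaconing.append(src)
    return sorted(beaconing)

# Constructed sample data, not real logs: a benign OWA client, an attacker using the
# shell path, and four once-a-minute connections from the Exchange host to the IoC address.
SAMPLE_IIS = [
    "2021-03-26 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0 200",
    "2021-03-26 10:00:09 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 198.51.100.23 python-requests/2.25 200",
    "2021-03-26 10:00:12 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=500 443 - 203.0.113.7 Mozilla/5.0 200",
    "2021-03-26 10:01:00 10.0.0.5 POST /owa/auth/unknown1.aspx - 443 - 198.51.100.23 curl/7.68 200",
]
SAMPLE_CONN = ["2021-03-26T10:%02d:00 10.0.0.5 159.65.136.128" % m for m in range(4)]
SAMPLE_CONN.append("2021-03-26T10:00:30 10.0.0.9 159.65.136.128")  # one-off contact, not a beacon
```

A hit on the web shell path should be treated as a compromise, not merely a vulnerable host; the beacon check needs several consecutive connections, so a single contact from a host is reported only by the IIS triage.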

Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they don’t know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain.

“Despite the abuse, this is potentially a good opportunity to highlight how vulnerable/compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message out to victims that they need to sign up for our free daily network reports,” Watson said.

There are hundreds of thousands of Exchange Server systems worldwide that were vulnerable to attack (Microsoft suggests the number is about 400,000), and most of those have been patched over the last few weeks. However, there are still tens of thousands of vulnerable Exchange servers exposed online. On Mar. 25, Shadowserver tweeted that it was tracking 73,927 unique active webshell paths across 13,803 IP addresses.

Image: Shadowserver.org

Exchange Server users that haven’t yet patched against the four flaws Microsoft fixed earlier this month can get immediate protection by deploying Microsoft’s “One-Click On-Premises Mitigation Tool.”

The motivations of the cybercriminals behind the Krebsonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author. I first heard about the domain in December 2020, when a reader told me how his entire network had been hijacked by a cryptocurrency mining botnet that called home to it.

“This morning, I noticed a fan making excessive noise on a server in my homelab,” the reader said. “I didn’t think much of it at the time, but after a thorough cleaning and test, it still was noisy. After I was done with some work-related things, I checked up on it – and found that a cryptominer had been dropped on my box, pointing to XXX-XX-XXX.krebsonsecurity.top. In all, this has infected all three linux boxes on my network.”

What was the subdomain I X’d out of his message? Just my Social Security number. I’d been doxed via DNS.

This is hardly the first time malware or malcontents have abused my name, likeness and website trademarks as a cybercrime meme, for harassment, or just to besmirch my reputation. Here are a few of the more notable examples, although all of those events are almost a decade old. That same list today would be pages long.

Further reading:

A Basic Timeline of the Exchange Mass-Hack

Warning the World of a Ticking Timebomb

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails



Tags: Babydraco backdoor, Babydraco shell, David Watson, Shadowserver, Windows Defender

This entry was posted on Sunday, March 28th, 2021 at 1:40 pm and is filed under A Little Sunshine.
