Vulnerable Microsoft Exchange Servers Affected by Babuk Ransomware

An emerging threat actor called Tortilla exploits known vulnerabilities in Microsoft Exchange servers to infect victims with Babuk ransomware.

The campaign illustrates how new attackers are modifying and deploying Babuk after the malware’s source code and binary constructor leaked in September. The actor behind the attack, named Tortilla because of the payload filenames used in the campaign, has only been operational since early July, making it a relatively new and less experienced group.

“The actor displays low to medium skills with a decent understanding of security concepts and the ability to create minor modifications to existing malware and offensive security tools,” according to Chetan Raghuprasad and Vanja Svajcer, researchers at Cisco Talos, in a study published Wednesday.

The campaign, first discovered by researchers on October 12, primarily affected users in the United States, with a smaller number of infections in the United Kingdom, Germany, Ukraine, Finland, Brazil, Honduras and Thailand.

The researchers assessed with “moderate confidence” that the attackers were targeting vulnerable Exchange servers and attempting to exploit the ProxyShell flaw in order to deploy Babuk. ProxyShell is a collection of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that can be chained to bypass authentication and execute code as a privileged user. Attackers would use a DLL or .NET executable, which would then run as a child process of w3wp.exe and invoke the command shell to execute an obscured PowerShell command. The researchers said they also observed China Chopper installed on infected systems, which they said executed the initial download command. China Chopper, which dates from 2010, is a webshell that allows attackers to retain access to infected systems.

The PowerShell command then downloaded a payload loader module, which in turn downloaded an intermediate decompression step from a PasteBin clone site called This is a “somewhat unusual chain of infection technique” that sets the variant apart, the researchers said.

“The intermediate unpack step is downloaded and decoded into memory before the final payload embedded in the original sample is decrypted and executed,” they said.

This payload was then used to encrypt files on the victim’s server and mounted drives, the researchers said.

Tortilla is leading Internet-wide scanning efforts to exploit vulnerable hosts for several popular applications, including Microsoft Exchange, the researchers said. They also observed Tortilla experimenting with other payloads, including a PowerShell-based netcat clone called Powercat, in an attempt to gain remote access to infected systems.

“The actor is experimenting with different approaches to attacking organizations,” said Vanja Svajcer, head of threat research at Cisco Talos.

The researchers said Babuk “is harmful in nature” – the ransomware encrypts the victim’s machine, interrupts the system backup process, and removes shadow volume copies. While a Babuk decryptor was released recently, researchers said that it could not be used to decrypt files encrypted by this specific variant because the decryptor is only effective with a certain number of leaked keys. To protect against this threat, the researchers said organizations should regularly patch their servers and applications.
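Two of the behaviours described above are observable on an endpoint: the Exchange IIS worker process w3wp.exe spawning a command shell or PowerShell (the child-process pattern left by a webshell or a post-exploitation loader), and the deletion of shadow volume copies before encryption. The following is an added example, not code from the article or from Cisco Talos, that runs two detection rules over constructed process-creation events; the event format, field names, and all sample command lines are assumptions made for the example.

```python
# Added example (not from the Cisco Talos write-up or the article): a small
# detector that scans process-creation events for two behaviours the article
# describes: (1) the Exchange IIS worker process w3wp.exe spawning a command
# shell or PowerShell, and (2) shadow copy deletion, a Babuk trait.
# The "parent|image|cmdline" event format and all sample events are constructed.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str      # image name of the parent process
    image: str       # image name of the new process
    cmdline: str     # full command line


# Constructed sample events: benign noise plus the two patterns of interest.
SAMPLE_LOG = """\
services.exe|svchost.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
w3wp.exe|cmd.exe|cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAA...
w3wp.exe|powershell.exe|powershell.exe -NoProfile -EncodedCommand dwBo...
w3wp.exe|conhost.exe|\\??\\C:\\Windows\\system32\\conhost.exe 0x4
explorer.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass .\\build.ps1
cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
cmd.exe|wmic.exe|wmic shadowcopy delete
cmd.exe|vssadmin.exe|vssadmin.exe list shadows
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell's encoded-command switch and its accepted abbreviations.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def parse_events(text):
    """Parse the constructed 'parent|image|cmdline' lines into ProcessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append(ProcessEvent(parent.lower(), image.lower(), cmdline))
    return events


def detect_exchange_shell_spawn(ev):
    """Rule 1: the Exchange IIS worker process spawning a shell.
    Severity is raised when the child carries an encoded PowerShell command."""
    if ev.parent != "w3wp.exe" or ev.image not in SHELLS:
        return None
    sev = "high" if ENCODED_FLAG.search(ev.cmdline) else "medium"
    return f"[{sev}] w3wp.exe spawned {ev.image}: {ev.cmdline}"


def detect_shadow_copy_deletion(ev):
    """Rule 2: removal of Volume Shadow Copies, a common ransomware pre-encryption step.
    Listing shadows is not flagged; only deletion is."""
    if ev.image in {"vssadmin.exe", "wmic.exe"} and SHADOW_DELETE.search(ev.cmdline):
        return f"[high] shadow copy deletion: {ev.cmdline}"
    return None


def scan(text):
    """Run every rule over every event and return the list of alert strings."""
    alerts = []
    for ev in parse_events(text):
        for rule in (detect_exchange_shell_spawn, detect_shadow_copy_deletion):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the scan produces four alerts: the two w3wp.exe children carrying encoded PowerShell, and the two shadow-copy deletions; conhost.exe under w3wp.exe, a user-launched script, and `vssadmin list shadows` are left alone. In production the same two rules map directly onto Sysmon Event ID 1 or Windows Security Event 4688 fields (ParentImage/Image/CommandLine), which is where the "behavioral protection" the researchers recommend would see this chain early, before encryption starts.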

“Organizations and advocates must remain vigilant against such threats and must implement layered defense security with behavioral protection enabled so that endpoints and servers detect threats early in the infection chain,” they said.
