
The KrebsOnSecurity Name Is, Once Again, Being Abused By Cyberattackers

The KrebsOnSecurity name has been invoked in a string of cyberattacks linked to critical Microsoft Exchange Server vulnerabilities. 

Security expert Brian Krebs of KrebsOnSecurity is no stranger to figures in the criminal space who appear to delight in everything from turning him into a meme and launching denial-of-service (DoS) attacks against his website to SWATing -- hoax calls made to law enforcement that not only waste police time but can also be dangerous.

Now, a domain similar to the legitimate KrebsOnSecurity security resource has been connected to threat actors exploiting a set of critical bugs in Microsoft Exchange Server.

According to a new report released by the Shadowserver Foundation, 21,248 recently compromised Microsoft Exchange servers are communicating with brian[.]krebsonsecurity[.]top.

Krebs says that the compromised systems appear to have been hijacked and that Babydraco backdoors are facilitating communication with the malicious domain. In each case, web shells, used for remote access and control, are being deployed to a previously undetected path, /owa/auth/babydraco.aspx.

In addition, a malicious file named "krebsonsecurity.exe" is fetched via PowerShell to facilitate data transfers between the victim server and the domain.
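A defender-side detection sketch for the indicators the article names, as an added example that is not part of the original report: it scans constructed IIS, DNS and PowerShell log lines for the web shell path, the command-and-control domain and the dropped file name. The log layouts and sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
# Indicators named in the article; the defanged domain is restored for matching.
WEBSHELL_PATH = "/owa/auth/babydraco.aspx"
C2_DOMAIN = "brian.krebsonsecurity.top"
DROPPED_FILE = "krebsonsecurity.exe"

@dataclass
class Hit:
    source: str     # which log the line came from
    indicator: str  # which indicator matched
    line: str       # the raw log line, kept for the analyst

def scan_iis(lines):
    """Match requests whose cs-uri-stem is the reported web shell path (W3C default field order)."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # W3C header/comment lines carry no requests
        fields = line.split()
        if len(fields) > 4 and fields[4].lower() == WEBSHELL_PATH:
            hits.append(Hit("iis", WEBSHELL_PATH, line))
    return hits

def scan_text(source, lines, indicator):
    """Word-bounded, case-insensitive match; also catches subdomains of the C2 domain."""
    pattern = re.compile(r"\b" + re.escape(indicator) + r"\b", re.IGNORECASE)
    return [Hit(source, indicator, l) for l in lines if pattern.search(l)]

# Constructed sample logs (not real data): one benign and one suspicious line each.
IIS_SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-03-10 08:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2021-03-10 08:15:09 10.0.0.5 POST /OWA/auth/BabyDraco.aspx - 443 - 203.0.113.7 python-requests/2.25 200",
]
DNS_SAMPLE = [
    "2021-03-10 08:15:11 client 10.0.0.5 query A outlook.office365.com",
    "2021-03-10 08:15:12 client 10.0.0.5 query A brian.krebsonsecurity.top",
]
PS_SAMPLE = [
    "2021-03-10 08:15:13 ScriptBlock: Get-ChildItem C:\\Windows\\Temp",
    "2021-03-10 08:15:14 ScriptBlock: ... -OutFile C:\\Windows\\Temp\\krebsonsecurity.exe",
]

def triage():
    """Run every scanner over the samples and return the hits in log order."""
    return (scan_iis(IIS_SAMPLE)
            + scan_text("dns", DNS_SAMPLE, C2_DOMAIN)
            + scan_text("powershell", PS_SAMPLE, DROPPED_FILE))
```

The URI comparison is case-insensitive because IIS serves paths regardless of case, so a shell requested as /OWA/auth/BabyDraco.aspx must still be caught.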

"The motivations of the cybercriminals behind the Krebonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity -- and with harassing this author," Krebs commented. 

Microsoft released emergency patches on March 2 to tackle four zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019. The security flaws can be exploited to achieve remote code execution and hijack servers.

A selection of mitigation tools has also been released for IT administrators who cannot immediately patch their deployments, and at last count, the Redmond giant says that roughly 92% of internet-facing Exchange servers have been either patched or mitigated. (ZDNet)
