Brian Krebs (KrebsonSecurity)
Cyber security expert Brian Krebs has claimed he absolutely “did not hack your MS Exchange server” after new data suggested someone had compromised over 21,000 Microsoft Exchange Server email systems worldwide, infecting them with malware invoking Krebs and his KrebsonSecurity website.
“Let’s just get this out of the way right now: It wasn’t me,” Krebs, an investigative journalist specialising in cyber security, said in a blog post.
Krebs went on to note that non-profit organisation The Shadowserver Foundation, which helps network owners identify and fix security threats, said it had found 21,248 different Exchange servers which appeared to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top – which is not a safe domain.
On 26 March, The Shadowserver Foundation saw an attempt to install a new type of backdoor in compromised Exchange servers, and with each hacked host it installed the backdoor in the same place, according to Krebs.
“Shadowserver’s honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft Powershell script that fetches the file “krebsonsecurity.exe” from the Internet address 159.65.136[.]128,” Krebs said.
The KrebsonSecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file, said Krebs, who, as a prominent figure in the cyber security research community is no stranger to having his name and likeness abused by attackers.
According to David Watson, a longtime member and director of the Shadowserver Foundation Europe, the KrebsonSecurity file will attempt to open an encrypted connection between the Exchange server and the IP address noted above, sending a small amount of traffic to it each minute.
Broadly, Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. However, it is not known how many of those systems also ran the secondary download from the rogue KrebsonSecurity domain.
Credit: Shadowserver.org Krebs said Watson claimed that, despite the abuse, this is potentially a good opportunity to highlight how vulnerable or compromised Microsoft Exchange servers are being exploited in the wild at present, and could hopefully help get the message out to victims.
“There are hundreds of thousands of Exchange Server systems worldwide that were vulnerable to attack (Microsoft suggests the number is about 400,000), and most of those have been patched over the last few weeks,” Krebs noted.
“However, there are still tens of thousands of vulnerable Exchange servers exposed online. On 25 March, Shadowserver tweeted that it was tracking 73,927 unique active webshell paths across 13,803 IP addresses,” he added.
Microsoft released security updates for Exchange Server in early March to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind the exploits.
The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain initiated with the ability to make an untrusted connection to Exchange Server port 443.
Just days ago, Microsoft said it had updated Microsoft Defender Antivirus and System Centre Endpoint Protection to automatically mitigate against CVE-2021-26855 on vulnerable Exchange servers.
