Reportedly, a new threat actor is working to hack Microsoft Exchange ProxyShell servers to breach and get access to the company’s sensitive information by using ProxyShell vulnerability which is used to deploy the Babuk ransomware.
The ProxyShell attacks have been going for a few months now to make Microsoft Exchange servers vulnerable. LockFire and Conti were the first ransomware groups to exploit the servers.
According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as ‘Tortilla’ had joined the club in October, when the actor started using the ‘China Chopper’ web shell on breached Exchange servers.According to the reports of Bleeping Computer
Tortilla’s name came from malicious executables that were seen in campaigns using Tortilla.exe.
The Babuk ransomware attack starts with a DLL, or .NET executable dropped on the Exchange server using the ProxyShell vulnerability. Babuk ransomware was launched in the initial months of 2021, when it started targeting businesses and then attempting the double-exortion attacks and targeting businesses.
The ransomware attackers asked for ransom which starts from $10,000. In some cases, the attackers were asking high ransom in terms of Bitcoin.
Microsoft exchange servers are getting a lot of threats from many different attackers and it is high time that the company starts taking tough steps to stop these malicious attacks.