BumbleBee Opens Exchange Servers in xHunt Spy Campaign
2021-01-12 18:30

A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.

"We found BumbleBee hosted on an internal Internet Information Services web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations," researchers explained in a Monday blog.

"We also observed the actor creating SSH tunnels to internal servers for TCP port 80, which suggests the actor used the tunnel to access internal IIS web servers. We believe that the actor accessed these additional internal IIS web servers to leverage file uploading functionality in internal web applications to install BumbleBee as a method of lateral movement."

"The actor spent three hours and 37 minutes on Sept. 16, 2020, running commands via the BumbleBee web shell installed on the [first] compromised Exchange server," according to the analysis.

In addition to analyzing commands executed on the compromised Exchange server, Unit 42 also analyzed the commands executed on the BumbleBee web shell at an internal IIS web server hosted at one of the two other Kuwaiti organizations.

The most recent campaign stretched back to February, when xHunt compromised an Exchange server via Outlook Web App using compromised credentials.


News URL

https://threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/