‘Tortilla’ Wraps Exchange Servers in ProxyShell Attacks (Security News, November 2021)

A relatively new threat actor tracked as "Tortilla" is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of infecting vulnerable servers with variants of the Babuk ransomware.
ProxyShell is the name given to an attack that chains three Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207): a pre-authentication path confusion in the Autodiscover front end, a privilege elevation against the Exchange PowerShell back end, and a post-authentication arbitrary file write. Together they let an unauthenticated attacker execute code on the server, typically by dropping a web shell.
"We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell," according to the Cisco Talos writeup.
With the Babuk source code readily available since its leak earlier in 2021, all the Tortilla actors need to know is how to tweak it slightly, researchers said: a scenario observers predicted when the code first appeared.
"The actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools," Cisco Talos researchers said in assessing the Tortilla gang.
They also recommended keeping servers and applications updated to close such vulnerabilities, including the three CVEs exploited in the ProxyShell attacks. Microsoft fixed all three in its April and May 2021 Exchange security updates, so an Exchange server carrying the May 2021 (or later) security update for its cumulative update is not exposed to this chain; servers still being hit are those that never received it.
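Because the chain described above runs through the Exchange front end, each step leaves a recognisable trace in the IIS W3C logs: the Autodiscover path-confusion request, the smuggled call to the PowerShell back end carrying an X-Rps-CAT token, and afterwards POSTs to a freshly dropped .aspx file in a directory that should contain no scripts. The scanner below is an added example written for this page, not code from Threatpost or Cisco Talos; the log lines, IP addresses, hostnames and token value are constructed for illustration, and the web-shell path heuristic (only `/aspnet_client/*.aspx`) is a deliberately narrow assumption, not a complete indicator set.

```python
"""Scan IIS W3C logs from an Exchange front end for ProxyShell exploitation indicators.

Added example for this article, not code from Threatpost or Cisco Talos.
All log lines, addresses and the X-Rps-CAT value below are constructed.
"""
import re
from urllib.parse import unquote

# Step 1 (CVE-2021-34473): the query string smuggles a second
#   "Email=autodiscover/autodiscover.json?@<host>" into /autodiscover/autodiscover.json
AUTODISCOVER_RE = re.compile(r"email=autodiscover/autodiscover\.json\?@", re.I)
# Step 2 (CVE-2021-34523): the smuggled target is /powershell and carries an
#   X-Rps-CAT token in the query
RPS_CAT_RE = re.compile(r"x-rps-cat=", re.I)
# Post-exploit (assumption, narrow on purpose): no legitimate .aspx lives under
#   /aspnet_client/, so a POST there is a likely China Chopper-style web shell
WEBSHELL_PATH_RE = re.compile(r"^/aspnet_client/[^/]+\.aspx$", re.I)


def parse_iis(log_text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the list of indicator names matched by a single log entry."""
    stem = entry.get("cs-uri-stem", "")
    query = unquote(entry.get("cs-uri-query", "-"))  # IIS logs keep %3F etc. encoded
    method = entry.get("cs-method", "")
    hits = []
    if stem.lower().startswith("/autodiscover/autodiscover.json") and AUTODISCOVER_RE.search(query):
        hits.append("proxyshell-path-confusion")
        if RPS_CAT_RE.search(query) or "/powershell" in query.lower():
            hits.append("proxyshell-powershell-backend")
    if method == "POST" and WEBSHELL_PATH_RE.match(stem):
        hits.append("possible-webshell-post")
    return hits


def scan(log_text):
    """Return a finding per suspicious request: timestamp, client IP, URI stem, hits."""
    findings = []
    for entry in parse_iis(log_text):
        hits = classify(entry)
        if hits:
            findings.append({
                "when": entry["date"] + " " + entry["time"],
                "c-ip": entry.get("c-ip"),
                "stem": entry["cs-uri-stem"],
                "hits": hits,
            })
    return findings


# Constructed sample: one benign OWA request, then the three stages of an attack.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-11-02 09:14:03 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 31
2021-11-02 09:15:11 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 120
2021-11-02 09:15:12 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 455
2021-11-02 09:16:40 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["when"], finding["c-ip"], finding["stem"], ",".join(finding["hits"]))
```

On a real server point `scan()` at the files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\`; a single client IP that trips the path-confusion indicator and then the PowerShell-backend indicator within seconds is the pattern to escalate, regardless of whether a web shell POST has been seen yet.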
News URL
https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/