
‘Tortilla’ Wraps Exchange Servers in ProxyShell Attacks
2021-11-03 18:16

A new-ish threat actor sometimes known as "Tortilla" is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of infecting vulnerable servers with variants of the Babuk ransomware.

ProxyShell is the name given to an attack that chains three Exchange vulnerabilities together, enabling unauthenticated attackers to achieve remote code execution and to snag plaintext passwords.

"We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell," according to the Cisco Talos writeup.

With the Babuk source code readily available, all the Tortilla actors need to know is how to tweak it slightly, researchers said, a scenario that observers predicted back when the code first appeared.

"The actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools," Cisco Talos researchers said in assessing the Tortilla gang.

They also recommended keeping servers and applications updated in order to close vulnerabilities such as the three CVEs exploited in the ProxyShell attacks.


News URL

https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/