Security News

A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware. The ProxyShell attacks against vulnerable Microsoft Exchange servers started several months ago, with LockFile and Conti being among the first ransomware groups to exploit them.

A new bad actor called Tortilla is running the campaign, and most affected users are in the U.S. Cisco Talos has a warning out for U.S. companies about a new variant of the Babuk ransomware. Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the new threat in a Talos Intelligence blog post.

A new-ish threat actor sometimes known as "Tortilla" is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of inflicting vulnerable servers with variants of the Babuk ransomware. ProxyShell is a name given to an attack that chains a trio of vulnerabilities together, to enable unauthenticated attackers to perform remote code execution and to snag plaintext passwords.

Microsoft has added a new Exchange Server feature that automatically applies interim mitigations for high-risk security flaws to secure on-premises servers against incoming attacks and give admins more time to apply security updates.The new Exchange Server component, aptly named Microsoft Exchange Emergency Mitigation service, builds upon Microsoft's Exchange On-premises Mitigation Tool released in March to help customers minimize the attack surface exposed by the ProxyLogon bugs.

Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016. On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, emailed the Microsoft Security Response Center to disclose an Autodiscover exploit that worked with multiple email clients, including Microsoft Outlook.

Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users. "Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage," the Exchange Online Team said earlier this week.

Guardicore security researcher Amit Serper has discovered a severe design bug in MIcrosoft Exchange's autodiscover - a protocol that lets users easily configure applications such as Microsoft Outlook with just email addresses and passwords. The flaw has caused the Autodiscover service to leak nearly 100,000 unique login names and passwords for Windows domains worldwide, Serper said in a technical report released this week.

An unpatched design flaw in the implementation of Microsoft Exchange's Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide. "This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text that are being transferred over the wire," Guardicore's Amit Serper said in a technical report.

As part of its continued hardline against ransomware attacks, the U.S. Department of Treasury has prohibited anyone in the United States from conducting business with SUEX OTC, a Russian-linked currency exchange. The feds analyzed SUEX's transactions and found that the exchange facilitated transactions of illicit proceeds from at least eight ransomware variants, according to the release.

A flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances. If the client doesn't receive any response from these URLs - which would happen if Exchange was improperly configured or was somehow prevented from accessing the designated resources - the Autodiscover protocol tries a "Back-off" algorithm that uses Autodiscover with a TLD as a hostname.