[MART] - Daily Diary #384 - Babuk Ransomware Exploiting ProxyShell Vulnerabilities

CTAS-MAT ctas-mat at appgate.com
Fri Nov 5 21:09:25 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

11/05/2021 - Diary entry #384

Covered in many of our Daily Diaries, Babuk ransomware is one of the many ransomware groups that operate under the ransomware-as-a-service model. A few months ago, the cybercrime gang behind Babuk also launched a wall-of-shame platform (covered in our Daily Diary #276) named Payload.bin, which lists not only Babuk victims but also victims of other ransomware gangs that "partner" with them.

Recently, a new Babuk campaign was disclosed that uses the ProxyShell vulnerabilities in Microsoft Exchange for initial intrusion. ProxyShell is tracked under CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Chaining those vulnerabilities allows an unauthenticated attacker to achieve remote code execution on any network that exposes an outdated version of Microsoft Exchange.

This is not the first time a ransomware gang has been found exploiting ProxyShell: in our Daily Diary #331 we covered LockFile ransomware exploiting the same vulnerabilities together with the PetitPotam technique. The fact that other currently active ransomware gangs are adopting this exploit means that there are still companies running unpatched Microsoft Exchange servers, even though these vulnerabilities were fixed in Microsoft's August 2021 Patch Tuesday.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509


