Brian Krebs has quite the reputation in the cybersecurity community. A good reputation, too. He's not some nefarious dweeb out there trying to cash in on fear and its related ilk. He's a true-blue, dyed-in-the-wool cybersecurity researcher and journalist.
Krebs is such an authority on the topic, I find myself visiting his site daily, if not more, to see what trail of crumbs he's been following. His latest series, based around the recent Microsoft Exchange Server attacks, has been really, really good and worth following (you can do so here: https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/ ).
Krebs added a new entry on March 28 that is silly but worth sharing. Attackers have been trying to "frame" him for just over 21,000 (and counting) compromised Exchange servers since he started his coverage. The discovery was made by the Shadowserver Foundation.
Shadowserver found compromised Exchange servers trying to connect to a malicious domain named brian[.]krebsonsecurity[.]top. Note the lookalike: Krebs's real site is krebsonsecurity.com, and the attackers registered the same name under the .top TLD with a "brian" subdomain, so the traffic has nothing to do with his infrastructure. It looks like the attackers who've tried to blame Krebs (for whatever reason, probably a little bit of infamy when he posted his article on the subject) are associated with a variety of Exchange Server hacks.
After attackers install their backdoor, in this instance a web shell located at "/owa/auth/babydraco.aspx" (an .aspx file dropped into the Outlook Web Access authentication directory), the Exchange Server starts to communicate with the malicious domain mentioned above and downloads and installs a "krebsonsecurity.exe" file.
"The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file," said David Watson of the Shadowserver Foundation when interviewed by Krebs. He also said, "the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute."
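The indicators in the two paragraphs above are enough to hunt for this activity in your own telemetry. The following Python is an added example written for this page, not code from Krebs, Shadowserver or Microsoft: it parses IIS W3C logs for requests to the reported web-shell path, matches egress log entries against the reported domain (including any label beneath it), and checks whether connections to it recur at the roughly one-minute cadence Watson describes. The IIS field list and the egress log layout (ISO timestamp, source IP, destination host) are assumptions, and every log line is constructed for illustration.

```python
"""Hunt IIS and egress logs for the Exchange indicators described above.

Added example for this page, not code from Krebs or Shadowserver. The log
lines are constructed; the egress log layout is an assumed format.
"""
from __future__ import annotations

import statistics
from datetime import datetime

# Indicators reported by Shadowserver, defanged the way the post writes them.
WEBSHELL_PATH = "/owa/auth/babydraco.aspx"
C2_DOMAIN_DEFANGED = "brian[.]krebsonsecurity[.]top"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)  # brian.krebsonsecurity.top


def parse_w3c(log_text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended logs; the '#Fields:' directive names the columns."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_webshell_hits(log_text: str) -> list[dict[str, str]]:
    """Requests whose URI stem is the reported backdoor; IIS paths are case-insensitive."""
    return [r for r in parse_w3c(log_text)
            if r.get("cs-uri-stem", "").lower() == WEBSHELL_PATH]


def host_matches_c2(host: str) -> bool:
    """Match the C2 domain itself or any label beneath it, ignoring case and a trailing dot."""
    h = host.lower().rstrip(".")
    return h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)


def find_c2_connections(egress_lines: list[str]) -> list[tuple[datetime, str, str]]:
    """Assumed egress format: '<ISO-8601 timestamp> <source IP> <destination host>'."""
    hits = []
    for line in egress_lines:
        ts, src, host = line.split()
        if host_matches_c2(host):
            hits.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host))
    return hits


def looks_like_beacon(timestamps: list[datetime], period_s: float = 60,
                      tolerance: float = 0.1, min_events: int = 5) -> bool:
    """True if connections recur about every period_s seconds with little jitter."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    allowed = period_s * tolerance
    return (abs(statistics.median(gaps) - period_s) <= allowed
            and statistics.pstdev(gaps) <= allowed)


def hunt(iis_log: str, egress_lines: list[str]) -> dict:
    """Combine the three checks into one summary for a server."""
    shell_hits = find_webshell_hits(iis_log)
    by_src: dict[str, list[datetime]] = {}
    for ts, src, _ in find_c2_connections(egress_lines):
        by_src.setdefault(src, []).append(ts)
    return {
        "webshell_clients": sorted({r["c-ip"] for r in shell_hits}),
        "c2_sources": sorted(by_src),
        "beaconing_sources": sorted(s for s, t in by_src.items() if looks_like_beacon(t)),
    }


# Constructed sample data (not real telemetry).
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-27 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 198.51.100.7 Mozilla/5.0 200
2021-03-27 10:15:09 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 203.0.113.44 python-requests/2.25.1 200
2021-03-27 10:15:12 10.0.0.5 GET /ecp/default.aspx - 443 198.51.100.7 Mozilla/5.0 302
"""

EGRESS_LINES = [
    "2021-03-27T10:16:00Z 10.0.0.5 brian.krebsonsecurity.top",
    "2021-03-27T10:16:30Z 10.0.0.5 outlook.office365.com",
    "2021-03-27T10:17:01Z 10.0.0.5 brian.krebsonsecurity.top",
    "2021-03-27T10:17:59Z 10.0.0.5 brian.krebsonsecurity.top",
    "2021-03-27T10:18:10Z 10.0.0.9 krebsonsecurity.com",
    "2021-03-27T10:19:00Z 10.0.0.5 brian.krebsonsecurity.top",
    "2021-03-27T10:20:02Z 10.0.0.5 brian.krebsonsecurity.top",
]

if __name__ == "__main__":
    print(hunt(IIS_LOG, EGRESS_LINES))
```

The domain match deliberately accepts labels beneath the reported name and ignores case and a trailing dot, so DNS-style and proxy-style records both hit, while the legitimate krebsonsecurity.com never does. The beacon check is a coarse jitter test on inter-arrival gaps; real implants vary their sleep, so tune the tolerance to what you observe rather than treating a miss as a clean bill of health.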
Microsoft did issue patches on March 2 that close the vulnerabilities being exploited against Exchange Server. Keep in mind that patching only stops new intrusions: a server that was compromised before the update still has its web shell and any follow-on implants in place, so patched servers need to be checked for backdoors like the one above. You can find more information about the patch here: https://www.security7.net/news/microsoft-exchange-attack-30000-servers-compromised.