
Hackers Fail to Blame Exchange Server Attacks on Brian Krebs


Brian Krebs has quite the reputation in the cybersecurity community, and a good one. He's not some nefarious dweeb out there trying to cash in on fear and its related ilk. He's a true-blue, dyed-in-the-wool cybersecurity researcher and journalist.

Krebs is such an authority on the topic that I find myself visiting his site daily, if not more often, to see what trail of crumbs he's been following. His latest series, on the recent Microsoft Exchange Server attacks, has been really, really good and is worth following (you can do so here: https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/ ).

Krebs added a new entry on the 28th that is silly but worth sharing. Attackers have been trying to "frame" him for just over 21,000 (and counting) Exchange Server attacks since he started his coverage. The discovery was made by the Shadowserver Foundation.

Shadowserver found that compromised Exchange servers were trying to connect to a malicious domain named brian[.]krebsonsecurity[.]top. It looks like the attackers who've tried to pin this on Krebs (for whatever reason, probably a little infamy from the attention his coverage drew) are associated with a variety of the Exchange Server hacks.

After the attackers install their backdoor, in this instance a web shell located at /owa/auth/babydraco.aspx, the Exchange Server starts communicating with the malicious Krebs-themed domain mentioned above and downloads and installs a file named "krebsonsecurity.exe".

"The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file," said David Watson of the Shadowserver Foundation when interviewed by Krebs. He also said, "the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute."
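The behaviour described above gives an Exchange admin a concrete checklist to hunt with: a web shell in the OWA auth directory, a dropped executable, a Defender exclusion, a new root certificate, and a name that resolves every minute. The script below is an added example written for this post, not code from Krebs, Shadowserver or Microsoft, and it checks one Exchange server for exactly those indicators. It assumes a standard Exchange 2013-2019 install path read from the registry (falling back to the default location), a small set of common drop directories, and a hunt window starting 2021-02-26, roughly when the mass exploitation began; none of those details come from the post. Run it elevated on the Exchange server itself.

```powershell
# Added hunt script for the indicators described in the post (not the post's or
# Shadowserver's own code). Checks a single Exchange server for:
#   1. a web shell (babydraco.aspx, or any recently written .aspx) under owa\auth
#   2. the dropped payload krebsonsecurity.exe, running or on disk
#   3. Windows Defender exclusions, which the payload is reported to add
#   4. machine-wide root certificates minted inside the hunt window
#   5. cached DNS answers for the brian[.]krebsonsecurity[.]top C2 domain
# Assumptions (not stated in the post): registry-derived Exchange install path,
# the drop directories searched in step 2, and the $HuntStart date.

$ErrorActionPreference = 'SilentlyContinue'
$HuntStart = Get-Date '2021-02-26'          # assumed start of the hunt window
$C2Domain  = 'brian.krebsonsecurity.top'     # defanged in the post as brian[.]krebsonsecurity[.]top
$Payload   = 'krebsonsecurity.exe'
$Findings  = [System.Collections.Generic.List[string]]::new()

# 1. Web shell. Files shipped with Exchange carry install-time timestamps, so any
#    .aspx written inside the hunt window (or the named shell itself) is suspect.
$ExchangeRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup').MsiInstallPath
if (-not $ExchangeRoot) { $ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$AuthDir = Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'
Get-ChildItem -Path $AuthDir -Recurse -Include *.aspx -File |
    Where-Object { $_.LastWriteTime -ge $HuntStart -or $_.Name -ieq 'babydraco.aspx' } |
    ForEach-Object { $Findings.Add("web shell candidate: $($_.FullName) (written $($_.LastWriteTime))") }

# 2. Dropped payload: a running process with that image name, or the file in
#    common drop locations (assumed list; widen it for your environment).
Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq $Payload } |
    ForEach-Object { $Findings.Add("payload running: PID $($_.ProcessId) $($_.CommandLine)") }
foreach ($dir in @($env:TEMP, $env:ProgramData, $env:windir, $AuthDir)) {
    Get-ChildItem -Path $dir -Recurse -Depth 2 -Filter $Payload -File |
        ForEach-Object { $Findings.Add("payload on disk: $($_.FullName)") }
}

# 3. Defender exclusions. Any exclusion on an Exchange server deserves review;
#    one that names the payload is the behaviour the post describes.
$Pref = Get-MpPreference
$Exclusions = (@($Pref.ExclusionPath) + @($Pref.ExclusionProcess) + @($Pref.ExclusionExtension)) |
    Where-Object { $_ }
foreach ($ex in $Exclusions) {
    $tag = if ($ex -like "*$Payload*") { 'matches dropped payload' } else { 'review' }
    $Findings.Add("Defender exclusion present ($tag): $ex")
}

# 4. Root certificates. The store records no install time, so the certificate's
#    own NotBefore is the proxy: attacker-generated roots are usually freshly minted,
#    while vendor roots predate the hunt window by years.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -ge $HuntStart } |
    ForEach-Object { $Findings.Add("recently minted root CA: '$($_.Subject)' thumbprint $($_.Thumbprint)") }

# 5. C2 resolution. A beacon every minute keeps the name in the DNS client cache.
Get-DnsClientCache |
    Where-Object { $_.Entry -like "*$C2Domain*" -or $_.RecordName -like "*$C2Domain*" } |
    ForEach-Object { $Findings.Add("C2 domain in DNS cache: $($_.Entry) -> $($_.Data)") }

# Report. No hits means only that this indicator set was not seen; it does not
# prove the server is clean.
if ($Findings.Count -eq 0) {
    Write-Output "No indicators from this set found on $env:COMPUTERNAME."
} else {
    Write-Warning "$($Findings.Count) indicator(s) on $env:COMPUTERNAME; treat the server as compromised until triaged:"
    $Findings | ForEach-Object { Write-Output "  [!] $_" }
}
```

Treat any hit as a compromise, not a false-positive to explain away: the web shell gives the attacker code execution as the IIS worker, and the root certificate and Defender exclusion persist after the shell file is deleted, so remediation means removing all three and rotating credentials the server held, not just patching.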

Microsoft did issue a patch earlier this month that closes the flaws these attackers are exploiting. Note that patching stops new intrusions but does not remove a web shell or payload already on the box, so patched servers still need to be checked. You can find more information about the patch here: https://www.security7.net/news/microsoft-exchange-attack-30000-servers-compromised.
