Attackers Breach 21,000 Microsoft Exchange Servers, Install Malware Implicating Brian Krebs

Security researcher Brian Krebs wants you to know... "New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let's just get this out of the way right now: It wasn't me." The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with [a domain that begins with brian . krebsonsecurity... Not a safe domain.] Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and "honeypots" — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. "web shells") that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server's emails)... Shadowserver's honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft Powershell script that fetches the file "krebsonsecurity.exe"... Oddly, none of the several dozen antivirus tools available to scan the file at Virustotal.com currently detect it as malicious. The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute.

Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they don't know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain. "Despite the abuse, this is potentially a good opportunity to highlight how vulnerable/compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message out to victims that they need to sign up our free daily network reports," Watson said.

Popularity contest.

[Ostracus]

I wonder what one has to do to be so popular criminals will virtually spray paint your name all over the crime scene?

Re:Popularity contest.

[freeze128]

Anyone who knows the name 'Brian Krebs' and KrebsOnSecurity knows that he would not infect these servers, and that he is a leader in finding vulnerabilities and patching them for the good of everyone (except maybe the criminals).

Want to be hated by criminals? Be at the top of your game in stopping them.

Re:

[phantomfive]

He catches hackers. In the past, they've DDOSed his website [csoonline.com]. When malware comes around, he is among the first to analyze it, and when he finds it, he often does investigations to find who is responsible. He reads through popular hacker forums and finds people.

Good thing

[93 Escort Wagon]

Good thing that proprietary closed code base keeps software like Microsoft Exchange free from widely-exploited vulnerabilities.

Re:

[irateogle]

Security issues are found in both closed source and open source software. Microsoft released a patch and some people have not applied it a month later. If you don't patch internet facing software ASAP, you get what you get.

Re:

[93 Escort Wagon]

Security issues are found in both closed source and open source software.

Oh yeah, I completely agree with you. But, given that whenever an open source bug is announced people use it as an opportunity to cast shade on FOSS in general, I figured turnabout was fair play.

https://duckduckgo.com/?q=%22m... [duckduckgo.com]

My personal exchange server got pwned as well

[togermano]

I run a personal server that I try things out on before doing it professionally and happened to setup exchange 2019 a month ago. Whatever variant I got encrypted every dir the user had access too and left a ransomed txt file saying pay 10k to unecrypt your files. Luckily it didn't have enough permission to touch the windows/programs app directory so the damage was minimum. I knew something was up when a exe file with a random long name was taking up abunch of CPU. Microsoft antivirus didnt detect the exe files at the time but it does now... Avast detected it before microsofts.

Re:

[KiloByte]

Ookay, you say "doing it professionally" -- so how come Exchange is involved?

Re:

[BAReFO0t]

MCSEs think they are professionals.

They will tell you about "these amazing facilities that Linux will probably get /never/...", like logging and shell scripting and a (pathetic attempt at a) package manager. :)

Re:

[Anonymous Coward]

MCSEs think they are professionals.

They're getting paid for it, that makes em professionals, right?

Re:

[sizzlinkitty]

No you can be complete amateur hour and still get paid for it.

Why not IMAP?

[pavangpd]

As a rhetorical question, what is so different about Exchange when compared to IMAP? Why not simply use an IMAP server and be done with it?

Re:

[Anonymous Coward]

Exchange has strong integration with Microsoft based account management, and strong support of the calendar integration used by Outlook. Don't underestimate the calender: to people who believe that work gets done at meetings, it's the major use for email.

The primary IMAP open source implementation, "wu-imapd", was saddled for years with the development policies of its author, Marc Crispin. Any attempt add SSL support or even point to URL's where SSL patches were available was met with wild-eyed accusations

Re:

[dskoll]

wu-imapd hasn't been the "primary IMAP open source implementation" for a long time now. Pretty much everyone I know who runs an open-source IMAP server runs one of Cyrus IMAP or Dovecot.

Re:

[fuzznutz]

I switched to Courier years ago after I got sick of having to constantly dick around with wu-imapd. I finally gave wu-imapd the finger after an update resulted in taking down the mail and me spending all night fixing it. Now I've moved on again to Dovecot and I've had this server for nearly five years.

Re:

[ctilsie242]

I have not seen wu-imapd in ages. Instead, I see Dovecot as the default imapd server in RHEL, CentOS, Ubuntu and others. Dovecot provides some useful features, such as IMAPS, and STARTTLS... and STARTTLS is something all IMAP servers should have.

Roundcube is a solid web based IMAP client.

I hate to see people winding up on Gmail or M365, but it is understandable... maintaining a mail server can be a headache, because one small thing can get one's IP range on a blacklist. You can maintain it, but between I

Re:

[Nkwe]

As a rhetorical question, what is so different about Exchange when compared to IMAP? Why not simply use an IMAP server and be done with it?

Ignoring the rhetorical part, Exchange is a platform, IMAP is a protocol. Exchange, the platform, speaks the IMAP protocol (as well as POP and its own proprietorial protocol.) Many other mail serving platforms serve IMAP. The Exchange proprietorial protocol allows management of contact information and calendar items as well as efficient server side search. The IMAP protocol has difficulty with these features (or at least implementations that are in regular use do.)

Re:Why not IMAP?

[Voyager529]

As a rhetorical question, what is so different about Exchange when compared to IMAP? Why not simply use an IMAP server and be done with it?

Things IMAP doesn't do...

1.) Calendars.
2.) Contacts.
3.) Tasks.
4.) Shared Calendars.
5.) Shared Contacts.
6.) Shared Tasks.
7.) Synchronized calendars between devices.
8.) Synchronized contacts between devices.
9.) Synchronized tasks between devices.
10.) Mailbox delegation.
11.) Resource booking.
12.) Integration with the rest of a Microsoft environment.
13.) Scalable to tens of thousands of mailboxes via clustering.
14.) All of these things get set up in Outlook (and most other mail clients) with three clicks or less.

So yes, Exchange sucks. However, the Dovecot + Postfix + CalDav + CardDav + LDAP recipe has its drawbacks, primarily in setup and usage for end users. Some projects that exist now have done a pretty solid job at integrating these things more seamlessly...but as much as Mailcow and OpenXchange have hit maturity in the past few years, two decades of inertia don't just go away because someone else has something "pretty close".

Re:

[sound+vision]

The calendar thing is a huge deal for some businesses. The last company I worked for used it for absolutely everything. Meetings, requesting a day off, deadlines. Everything was submitted and tracked by Outlook calendar.

I thought it was kind of clunky for all the stuff they shoehorned into it, but good luck trying to get everyone to change to a new way of doing it, even if equivalent replacements exist. This same company was using godawful DOS software from the 80s for inventory tracking and other core busi

Re:

[phantomfive]

And do you really trust Postfix to have fewer vulnerabilities than Exchange?

Re:

[WaffleMonster]

IMAP has no 2FA/MFA security

Nonsense, client authentication is widely supported.

Malware? You mean apart from Exchange?

[BAReFO0t]

Admins were scared everywhere that somebody would patch their Exchange server.... until they head it's not Microsoft.

"Hey, now at least there's a chance they fixed something!"

Plausible Deniability?

[Anonymous Coward]

Well, if it *was* Brian Krebs, of course he would deny it.

Why is this still happening in 2021

[terrorubic]

an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port! [proxylogon.com]

Re:

[NateFromMich]

Honestly, over the years I've encountered so many poorly configured exchange servers bouncing mail to servers it didn't even come from, that I'm not surprised at all.
I've always said that it's because idiots that can only point-and-click are the admins, but perhaps it's actually just shitty software.

Re:

[flyingfsck]

The sad thing about Exchange is that it was written by The Open Group. Yes, the owners of the UNIX trade mark did it to us.

Re:

[terrorubic]

"VFAT mounts on Bernoulli drives, Cache is not flushed before a disk is changed nor is the drive detected as being changed allowing for possible data corruption."

Status: OK to ship [edge-op.org]

Click Click Click

[fustakrakich]

...they need to sign up our free daily network reports!

Oh brother!

Great sticker..

[sizzlinkitty]

When one of us gets krebbed...All of us get krebbed. We are all NOTDAN!

Krebs

[UnCivil Liberty]

"Let's just get this out of the way right now: It wasn't me."
This is exactly what Brian Krebs would say after compromising more than 21,000 Microsoft Exchange Server email systems worldwide ;)

Exchange is insane

[WaffleMonster]

Perhaps twice a decade starting since before exchange even had an SMTP gateway and outlook existed for some reason or another I end up setting up a small exchange server and it literally has never worked right.. every time it always chokes on something.

Memory leaks, queues getting stuck on spam messages, database corruption, services crashing... Got to the point where I found it hard to believe anyone would use or tolerate such a product.

I assumed my experience can't possibly be representative of the wider world yet the experiences have always been something that stuck with me. Each time I think it was so long ago that things must be better this time yet it always ends up sideways.

Contrast with any other mail or Zimbra like groupware I've ever used and it is day and night. If a product like this is not even reliable then it is guaranteed to be hopelessly insecure.

Re:

[labnet]

Interesting. I've had the opposite experience.
Having used exchange for 20 years with 50+ users, it's been relatively pain free.

Re:

[gnordli]

That is surprising. I have been working with Exchange since 5.0 came out. It is a house of cards and way to complicated for what it needs to be; especially for small installations. I have had many times where just applying a CU completely hoses the installation and I had to revert to a backup snapshot. Lots of times the database just won't mount on startup, so you need to run edbutil to "fix" it -- even if it was already in a clean state.

The only thing that gets exposed to the Internet on the exchange

Cranking up the volume to 10 in the office

[thesjaakspoiler]

Join all in and sing along with me 'It wasn't me!'.
https://www.youtube.com/watch?... [youtube.com]

This is 2021

[Orlando]

People are still running their own email servers?