Microsoft Exchange ProxyShell Exploits Used to Deploy Babuk Ransomware

Microsoft Exchange ProxyShell vulnerabilities are once again being exploited by threat actors to conduct ransomware attacks. Recently, researchers at Cisco Talos have observed a campaign of Babuk ransomware targeting victims via vulnerabilities in their Microsoft Exchange servers. The unknown threat actor, who researchers label “Tortilla,” has infected systems worldwide but has predominantly attacked U.S.-based entities. Typically, a Babuk ransomware attack begins with a DLL, or .NET executable loaded on the Exchange server via the ProxyShell vulnerability. “The Exchange IIS worker process w3wp.exe then executes this malicious payload to execute obfuscated PowerShell command that features endpoint protection bypassing, eventually invoking a web request to fetch a payload loader named ‘tortilla.exe.’ This loader will connect to ‘pastebin.pl’ and download a payload that is loaded into memory and injected into a NET Framework process, which ultimately encrypts the device with the Babuk Ransomware,” according to BleepingComputer. This activity seeks to exploit unpatched vulnerabilities; therefore, members are urged to apply the latest Microsoft security updates to protect their organizations from this threat. Read more at BleepingComputer or at Cisco Talos.