Description
Cisco security researchers recently reported that another threat actor group is targeting Microsoft Exchange servers that have not been patched against the ProxyShell vulnerabilities in order to deploy the "Babuk" ransomware.
ProxyShell is the collective name for three Exchange Server vulnerabilities:
CVE-2021-34473
CVE-2021-34523
CVE-2021-31207
All three vulnerabilities, which fall into the following classes, were already patched by Microsoft in April and May this year:
Remote code execution vulnerability
Elevation of privilege vulnerability
Security feature bypass vulnerability
About the Ransomware
The Babuk ransomware attack begins with a DLL or .NET executable that is installed on the Exchange server through the ProxyShell vulnerabilities.
This initial component then connects to 'pastebin.pl' and downloads a payload that is placed into memory; the attackers inject it into a .NET Framework process, which then encrypts the device with the Babuk ransomware.
Alongside the DLL and .NET components, the following intrusion attempts were observed in the Tortilla campaign in which the Babuk ransomware was distributed:
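The callback to 'pastebin.pl' described above is the most observable step in this chain from a defender's side. The following detection script is an added example and is not code from the page or from Cisco; it assumes a constructed, simplified proxy log format (timestamp, source host, process, destination host, port) and hypothetical Exchange host names, and it flags connections from Exchange servers to the staging domain or any of its subdomains while ignoring look-alike domains.

```python
import re
from typing import Dict, List, Set

# Staging domain named in the report: the loader fetches its payload from here.
STAGING_DOMAIN = "pastebin.pl"

# Constructed sample log lines (not real traffic) in the assumed format:
# <timestamp> <src_host> <process> <dst_host> <dst_port>
SAMPLE_LOG = """\
2021-11-10T09:12:01Z exch01 w3wp.exe outlook.office365.com 443
2021-11-10T09:12:07Z exch01 w3wp.exe pastebin.pl 443
2021-11-10T09:13:44Z ws-17 chrome.exe www.pastebin.pl 443
2021-11-10T09:14:02Z exch01 MSExchangeMailboxReplication.exe cdn.pastebin.pl.example.org 443
2021-11-10T09:15:30Z exch02 MSExchangeHMWorker.exe pastebin.pl 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<port>\d+)$"
)


def host_matches(dst: str, ioc: str) -> bool:
    """True for the IoC domain itself or any subdomain of it.

    A plain substring check would also match look-alikes such as
    pastebin.pl.example.org, so compare on label boundaries instead.
    """
    dst = dst.lower().rstrip(".")
    return dst == ioc or dst.endswith("." + ioc)


def find_staging_callbacks(log_text: str, exchange_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return log records where an Exchange server contacted the staging domain."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        rec = m.groupdict()
        if rec["src"] in exchange_hosts and host_matches(rec["dst"], STAGING_DOMAIN):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Hypothetical Exchange host names used only for this example.
    for h in find_staging_callbacks(SAMPLE_LOG, {"exch01", "exch02"}):
        print(f"{h['ts']} {h['src']} {h['proc']} -> {h['dst']}:{h['port']}")
```

Running it reports the two connections from the Exchange hosts to pastebin.pl; the workstation hit and the look-alike domain are ignored.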
Microsoft Exchange autodiscover server-side request forgery attempt
Atlassian Confluence OGNL injection remote code execution attempt
Apache Struts remote code execution attempt
WordPress wp-config.php access via directory traversal attempt
SolarWinds Orion authentication bypass attempt
Oracle WebLogic Server remote command execution attempt
Liferay arbitrary Java object deserialization attempt
Recommendation
To prevent their Exchange servers from being exploited in these attacks, administrators are strongly advised to update them to the latest patched versions.