
Hackers use Microsoft Exchange flaws to distribute the Babuk ransomware.


Cisco Talos researchers recently reported that another threat actor is targeting Microsoft Exchange Server installations that have not been patched against the ProxyShell vulnerabilities in order to deploy the Babuk ransomware.

ProxyShell is the collective name for three Exchange Server vulnerabilities:

  • CVE-2021-34473

  • CVE-2021-34523

  • CVE-2021-31207

All three were patched by Microsoft in April and May 2021, and each falls into one of the following vulnerability classes:

  • Remote code execution (CVE-2021-34473)

  • Elevation of privilege (CVE-2021-34523)

  • Security feature bypass (CVE-2021-31207)

About the Ransomware

The Babuk ransomware attack begins with a DLL or .NET executable that is dropped onto the Exchange server through the ProxyShell vulnerabilities.

This loader then connects to a remote server and downloads a payload that is staged in memory and injected into a .NET Framework process; that process then encrypts the device with the Babuk ransomware.

The Tortilla campaign, in which the Babuk ransomware was distributed, dropped its DLL and .NET components through the following exploitation attempts:

  • Microsoft Exchange autodiscover server-side request forgery attempt

  • Atlassian Confluence OGNL injection remote code execution attempt

  • Apache Struts remote code execution attempt

  • WordPress wp-config.php access via directory traversal attempt

  • SolarWinds Orion authentication bypass attempt

  • Oracle WebLogic Server remote command execution attempt

  • Liferay arbitrary Java object deserialization attempt
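As an added example (not code from the article or from Cisco Talos), the script below applies two of the listed attempt descriptions to IIS W3C log lines from an Exchange front end. The log lines are constructed for illustration, and the URI heuristics (an autodiscover.json request whose query carries an `@` and points at /mapi/nspi or /powershell, and a `../` traversal that reaches wp-config.php) are assumptions drawn from public ProxyShell hunting guidance, not the Snort signatures behind the names above.

```python
"""Hunt for ProxyShell-style exploitation attempts in IIS W3C logs.

Added example, not code from Cisco Talos or the original article. The
log below is constructed; the URI patterns are assumptions based on
public ProxyShell hunting guidance, not a complete signature set.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log: a standard IIS W3C header plus a few requests.
# 203.0.113.9 plays the attacker; 198.51.100.7 is a normal OWA user.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-11-01 10:00:01 GET /owa/auth/logon.aspx - 198.51.100.7 200
2021-11-01 10:00:05 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 203.0.113.9 200
2021-11-01 10:00:09 POST /autodiscover/autodiscover.json @evil.test/powershell/ 203.0.113.9 200
2021-11-01 10:01:00 GET /wp-content/plugins/x/download.php file=../../wp-config.php 203.0.113.9 404
2021-11-01 10:01:30 GET /autodiscover/autodiscover.json - 198.51.100.7 401
"""


@dataclass
class Hit:
    rule: str
    client: str
    uri: str


def _exchange_ssrf(stem: str, query: str) -> bool:
    # ProxyShell pre-auth path confusion: autodiscover.json with an '@'
    # in the query that redirects the request to a backend endpoint.
    q = query.lower()
    return (stem.lower().endswith("/autodiscover/autodiscover.json")
            and "@" in query
            and ("/mapi/nspi" in q or "/powershell" in q))


def _wp_config_traversal(stem: str, query: str) -> bool:
    # Directory traversal aimed at the WordPress configuration file.
    target = (stem + query).lower()
    return "wp-config.php" in target and "../" in target


# Rule names mirror the attempt descriptions listed in the article.
RULES = {
    "Microsoft Exchange autodiscover server-side request forgery attempt": _exchange_ssrf,
    "WordPress wp-config.php access via directory traversal attempt": _wp_config_traversal,
}


def parse_w3c(text: str):
    """Yield (stem, query, client) from an IIS W3C log using its #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        rec = dict(zip(fields, line.split()))
        query = rec.get("cs-uri-query", "-")
        # IIS writes '-' for an empty query; decode %XX so %3F@ reads as ?@.
        yield rec["cs-uri-stem"], ("" if query == "-" else unquote(query)), rec.get("c-ip", "?")


def hunt(text: str) -> list:
    """Return every (rule, client, uri) match found in the log text."""
    hits = []
    for stem, query, client in parse_w3c(text):
        for name, pred in RULES.items():
            if pred(stem, query):
                hits.append(Hit(name, client, stem + ("?" + query if query else "")))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"[{h.rule}] {h.client} {h.uri}")
```

Run it against a real Exchange `W3SVC1` log directory by reading each file and passing its text to `hunt`; legitimate autodiscover traffic (the last sample line) never carries an `@` redirect in the query, so the Exchange rule stays quiet on it while both attacker requests are flagged.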


To keep servers from being exploited in these attacks, administrators are strongly advised to apply the latest Exchange Server updates, which include the April and May 2021 fixes for ProxyShell.


