Cybercriminals use the KrebsOnSecurity name to conduct attacks on critical Microsoft Exchange Servers.
KrebsOnSecurity is a well-known cybersecurity blog. The good name of Brian Krebs, the expert behind the blog, has already been abused by criminals in the past: they turned him into a meme, launched denial-of-service (DoS) attacks against his website, and SWATed him, placing hoax calls to law enforcement.
Now a domain mimicking the legitimate KrebsOnSecurity.com has been connected to hackers exploiting critical bugs in Microsoft Exchange Server.
Shadowserver Foundation, a nonprofit that helps identify and fix network security threats, says 21,248 compromised Microsoft Exchange servers have recently been detected communicating with the brian[.]krebsonsecurity[.]top domain.
In a blog post this weekend, Krebs says the compromised systems had likely been hijacked first, after which the attackers used Babydraco backdoors to communicate with the malicious domain.
Shadowserver’s honeypots saw that hackers deployed web shells to addresses like /owa/auth/babydraco.aspx for remote access and control.
In addition, attackers deploy a malicious file named “krebsonsecurity.exe” via PowerShell to facilitate data transfers. Krebs notes that none of the antivirus tools at Virustotal.com currently detect it as malicious.
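The article names three observable indicators: the web shell path seen by Shadowserver's honeypots, the brian[.]krebsonsecurity[.]top callback domain, and the dropped "krebsonsecurity.exe" binary launched through PowerShell. As an added example (not code from the article, from Shadowserver, or from Krebs), the Python below checks constructed IIS, DNS and process-creation log lines for those three indicators. The log line layouts and the sample lines are assumptions made for this example; only the three indicator strings come from the article.

```python
"""Scan sample IIS, DNS and process logs for the indicators named in the article."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators named in the article. Everything else in this block is constructed.
WEBSHELL_PATH = "/owa/auth/babydraco.aspx"
C2_DOMAIN = "brian.krebsonsecurity.top"
C2_ZONE = "krebsonsecurity.top"
DROPPED_FILE = "krebsonsecurity.exe"


@dataclass(frozen=True)
class Finding:
    source: str     # which log the hit came from
    indicator: str  # which indicator matched
    line: str       # the raw log line


def scan_iis(lines: Iterable[str]) -> List[Finding]:
    """Flag requests for the web shell path in IIS W3C log lines.

    Field layout assumed (IIS default): date time s-ip cs-method cs-uri-stem ...
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank line or W3C header line
        fields = line.split()
        if len(fields) < 5:
            continue
        uri = fields[4].lower()
        if uri == WEBSHELL_PATH:
            hits.append(Finding("iis", WEBSHELL_PATH, line))
    return hits


def scan_dns(lines: Iterable[str]) -> List[Finding]:
    """Flag queries for the callback domain or any name under its zone.

    Line layout assumed (constructed): timestamp client-ip qname qtype
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].lower().rstrip(".")  # normalise case and trailing dot
        if qname == C2_ZONE or qname.endswith("." + C2_ZONE):
            hits.append(Finding("dns", qname, line))
    return hits


def scan_process(lines: Iterable[str]) -> List[Finding]:
    """Flag process-creation lines whose text references the dropped binary."""
    pattern = re.compile(re.escape(DROPPED_FILE), re.IGNORECASE)
    return [Finding("process", DROPPED_FILE, ln) for ln in lines if pattern.search(ln)]


# Constructed sample logs: one benign and one suspicious line per source.
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip",
    "2021-03-20 10:01:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 192.0.2.10",
    "2021-03-20 10:05:44 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 198.51.100.7",
]
SAMPLE_DNS = [
    "2021-03-20T10:06:01Z 10.0.0.5 outlook.office365.com A",
    "2021-03-20T10:06:03Z 10.0.0.5 brian.krebsonsecurity.top A",
]
SAMPLE_PROCESS = [
    '2021-03-20T10:06:05Z 10.0.0.5 ParentImage=w3wp.exe Image=powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden C:\\Windows\\Temp\\krebsonsecurity.exe"',
    '2021-03-20T10:07:10Z 10.0.0.5 ParentImage=explorer.exe Image=notepad.exe '
    'CommandLine="notepad.exe notes.txt"',
]


def run_all() -> List[Finding]:
    """Run every scanner over the constructed samples and collect the findings."""
    return scan_iis(SAMPLE_IIS) + scan_dns(SAMPLE_DNS) + scan_process(SAMPLE_PROCESS)


if __name__ == "__main__":
    for finding in run_all():
        print(f"[{finding.source}] {finding.indicator}: {finding.line}")
```

The DNS check matches the whole krebsonsecurity[.]top zone rather than only the one hostname, since the article ties the zone itself to earlier cryptomining activity; the IIS check is deliberately an exact path match, because legitimate OWA pages such as logon.aspx also live under /owa/auth/ and a looser pattern would be noisy.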
“The motivations of the cybercriminals behind the Krebonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author,” Krebs commented.
One of his readers reported in December 2020 that the domain was used to hijack their network and deploy a cryptocurrency mining botnet.
Last week, Microsoft warned of follow-up attacks on already compromised Exchange servers, which may include reconnaissance, ransomware deployment, and cryptocurrency mining operations.
“Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the company said.