A new threat actor tracked as “Tortilla” is exploiting the Microsoft Exchange ProxyShell vulnerabilities to deploy Babuk ransomware and extort money from victims. According to a report released on Wednesday by Cisco Talos researchers, the malicious activity was first observed on October 12th.
Tortilla, a threat actor who has been active since July this year, mostly targets users in the United States. However, machines in the United Kingdom, Brazil, Finland, Germany, Thailand, Ukraine and Honduras have also been registered as victims of the actor’s activity.
Introducing ProxyShell’s Latest Attack Surface
According to Cisco Talos researchers, a fairly new infection chain is being used to deploy Babuk in this latest ProxyShell campaign. An intermediate unpacking module is hosted on pastebin.pl, a pastebin.com clone. That intermediate stage is downloaded and decoded in memory, after which the final Babuk payload, hidden inside the original sample, is decrypted and executed, the researchers explain.
As Cisco Talos describes it, Babuk is a versatile ransomware that can be built for a variety of hardware and software platforms using a ransomware builder. Researchers say they have spotted versions of Babuk for ESX and a 32-bit build, in addition to the Windows and ARM versions.
ProxyShell chains three vulnerabilities: CVE-2021-34473, a pre-authentication path confusion bug in the Exchange front end; CVE-2021-34523, a privilege elevation flaw in the Exchange PowerShell backend; and CVE-2021-31207, a post-authentication arbitrary file write. Together they let an unauthenticated attacker achieve remote code execution (RCE) on the Exchange server.
The infection chain also uses the China Chopper web shell, which lets the attackers keep access to a compromised server: a tiny server-side script accepts commands from a client-side program that bundles everything needed to control the target (file management, command execution and database access).
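As an added example (not code from this page or from the Cisco Talos report), the following Python snippet shows the two server-side traces this chain leaves in IIS logs: the path-confusion request to autodiscover.json whose query starts with “@” and points at a backend path such as /mapi/nspi or /powershell (usually with the Email=autodiscover/autodiscover.json? trick appended), and POSTs to an .aspx web shell in a directory such as /aspnet_client/ that should never hold executable pages. The log lines, IP addresses, host names and the supp0rt.aspx file name are constructed for the example; the allowlist in KNOWN_GOOD is a starting point that defenders extend for their own build.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the Talos report). 10.0.0.5 is a
# legitimate Outlook user; 203.0.113.7 is a hypothetical scanner that runs the
# ProxyShell chain and then talks to a dropped web shell.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-10-12 09:14:02 192.168.1.10 POST /autodiscover/autodiscover.xml - 443 corp\alice 10.0.0.5 Microsoft+Office/16.0 200
2021-10-12 09:14:31 192.168.1.10 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.26.0 200
2021-10-12 09:14:33 192.168.1.10 POST /autodiscover/autodiscover.json @evil.example/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.26.0 200
2021-10-12 09:15:10 192.168.1.10 POST /aspnet_client/supp0rt.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2021-10-12 09:15:12 192.168.1.10 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail%2fowa 443 - 10.0.0.5 Mozilla/5.0 200
"""

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
BACKEND_HINTS = ("/mapi/nspi", "/powershell", "/ews/", "/ecp/")
# Directories where Exchange never serves attacker-controlled .aspx pages;
# extend KNOWN_GOOD with pages your build legitimately exposes there.
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/ecp/auth/logon.aspx"}


def parse_iis(text):
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def is_proxyshell_probe(rec):
    """CVE-2021-34473 path confusion: autodiscover.json with an '@' in the query
    that redirects the front end to a backend endpoint, usually with the
    Email=autodiscover/autodiscover.json? trick to satisfy the URL check."""
    if rec["cs-uri-stem"].lower() != AUTODISCOVER_JSON:
        return False
    query = unquote(rec["cs-uri-query"]).lower()
    return "@" in query and (
        "email=autodiscover/autodiscover.json" in query
        or any(hint in query for hint in BACKEND_HINTS)
    )


def is_webshell_candidate(rec):
    """POST to an .aspx page in a directory that should hold no executable pages."""
    stem = rec["cs-uri-stem"].lower()
    if rec["cs-method"] != "POST" or not stem.endswith(".aspx"):
        return False
    return any(stem.startswith(d) for d in WEBSHELL_DIRS) and stem not in KNOWN_GOOD


def triage_iis(text):
    """Return (label, client_ip, uri_stem) for every suspicious request."""
    findings = []
    for rec in parse_iis(text):
        if is_proxyshell_probe(rec):
            findings.append(("proxyshell", rec["c-ip"], rec["cs-uri-stem"]))
        elif is_webshell_candidate(rec):
            findings.append(("webshell", rec["c-ip"], rec["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for label, ip, stem in triage_iis(SAMPLE_LOG):
        print(f"{label:11} {ip:15} {stem}")
```

Run against the real logs under %SystemDrive%\inetpub\logs\LogFiles; the ProxyShell rule is a reliable post-patch check too, because a patched server answers the probe with a 4xx rather than the 200 seen here, and the client IPs it surfaces are the ones to correlate with later web shell POSTs.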
How to Ensure the Safety of Microsoft Exchange?
According to the report, Tortilla scans the internet for Exchange servers that are still exposed to ProxyShell and compromises the vulnerable hosts it finds.
That is why, according to experts, it is important to catch an infection in its early stages and to apply layered defense by enabling behavioral protection on endpoints and servers. Keeping servers and applications up to date also limits the chance that vulnerability chains such as the three ProxyShell CVEs can be exploited at all: Microsoft fixed CVE-2021-34473 and CVE-2021-34523 in the April 2021 Exchange security update and CVE-2021-31207 in the May 2021 update, months before this campaign began.
Cisco Talos researchers note that when Babuk encrypts a machine, it may also destroy backups by interrupting the backup process and erasing volume shadow copies, so defenders should watch for signs of backup destruction.
They also recommend watching for system configuration changes, for abrupt service terminations reported by detection systems, and for unusually high I/O rates on drives attached to servers.
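As an added example (not code from this page or from the Cisco Talos report), here is detection logic in Python for two of the signals above, run over a handful of constructed process-creation events in the shape of Sysmon Event ID 1 records: command lines that delete volume shadow copies or otherwise disable recovery, and a burst of service stops from a single parent process, which is how ransomware kills backup and database services before encrypting. The event records, the update.exe loader name and the service-name keywords are assumptions made for the example; the regexes are generic ransomware indicators, not Babuk-specific strings taken from the report.

```python
import re
from datetime import datetime

# Constructed process-creation events in Sysmon Event ID 1 style (not from the
# Talos report): (UtcTime, Image, CommandLine, ParentImage). update.exe stands in
# for a hypothetical ransomware loader; the last two events are benign admin work.
EVENTS = [
    ("2021-10-12 09:20:01", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c vssadmin.exe delete shadows /all /quiet", r"C:\Users\Public\update.exe"),
    ("2021-10-12 09:20:02", r"C:\Windows\System32\net.exe",
     "net stop VeeamBackupSvc /y", r"C:\Users\Public\update.exe"),
    ("2021-10-12 09:20:02", r"C:\Windows\System32\net.exe",
     "net stop MSSQLSERVER /y", r"C:\Users\Public\update.exe"),
    ("2021-10-12 09:20:03", r"C:\Windows\System32\sc.exe",
     "sc stop vss", r"C:\Users\Public\update.exe"),
    ("2021-10-12 09:20:05", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete", r"C:\Users\Public\update.exe"),
    ("2021-10-12 09:25:00", r"C:\Windows\System32\net.exe",
     "net stop Spooler", r"C:\Windows\explorer.exe"),
    ("2021-10-12 09:30:00", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
]

# Command lines that destroy recovery data; any one of these on a file server
# or Exchange host is worth an alert on its own.
SHADOW_COPY_RULES = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
# "net stop <svc>" / "sc stop <svc>"; the service name is captured for the backup check.
SERVICE_STOP = re.compile(r'\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+"?([^\s"]+)', re.I)
# Assumed keywords for backup, database and mail services (extend for your estate).
BACKUP_SERVICE_HINT = re.compile(r"vss|sql|veeam|backup|acronis|veritas|exchange", re.I)


def classify(cmdline):
    """Label a single command line, or return None if it is not interesting."""
    for rule in SHADOW_COPY_RULES:
        if rule.search(cmdline):
            return "shadow_copy_deletion"
    m = SERVICE_STOP.search(cmdline)
    if m:
        return "backup_service_stop" if BACKUP_SERVICE_HINT.search(m.group(1)) else "service_stop"
    return None


def triage_process_events(events, window_seconds=60, burst_threshold=3):
    """Return (label, parent_image, detail) findings. Besides per-command hits,
    flag any parent that stops burst_threshold or more services within
    window_seconds: ransomware kills backup and database services in a burst,
    while an administrator stops one service at a time."""
    findings = []
    stops_by_parent = {}
    for ts, _image, cmdline, parent in events:
        label = classify(cmdline)
        if label is None:
            continue
        findings.append((label, parent, cmdline))
        if label.endswith("service_stop"):
            stops_by_parent.setdefault(parent, []).append(
                datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    for parent, times in stops_by_parent.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append(("service_stop_burst", parent,
                                 f"{burst_threshold}+ service stops within {window_seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for label, parent, detail in triage_process_events(EVENTS):
        print(f"{label:20} {parent:35} {detail}")
```

The single "net stop Spooler" from explorer.exe is still reported, but only as a low-severity service_stop; the shadow-copy deletions and the burst from update.exe are the alerts to page on, and the parent image in each finding is the process to isolate and pull from disk for analysis.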