BlackByte Ransomware found exploiting ProxyShell vulnerabilities


The ProxyShell vulnerabilities identified in Microsoft Exchange Servers are being exploited by hackers operating and distributing a new ransomware variant dubbed BlackByte.

A new report published by cyber threat detection firm Red Canary states that hackers are able to exploit the three bugs identified in Microsoft Exchange Servers that are collectively called ProxyShell.

The extent of exploitation appears to be serious, as the flaws let attackers execute code remotely on the server with the server's own privileges.

Interestingly, the threat actors behind the spread of BlackByte were also found doing much more from the compromised Exchange server: by dropping a Cobalt Strike beacon through the web shell, they created further opportunities for remote exploitation of desktop applications, credential dumping and persistent espionage.

Microsoft issued a fix for a similar vulnerability in May this year, patching flaws that were being used by those launching LockFile ransomware onto compromised systems.

The tech giant also issued an alert to system administrators to patch their vulnerable Exchange Servers quickly to avoid becoming targets of further ProxyShell attacks.

Note: Such campaigns of infecting Exchange Servers and then using them to distribute malware through emails were first identified in January this year. Microsoft issued a public statement in March 2021 saying that about 250,000 of its servers belonging to over 30k American organizations could have fallen prey to the attack. By April 2021, the Satya Nadella-led company found that its email servers were being exploited for use as ransomware distribution devices.

Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security