Hackers Fail to Blame Exchange Server Attacks on Brian Krebs


March 30, 2021

Brian Krebs has quite the reputation in the cybersecurity community. A good reputation too. He’s not some nefarious dweeb out there trying to cash in on fear and it’s related ilk. He’s a true blue, dyed in the wool, cybersecurity researcher and journalist.

Krebs is such an authority on the topic, I find myself visiting his site daily, if not more, to see what trail of crumbs he’s been following. His latest series, based around the recent Microsoft Exchange Server attacks has been, really, really good and worth following (and you can do so here).

Krebs added a new entry on the 28th that is silly but worth sharing. Attackers have trying to “frame” him for just over 21,000 (and counting) exchange server attacks since he started his coverage. The discovery was made by the Shadowserver Foundation.

Shadowserver found compromised Exchange servers were trying to connect with a malicious URL named brian[.]krebsonsecurity[.}tops. It looks like the attackers who’ve tried to blame Krebs(for whatever reason, probably a little bit of infamy when he posted his article on the subject) are associated with a variety of Exchange Server hacks.

After attackers install their backdoor, in this instance located at “/owa/auth/babydraco.aspx.”, the Exchange Server starts to communicate with the malicious Krebs url mentioned above and downloads and installs a “krebsonsecurity.exe” file.

“The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file,” said David Watson, when interviewed by Krebs. He also said, “the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute.”

Microsoft did issue a patch earlier this month that helps protect Exchange Server users. You can find more information about that here.

Like our blog? You can view more posts down below.

Carl Keyser is the Content Manager at Integris.

Keep reading

A Personal Twist on Zero Trust Security

A Personal Twist on Zero Trust Security

The massive Australian data breach in late September inspires me to share a personal twist on Zero Trust Security. What makes this incident colossal? BBC News Australia reports, "Australian telecommunications giant Optus revealed about 10 million customers - about 40%...

4 Cybersecurity Takeaways from China’s Largest Data Breach

4 Cybersecurity Takeaways from China’s Largest Data Breach

Cybersecurity drama strikes again as human error leads to China's biggest data breach and perhaps the most significant hack of personal information in history. According to Threat Post, the incident was triggered after a Chinese government software developer wrote a...

The Business Impact of the AGCO Ransomware Attack

The Business Impact of the AGCO Ransomware Attack

On May 6, 2022, global agricultural equipment manufacturer and distributor AGCO announced they were victims of a ransomware attack. The cyber assault hit some of their production facilities on May 5. Restoring operations to normal will take several or more days. While...