The Microsoft Exchange Server hack resulted in the infection of more than 21,000 email systems around the world. However, a new report claimed that Brian Krebs could be behind the problem. How true is this?

Responding to the claim, the cybersecurity journalist said that it was not he who prompted the widespread malware attack. Let's find out whether the KrebsOnSecurity website has anything to do with this case.

Brian Krebs Claims It Was Not Him Who Hacked Microsoft Exchange Server


In a blog post last week, on Mar. 21, Krebs wrote that it was not he who compromised Microsoft's systems. The cybersecurity specialist denied the allegations against him.

Furthermore, The Shadowserver Foundation, a non-profit that helps organizations fix cybersecurity issues, noted that 21,248 Exchange servers were connected to an unsafe domain: brian.krebsonsecurity.top.

However, Krebs said on Friday, Mar. 26, that the non-profit organization had observed an attempt to plant a new backdoor on the Exchange servers. Each infected host was reportedly installing the backdoor in the same location.

"Shadowserver's honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft PowerShell script that fetches the file 'krebsonsecurity.exe' from the Internet address 159.65.136[.]128," Krebs said.

Krebs added that the file, which borrows the name of his security website, installs a root certificate, alters the system registry, and adds a Windows Defender exclusion so that the file is never scanned. This was not the first time Krebs has been drawn into a cybersecurity incident, as he has already dealt with many cases involving malware and its perpetrators.


How the KrebsOnSecurity File Was Executed on Exchange Servers

According to a report by ARN, David Watson, director of the Shadowserver Foundation Europe, said that the file accesses the encrypted traffic between the IP address and the Exchange server, generating a small amount of traffic that grows gradually every minute.

What Krebs wanted to point out is how exposed Microsoft Exchange Servers are, and that they need a high degree of security so that this does not happen again. There were reportedly over 400,000 attacks on Microsoft Exchange servers, some of which had already been patched over the past weeks.

On Thursday, Mar. 25, Krebs said that Shadowserver had tracked 73,927 unique active web shell paths across 13,803 IP addresses. This suggests that plenty of Exchange Servers are still vulnerable at the moment.

Earlier this month, Microsoft released updates to protect users against the vulnerabilities exploited by Hafnium, the group believed to be primarily responsible for the attacks.

The tech giant has acknowledged that the vulnerabilities in question, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, affect Microsoft Exchange Server 2013, 2016, and 2019. The chained attack began with an untrusted connection to the Exchange Server on port 443.

Earlier, Microsoft reported that Microsoft Defender Antivirus and System Center Endpoint Protection had been updated to continue mitigating CVE-2021-26855 on servers still vulnerable to the attack.


This article is owned by Tech Times

Written by Joen Coronel

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.