A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk ransomware.
The ProxyShell attacks against vulnerable Microsoft Exchange servers started several months ago, with LockFile and Conti being among the first ransomware groups to exploit them.
According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as 'Tortilla' joined the club in October, when the actor started using the 'China Chopper' web shell on breached Exchange servers.
The name Tortilla comes from the malicious executables spotted in these campaigns, which were named Tortilla.exe.
Starts with Exchange
The Babuk ransomware attack starts with a DLL or .NET executable dropped on the Exchange server through the ProxyShell vulnerability.