‘Tortilla’ Wraps Exchange Servers in ProxyShell Attacks

The Microsoft Exchange ProxyShell vulnerabilities are being exploited yet again for ransomware, this time with Babuk from the new “Tortilla” threat actor.

A new-ish threat actor sometimes known as “Tortilla” is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of infecting vulnerable servers with variants of the Babuk ransomware.

Cisco Talos researchers said in a Wednesday report that they spotted the malicious campaign a few weeks ago, on Oct. 12.

Tortilla, an actor that has been operating since July, is predominantly targeting U.S. victims. It has also caused a smaller number of infections on machines in Brazil, Finland, Germany, Honduras, Thailand, Ukraine and the U.K., as shown on the map below.

Victim distribution map. Source: Cisco Talos.

Prior to this ransomware campaign, Tortilla had been experimenting with other payloads, such as PowerCat, a PowerShell-based netcat clone.


Netcat is a networking utility for reading from and writing to network connections using TCP or UDP, designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.

PowerCat has a penchant for Windows, the researchers

Read More: https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/