The Microsoft Exchange ProxyShell vulnerabilities are being exploited yet again for ransomware, this time with Babuk from the new “Tortilla” threat actor.
A new-ish threat actor sometimes known as “Tortilla” is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of inflicting vulnerable servers with variants of the Babuk ransomware.
Cisco Talos researchers said in a Wednesday report that they spotted the malicious campaign a few weeks ago, on Oct. 12.
Tortilla, an actor that’s been operating since July, is predominantly targeting U.S. victims. It’s also hurling a smaller number of infections that have hit machines in the Brazil, Finland, Germany, Honduras, Thailand, Ukraine and the U.K., as shown on the map below.
Victim distribution map. Source: Cisco Talos.
Prior to this ransomware-inflicting campaign, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone PowerCat.
Netcat is a networking utility for reading from and writing to network connections using TCP or UDP, designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
PowerCat has a penchant for Windows, the researchers
Read More: https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/