New data suggests that hackers behind the recent Microsoft Exchange email server hack have attempted to implicate security researcher Brian Krebs following his initial reporting on the cyberattack. More than 21,000 Microsoft Exchange servers around the world had malware planted on them that includes Krebs’ name and website.
Breitbart News recently reported that hackers used a ransomware virus called DearCry to target Microsoft Exchange business email servers that have yet to be updated. Breitbart News has reported extensively on the Microsoft Exchange hack.
Microsoft warned customers that it believes a Chinese state-backed hacking group, referred to as Hafnium, has used four previously undisclosed security flaws in Microsoft’s Exchange Server enterprise email product in an attempt to steal private information.
Now, security researcher Brian Krebs alleges that hackers attempted to implicate him in the hack and has denied any involvement. In an article titled “No, I Did Not Hack Your MS Exchange Server,” Krebs writes:
New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name.
Let’s just get this out of the way right now: It wasn’t me.
The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling).
Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.
Hundreds of thousands of Exchange Server systems were targeted in the hack (Microsoft estimates the number to be around 400,000), but most have received security patches to fix the issue in recent weeks. However, tens of thousands of vulnerable servers have yet to receive the patch.
Krebs noted that cybercriminals have been using his name in hacks since last year. He received an email from a reader in December 2020 which stated: “This morning, I noticed a fan making excessive noise on a server in my homelab. I didn’t think much of it at the time, but after a thorough cleaning and test, it still was noisy. After I was done with some work-related things, I checked up on it – and found that a cryptominer had been dropped on my box, pointing to XXX-XX-XXX.krebsonsecurity.top. In all, this has infected all three Linux boxes on my network.”
The number censored by the letter X in the domain name was Krebs’ own Social Security number. Krebs has compiled a few notable examples of hackers using his name and brand which can be found here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address lucasnolan@protonmail.com