13 January 21, 16:28
(This post was last modified: 13 January 21, 16:28 by silversurfer.)
Quote:A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.
According to researchers at Palo Alto Networks’ Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September.
“We found BumbleBee hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations,” researchers explained in a Monday blog.
Analysis showed that the attackers used VPN access to directly talk to BumbleBee, frequently switching between different VPN servers that appeared to be from different countries, including Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden and the United Kingdom.
This hodgepodge approach was also borne out in the rotation of different operating systems and browsers, specifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1 or Linux systems, the firm found.
Read more: https://threatpost.com/bumblebee-exchang...py/162973/