Cyber criminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money.
Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems.
Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers — but they’re not the only ones.
Cybersecurity researchers at Sophos have identified attackers attempting to take advantage of the Microsoft Exchange Server ProxyLogon exploit to secretly install a Monero cryptominer on Exchange servers.
“Server hardware is pretty desirable for cryptojacking because it usually has a higher performance than a desktop or laptop. Because the vulnerability permits the attackers to simply scan the whole internet for available, vulnerable machines, and then roll them into the network, it’s basically free money rolling in for the attackers,” Andrew Brandt, principal threat researcher at Sophos, told ZDNet.
Monero isn’t nearly as valuable as Bitcoin, but it’s easier to mine and, crucially for cyber criminals, provides greater anonymity, making the owner of the wallet — and those behind attacks — harder to trace.
While being compromised by a cryptocurrency miner might not sound as bad as a ransomware attack or the loss of sensitive data, it still represents a concern for organisations.
That’s because it means cyber attackers have been able to secretly gain access to the network and, crucially, that the organisation still hasn’t applied the critical updates designed to protect against all manner of attacks.
According to analysis by Sophos, the Monero wallet of the attacker behind this campaign began receiving funds from mining on March 9, just a few days after the Exchange vulnerabilities came to light, suggesting the attacker was quick off the mark in exploiting unpatched servers.
The attacks begin with a PowerShell command that retrieves a file from a previously compromised server’s Outlook Web Access logon path, which in turn downloads executable payloads to install the Monero miner.
Researchers note that the executable appears to contain a modified version of a tool that’s publicly available on GitHub; when the content is run on a compromised server, evidence of the installation is deleted, while the mining process runs in memory.
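The chain described above begins with a fetch from a compromised server’s Outlook Web Access logon path. As an added detection example (not code from the article or from Sophos), the Python below scans IIS W3C logs for requests under that path for file types a stock logon page does not serve; the `/owa/auth/` prefix, the allow-list of extensions and the sample log lines are assumptions constructed for the example.

```python
"""Detection sketch: flag files fetched from the OWA logon path in IIS logs."""
from typing import Iterable, List, Dict

# The article describes the chain starting with a fetch from a compromised
# server's Outlook Web Access logon path; /owa/auth/ is assumed to be that path.
OWA_LOGON_PREFIX = "/owa/auth/"
# Assumption: resource types a stock OWA logon page normally serves.
EXPECTED_EXTENSIONS = {"aspx", "css", "js", "png", "gif", "ico", "htm",
                       "html", "woff", "woff2", "svg", "jpg", "json"}

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C log lines; the #Fields: header names the columns."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_owa_auth_fetches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return requests under /owa/auth/ for files the logon page should not serve."""
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "").lower()
        if not uri.startswith(OWA_LOGON_PREFIX):
            continue
        name = uri.rsplit("/", 1)[-1]          # last path segment
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext not in EXPECTED_EXTENSIONS:    # unknown type or bare directory
            hits.append({"when": f"{row['date']} {row['time']}",
                         "client": row.get("c-ip", "?"), "uri": uri,
                         "status": row.get("sc-status", "?")})
    return hits

# Constructed sample log lines (not real telemetry); IIS replaces spaces
# inside a field with '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-10 02:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-10 02:14:02 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/logon.css - 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-10 02:16:40 10.0.0.5 GET /owa/auth/current/themes/resources/update.txt - 443 - 198.51.100.9 Mozilla/5.0 200
2021-03-10 02:17:12 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_owa_auth_fetches(SAMPLE_LOG):
        print(hit)
```

Run it against a real IIS log directory by feeding each file’s lines to `find_owa_auth_fetches` and reviewing any hit against the server’s own deployed OWA resources.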
It’s unlikely that the operators of servers that have been hijacked by crypto-mining malware will notice there’s an issue — unless the attacker gets greedy and uses an extensive amount of processing power that’s easily identified as unusual.
To protect networks against attacks that exploit the vulnerabilities in Microsoft Exchange Server, organisations are urged to apply the critical security updates as a matter of immediate priority.
“A lot of this speaks to the need for servers, especially internet-facing servers, to be running modern endpoint protection on them. Other than that, Microsoft has spelled out pretty clearly what’s needed to patch the vulnerabilities, so admins need to just be diligent and do those things,” said Brandt.