Criminals are installing Cryptojacking Malware on unpatched M. Exchange Servers

Cybercriminals continue to exploit unpatched Microsoft Exchange servers. Cybersecurity researchers at Sophos report an unknown attacked has been attempting to leverage the ProxyLogon exploit to unload malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server. 

Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems.

Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers — but they’re not the only ones.

According to Sophos, they were inspecting telemetry when they across this unusual attack targeting a customer’s Exchange server. he attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path /owa/auth. 

Cybersecurity researchers at Sophos report the Monero wallet of the threat actor behind this attack began receiving funds on March 9 (the Patch Tuesday in which the Exchange updates were released as part of the update cycle), which corresponds with when researchers saw the attack begin. As time has gone on, the attacker lost several servers and the cryptomining output decreased, but then gained a few new ones that more than make up for the early losses, Sophos reports. “It stood to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends,” says Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers. “What makes this example interesting is that having hacked into one such Exchange server, the attacker staged a cryptomining package on it and when hacking into other Exchange servers simply retrieved the package from the staged location. Firewalls are unlikely to block traffic between Exchange servers and may even give such traffic a pass in terms of content inspection thus providing a good channel for delivery of dubious executables.”

To protect networks against attacks that exploit the vulnerabilities in Microsoft Exchange Server, organisations are urged to apply the critical security updates as a matter of immediate priority.

“A lot of this speaks to the need for servers, especially internet-facing servers, to be running modern endpoint protection on them. Other than that, Microsoft has spelled out pretty clearly what’s needed to patch the vulnerabilities, so admins need to just be diligent and do those things,” said Brandt.