Hacked Exchange Server Hosts Monero Miner Targeting Other Exchange Servers

Remember the slew of vulnerabilities putting Microsoft Exchange servers at risk of various attacks?

ProxyLogon Vulnerabilities Used in Cryptojacking Attacks

Now another danger should be added to the threat list: cryptojacking, the unauthorized use of a compromised machine for cryptocurrency mining. SophosLabs researchers discovered that the attackers exploiting Exchange servers are now using the compromised servers to host a Monero miner. Other threats against such servers include APT attacks, ransomware, and webshells.

“The SophosLabs team was inspecting telemetry when they came across the unusual attack targeting a customer’s Exchange server. The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth),” the report revealed.

An unidentified threat actor has been attempting to leverage the ProxyLogon exploit to impose a Monero cryptominer onto Exchange servers. The payload itself is also hosted on a compromised Exchange server.

The executables associated with the attack are known as Mal/Inject-GV and XMR-Stak Miner (PUA). The report also shared a full list of indicators of compromise to help organizations identify whether they have been attacked.
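The report's own starting point, a download of win_r.zip from a compromised server's /owa/auth path, leaves a trace in the serving server's IIS logs: a legitimate OWA logon path should never serve archives or executables. The following is an added example, not code from the SophosLabs report or from Sophos, that walks IIS W3C-format log lines and flags successful downloads of such files from /owa/auth/. The log format, field list, IP addresses and timestamps are assumed and constructed for the example; only the file name win_r.zip comes from the report.

```python
"""Flag payload downloads served from an Exchange server's /owa/auth path.

Added example (not from the SophosLabs report). Assumes the default IIS W3C
log format, in which a '#Fields:' header declares the column names.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List
import posixpath

# File types that should never be served from the OWA logon path.
PAYLOAD_EXTENSIONS = {".zip", ".exe", ".dll", ".ps1", ".bat", ".vbs"}
OWA_AUTH_PREFIX = "/owa/auth/"


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    uri: str
    status: int


def _parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the '#Fields:' header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header rows may repeat when IIS rotates logs
            continue
        if line.startswith("#") or not fields:
            continue                    # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_owa_payload_downloads(lines: Iterable[str]) -> List[Hit]:
    """Return successful (HTTP 200) requests for payload-like files under /owa/auth/."""
    hits: List[Hit] = []
    for rec in _parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.startswith(OWA_AUTH_PREFIX):
            continue
        if posixpath.splitext(stem)[1] not in PAYLOAD_EXTENSIONS:
            continue
        try:
            status = int(rec.get("sc-status", "0"))
        except ValueError:
            continue
        if status != 200:
            continue                    # a 404 is noise; a 200 means the file was really served
        hits.append(Hit(f"{rec['date']} {rec['time']}", rec.get("c-ip", "?"), stem, status))
    return hits


# Constructed sample log, not real telemetry: the file name win_r.zip is the one
# named in the SophosLabs write-up; the IPs, timestamps and user agents are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-04-10 03:12:05 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0 200
2021-04-10 03:12:06 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 200
2021-04-10 03:14:41 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 198.51.100.23 WindowsPowerShell/5.1 200
2021-04-10 03:15:02 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 198.51.100.24 WindowsPowerShell/5.1 404
2021-04-10 03:16:30 10.0.0.5 GET /ecp/default.aspx - 443 admin 203.0.113.9 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for h in find_owa_payload_downloads(SAMPLE_LOG.splitlines()):
        print(f"{h.timestamp} {h.client_ip} fetched {h.uri} (HTTP {h.status})")
```

On the constructed sample only the single successful win_r.zip fetch is reported; the normal logon page and theme resources under /owa/auth/ are ignored, as is the request that returned 404. A hit here means the server was serving the payload to others, which is the secondary compromise the report describes, so the flagged server itself needs investigation, not just the client that fetched the file.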

More about the ProxyLogon vulnerabilities

The vulnerabilities affecting Microsoft Exchange Server are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Affected versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.

The flaws are used as part of an attack chain known as ProxyLogon. To be successfully initiated, an attack requires an untrusted connection to a specific Exchange server port, 443. This entry point can be protected by restricting untrusted connections, or by setting up a VPN to separate the server from external access. However, these mitigation tricks only offer partial protection. The company warns that other portions of the attack chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

It is noteworthy that last March, state-sponsored hacking groups were exploiting CVE-2020-0688, another vulnerability in Microsoft Exchange email servers. Then, in May, Exchange servers were targeted by the so-called Valar Trojan. The malware attack was aimed mainly at victims in Germany and the USA, in an advanced threat scenario delivered to the vulnerable systems in a multi-stage way.

Milena Dimitrova
