Malicious cryptominer exploits MS Exchange Server vulnerabilities

Cybercriminals continue to exploit the four Microsoft Exchange Server vulnerabilities known collectively as ProxyLogon, despite global warnings to organisations that patching and protecting systems is imperative to avoid attack.

Attacks have come in the form of DearCry and Black Kingdom ransomware, as well as cryptomining malware.

Sophos principal threat researcher Andrew Brandt says cryptominers were quick to take advantage of the vulnerabilities, moving ‘within hours’ of their public disclosure and the release of patches.

Sophos recently published an alert that a modified build of xmr-stak, a legitimate open-source Monero cryptominer, had been found on a hacked Exchange server.

The attackers then used that compromised server as a base from which to target other Exchange servers still unpatched against the ProxyLogon vulnerabilities.

The creators of the xmr-stak variant called it QuickCPU, a name it shares with an unrelated CPU optimisation tool.

“Our analysis of this campaign shows mining value flowing to the attackers’ Monero wallet on March 9, with the attack diminishing rapidly in scale thereafter. This suggests we are looking at yet another rapidly compiled, opportunistic and possibly experimental attack attempting to make some easy money before widespread patching takes place,” explains Brandt.

He adds that the attackers used anti-detection techniques such as running the miner in memory to hide it from disk scans, deleting all traces of its installation and configuration files, and encrypting its communications with the Monero wallet associated with the miner.

Although a mining infection usually shows itself as a sharp loss of available processing capacity, an unpatched server can remain compromised for a long time before any symptoms emerge.

Brandt says that the first step organisations should take is to install all patches related to the ProxyLogon and Exchange Server vulnerabilities.

Organisations must also assess their wider exposure, since patching closes the entry point but does not remove anything an attacker has already installed.

Brandt says, “Admins should scan the Exchange server for web shells and monitor servers for any unusual processes that appear seemingly out of nowhere. 

“High processor usage by an unfamiliar program could be a sign of crypto-mining activity or ransomware. If this isn’t possible, closely monitor the server until you migrate the Exchange data to an updated server then disconnect the unpatched server from the internet.” 
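The three checks described above (confirm the server build, sweep the web-facing Exchange directories for web shells, and catch unfamiliar processes burning CPU) can be run as one triage script. The script below is an added example written for this page, not Sophos code or anything from the campaign; the directory list, the 30-day window, the regex, the 25% CPU threshold and the "known-good" directories are assumptions for illustration and should be adapted to your environment. Run it in an elevated PowerShell session on the Exchange server, because process paths of privileged processes are hidden from a non-elevated shell.

```powershell
# Added example (not from the original article): ProxyLogon post-exposure triage.
# Assumptions are marked; tune them before relying on the output.

# --- 1. Record the Exchange build so it can be compared with Microsoft's patched-build list.
$ExchangeRoot = $env:ExchangeInstallPath                      # set by Exchange setup; assumed present
if (-not $ExchangeRoot) { $ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }  # assumed default
$ExSetup = Join-Path $ExchangeRoot 'Bin\ExSetup.exe'
$Build = if (Test-Path $ExSetup) { (Get-Item $ExSetup).VersionInfo.ProductVersion } else { 'ExSetup.exe not found' }
"== Exchange build: $Build (compare with the patched builds in Microsoft's ProxyLogon guidance) =="

# --- 2. Web shell sweep: script files dropped recently into web-facing directories, or whose
#        content executes request parameters. Directories are the ones commonly cited in public
#        ProxyLogon guidance (assumption: extend with any custom virtual directories you host).
$WebDirs = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web'
)
$Since   = (Get-Date).AddDays(-30)                             # assumed lookback window
$Pattern = 'Request\.(Item|Form|QueryString|Headers)\[|eval\s*\(|Process\.Start'  # assumed indicators

$Suspects = foreach ($dir in $WebDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx,*.asp,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -gt $Since -or
            (Select-String -Path $_.FullName -Pattern $Pattern -Quiet -ErrorAction SilentlyContinue)
        } |
        Select-Object FullName, LastWriteTime, Length
}
"== Possible web shells (recently written, or executing request input) =="
$Suspects | Format-Table -AutoSize

# --- 3. Process sweep. Get-Process reports cumulative CPU seconds, so two samples a few seconds
#        apart are needed to get a real utilisation figure. Every process over the threshold is
#        listed, not only ones from odd paths: an in-memory miner can hide inside a process whose
#        image on disk is perfectly legitimate, so signature and path are context, not a verdict.
$KnownGoodDirs = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }  # assumption
$Interval  = 5                                                 # seconds between samples
$Threshold = 25                                                # assumed: % of total CPU worth a look
$Cores     = [int]$env:NUMBER_OF_PROCESSORS

$Sample1 = Get-Process | Select-Object Id, ProcessName, Path, CPU
Start-Sleep -Seconds $Interval
$Sample2 = Get-Process | Select-Object Id, ProcessName, Path, CPU

$Hot = foreach ($p in $Sample2) {
    $prev = $Sample1 | Where-Object { $_.Id -eq $p.Id }
    if (-not $prev -or $null -eq $p.CPU -or $null -eq $prev.CPU) { continue }
    $pct = (($p.CPU - $prev.CPU) / $Interval) * 100 / $Cores
    if ($pct -lt $Threshold) { continue }

    $fromKnownDir = $false
    foreach ($d in $KnownGoodDirs) {
        if ($p.Path -and $p.Path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $fromKnownDir = $true }
    }
    $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'NoPath' }

    [pscustomobject]@{
        Id        = $p.Id
        Name      = $p.ProcessName
        CpuPct    = [math]::Round($pct, 1)
        Signature = $sig          # 'Valid' means a trusted publisher; anything else deserves a look
        KnownDir  = $fromKnownDir # $false: running from a user, temp or other unexpected location
        Path      = $p.Path
    }
}
"== Processes above $Threshold% CPU over $Interval s (review unsigned / unknown-path entries first) =="
$Hot | Sort-Object CpuPct -Descending | Format-Table -AutoSize
```

A hit in section 2 is a reason to treat the server as compromised and take it off the network for investigation, not to simply delete the file; a hit in section 3 with a valid signature and a known path still needs a look at what that process is doing, since the miner described above left no files of its own behind.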

ProxyLogon is one of a steadily growing number of vulnerabilities under active exploitation, yet organisations are limited by cybersecurity skills shortages that make in-house protection from these threats difficult, if not impossible.

Sophos Managed Threat Response provides 24/7 threat hunting, detection, and response delivered by an expert team as a fully managed service.