Cybercriminals continue to exploit unpatched Microsoft Exchange servers. Cybersecurity researchers at Sophos report an unknown attacked has been attempting to leverage the ProxyLogon exploit to unload malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server. 

According to Sophos, they were inspecting telemetry when they across this unusual attack targeting a customer's Exchange server. he attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth). 

Andrew Brandt, principal threat researcher at Sophos, told ZDNet, "Server hardware is pretty desirable for cryptojacking because it usually has a higher performance than a desktop or laptop. Because the vulnerability permits the attackers to simply scan the whole internet for available, vulnerable machines, and then roll them into the network, it's basically free money rolling in for the attackers."

Cybersecurity researchers at Sophos report the Monero wallet of the threat actor behind this attack began receiving funds on March 9 (the Patch Tuesday in which the Exchange updates were released as part of the update cycle), which corresponds with when researchers saw the attack begin. As time has gone on, the attacker lost several servers and the cryptomining output decreased, but then gained a few new ones that more than make up for the early losses, Sophos reports.

"It stood to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends," says Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers. "What makes this example interesting is that having hacked into one such Exchange server, the attacker staged a cryptomining package on it and when hacking into other Exchange servers simply retrieved the package from the staged location. Firewalls are unlikely to block traffic between Exchange servers and may even give such traffic a pass in terms of content inspection thus providing a good channel for delivery of dubious executables."

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a vulnerability remediation orchestration provider, says that unless "you are OK with somebody living in your basement and not paying rent, or a neighbor torrenting on your Wi-Fi, you probably don’t want cryptominers running payloads on your Exchange Server. We’d recommend anybody running Exchange to scan for this vulnerability as soon as possible to identify and prioritize potential risk to your business from the ProxyLogon exploit."

For the Sophos report, please visit https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/