Cybercriminals targeting unpatched Exchange servers by installing cryptojacking malware
Cybercriminals continue to exploit unpatched Microsoft Exchange servers. Cybersecurity researchers at Sophos report that an unknown attacker has been attempting to leverage the ProxyLogon exploit to load a malicious Monero cryptominer onto Exchange servers, with the payload itself hosted on another compromised Exchange server.
According to Sophos, its researchers were inspecting telemetry when they came across this unusual attack targeting a customer's Exchange server. The attack begins with a PowerShell command that retrieves a file named win_r.zip from another compromised server's Outlook Web Access logon path (/owa/auth).
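The delivery chain described above leaves a trace on both ends: the compromised host serves win_r.zip out of /owa/auth, and the victim fetches it with PowerShell. The following is an added detection example, not Sophos' code and not taken from the report, that scans IIS W3C-format logs for requests under /owa/auth/ that fetch non-web payload types (.zip, .ps1, .exe and similar), and separately flags a client whose user agent contains "WindowsPowerShell", which is what Invoke-WebRequest sends by default. The log lines, IP addresses, file name x.zip, the field order in the #Fields: header and the extension list are constructed assumptions for the demonstration; the win_r.zip name is the one from the report.

```python
"""Flag IIS requests that pull payload-type files out of the OWA auth path.

Added example (not Sophos' tooling). Assumes W3C-format IIS logs whose
column layout is declared by a '#Fields:' header, as IIS writes by default.
"""
import os
from dataclasses import dataclass

# Extensions that have no business being served from /owa/auth/ (assumed list).
SUSPICIOUS_EXT = {".zip", ".ps1", ".exe", ".dll", ".bat", ".vbs", ".cmd"}
OWA_AUTH_PREFIX = "/owa/auth/"

# Constructed sample log: one legitimate logon, one favicon fetch, the
# win_r.zip download via PowerShell, and a probe for another zip that 404s.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-04-13 09:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/87.0 - 200 0 0 120
2021-04-13 09:15:44 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.19041.610 - 200 0 0 85
2021-04-13 09:16:02 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/favicon.ico - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/87.0 - 200 0 0 3
2021-04-13 09:16:30 10.0.0.5 GET /owa/auth/x.zip - 443 - 198.51.100.23 python-requests/2.25.1 - 404 0 2 2
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    uri: str
    status: str
    user_agent: str
    reasons: tuple


def iter_records(log_text):
    """Yield one dict per request line, keyed by the names in the latest '#Fields:' header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return the reasons a request under /owa/auth/ looks like payload delivery."""
    stem = rec.get("cs-uri-stem", "")
    user_agent = rec.get("cs(User-Agent)", "")
    reasons = []
    if stem.lower().startswith(OWA_AUTH_PREFIX):
        ext = os.path.splitext(stem.lower())[1]
        if ext in SUSPICIOUS_EXT:
            reasons.append("payload-extension-under-owa-auth")
        if "windowspowershell" in user_agent.lower():
            reasons.append("powershell-client")
    return tuple(reasons)


def analyze(log_text):
    """Return a Finding for every request with at least one reason, in log order."""
    findings = []
    for rec in iter_records(log_text):
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(
                timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                client_ip=rec.get("c-ip", ""),
                uri=rec.get("cs-uri-stem", ""),
                status=rec.get("sc-status", ""),
                user_agent=rec.get("cs(User-Agent)", ""),
                reasons=reasons,
            ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} {f.uri} {f.status} {', '.join(f.reasons)}")
```

Run it against the real IIS logs (by default under C:\inetpub\logs\LogFiles\W3SVC*) on both the suspected hosting server and the suspected victim's egress proxy. A 200 for a .zip under /owa/auth/ on your own server means that file was actually present in the front-end directory and should be pulled for analysis; a 404 still records who was probing. The user-agent signal is an easy one for an attacker to change, so the extension check is the one to rely on.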