Mass Microsoft Exchange Exploitation Prompts Cryptojacking Threat

The mass Microsoft Exchange exploitation is still attracting malicious hackers, including an unknown attacker attempting to leverage what’s known as the ProxyLogon exploit.

That’s according to findings from the SophosLabs team. It was inspecting telemetry when it came across the unusual attack targeting a customer’s Exchange server.

Since the Microsoft Exchange exploitation, a range of threat actors have been targeting exploitable servers with a variety of malware, from webshells to ransomware. But those aren’t the only payloads directed at Exchange servers.

The unknown attacker has been trying to foist a malicious Monero cryptominer onto Exchange servers with the payload hosted on a compromised Exchange server.

Cryptojacking infects computers to use them to mine cryptocurrencies usually without a user’s knowledge. It can lead to slowdowns and crashes due to straining of computational resources.

Different from Other Malware

Andrew Brandt is a principal researcher at Sophos.

Sophos’ Andrew Brandt

“The threat of cryptojacking is pretty different than other malware,” he said. “What it comes down to is that a vulnerable server is running a cryptominer, earning money for the attacker while generating a greater than normal demand for computing power. This can slow down the server’s performance for non-cryptomining tasks, and could prematurely cause mechanical parts like fans or hard drives to fail as a result of the increased demand.”

Moreover, if a threat actor installs a cryptominer on a server without the owner’s knowledge, it represents a “sort of canary in the coal mine,” Brandt said.

“It means that any other attacker could (and possibly already did) install other malware that could be much more harmful,” he said. “At the very least, this attack in particular is one way to know for sure that the server has not been patched properly against the ProxyLogon vulnerability.”

Beyond Patching

In addition to patching these servers and checking that they are no longer vulnerable, the existence of this kind of attack speaks to the need for enterprises that operate on-premises server hardware to install endpoint protection software on those servers, Brandt said.

“These have become much more advanced in recent years and no longer have a detrimental effect on server performance they once might have,” he said. “And the protection they provide is essential not only to stopping this kind of attack, but the next one as well, when Microsoft discovers any other vulnerability of the same nature as ProxyLogon in the future. It also pays to block the domains used by cryptocurrency miners to upload their hashes or the computational product of their work. If the miner cannot upload the work to an attacker’s wallet, it prevents the attacker from receiving any of the benefit of that work.”

Microsoft Exchange Exploitation Attracts Broad Range of Threats

Oliver Tavakoli is CTO at Vectra.

“It stood to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends,” he said. “What makes this example interesting is that having hacked into one such Exchange server, the attacker staged a cryptomining package on it and when hacking into other Exchange servers simply retrieved the package from the staged location. Firewalls are unlikely to block traffic between Exchange servers and may even give such traffic a pass in terms of content inspection thus providing a good channel for delivery of dubious executables.”

Vulcan Cyber’s Yaniv Bar-Dayan

Yaniv Bar-Dayan is CEO and co-founder of Vulcan Cyber.

“Unless you are OK with somebody living in your basement and not paying rent, or a neighbor torrenting on your Wi-Fi, you probably don’t want cryptominers running payloads on your Exchange server,” he said. “We’d recommend anybody running Exchange to scan for this vulnerability as soon as possible to identify and prioritize potential risk to your business from the ProxyLogon exploit.”

On Tuesday, Microsoft released patches for three versions of its Exchange server email and calendar software that companies use in on-premises data centers, according to CNBC. In addition, the federal government ordered all agencies to install them, warning the vulnerabilities being patched “pose an unacceptable risk to the federal enterprise and require an immediate and emergency action.”