Cybercriminals exploit vulnerable Microsoft Exchange servers to mine for cryptocurrency.
In this campaign, cybercriminals drop a cryptominer on the victim’s machine that secretly uses its processing power to mine Monero.
Cybersecurity researchers at Sophos were the first to identify this cryptojacking campaign and say the attackers take advantage of the Microsoft Exchange Server ProxyLogon exploit.
“Server hardware is pretty desirable for cryptojacking because it usually has a higher performance than a desktop or laptop. Because the vulnerability permits the attackers to simply scan the whole internet for available, vulnerable machines, and then roll them into the network, it’s basically free money rolling in for the attackers,” Andrew Brandt of Sophos told ZDNet.
Monero is more attractive for cybercriminals than the more popular Bitcoin or Ethereum because it’s easier to mine and, more importantly for cybercriminals, it provides greater anonymity. The anonymous nature of Monero makes it harder to trace the criminals.
According to Sophos, the attackers’ Monero wallet tied to this campaign has been receiving crypto funds from malicious mining since March 9, just a few days after the Exchange vulnerabilities were uncovered. This highlights how quickly attackers move to use new exploitation opportunities.
To start the attack chain, cybercriminals run a PowerShell command to drop a file from a previously compromised server’s Outlook Web Access logon path. The script downloads additional payloads and installs the Monero miner.
For the executable, researchers say, the attackers appear to use a modified version of a tool that is publicly available on GitHub. After execution, they clear all evidence of the installation, while the mining process runs in memory.
This makes such crypto-mining activity very hard for server operators to detect. They won’t notice there is an intruder unless the criminal uses an unusually large amount of processing power that security tools can pick up.
Organizations are urged to apply Microsoft’s recommended security updates as soon as possible.
“Microsoft has spelled out pretty clearly what’s needed to patch the vulnerabilities, so admins need to just be diligent and do those things,” said Brandt.