ProxyLogon Vulnerabilities Used in Cryptojacking Attacks
Now another danger should be added to the threat list – cryptojacking also known as cryptocurrency mining. SophosLabs researchers discovered that the attackers exploiting Exchange servers are now using the compromised servers to host a Monero miner. Other threats against such servers include APT attacks, ransomware, and webshells.
“The SophosLabs team was inspecting telemetry when they came across the unusual attack targeting a customer’s Exchange server. The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth),” the report revealed.
An unidentified threat actor has been attempting to leverage the ProxyLogon exploit to impose a Monero cryptominer onto Exchange servers. The payload itself is also hosted on a compromised Exchange server.
The executable associated with the attack are known as Mal/Inject-GV and XMR-Stak Miner (PUA). The report also shared a full list of indicators of compromise to help organizations identify whether they have been attacked.
More about the ProxyLogon vulnerabilities
The vulnerabilities affecting Microsoft Exchange Server are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Affected versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.
The flaws are used as part of an attack chain, known as ProxyLogon. To be successfully initiated, an attack requires an untrusted connection to a specific Exchange server port, 443. This loophole can be protected by restricting untrusted connection, or by setting up a VPN to separate the server from external access. However, these mitigations tricks only offer partial protection. The company warns that other portions of the chain attack can be triggered if an attacker already has access or can convince an administrator to run a malicious file.
It is noteworthy that last March, state-sponsored hacking groups were exploiting CVE-2020-0688, another vulnerability in Microsoft Exchange email servers. Then, in May, the Exchange server was attacked by the so-called Valar Trojan. The malware attack was targeting victims mainly in Germany and the USA, in an advanced threat scenario delivered to the vulnerable systems in a multi-stage way.