News Hackers install Monero Miners through ProxyLogon vulnerabilities in Microsoft Exchange


Soldier

Essential
Joined
20.10.20
Messages
87
Reaction score
642
Points
83
The hackers ' wallet began receiving cryptocurrency on March 9, just a few days after it became aware of vulnerabilities in Microsoft Exchange.

Cybercriminals are attacking vulnerable Microsoft Exchange servers in order to install cryptocurrency mining software as part of a malicious campaign aimed at using the computing power of compromised systems to earn money.

During the attacks, attackers exploit vulnerabilities in Microsoft Exchange, known as ProxyLogon, disclosed last month. Hacker groups of all stripes, ranging from APT groups to financially motivated cybercriminals, exploited them to hack email servers. One of the Chinese cybercrime groups paved the way for further attacks by installing China Chopper web shells on hacked servers. As SecurityLab recently reported, the FBI obtained court approval to access hundreds of vulnerable Microsoft Exchange installations in the United States to remove web shells from infected systems.

Specialists of the Sophos information security company have identified hackers trying to" profit " from the ProxyLogon vulnerability by secretly installing Monero cryptocurrency miners.

The cost of Monero is far from the cost of bitcoin, but this cryptocurrency is easier to mine. Moreover, what is important for cybercriminals, Monero provides greater anonymity – the owners of wallets are much more difficult to track.

While infecting servers with a cryptocurrency miner may not seem as dangerous as an extortionate software attack or stealing sensitive data, it still poses a threat to organizations. If the hackers managed to install the miner, it means: first – they have access to the corporate network, and second – the organization did not apply critical updates designed to protect against all types of attacks.

According to Sophos, the Monero wallet belonging to the attackers began receiving cryptocurrency on March 9, 2021, just a few days after it became known about vulnerabilities in Microsoft Exchange.

The attack begins with a PowerShell command retrieving the file via a previously compromised Outlook Web Access. In turn, this file loads the executable payload for installing the Monero miner. The executable file contains a modified version of the tool, available to everyone on GitHub. When its contents are run on a compromised server, all installation evidence is removed, and the mining process takes place in memory.

It is unlikely that the operators of the servers on which the cryptominers were installed will notice the problem. They can only become suspicious if the attackers become greedy and start using too much computing power.
 
Top Bottom