Microsoft Exchange ProxyShell is exploited to mine cryptocurrency again

Hackers are using known ProxyShell vulnerabilities to install cryptocurrency miners on vulnerable Microsoft Exchange servers, researchers say.

Morphisec cybersecurity specialists have observed unidentified attackers using ProxyShell (a general term for multiple vulnerabilities that, when chained together, allow remote code execution) to install XMRig on Microsoft Exchange servers.

XMRig is one of the most popular cryptocurrency mining malware variants, producing the Monero (XMR) cryptocurrency for attackers. Monero is a popular choice among cybercriminals because of its privacy features and the fact that it is virtually untraceable.

Hidden in plain sight

Morphisec claims that the vulnerabilities used in this campaign are CVE-XNUMX-XNUMXKXNUMX and CVE-XNUMX-XNUMXKXNUMX. Both were discovered and fixed a couple of years ago. Consequently, the best way to guard against these attacks is to patch vulnerable endpoints.

The attackers also did everything possible to ensure they remained hidden for as long as possible, the researchers said.

Once the miner is configured, it creates a firewall rule, applied to each and every Windows firewall profile, that blocks all outgoing traffic. That way, the researchers continued, IT teams and other defenders won't be notified of the breach.

In addition, the malware waits at least thirty seconds between the start of the mining process and the creation of the firewall rule, in order to avoid triggering alarms from security tools that monitor the execution behavior of the process.
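As an added defender-side check (not code from Morphisec or from this article), the following PowerShell looks for the footprint described above on an Exchange host: an enabled outbound block rule that applies to every firewall profile and is not restricted to any program, port or remote address, plus recently added rules from the firewall operational log. Rule and event names used here are the standard Windows ones; the function names are the author's own.

```powershell
# Added example: find enabled outbound firewall rules that block everything on all
# profiles, which is the hiding technique described in the article. Not Morphisec's code.
function Get-SuspiciousOutboundBlockRules {
    [CmdletBinding()]
    param()
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -ErrorAction Stop |
        Where-Object { "$($_.Enabled)" -eq 'True' }
    foreach ($rule in $rules) {
        # Profile is either 'Any' or a list such as 'Domain, Private, Public'
        $ruleProfile = "$($rule.Profile)"
        $allProfiles = ($ruleProfile -eq 'Any') -or
            ((@('Domain', 'Private', 'Public') | ForEach-Object { $ruleProfile -match $_ }) -notcontains $false)
        if (-not $allProfiles) { continue }

        # A rule that blocks all outgoing traffic has 'Any' for remote address, program and port
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $anyRemote  = "$($addr.RemoteAddress)" -eq 'Any'
        $anyProgram = "$($app.Program)" -eq 'Any'
        $anyPort    = ("$($port.Protocol)" -eq 'Any') -and ("$($port.RemotePort)" -eq 'Any')

        if ($anyRemote -and $anyProgram -and $anyPort) {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Profile     = $ruleProfile
                PolicyStore = $rule.PolicyStoreSourceType
            }
        }
    }
}

# Added example: rules added recently, from the firewall operational log
# (event ID 2004 = "a rule has been added"). Useful for spotting the rule
# created shortly after the miner starts.
function Get-RecentFirewallRuleAdditions {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SuspiciousOutboundBlockRules | Format-Table -AutoSize
Get-RecentFirewallRuleAdditions -Hours 48 | Format-List
```

Run it in an elevated session; any hit from the first function on a mail server that normally needs outbound connectivity deserves a look, and correlating its creation time with new CPU-heavy processes supports the delay behaviour the researchers describe.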

Cryptocurrency miners won't wreck a computer, but since they consume virtually all computing power, they will render the device virtually useless. On top of this, they could add enormously to electricity bills for computer owners.

Morphisec also said that owners of vulnerable Microsoft Exchange servers should not take the attack lightly, because once attackers have entered the network, there is nothing to stop them from deploying any other form of malware.

Via: BleepingComputer