Cyber criminals are installing cryptojacking malware on unpatched Microsoft Exchange servers

Cyber attackers are scanning the internet for vulnerable Microsoft Exchange servers they can exploit to mine for cryptocurrency. "It's basically free money rolling in for the attackers," warn cybersecurity researchers.
Written by Danny Palmer, Senior Writer

Cyber criminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money. 

Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems.

Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers -- but they're not the only ones.

SEE: Network security policy (TechRepublic Premium)

Cybersecurity researchers at Sophos have identified attackers attempting to take advantage of the Microsoft Exchange Server ProxyLogon exploit to secretly install a Monero cryptominer on Exchange servers.

"Server hardware is pretty desirable for cryptojacking because it usually has a higher performance than a desktop or laptop. Because the vulnerability permits the attackers to simply scan the whole internet for available, vulnerable machines, and then roll them into the network, it's basically free money rolling in for the attackers," Andrew Brandt, principal threat researcher at Sophos, told ZDNet.

Monero isn't nearly as valuable as Bitcoin, but it's easier to mine and, crucially for cyber criminals, provides greater anonymity, making the owner of the wallet -- and those behind attacks -- harder to trace.

While being compromised by a cryptocurrency miner might not sound as bad as a ransomware attack or the loss of sensitive data, it still represents a concern for organisations.

That's because it means cyber attackers have been able to secretly gain access to the network and, crucially, that the organisation still hasn't applied the critical updates designed to protect against all manner of attacks.

According to analysis by Sophos, the Monero wallet of the attacker behind this campaign began receiving funds from mining on March 9, just a few days after the Exchange vulnerabilities came to light, suggesting the attacker was quick off the mark in exploiting unpatched servers.

The attacks begin with a PowerShell command that retrieves a file from a previously compromised server's Outlook Web Access logon path, which in turn downloads executable payloads to install the Monero miner.

Researchers note that the executable appears to contain a modified version of a tool that's publicly available on Github; when the content is run on a compromised server, evidence of installation is deleted, while the mining process runs in memory.

SEE: Cybercrime groups are selling their hacking skills. Some countries are buying

It's unlikely that the operators of servers that have been hijacked by crypto-mining malware will notice there's an issue -- unless the attacker gets greedy and uses an extensive amount of processing power that's easily identified as unusual.

To protect networks against attacks that exploit the vulnerabilities in Microsoft Exchange Server, organisations are urged to apply the critical security updates as a matter of immediate priority.

"A lot of this speaks to the need for servers, especially internet-facing servers, to be running modern endpoint protection on them. Other than that, Microsoft has spelled out pretty clearly what's needed to patch the vulnerabilities, so admins need to just be diligent and do those things," said Brandt.


Editorial standards