In a new wave of attacks aimed at unpatched Microsoft Exchange servers, cyber criminals have been actively scanning the internet for servers that have not yet received Microsoft's latest critical security updates, intending to exploit them for cryptocurrency mining.
According to the information available, an unidentified intruder has tried to take advantage of the ProxyLogon exploit in order to install a malicious Monero cryptominer on Exchange servers.
Described by researchers as an unusual attack, this targeted campaign aims to use the processing capacity of compromised systems to make money without the victim's knowledge.
In general, server hardware is very well suited to cryptomining and highly desirable to criminal actors, since it normally performs better than a desktop or laptop, experts explain. Moreover, this flaw in Exchange allows attackers to scan the entire internet for vulnerable servers and then quietly add them to the cryptojacking network.
While a compromise by a cryptocurrency miner such as a Monero miner may not be as severe as a ransomware attack or the loss of confidential data, organizations should still be concerned, because it does not change the fact that malicious actors have been able to remotely access their network and gain a foothold in it.
Security researchers are therefore stressing that organizations running Exchange servers should do everything possible to apply the critical security patches immediately, to protect themselves from attacks of this kind and from other potential threats.
Those who are concerned that they may have been compromised by the cryptominer should check the list of indicators published by the researchers at the link provided.
The ProxyLogon issue surfaced at the beginning of March, when Microsoft said it had spotted several zero-day vulnerabilities being exploited in the wild against Microsoft Exchange Server.
Soon after Microsoft released an out-of-band update that fixed the bugs in the ProxyLogon chain, the company said that more than 90% of the affected systems had been patched. However, unpatched systems remain, and they are likely to stay exposed to targeted attacks.