Microsoft Exchange ProxyShell is being exploited to mine crypto once again
>
Hackers use known ProxyShell vulnerabilities to install cryptocurrency miners on vulnerable Microsoft Exchange servers, researchers claim.
Morphisec cybersecurity experts observed unidentified attackers using ProxyShell (an umbrella term for multiple vulnerabilities that, when linked together, allow remote code execution) to install XMRig on Microsoft Exchange servers.
XMRig is one of the most popular cryptocurrency mining malware variants, which generates the Monero cryptocurrency (XMR) for attackers. Monero is a popular choice among cybercriminals due to its privacy features and the fact that it is nearly impossible to trace.
Hide in plain sight
Morphisec says the vulnerabilities used in this campaign are CVE-2021-34473 and CVE-2021-34523. Both were discovered and patched two years ago. Therefore, the best way to protect against these attacks is to apply the solution to vulnerable endpoints (opens in new tab).
The attackers also went to extra lengths to ensure they remain hidden for as long as possible, the researchers said.
Once the miner is set up, it creates a firewall rule that is applied to all Windows Firewall profiles to block all outgoing traffic. That way, the researchers continued, the IT teams and other defenders are not made aware of the system breach.
In addition, the malware waits at least 30 seconds between starting the mining process and creating the firewall rule to avoid triggering alarms from security tools that monitor the runtime behavior of the process.
Cryptocurrency miners will not destroy a computer, but since they take up almost all of the computing power, they will render the device practically useless. In addition, they can add up to huge electricity bills for the owners of the computers.
Morphisec also said that owners of vulnerable Microsoft Exchange servers shouldn’t take the attack lightly, because once they’ve broken into the network, there’s nothing to stop the attackers from deploying any other form of malware.
Through: Beeping computer (opens in new tab)