Researchers on Tuesday reported that an unknown attacker hacked one Microsoft Exchange server and used it as a staging point to install a malicious Monero cryptominer onto other Exchange servers the attacker gained access to.
The news came the same day Microsoft told its Exchange customers to run all the latest patches to mitigate the latest vulnerabilities, including new critical bugs, and was backed up by top cyber officials in the federal government.
In a blog post, SophosLabs said its team was inspecting telemetry when it came across this unusual attack targeting a customer’s Exchange servers – an indication that the Exchange supply chain hack will continue to cause headaches for security pros.
According to the researchers, “the attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” Based on the Monero blockchain the researchers observed, the cryptowallet began receiving funds on March 9 – the Patch Tuesday on which the Exchange updates were released as part of the regular update cycle. This corresponds with when the SophosLabs team first saw the attack begin. As March passed and early April arrived, the attacker lost several servers and its cryptomining output decreased, but the researchers said it then gained a few new ones that more than made up for the early losses.
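The delivery mechanism described above leaves a trace in the staging server’s IIS logs: a request for an archive file out of the OWA logon path, a directory that normally serves only logon-page assets. The following scanner is an added example, not code from SophosLabs or from this article; it walks IIS W3C log lines, honours the `#Fields:` header the log declares, flags archive downloads from `/owa/auth/`, and notes when the client’s User-Agent is PowerShell’s default. The field layout, the sample log lines, the internal addresses and the list of archive extensions are all constructed assumptions.

```python
"""
Added example (not from the SophosLabs write-up or this article): scan IIS
W3C log lines from an Exchange server for requests that fetch archive files
out of the OWA logon path (/owa/auth). The article reports the miner was
staged as win_r.zip under /owa/auth on one compromised server and pulled
from there by a PowerShell command on other servers; the auth directory
normally serves only logon-page assets, so an archive download there is a
useful hunting signal. Field layout and the sample log lines are constructed.
"""
from dataclasses import dataclass

# Extensions that have no business being served from /owa/auth (assumption).
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz", ".cab")

# Used only if the log has no "#Fields:" header (a typical IIS W3C layout).
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "s-port", "cs-username", "c-ip",
                  "cs(User-Agent)", "sc-status"]


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    path: str
    status: str
    powershell_ua: bool  # PowerShell's default UA contains "WindowsPowerShell"


def is_staging_download(uri_stem: str) -> bool:
    """True when an archive file is requested from the OWA logon path."""
    stem = uri_stem.lower()
    return stem.startswith("/owa/auth/") and stem.endswith(ARCHIVE_EXT)


def scan(lines):
    """Return Hits for archive downloads from /owa/auth in IIS W3C log lines."""
    fields = DEFAULT_FIELDS
    hits = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # honour the layout the log declares
            continue
        if line.startswith("#") or not line.strip():
            continue                        # other directives / blank lines
        parts = line.split()                # IIS encodes spaces in values as '+'
        if len(parts) != len(fields):
            continue                        # malformed or truncated line
        rec = dict(zip(fields, parts))
        if not is_staging_download(rec.get("cs-uri-stem", "")):
            continue
        ua = rec.get("cs(User-Agent)", "")
        hits.append(Hit(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            client_ip=rec.get("c-ip", ""),
            path=rec.get("cs-uri-stem", ""),
            status=rec.get("sc-status", ""),
            powershell_ua="WindowsPowerShell" in ua,
        ))
    return hits


# Constructed sample: one benign logon-page request, one archive pulled by
# PowerShell from another internal host, one static theme asset.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-09 14:02:11 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/89 200
2021-03-09 14:05:43 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 10.0.1.22 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.17763.1007 200
2021-03-09 14:06:01 10.0.0.5 GET /owa/auth/15.1/themes/resources/favicon.ico - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/89 200
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.timestamp} {h.client_ip} -> {h.path} [{h.status}] "
              f"powershell_ua={h.powershell_ua}")
```

Run it against the real `W3SVC*` log directory of each Exchange server rather than only the one already known to be compromised: a hit whose client address is another Exchange server is exactly the server-to-server transfer that, as noted below, a perimeter firewall is unlikely to inspect. The status code is recorded rather than filtered on, since a 404 for an archive under `/owa/auth/` still shows a host reaching for a staging file.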
“It stands to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends,” said Oliver Tavakoli, chief technology officer at Vectra. “What makes this example interesting is that having hacked into one such Exchange server, the attacker staged a cryptomining package on it and when hacking into other Exchange servers simply retrieved the package from the staged location. Firewalls are unlikely to block traffic between Exchange servers and may even give such traffic a pass in terms of content inspection, thus providing a good channel for delivery of dubious executables.”
Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, recommended that anyone running Exchange scan for this vulnerability as soon as possible to identify and prioritize the potential risk to the business.
“Unless you are OK with somebody living in your basement and not paying rent, or a neighbor torrenting on your Wi-Fi, you probably don’t want cryptominers running payloads on your Exchange Server,” he said.