Compromised Microsoft Exchange Server Used to Host Cryptominer
Researchers say an unknown attacker is targeting vulnerable Exchange Servers with a payload hosted on a compromised Exchange Server.
Researchers at Sophos report an unknown attacker is attempting to use a compromised Microsoft Exchange Server to deliver a malicious Monero cryptominer onto other vulnerable Microsoft Exchange Servers. Monero is an anonymous form of cryptocurrency that is favored by attackers over the more popular Bitcoin.
The attack uses the ProxyLogon exploit. Because the cryptominer is hosted on a compromised Exchange Server, it may be easier for the attacker to deliver the payload to other vulnerable targets as firewalls are less likely block traffic between Exchange Servers.
The SophosLabs team has been examining telemetry in the weeks following Microsoft's news about the serious Exchange Server vulnerability and came across the attack targeting a customer's Exchange Server.
"The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server's Outlook Web Access logon path (/owa/auth)," Sophos says in a release on the details of the exploit.
A breakdown of how the attack works can be found here.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024