Microsoft Exchange exploits now used by cryptomining malware (Security News, March 2021)
The operators of Lemon Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.
Lemon Duck's ongoing attacks on vulnerable Exchange servers have already reached a massive scale, according to Costin Raiu, director of Kaspersky's Global Research and Analysis Team.
Indicators of compromise associated with Lemon Duck were also observed by Huntress Labs while analyzing the mass exploitation of on-premises Microsoft Exchange servers.
Lemon Duck also supports spreading to servers running exposed Redis databases and Hadoop clusters managed using YARN. Its operators also employed large-scale COVID-19-themed spam campaigns for propagation in the past, exploiting the CVE-2017-8570 Microsoft Office remote code execution vulnerability to deliver the malware payload. "The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we've seen," Sophos security researcher Rajesh Nataraj said.
Since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, at least ten APT groups have been spotted by Slovak internet security firm ESET targeting unpatched Exchange servers.
Since March 9th, the operators of a new human-operated ransomware strain dubbed DearCry have also been encrypting unpatched Microsoft Exchange servers.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-07-11 | CVE-2017-8570 | Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". | 7.8 |