Security News > 2023 > February > Microsoft Exchange ProxyShell flaws exploited in new crypto-mining attack
A new malware dubbed 'ProxyShellMiner' exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners throughout a Windows domain to generate profit for the attackers.
ProxyShell is the name of three Exchange vulnerabilities discovered and fixed by Microsoft in 2021.
In attacks seen by Morphisec, the threat actors exploit the ProxyShell flaws tracked as CVE-2021-34473 and CVE-2021-34523 to gain initial access to the organization's network.
For the malware to activate, it requires a command line parameter that also dubs as a password for the XMRig miner component.
That file decides which browser of those installed on the compromised system will be used for injecting the miner into its memory space, using a technique known as "Process hollowing." After that, it picks a random mining pool from a hardcoded list, and the mining activity begins.
Possibly, the miner continues to communicate with its mining pool via a backdoor that isn't monitored by security tools.
News URL
Related news
- Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks (source)
- Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining (source)
- U.S. Sanctions Two Crypto Exchanges for Facilitating Cybercrime and Money Laundering (source)
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Microsoft issues 117 patches – some for flaws already under attack (source)
- Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks (source)
- Deepfakes Can Fool Facial Recognition on Crypto Exchanges (source)
- Crypto-apocalypse soon? Chinese researchers find a potential quantum attack on classical encryption (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-07-14 | CVE-2021-34523 | Improper Authentication vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 9.0 |
| 2021-07-14 | CVE-2021-34473 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 9.1 |