Microsoft Exchange ProxyShell is being exploited to mine crypto once again

Criminals are deploying cryptominers targeting Microsoft Exchange

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are using known ProxyShell vulnerabilities to install cryptocurrency miners on vulnerableMicrosoftExchange servers, researchers have claimed.

Cybersecurity experts from Morphisec observed unidentified attackers using ProxyShell (an umbrella term for multiple vulnerabilities that, when chained together, allow for remote code execution) to install XMRig on Microsoft Exchange servers.

XMRig is one of the most popular cryptocurrency mining malware variants, generating the Monero (XMR) cryptocurrency for attackers. Monero is a popular choice among cybercriminals because of its privacy features and the fact that it’s almost impossible to trace.

Hiding in plain sight

Morphisec says that the vulnerabilities used in this campaign are CVE-2021-34473 and CVE-2021-34523. Both of these were discovered, and patched, two years ago. Therefore, the best way to protect against these attacks is to apply the fix to vulnerableendpoints.

The attackers have also put in extra effort to make sure they remain hidden for as long as possible, the researchers said.

Once the miner is set up, it will create a firewall rule, applied to all Windows Firewall profiles, to block all outgoing traffic. That way, the researchers continued, the IT teams and other defenders won’t be notified of the breach in the system.

Windows and Linux servers turned into crypto miners>This new Linux malware floods machines with cryptominers and DDoS bots>Check out the best malware protection services right now

Furthermore, the malware will wait at least 30 seconds between starting the mining process and creating the firewall rule, to evade triggering alarms from security tools that monitor process runtime behavior.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Cryptocurrency miners won’t destroy a computer, but as they take up almost all of the computing power, will render the device practically useless. What’s more, they could rake up enormous electricity bills for the computers’ owners.

Morphisec also said that vulnerable Microsoft Exchange server owners shouldn’t take the attack lightly, as after making their way into the network, there’s nothing stopping the attackers from deploying any other form of malware.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

7 myths about email security everyone should stop believing

Best Usenet client of 2024

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption