New research by Sophos has revealed that a compromised Microsoft Exchange server hosted a crypto-jacker targeting other Exchange servers.
The Sophos report, titled Compromised Exchange Server Hosts Crypto-jacker To Target Other Exchange Servers, details how a variant of the legitimate open source Monero crypto-miner, xmr-stak, has been installed on a hacked Exchange server and used to target other Exchange servers that remain unpatched against the ProxyLogon vulnerabilities.
This follows the reporting of four zero-day Microsoft Exchange vulnerabilities and the release of security patches on 2 March and on 9 March, and highlights how a growing number of attackers are exploiting these vulnerabilities to carry out attacks.
The bad actors behind the attack named the new variant ‘QuickCPU’, possibly to fool targets into thinking it is the completely unrelated, legitimate open source CPU optimisation tool Quick CPU.
Hitting servers within hours
Andrew Brandt, principal threat researcher at Sophos, says while some of the attacks that were looking to take advantage of the ProxyLogon Exchange vulnerabilities took around a week to emerge, the same cannot be said for crypto-miners.
“They were hitting vulnerable servers with their payloads within hours of the bugs being reported and security updates released. ‘QuickCPU’, a variant of the xmr-stak Monero crypto-miner, is no exception – our analysis of this campaign shows mining value flowing to the attackers’ Monero wallet on 9 March, with the attack diminishing rapidly in scale thereafter.”
According to him, this suggests yet another quickly compiled, opportunistic and possibly experimental attack, aimed at making some easy money before widespread patching occurs.
Anti-detection techniques
Brandt says what makes this attack unusual is that its authors installed their crypto-mining payload on an infected Exchange server and then used that as a platform to spread the malicious miners to other infected servers.
“The attackers implemented a range of standard anti-detection techniques, installing the malicious miner in memory to keep it hidden from security scans, deleting the installation and configuration files after use, and using the traffic encryption of Transport Layer Security to communicate with their Monero wallet.”
For most victims the first indication of compromise is more than likely a significant drop in processing power. Servers that remain unpatched could be compromised for quite some time before this becomes clear, he adds.
“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. However, patching is not enough on its own,” he continues. “Organisations need to determine and address their wider exposure so they don’t remain vulnerable to later attacks.”
He advises admins to scan the Exchange server for Web shells and monitor servers for any unusual processes that appear seemingly out of nowhere, as high processor usage by an unfamiliar program could be a sign of crypto-mining activity or ransomware.
“If this isn’t possible, closely monitor the server until you migrate the Exchange data to an updated server then disconnect the unpatched server from the Internet.”
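The two checks Brandt recommends, as an added PowerShell triage script that is not part of the Sophos report: it lists high-CPU processes whose image is absent from disk (as an in-memory miner's would be) or not validly signed, and then lists recently written .aspx/.ashx files under the Exchange web roots where web shells are typically dropped. It assumes it runs as an administrator on the Exchange host, that the $env:ExchangeInstallPath variable is set, and the CPU threshold and lookback window are assumed values to tune.

```powershell
# Added example, not the Sophos report's own tooling. Assumptions: run elevated
# on the Exchange server; $env:ExchangeInstallPath and the FrontEnd\HttpProxy /
# ClientAccess layout are assumed; thresholds below are assumed starting points.

# 1. High-CPU processes that are unfamiliar: no on-disk image (possible
#    in-memory payload) or an image whose Authenticode signature is not valid.
$cpuThresholdSeconds = 600   # assumed threshold of total CPU time, in seconds
$suspectProcesses = Get-Process |
    Where-Object { $_.CPU -gt $cpuThresholdSeconds } |
    ForEach-Object {
        $p = $_
        $sig = if (-not $p.Path) { 'NO IMAGE PATH (in-memory?)' }
               else { [string](Get-AuthenticodeSignature -FilePath $p.Path).Status }
        [pscustomobject]@{
            Name       = $p.ProcessName
            Id         = $p.Id
            CPUSeconds = [int]$p.CPU
            Path       = $p.Path
            Signature  = $sig
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' }

"=== High-CPU processes that are unsigned or have no image on disk ==="
$suspectProcesses | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize

# 2. Recently written server-side script files under the Exchange web roots,
#    the usual location for web shells planted through ProxyLogon.
$webRoots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),   # assumed path
    (Join-Path $env:ExchangeInstallPath 'ClientAccess')          # assumed path
)
$since = (Get-Date).AddDays(-14)   # assumed lookback window
$recentScripts = Get-ChildItem -Path $webRoots -Recurse -Include *.aspx, *.ashx `
                    -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending

"=== .aspx/.ashx files written under Exchange web roots since $since ==="
$recentScripts | Format-Table -AutoSize
```

Anything the script surfaces needs a second look rather than automatic removal: legitimate Exchange updates also rewrite .aspx files, so compare the file's timestamp and content against the patch history before treating it as a web shell.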