Following the reporting of the Microsoft Exchange vulnerabilities and the release of security patches on 2 March and on 9 March, a growing number of new adversaries are exploiting these bugs to launch attacks. IT security company Sophos has previously reported on attacks by DearCry and Black Kingdom ransomware.
Sophos has published new research, “Compromised Exchange Server Hosts Crypto-jacker To Target Other Exchange Servers,” detailing how a variant of the legitimate open-source Monero miner, xmr-stak, has been installed on a hacked Exchange server and used to target other Exchange servers that remain unpatched against the ProxyLogon vulnerabilities.
The operators behind the attack named the new variant “QuickCPU,” possibly to confuse targets into thinking it is actually the (completely unrelated) legitimate, open-source CPU optimization tool Quick CPU.
Some of the key findings are summarized in the following commentary from Andrew Brandt, principal threat researcher at Sophos. If you are writing a story about crypto-miners or other attacks related to ProxyLogon, please feel free to use Andrew’s comments. We can also arrange an interview with Andrew and other threat experts, as needed.
“While some of the attacks looking to take advantage of the ProxyLogon Exchange vulnerabilities took a week or so to emerge, the same cannot be said for crypto-miners. They were hitting vulnerable servers with their payloads within hours of the bugs being reported and security updates released. ‘QuickCPU,’ a variant of the xmr-stak Monero crypto-miner, is no exception – our analysis of this campaign shows mining value flowing to the attackers’ Monero wallet on March 9, with the attack diminishing rapidly in scale thereafter. This suggests we are looking at yet another rapidly compiled, opportunistic and possibly experimental attack attempting to make some easy money before widespread patching takes place.
“What makes this attack unusual is the fact that the operators installed their crypto-mining payload on an infected Exchange server and then used that as a platform to spread the malicious miners to other infected servers. The attackers implemented a range of standard anti-detection techniques, installing the malicious miner in memory to keep it hidden from security scans, deleting the installation and configuration files after use, and using the traffic encryption of Transport Layer Security to communicate with their Monero wallet. As a result, for most victims the first sign of compromise is likely to be a significant drop in processing power. Servers that remain unpatched could be compromised for quite some time before this becomes clear.
“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. However, patching is not enough on its own – organizations need to determine and address their wider exposure so they don’t remain vulnerable to later attacks. For instance, admins should scan the Exchange server for web shells and monitor servers for any unusual processes that appear seemingly out of nowhere. High processor usage by an unfamiliar program could be a sign of crypto-mining activity or ransomware. If this isn’t possible, closely monitor the server until you migrate the Exchange data to an updated server, then disconnect the unpatched server from the internet.” - Andrew Brandt, principal threat researcher, Sophos
Sophos Intercept X and Sophos Intercept X with EDR protect against threats attempting to exploit the ProxyLogon Exchange vulnerabilities.
Learn more about the Sophos analysis of cryptominers and other threats targeting ProxyLogon vulnerabilities, detection and indicators of compromise at SophosLabs Uncut.