Sophos Labs has identified an attacker using an Exchange vulnerability for cryptomining: “Admins should scan the Exchange server for web shells and monitor servers for unusual processes that appear to appear out of nowhere. High processor usage by an unknown program could be a sign of crypto mining activity or ransomware,” said Andrew Brandt, Principal Threat Researcher at Sophos.
The known, recent problems relating to Microsoft Exchange Server vulnerabilities are probably far from over: Even after the security patches of March 2 and 9, more and more attackers are using the exploit for their attacks. SophosLabs has now found an unknown attacker who uses the "ProxyLogon" vulnerability to install a crypto miner that attacks the unpatched servers. The "prospector" belongs to the family of the legitimate open source Monero miner xmr-stak. Andrew Brandt, Principal Threat Researcher at Sophos, reveals further details of the cryptominer attack.
Mining flowed into Monero wallets
“Our analysis of this campaign shows that on March 9, mining values flowed into the attackers' Monero wallets and that the attack quickly lost its scope afterwards. This suggests that we are dealing with yet another quickly assembled, opportunistic, and possibly experimental attack, which attempts to make some easy money before widespread patching occurs. Companies should not only patch their servers immediately, but also continue to monitor them closely.
For most victims, the first sign of compromise is likely to be a significant drop in processing power. Servers that are not patched may have been compromised for some time before this becomes apparent. Admins should scan the Exchange Server for web shells and monitor servers for unusual processes that appear to appear out of nowhere. A high processor load by an unknown program could be a sign of crypto mining activities or ransomware. "
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.