A new cryptojacking campaign has been discovered by security researchers at Morphisec. The campaign, which has been dubbed ProxyShellMiner by Morphisec, exploits three vulnerabilities in Microsoft Exchange servers to install a Monero miner on compromised machines.
Microsoft just recently urged Exchange Server customers to update to the latest secure builds of the service because of increased threats.
ProxyShellMiner – One More Microsoft Exchange Exploit
ProxyShellMiner is a cryptojacking campaign that leverages three vulnerabilities in Microsoft Exchange servers to gain remote code execution and install a Monero miner on the infected machines. Once the attackers have gained a foothold in the network, they can do anything from backdoor deployment to code execution.
The vulnerabilities are:
– CVE-2021-34473: An arbitrary file write vulnerability that allows an attacker to write web shells to any path on the server.
– CVE-2021-34523: An elevation of privilege vulnerability that allows an attacker to bypass authentication and access any mailbox on the server.
– CVE-2021-31207: A remote code execution vulnerability that allows an attacker to run arbitrary commands on the server.
The campaign was first detected by Morphisec in August 2021, when it observed a spike in malicious PowerShell scripts being executed on its customers' machines. The scripts were downloaded from compromised websites that hosted web shells the attackers had written using CVE-2021-34473. The scripts then used CVE-2021-34523 and CVE-2021-31207 to execute commands on the target Exchange servers and install a Monero miner called XMRig. The miner was configured to use a proxy service called ProxyPipe, which hides the mining traffic and makes it harder to detect.
The campaign targets Exchange servers that have not been patched for the three vulnerabilities. Morphisec found evidence that some of the infected servers were also compromised by other threat actors using different web shells and malware. This suggests that multiple groups are exploiting the same vulnerabilities and competing for access to vulnerable servers.
Protecting Microsoft Exchange against ProxyShellMiner
The best way to protect yourself from ProxyShellMiner is to apply the latest security updates from Microsoft for your Exchange servers. Microsoft released patches for these vulnerabilities in April and May 2021 as part of their monthly security updates.
You should also monitor your network traffic for any suspicious activity, such as connections to unknown domains or IP addresses, or high CPU usage on your servers. You can use tools like Morphisec's Endpoint Threat Prevention platform to detect and block malicious PowerShell scripts and other advanced threats.
If you suspect that your Exchange server has been compromised by ProxyShellMiner or any other malware, you should isolate it from your network and perform a thorough investigation and remediation. You should also change your passwords and revoke any suspicious access tokens or certificates.
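The monitoring advice above, turned into a small triage routine over constructed endpoint telemetry. This is an added example, not code from Morphisec or the article; the event tuple format, the CPU threshold and the KNOWN_HOSTS allowlist are assumptions, and the indicators it flags (PowerShell reaching an unknown host, a process with sustained high CPU talking to an unknown destination) are the ones the article describes.

```python
"""Flag hosts showing the ProxyShellMiner-style pattern described in the article:
PowerShell contacting an unknown host, then a process burning CPU while
connected to an unknown destination. Event format and thresholds are assumed."""
from collections import defaultdict

# Assumption: destinations the defender already knows and trusts.
KNOWN_HOSTS = {"update.microsoft.com", "10.0.0.5"}
CPU_THRESHOLD = 85.0       # percent; assumed cut-off for "high CPU"
MIN_HIGH_CPU_SAMPLES = 3   # consecutive samples before CPU use counts as sustained

# Constructed sample telemetry: (host, process, cpu_percent, remote_destination).
EVENTS = [
    ("EXCH01", "powershell.exe", 4.0, "203.0.113.7"),   # script pulled from unknown host
    ("EXCH01", "updsvc.exe", 91.0, "203.0.113.9"),      # constructed miner-like process
    ("EXCH01", "updsvc.exe", 94.0, "203.0.113.9"),
    ("EXCH01", "updsvc.exe", 96.0, "203.0.113.9"),
    ("EXCH02", "powershell.exe", 3.0, "update.microsoft.com"),  # known destination
    ("EXCH02", "backup.exe", 88.0, "10.0.0.5"),          # one spike, not sustained
    ("EXCH02", "backup.exe", 40.0, "10.0.0.5"),
]


def is_unknown(remote):
    """True when the destination is set and not on the allowlist."""
    return bool(remote) and remote not in KNOWN_HOSTS


def triage(events):
    """Return {host: [finding, ...]} for hosts matching either indicator."""
    findings = defaultdict(list)
    high_cpu_run = defaultdict(int)  # (host, process) -> consecutive high-CPU samples
    for host, proc, cpu, remote in events:
        if proc.lower() == "powershell.exe" and is_unknown(remote):
            findings[host].append(f"PowerShell reached unknown host {remote}")
        key = (host, proc)
        if cpu >= CPU_THRESHOLD:
            high_cpu_run[key] += 1
            if high_cpu_run[key] == MIN_HIGH_CPU_SAMPLES:  # report once per run
                note = f"{proc} sustained >= {CPU_THRESHOLD}% CPU"
                if is_unknown(remote):
                    note += f" while connected to unknown host {remote}"
                findings[host].append(note)
        else:
            high_cpu_run[key] = 0  # a low sample breaks the run
    return dict(findings)


if __name__ == "__main__":
    for host, notes in triage(EVENTS).items():
        print(host, "->", "; ".join(notes))
```

Hosts that only contact allowlisted destinations or show a single CPU spike produce no finding, so EXCH02 stays quiet while EXCH01 is reported with both indicators.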