It didn’t take threat actors long to jump on a vulnerability affecting Microsoft Exchange mail server software.
While exploits involving an array of malware from ransomware to webshells are well-documented, Sophos researchers report that other payloads have been aimed at Exchange servers.
“It stood to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends,” said Oliver Tavakoli, CTO at Vectra.
In a blog post this week, the researchers have detailed attempts by an unknown attacker “to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server.”
Sophos came across what it called an “unusual attack” that targeted one of its customer’s Exchange servers while it was inspecting telemetry. The Monero blockchain shows that the wallet began receiving funds on March 9, which is the Patch Tuesday when Microsoft released Exchange updates.
Here’s how the attack worked: A PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth) kicked off the attack, they wrote. Instead of the expected compressed archive, the .zip file is actually a batch script that calls upon Windows’ built-in certutil.exe program “to download two additional files, win_s.zip and win_d.zip,” neither of which are compressed.
The attackers leveraged the certutil application’s ability to decode base64-encoded security certificates by encoding an executable payload in base64, which is wrapped in headers that make it appear to be a digital certificate.
Through a command run by the batch script, the decoded executable lands in the same directory; when decoded, the script runs the executable, extracting the miner and the configuration data. It then injects it into a system process before deleting the evidence, the researchers explained. “The file uses forged data in its Properties sheet that indicates the file is a Windows component, but the binary is not digitally signed and, besides, no such file has ever existed as a standard component of Windows, though there is a legitimate utility with the same name, made by a third-party software developer,” they wrote, noting the utility is not connected to the malware.
The executable seems to include a PEx64-Injector tool available on GitHub, which is known for its ability to migrate x64 exe to any x64 process with the added bonus of not requiring admin privileges. The executable extracts content from the miner installer temporarily to the filesystem. It configures the miner and injects it into a running process before quitting. The batch file once again deletes the evidence, while the miner continues to run in memory. That means it’s injected into a process already running on the system.
The researchers noted that the QuickCPU installer runs within the system folder on a compromised Exchange server once the certutil.exe decodes it. Within that installer’s archive is a configurator for the miner. “By default, the payload sets up the miner so that it only can communicate if it can have a secure TLS connection back to the Monero wallet where it will store its value,” they said. “If the miner detects that there’s a certificate mismatch (or some other indication of a TLS MITM), it quits and attempts to reconnect every 30 seconds.”
Since the Monero miner’s pools.txt file is temporarily written to disk, it reveals the wallet address and its password, as well as the name, “DRUGS,” that the attacker gave to the pool of miners.
“What makes this example interesting is that, having hacked into one such Exchange server, the attacker staged a cryptomining package on it and, when hacking into other Exchange servers, simply retrieved the package from the staged location,” said Tavakoli, noting that firewalls likely won’t “ block traffic between Exchange servers – and may even give such traffic a pass in terms of content inspection – providing a good channel for delivery of dubious executables.”
Indeed, unless a company is “OK with somebody living in your basement and not paying rent, or a neighbor torrenting on your WiFi, you probably don’t want cryptominers running payloads on your Exchange Server,” said Yaniv Bar-Dayan, CEO and founder at Vulcan Cyber, who recommended that “anybody running Exchange [should] scan for this vulnerability as soon as possible to identify and prioritize potential risk” from the ProxyLogon exploit.
It’s been a tough few months for Microsoft, particularly its Exchange Server customers. Not only did the company get caught up in the SolarWinds campaign and reveal a handful of Exchange vulnerabilities last month – including the one used in this attack – but those vulnerabilities prompted the Justice Department, acting on a court order, to take the extraordinary step of removing hundreds of malicious web shells installed through exploitation of those bugs.
Just this week the company released updates for several critical vulnerabilities, including two new flaws in on-premises Exchange Servers. Microsoft recommended organizations prioritize those updates. Considering how quickly attackers jump to exploit Exchange vulnerabilities, that seems like a good idea.