The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware.
The malware operators target Exchange servers through a series of vulnerabilities that were made public on March 3, the same day Microsoft released patches for them. The bugs had been targeted before the public announcement and activity surrounding them increased soon after.
On March 3, CISA published an advisory on the exploitation of the Exchange vulnerabilities, and this week it announced an update for that alert, to add Malware Analysis Reports (MARs) that include information on additional attacks.
The first of these provides details on China Chopper webshells that were identified on Exchange servers following initial compromise through the aforementioned vulnerabilities, and which provide adversaries with control over the infected machine.
A total of 10 webshells were identified, CISA notes, but these should not be considered an all-inclusive list of webshells that threat actors are leveraging in attacks targeting Exchange servers.
Additionally, CISA is warning of assaults on Microsoft Exchange that are attempting to drop the DearCry ransomware on vulnerable servers.
Also referred to as DoejoCrypt, DearCry is the first ransomware family known to target Exchange servers. For over two weeks, the Black Kingdom/Pydomer ransomware has been engaging in similar attempts too.
In the newly shared MARs, CISA has included tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), to help defenders identify and remediate potential compromise.
The attacks on Microsoft Exchange servers, however, are far more diverse, and also involve the use of cryptominers in some cases. In fact, Microsoft themselves warned roughly two weeks ago of activity involving the Lemon Duck cryptocurrency botnet.
Now, Sophos reveals that the targeting of Exchange servers for crypto-mining purposes dates all the way back to March 9, hours after Microsoft’s Patch Tuesday updates that addressed the exploited vulnerabilities were released. Ever since, the security firm says, an unknown actor has been compromising servers to deploy a malicious Monero miner.
What makes this attack stand out, however, is the fact that the malicious payload itself is hosted on a compromised Exchange server and is being retrieved through a PowerShell command. The payload masquerades as a legitimate utility, named QuickCPU.
Within days, the miner was loaded onto multiple compromised servers, with the crypto-currency output spiking significantly. The activity continues, albeit at a much lower pace, as the miner has lost some of the infected servers.
Related: CISA Releases Tool to Detect Microsoft 365 Compromise
Related: CISA, FBI Warn of Attacks Targeting Fortinet FortiOS
Related: CISA Warns Organizations About Attacks on Cloud Services
More from Ionut Arghire
- US, Israel Provide Guidance on Securing Remote Access Software
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
Latest News
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
