Microsoft Exchange exploits now used by cryptomining malware

The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.

The malware is known for installing XMRig Monero (XMR) CPU coinminers on infected devices to mine cryptocurrency for the botnet's owners.

Lemon_Duck's ongoing attacks on vulnerable Exchange servers have already reached a massive scale, according to Costin Raiu, director of Kaspersky's Global Research and Analysis Team.

The attackers are using web shells deployed on compromised servers to download malicious payloads from p.estonine[.]com and cdn.chatcdn[.]net.

These indicators of compromise associated with Lemon_Duck were also observed by Huntress Labs while analyzing mass exploitation of on-premises Microsoft Exchange servers.
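The two download domains above are the only concrete indicators the article gives, and the first thing a defender does with them is sweep existing proxy or DNS logs. The following script is an added example (not from the article or from any of the vendors quoted) that refangs the published indicators, parses Squid-style proxy access lines, and reports every client that contacted one of the domains or a subdomain of it; the log lines are constructed for the example and the Squid field layout is an assumption.

```python
"""
Sweep web-proxy access logs for the Lemon_Duck payload-download domains
named in the article (p.estonine[.]com and cdn.chatcdn[.]net).
Added example: the log lines below are constructed, not real telemetry.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators exactly as published, in defanged form.
DEFANGED_IOCS = ["p.estonine[.]com", "cdn.chatcdn[.]net"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def host_matches(host: str) -> Optional[str]:
    """Return the matching IoC when host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Assumed Squid access.log layout:
# timestamp elapsed client action/status bytes method url ident hierarchy type
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, matched_ioc, url) for every request whose host matches an IoC.

    CONNECT requests carry a bare host:port instead of a URL, so the value is
    prefixed with '//' to let urlparse extract the hostname in both cases.
    """
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # malformed or non-access line; skip rather than crash
        url = m.group("url")
        host = urlparse(url if "://" in url else "//" + url).hostname
        if host is None:
            continue
        ioc = host_matches(host)
        if ioc:
            hits.append((m.group("client"), ioc, url))
    return hits


# Constructed sample log: two clients reach the published domains, one does not,
# one uses CONNECT (bare host:port), and one line is unparseable.
SAMPLE_LOG = [
    "1615300001.123 210 10.0.0.5 TCP_MISS/200 4120 GET http://p.estonine.com/update.txt - HIER_DIRECT/203.0.113.10 text/plain",
    "1615300002.456 15 10.0.0.5 TCP_MISS/200 512 GET http://cdn.chatcdn.net/p?x - HIER_DIRECT/203.0.113.11 text/plain",
    "1615300003.789 33 10.0.0.7 TCP_MISS/200 9000 GET http://www.example.com/ - HIER_DIRECT/203.0.113.12 text/html",
    "1615300004.000 40 10.0.0.9 TCP_TUNNEL/200 1200 CONNECT cdn.chatcdn.net:443 - HIER_DIRECT/203.0.113.13 -",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for client, ioc, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {ioc} ({url})")
```

Run against a real export, the per-client hits are the hosts to pull web-shell triage on first; matching on subdomains as well as the exact host keeps a trivially rotated label from slipping past the sweep.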

Continuously updated cryptomining botnet

In previous attacks, the botnet was used to gain access to victims' networks over the SMB protocol using EternalBlue or by brute-forcing Linux machines and MS SQL servers.

Lemon_Duck also supports spreading to servers running exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

Its operators also employed large-scale COVID-19-themed spam campaigns for propagation in the past, exploiting the CVE-2017-8570 Microsoft Office remote code execution (RCE) vulnerability to deliver the malware payload.

"The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we've seen," Sophos security researcher Rajesh Nataraj said.

"Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is 'fileless,' meaning it remains memory resident and leaves no trace of itself on the victim's filesystem."

Exchange servers targeted by ransomware, state hackers

Since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, at least ten APT groups have been spotted by Slovak internet security firm ESET targeting unpatched Exchange servers.

ESET also detected the deployment of PowerShell downloaders on multiple email servers via attack infrastructure previously linked to the DLTMiner coin-mining campaign.

A (mostly) working ProxyLogon proof-of-concept exploit was shared earlier this week (and later removed) by a Vietnamese security researcher.

Since March 9th, the operators of a new human-operated ransomware dubbed DearCry have also been encrypting unpatched Microsoft Exchange servers.

According to Palo Alto Networks' telemetry data, more than 125,000 Exchange Servers worldwide still wait to be patched.

Tens of thousands of organizations have already been compromised following ongoing attacks exploiting the ProxyLogon flaws since at least January, two months before Microsoft started releasing patches.
