Cybercriminals Install Malware on Microsoft Exchange Servers

Cyberattackers have begun scanning the internet for unpatched Microsoft Exchange servers so that they can use them to mine cryptocurrency. Cybersecurity researchers warn that it is free money for the attackers.

Cybercriminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware designed to secretly use the servers' processing power to make money.

Last month, Microsoft released critical security updates to prevent exploitation of vulnerable systems.
Cyberattackers are now trying to take advantage of Exchange servers that remain unpatched, and more than one group of hackers is using the same strategy.

Cybersecurity researchers have identified attackers attempting to take advantage of Microsoft Exchange Server. They use the ProxyLogon exploit to secretly install a Monero cryptominer on Exchange servers.

Server hardware is desirable for cryptojackers because it has higher performance than a desktop or laptop. The vulnerability allows attackers to scan the whole internet for vulnerable machines and roll them into their mining network. Andrew Brandt, a principal threat researcher at Sophos, said that it's free money rolling in for the cryptojackers.

Monero isn't as valuable as Bitcoin. Still, it is easier to mine and it provides anonymity, so the owner of the wallet is hard to trace.

Cryptocurrency miners might not sound as bad as a ransomware attack, but they should still concern organizations.

That's because a miner shows that cyberattackers have been able to gain access to the network, and that the organization still hasn't applied the updates that protect against all manner of attacks.

According to an analysis by Sophos, the attacker's Monero wallet began to receive funds in March, a few days after the Exchange vulnerabilities came to light.

What kind of process is it?

The attacks begin with a PowerShell command that retrieves a file from a compromised server's Outlook Web Access login path. That file in turn downloads executable payloads that install the Monero miner.

Researchers said that the executable files appear to contain a modified version of a publicly available tool on GitHub. Once a compromised server runs the content, the evidence of installation is removed from disk while the mining process keeps running in memory.
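For defenders, the useful detail in the staging chain above is that the miner's components are fetched from the server's own OWA login path. The following Python script is an added example, not code from this article or from Sophos: it parses IIS W3C log lines and flags requests under the OWA login path that served file types OWA never serves (scripts, executables, archives) or that were fetched by a PowerShell user agent. The log lines, the `/owa/auth/` prefix, the suspicious-extension list and the `WindowsPowerShell` user-agent marker are all assumptions for illustration; adjust them to your own Exchange layout.

```python
from urllib.parse import unquote

# Assumptions for this example (not from the article): OWA's login path, the file
# types OWA never legitimately serves, and the substring that PowerShell's default
# web-request user agent carries.
OWA_AUTH_PREFIX = "/owa/auth/"
SUSPICIOUS_EXT = {".ps1", ".exe", ".bat", ".cmd", ".vbs", ".dll", ".zip", ".txt"}
PS_UA_MARKER = "windowspowershell"

# Constructed IIS W3C log excerpt (sample data, not a real capture). The two
# requests from 10.0.0.5 itself mimic a server fetching payloads from its own OWA path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-10 08:15:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f&reason=0 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-10 08:15:30 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2021-03-10 08:16:41 10.0.0.5 GET /owa/auth/payload.ps1 - 443 - 10.0.0.5 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0)+WindowsPowerShell/5.1 200
2021-03-10 08:16:42 10.0.0.5 GET /owa/auth/helper.exe - 443 - 10.0.0.5 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0)+WindowsPowerShell/5.1 200
2021-03-10 08:17:10 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/logon.css - 443 - 203.0.113.7 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line appeared before the #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole scan
        yield dict(zip(fields, values))


def classify(rec):
    """Return the reasons this request looks like miner staging, or [] if it looks clean."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    ua = unquote(rec.get("cs(User-Agent)", "")).lower()
    status = rec.get("sc-status", "")
    reasons = []
    if not stem.startswith(OWA_AUTH_PREFIX):
        return reasons
    name = stem.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    # Rule 1: a script/binary actually served (200) from the login path.
    if ext in SUSPICIOUS_EXT and status == "200":
        reasons.append(f"served non-OWA file type {ext} from the auth path")
    # Rule 2: the client fetching from the login path is PowerShell, not a browser.
    if PS_UA_MARKER in ua:
        reasons.append("fetched by a PowerShell user agent")
    return reasons


def find_suspicious(text):
    """Return [(uri_stem, client_ip, reasons)] for every flagged request in the log text."""
    hits = []
    for rec in parse_iis_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["cs-uri-stem"], rec["c-ip"], reasons))
    return hits


if __name__ == "__main__":
    for stem, client, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{client} -> {stem}: {'; '.join(reasons)}")
```

Run against a real `u_ex*.log` by reading the file into `find_suspicious`. Both rules fire on the two constructed payload fetches and neither fires on the normal logon page, the `auth.owa` POST or the static stylesheet; a hit where the client IP is the Exchange server itself deserves immediate triage, since that matches the PowerShell-retrieves-from-own-OWA-path pattern the article describes.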
