Attacker leverages cryptominer to target Microsoft Exchange servers



Researchers on Tuesday reported that an unknown attacker compromised one Microsoft Exchange server and used it to host a malicious Monero cryptominer, which was then downloaded and installed on other compromised Exchange servers.


The news came the same day Microsoft told its Exchange customers to install all the latest patches to mitigate the latest vulnerabilities, including newly disclosed critical bugs, advice that was echoed by top cyber officials in the federal government.


In a blog post, SophosLabs said its team was inspecting telemetry when it came across this unusual attack targeting a customer’s Exchange servers – an indication that the mass exploitation of the Exchange server vulnerabilities will continue to cause headaches for security pros.


According to the researchers, “the attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” Based on the Monero blockchain records the researchers observed, the attacker’s wallet began receiving funds on March 9 – the Patch Tuesday of the update cycle in which the Exchange updates were released. This corresponds with when the SophosLabs team first saw the attack begin. During March and into early April the attacker lost several servers and its cryptomining output decreased, but the researchers said it then gained a few new ones that more than made up for the early losses.
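The staging behaviour described above leaves a trace on the server that hosts the payload: its IIS logs record the second-stage download as a request for an archive under /owa/auth, a directory that otherwise only serves the logon page and its static assets. The following script is an added example written for this article, not code from the Sophos report or from Microsoft. It parses IIS W3C log lines (a constructed sample is embedded) and flags requests under /owa/auth for file types the logon page never serves; the field layout, the allowlist of benign extensions and the PowerShell user-agent heuristic are assumptions, and the same allowlist is also applied to a directory listing of the owa\auth folder.

```python
"""Hunt for payloads staged under Exchange's OWA logon path (/owa/auth).

Added example, not code from the Sophos report or from Microsoft. The IIS
field layout, the allowlist of benign extensions and the PowerShell
user-agent check below are assumptions, and the log lines are constructed.
"""
import os
import re
from urllib.parse import unquote

# Assumed W3C field order for the Exchange front-end IIS site (15 fields).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken"]

OWA_AUTH_PREFIX = "/owa/auth/"

# Assumption: file types the OWA logon page legitimately serves from /owa/auth.
BENIGN_EXT = {".aspx", ".css", ".js", ".png", ".gif", ".jpg", ".ico", ".svg",
              ".woff", ".woff2", ".eot", ".ttf", ".htm", ".html", ".xml"}

# Invoke-WebRequest / WebClient identify themselves with this token by default.
POWERSHELL_UA = re.compile(r"WindowsPowerShell", re.I)


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None for directives or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_unexpected_owa_auth_file(uri_stem):
    """True when a request under /owa/auth/ names a file type the logon page never serves."""
    path = unquote(uri_stem).lower()
    if not path.startswith(OWA_AUTH_PREFIX):
        return False
    name = os.path.basename(path)
    if not name:            # bare directory request, handled by the redirect logic
        return False
    return os.path.splitext(name)[1] not in BENIGN_EXT


def find_staged_payload_requests(log_lines):
    """Return one record per download of an unexpected file from /owa/auth."""
    hits = []
    for line in log_lines:
        rec = parse_iis_line(line)
        if rec is None or rec["method"].upper() not in ("GET", "HEAD"):
            continue
        if not is_unexpected_owa_auth_file(rec["uri_stem"]):
            continue
        hits.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "client": rec["c_ip"],
            "file": os.path.basename(unquote(rec["uri_stem"])),
            "status": int(rec["status"]),          # 200 means the payload was served
            "powershell_client": bool(POWERSHELL_UA.search(rec["user_agent"])),
        })
    return hits


def unexpected_owa_auth_files(names):
    """Apply the same allowlist to the file names found in ...\\FrontEnd\\HttpProxy\\owa\\auth."""
    return [n for n in names if os.path.splitext(n.lower())[1] not in BENIGN_EXT]


# Constructed sample: benign logon traffic plus a PowerShell fetch of win_r.zip
# (the file name named in the Sophos report) and a failed probe for a script.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-09 02:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2021-03-09 02:14:08 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 2
2021-03-09 02:16:41 10.0.0.5 GET /owa/auth/win_r.zip - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.17763.1007 - 200 0 0 118
2021-03-09 02:17:02 10.0.0.5 GET /owa/auth/Current/themes/resources/owa.css - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 4
2021-03-09 02:20:55 10.0.0.5 GET /owa/auth/x.ps1 - 443 - 198.51.100.23 Mozilla/5.0 - 404 0 2 1
"""

if __name__ == "__main__":
    for hit in find_staged_payload_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample the script reports the successful fetch of win_r.zip by a PowerShell client and the 404 probe for x.ps1, while the logon page and its static assets pass. Run it against the front-end site's logs on every Exchange server you own, not just the one showing miner activity, because the host serving the archive is itself a compromised server.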


“It stands to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends,” said Ol ..