While news of the Exchange vulnerabilities spread, so did the amount of attacks from attentive threat actors.

When the news initially broke, security researchers saw Hafnium attacks coming in bunches, but they weren’t the only group in the mix. Among the other groups, activity of one group using Exchange flaws to install web shells on infected servers for cryptomining was discovered.

The expansion from state-sponsored threat actors to cybercrime organizations shows the severity of these attacks and the long-term implications these vulnerabilities will have. At SpearTip, we observed Black Kingdom ransomware being heavily exploited through Exchange servers which shows the different ways threat actors are looking to take advantage of these vulnerabilities.

As for the cryptomining malware, a botnet called Lemon_Duck was discovered using the ProxyLogon exploits through unpatched Exchange servers. In previous attacks, the malware installed XMRig Monero (XMR) CPU coinminers on infected devices to mine cryptocurrency for the malware operators.

The operators are using deployed web shells on compromised servers to download payloads from sites such as p.estonine.com and cdn.chatcdn.net.

In prior attacks, the cryptomining botnet was used to gain access to networks over the SMB protocol using EternalBlue or by brute-forcing their way into Linux machines and MS SQL servers.

Many unpatched servers remain according to scans completed by multiple security groups. Get ahead of the threats looking to do harm to your organization with SpearTip’s security operations center. Not only can we respond to incidents and intrusions immediately, but we can also provide proactive services to ensure your organization isn’t impacted by threats in the first place.