Quote:Cryptojacking can be added to the list of threats that face any unpatched Exchange servers that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.
Researchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain—which suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to webshells—to host Monero cryptomining malware, according to a report posted online this week by SophosLabs.
“An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos principal researcher Andrew Brandt wrote in the report.
Researchers were inspecting telemetry when they discovered what they deemed an “unusual attack” targeting the customer’s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.
Researchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of indicators of compromise on the SophosLabs GitHub page to help organizations recognize if they’ve been attacked in this way.
Read more: Attackers Target ProxyLogon Exploit to Install Cryptojacker | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
