After Hafnium come the miners: attackers are now also using the vulnerabilities in Exchange servers to install cryptomining malware, warns the computer emergency response team (CERT-Bund) of the Federal Office for Information Security (BSI). In Germany the malware DLTMiner was found “on at least 600 Exchange servers”. These include both still-vulnerable installations and already patched servers that were infected before the software update was applied.
According to CERT-Bund, around 12,000 of the 56,000 Exchange servers in Germany are still vulnerable. The BSI therefore urgently warns that any unpatched systems should be updated immediately. In addition, administrators are strongly advised to carefully examine patched servers as well for signs of compromise, since the patch closes the vulnerability but does not remove malware that was installed before it.
Exploits in the wild
Back in December, Taiwanese security experts had found a previously unknown vulnerability in Exchange Server and subsequently detected an exploit that allowed attackers to bypass authentication and gain administrator-level access to the server.
The vulnerabilities were apparently already being actively exploited at that point. After Microsoft announced a patch, the attackers launched a large-scale attack on the still-open zero-day vulnerabilities at the end of February and installed backdoors on the compromised systems. The BSI had declared the threat level “red”.
Microsoft and security experts see the Chinese group “Hafnium” behind the attacks. However, other groups quickly jumped on the bandwagon. In addition to cyber espionage, the vulnerabilities are now also being exploited to install ransomware. Security experts from ESET had also found traces of the crypto miner DLTMiner for the first time.