Unpatched Microsoft Exchange Servers hit with cryptojacking

The hackers are after Monero.
Microsoft logo at a Microsoft store in New York. (John Smith/VIEWpress)

Hackers are hitting Microsoft Exchange Servers with a Monero cryptominer, according to Sophos research published Tuesday.

The attackers, whom Sophos did not identify, began their apparently financially motivated campaign shortly after Microsoft announced four zero-day vulnerabilities, according to Sophos.

The attackers have lost several of the servers they used to steal Monero — a kind of cryptocurrency — from victims, an indication that those with vulnerable machines are applying patches and hunting for compromises. But over the past month, the hackers have looked for new vulnerable servers to exploit, indicating some are still not paying attention to patching notices, Sophos warned.

There were fewer than 10,000 vulnerable systems in the U.S. as of March 22, according to the National Security Council, compared with 120,000 entities that were vulnerable when the vulnerabilities were discovered. As of late March, over 92% of affected servers were patched or mitigated, according to Microsoft.
This particular Monero mining operation kicked off with a PowerShell command that retrieves a file from another compromised server’s Outlook Web Access logon path. That file later lets the hackers inject the miner, after which they delete the evidence that it was injected, according to the research.

According to files Sophos researchers examined, the attacker gave this collection of miners a nickname: “DRUGS.” 

Nation-state hackers and criminals have been rushing to take advantage of the Microsoft flaws since the company announced their existence last month, with security experts warning against an onslaught of webshell, ransomware and cryptojacking attacks. And although organizations have been working to patch against attacks, the Sophos research is a reminder that patching does not necessarily kick out hackers if they’ve already exploited the flaws.

In recent days the FBI has gone to court to remove malicious code from U.S. computers running the Microsoft Exchange Server email program, in an effort to combat criminal and nation-state hacking that takes advantage of the flaws, the Department of Justice announced Tuesday. The DOJ asked for the court order precisely because some organizations “appeared unable” to clean up their systems properly.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.