Microsoft warns of this unusual malware that targets Windows and Linux

Microsoft is warning customers about LemonDuck, a cryptomining malware that targets both Windows and Linux systems and spreads via phishing emails, exploits, USB devices and brute-force attacks, as well as through attacks on the critical on-premises Exchange Server vulnerabilities disclosed in March.


The group was found to be using the Exchange bugs to mine cryptocurrency in May, two years after it first appeared.

Notably, the group behind LemonDuck piggybacks on high-profile security bugs: it exploits older vulnerabilities while security teams are busy fixing the critical ones, and it even removes competing malware from the machines it infects.

“[LemonDuck] continues to use older vulnerabilities, which benefit attackers at times when the focus is on remedying a popular vulnerability rather than investigating trade-offs,” notes the Microsoft 365 Defender Threat Intelligence team.

“In particular, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing further infection by patching the same vulnerabilities it used to access.”

Cisco Talos malware researchers also examined the group’s Exchange activity. They found that LemonDuck used automated tools to scan for, detect and exploit servers before loading payloads such as the Cobalt Strike penetration-testing kit, a favored tool for lateral movement, and web shells that let the malware install additional modules.

According to Microsoft, LemonDuck initially hit China hardest but has since spread to the US, Russia, Germany, the UK, India, Korea, Canada, France and Vietnam. It focuses on the manufacturing and IoT sectors.

This year, the group has stepped up hands-on-keyboard (manual) hacking following an initial breach. The group is selective in its targets.

The group also built automated tasks to exploit the NSA’s EternalBlue SMB exploit, which was disclosed by Kremlin-backed hackers and used in the WannaCry ransomware attack in 2017.

“The task was used to integrate the PCASTLE tool in order to achieve a few objectives: to abuse the EternalBlue SMB exploit, as well as to use brute force or pass the hash to move sideways and start the operation again. These behaviors are still observed in LemonDuck campaigns today,” notes the Microsoft security team.

LemonDuck takes its name from the “Lemon_Duck” variable in a PowerShell script that acts as a user agent to track infected devices.
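Because the “Lemon_Duck” user-agent string is the one concrete network indicator this article names, a defender can sweep outbound proxy logs for it. The Python below is an added example, not Microsoft’s or the article’s code; it assumes a constructed access-log layout in which the quoted User-Agent is the last field, and every log line, host and URL in it is made up.

```python
import re
from collections import defaultdict

# Constructed sample proxy access log (not real data). Assumed layout:
# timestamp duration client_ip status bytes method url user hierarchy type "User-Agent"
SAMPLE_LOG = """\
1626900000.123 45 10.0.1.15 TCP_MISS/200 512 GET http://update.example.test/ping - HIER_DIRECT/203.0.113.9 text/plain "Lemon_Duck/6.2 (Windows 10.0)"
1626900001.456 30 10.0.1.22 TCP_MISS/200 2048 GET http://intranet.example.test/ - HIER_DIRECT/10.0.0.5 text/html "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0"
1626900002.789 51 10.0.1.15 TCP_MISS/200 128 POST http://update.example.test/report - HIER_DIRECT/203.0.113.9 text/plain "Lemon_Duck/6.2 (Windows 10.0)"
1626900003.012 22 10.0.1.40 TCP_MISS/200 128 GET http://update.example.test/ping - HIER_DIRECT/203.0.113.9 text/plain "lemon_duck (Linux x86_64)"
1626900004.345 19 10.0.1.22 TCP_MISS/404 0 GET http://intranet.example.test/missing - HIER_DIRECT/10.0.0.5 text/html "curl/7.68.0"
"""

# One regex for the assumed layout; the quoted User-Agent is the final field.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)'
    r'\s+.*?"(?P<ua>[^"]*)"\s*$'
)

# The marker the article names; matched case-insensitively since samples vary in case.
MARKER = "lemon_duck"


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_lemonduck_beacons(log_text):
    """Map each client IP whose User-Agent carries the marker to the URLs it requested."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # malformed line: skip it rather than abort the whole sweep
        if MARKER in fields["ua"].lower():
            hits[fields["client"]].append(fields["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(find_lemonduck_beacons(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} request(s) with the Lemon_Duck user agent -> {urls}")
```

Hosts returned here are candidates for isolation and disk triage, not confirmed infections; a spoofed or coincidental user agent is possible, so confirm on the endpoint.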

The vulnerabilities it targets for initial compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).

“Once in a system with an Outlook mailbox, as part of its normal operating behavior, LemonDuck attempts to run a script that uses the credentials present on the device. The script prompts the mailbox to send copies of a phishing message with predefined messages and attachments to all contacts,” notes Microsoft.
