ProxyShellMiner Detection: Novel Crypto-Mining Attacks Abusing CVE-2021-34473 and CVE-2021-34523 ProxyShell Vulnerabilities in Windows Exchange Servers 

Stay alert! Threat actors once again set eyes on Microsoft Windows Exchange servers, attempting to compromise them by exploiting infamous ProxyShell vulnerabilities. Cybersecurity researchers have observed a new evasive malicious campaign dubbed “ProxyShellMiner” that exploits two Microsoft Exchange ProxyShell flaws tracked as CVE-2021-34473 and CVE-2021-34523 to deliver cryptocurrency miners. 

Detect ProxyShellMiner Attacks Exploiting Microsoft Exchange ProxyShell Vulnerabilities

With the constantly growing volumes of crypto-mining attacks, organizations are looking for new ways to strengthen their cyber defense capabilities. The latest ProxyShellMiner campaign abusing ProxyShell flaws tracked as CVE-2021-34473 and CVE-2021-34523 applies sophisticated detection evasion techniques and poses a severe threat to compromised organizations enabling threat actors to experiment with a wide range of offensive capabilities, from malware deployment to code execution. 

To help organizations timely identify the presence of infection in their environment, SOC Prime’s Detection as Code platform has recently delivered a new Sigma rule to detect ProxyShellMiner crypto-mining attacks:

Possible ProxyShellMiner Campaign Exploiting CVE-2021-34473 and CVE-2021-34523 [ProxyShell] Vulnerabilities by Detecting Associated Files (via file_event)

This Sigma rule, written by our prolific Threat Bounty developer, Aytek Aytemur, detects malicious files related to a ProxyShellMiner campaign abusing ProxyShell vulnerabilities. The detection is aligned with the MITRE ATT&CK framework v12, addressing the Execution tactic with User Execution (T1204) applied as its primary technique. The Sigma rule can be automatically translated into 20 SIEM, EDR, and XDR solutions shaving seconds off cross-platform threat detection.

Looking for ways to master your Sigma rules and ATT&CK hard skills and gain recognition among industry peers? Join Threat Bounty Program to code your future CV, enabling you to either start a Detection Engineering career or self-advance in cybersecurity by sharing your Sigma rules with the community and monetizing your contributions. 

To be fully equipped with content to detect ongoing ProxyShell exploitation attempts, SOC Prime curates a set of dedicated Sigma rules. Click the buttons below to reach content for CVE-2021-34473 and CVE-2021-34523 vulnerability exploit detection filtered by the corresponding custom tags. All Sigma rules are enriched with CTI, provide ATT&CK references, and offer relevant operation metadata to foster streamlined threat investigation.

Explore Detections for CVE-2021-34473 Explore Detections for CVE-2021-34523

ProxyShellMiner Crypto-Mining Attack Analysis

ProxyShell is a title for a trio of security flaws that, if chained, enable adversaries to perform RCE on targeted Microsoft Windows Exchange servers. These vulnerabilities came to light and were patched by Microsoft back in 2021. However, since then, cyber defenders have been observing diverse exploitation attempts aimed to cripple the affected Exchange servers, like in the series of sophisticated attacks leveraging ProxyShell vulnerabilities to drop web shells on the compromised systems.

In the ongoing crypto-mining attack dubbed “ProxyShellMiner,” hackers weaponize two ProxyShell bugs known as CVE-2021-34473 and CVE-2021-34523 to gain a foothold in the corporate environment.

Morphisec cybersecurity researchers shed light on the related adversary activity. After compromising Exchange servers and gaining control of the organization’s network, adversaries deploy a .NET-based payload into the domain controller’s  folder to make sure that all devices within the affected environment are infected. Notably, the adversary C2 servers hosting the malware-related files appear to be legitimate, which poses a challenge to attack detection. 

ProxyShellMiner applies sophisticated encryption in addition to advanced persistence and detection evasion techniques. According to  Morphisec’s investigation, malware requires a command-line parameter for execution, being further used as a key to configure XMRig payload, also serving as an anti-runtime analysis technique. 

In the second attack phase, ProxyShellMiner downloads a “DC_DLL” file, which is further leveraged for the decryption of other files. Next, threat actors take advantage of the second malicious downloader to gain persistence on the compromised system by running a scheduled task. 

At the final attack stage, cyber defenders observe the use of security evasion techniques that hinder malware detection. This is achieved by generating a firewall rule affecting Windows Firewall profiles, which enables attackers to seamlessly drop the XMrig miner leveraging the commonly used adversary RunPE technique.

Cyber defenders state that ProxyShellMiner infections might be highly hazardous to the organizations’ environment and shouldn’t be taken for granted, since, after gaining access to the compromised network, attackers receive the green light to spread more malicious strains and leverage reverse tunneling to further cripple the infrastructure. 

Looking for a universal tool to streamline your detection code translation to multiple platforms and streamline your IOC-based hunts? Try the new version of SOC Prime’s Uncoder.IO, which allows automatically converting Sigma rules to 27+ SIEM, EDR, and XDR solutions, as well as creating custom IOC queries in a matter of seconds to search for threats in your environment. Both seasoned and aspiring security engineers can also leverage the tool to polish their Sigma rules with in-built automated checks and seamlessly share detection logic with the cyber defender community to drive industry collaboration.