A hacking group called Lemon Duck has engaged itself in exploiting Microsoft Exchange Server vulnerabilities and using decoy TLDs (top-level domains). This active exploitation of zero-day Microsoft Exchange Server vulnerabilities referred to a security disaster for organizations spanning thousands in numbers. By all accounts, Microsoft Exchange servers are the target of the sophisticated threat. The detestable cyber-criminal activity takes place through ProxyLogon against North American targets. ProxyLogon involves a group of security bugs attacking on-premises versions of Microsoft Exchange Server software for email.
More precisely, on-premises Microsoft Exchange Server 2010, 2013, and 2016 have got impacted by ProxyLogon. According to estimates, it would compromise around 60,000 organizations. Sadly, nearly ten APT (advanced persistent threat) groups have adopted the flaws in attacks during the current year. It is because exploit code is also now available. Nevertheless, mitigation instructions, patches, and vulnerability detection tools have got made public in March.
The Method of Exploitation by Lemon Duck
In earlier attacks, the use of botnet set into motion accesses to networks of victims. It carries out over the SMB (server message block) protocol by brute-force, Microsoft SQL servers, and Linux machines. Also, Lemon Duck props up outspreading to servers exposed to Hadoop clusters and Redis databases. In the past, its operators also deployed extensive COVID-19 theme spam campaigns for propagation. It exploited one of the Microsoft Office RCE (remote code execution) vulnerabilities to deliver the malware payload.
Lemon Duck operatives utilize automated tools to detect and exploit servers prior to loading payloads. For example, Cobalt Strike DNS (domain name system) signals and web shells. It executes cryptocurrency mining software and further malware.
Lemon Duck embraces different exploit styles. For some cyberattacks, it employs a shell-less web option of direct PowerShell commands. They drop cryptocurrency miners after compromising Microsoft Exchange servers. In its actions, it runs in the direction of turning into a malware loader instead of being a simple miner. Moreover, cybercriminals are leveraging web shells employed on compromised servers to download malicious payloads.
The malware and related PowerShell scripts also eliminate antivirus products and stop services like Windows Defender and Windows Update. Besides, scheduled tasks get made to look after persistence. In ongoing campaigns, the CertUtil command-line program gets used to download two new PowerShell scripts entrusted with removing AV products. It makes persistence schedules and downloads XMRig cryptocurrency miner’s variant.
Cobalt Strike Appended to the Mix
Commercially available, Cobalt Strike is a penetration-testing tool. To detect network vulnerabilities, it sends out beacons. It imitates an attack when leveraged for its planned purpose. Since then, threat actors have understood how to exploit it against the network to deliver malware, withdraw data, and create fake C2 (command-and-control) profiles.
Meanwhile, the Cobalt Strike of Lemon Duck attempts to communicate with the C2 server since its payload gets configured as a Windows DNS beacon. According to researchers, it does it by using a DNS-based covert channel. Subsequently, the beacon communicates with the subdomain to pass encoded data through DNS-A record query requests.
Researchers claim that the exploitation of new tools may enable cybercriminals to operate more efficiently for prolonged periods within victim environments. The innovative tools include Cobalt Strike and other additional obfuscation techniques. New tactics, techniques, and procedures exploiting Microsoft Exchange Server vulnerabilities indicate that those threat actors are now interested in Exchange Servers. They endeavor to compromise more systems, maintaining or increasing the number of systems inside the Lemon Duck botnet.
For this reason, organizations should remain watchful against this threat since it is likely to evolve in the future. Contact us 24/7 to ensure proactive tactics and strategies against evolving cybersecurity threats.