Target sighted: researchers have discovered a new hacker group named Lemon Duck that is actively exploiting the zero-day vulnerabilities in Microsoft Exchange Server, leaving thousands of organizations in a vulnerable state.
Researchers previously discovered four flaws that were exploited by ProxyLogon, an exploit affecting on-prem Microsoft Exchange Server 2013, 2016, and 2010. The flaws were eventually patched during March.
In the same month, Lemon Duck made a move to plant its botnet on vulnerable servers and use them for cryptocurrency mining. Now, researchers from Cisco Talos have given us a clear glance into the cyberattackers’ current scheme.
The attackers are targeting high-severity vulnerabilities in Microsoft Exchange Server, and the researchers observed a sudden spike in exploitation in April, starting in the US, then Europe and South East Asia, with a substantial spike in India too.
The hackers used automated tools to scan for, detect, and exploit servers before loading payloads, such as Cobalt Strike DNS beacons and web shells, which were then used to deploy mining software and additional malware. The researchers note that the Cobalt Strike tool helps the hackers operate within the organizations’ environment; they also target Microsoft Exchange Server vulnerabilities and compromise the system with their botnet.