CATEGORIES
home News

Lemon Duck Botnet Evolves To Pummel Victims Using Microsoft Exchange Server Vulnerabilities

by Nathan OrdMonday, May 10, 2021, 03:15 PM EDT
lemon duck botnet adapting techniques according to cisco talos
When it was found that Microsoft Exchange on-premises was vulnerable to hackers, quite a bit of havoc ensued across a wide range of industries. Since then, the FBI obtained a court order to go in and remove backdoors to hacked servers, but there are likely many hacked Exchange servers still out there. In recent days, researchers have noticed an uptick in DNS queries and new infrastructure and components associated with the Lemon Duck cryptocurrency mining botnet that targeted these vulnerable Exchange servers.

In March, Microsoft first caught onto Lemon Duck “adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands” for some attacks. They managed to compromise many Exchange servers, dropping cryptocurrency miners along the way, but slowly “moved in the direction of being more of a malware loader than a simple miner.”

data lemon duck botnet adapting techniques according to cisco talos
DNS Query Data From Cisco Talos

Since April, Talos has been following Lemon Duck and observing updated infrastructure and new components targeting unpatched Microsoft Exchange servers and then attempting to download Cobalt Strike DNS beacons, which concurs with Microsoft’s conclusions about Lemon Duck. On Friday, researchers from Cisco Talos posted a deep dive into the Lemon Duck botnet, explaining the “updated tactics, techniques, and procedures (TTPs) associated with this threat actor.”

Talos’ posting noted several new Lemon Duck domains saw a spike in usage around April 9th of this year. It is reported that many of these requests “originated from North America, followed by Europe, South East Asia, with a few others from South America and Africa.” What is interesting about all of this is that Lemon Duck is changing its tactics constantly to “maximize their ability to achieve their mission objectives.” The threat actor has been found to remove antivirus products, tear down protections, and attempt to spread over networks to keep an income flow.

Whatever the attackers end up developing, companies need to be aware that hackers are always out there trying to make money and attack systems. If you happen to have an on-premises Exchange server, heed this as a warning that it needs to be patched and checked over to ensure it was not breached. Otherwise, you may have to worry about Lemon Duck soon.
Tags:  Microsoft, Malware, security, cybersecurity, Microsoft-Exchange, cryptocurrency, (nasdaq:msft), microsoft-exchange-server
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

HotTech

Reprints/Permissions

MORE

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2023 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment