Researchers discovered threat actors using Exchange servers that had been compromised through the highly publicized ProxyLogon exploit chain. The researchers published a list of indicators of compromise on the SophosLabs GitHub page to help organizations recognize whether they've been attacked in this way. In March, Microsoft said it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. The attack appears to include a modified version of a tool publicly available on GitHub called PEx64-Injector.
Source: https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/

