Security experts have recently uncovered a persistent cryptocurrency mining botnet that is taking advantage of unpatched vulnerabilities in Microsoft Exchange servers to expand its reach globally.
Known as “Prometei,” this botnet was first identified in July 2020 and is believed to have been active since 2016, according to findings from Cybereason Nocturnus. Researchers have now discovered that the threat actors behind Prometei are exploiting two Microsoft Exchange vulnerabilities that remain unpatched on many servers, namely CVE-2021-27065 and CVE-2021-26858, to infiltrate networks, steal credentials, and deploy malware.
These vulnerabilities were among the four zero-day flaws that Microsoft patched in March after they were exploited by the Chinese APT group Hafnium. Prometei’s victims appear to be chosen randomly and opportunistically rather than through targeted attacks, which makes it a particularly dangerous and widespread threat. The botnet has been observed targeting organizations across sectors such as finance, insurance, retail, manufacturing, utilities, travel, and construction in the US, the UK, Europe, South America, and East Asia.
Once a system is compromised, Prometei spreads through the network to install a Monero miner on multiple endpoints. To achieve this, the botnet uses well-known exploits such as EternalBlue and BlueKeep, along with credential harvesting, SMB and RDP exploitation, and other components such as an SSH client and an SQL spreader. Additionally, Prometei employs four separate command-and-control servers for added resilience and can deploy Windows or Linux payloads depending on the endpoint’s operating system.
According to Lior Rochberger, a senior threat researcher at Cybereason, the botnet’s activities have been flying under the radar and pose a significant risk due to its ability to mine cryptocurrency, steal sensitive data, and potentially collaborate with ransomware groups to sell access to compromised endpoints. The strain on network resources caused by crypto-mining can also disrupt business operations and impact server performance and stability.
In conclusion, the Prometei botnet represents a serious threat to organizations worldwide, and it is crucial for businesses to promptly patch their Microsoft Exchange servers and implement robust cybersecurity measures to defend against such malicious activities.