Prometei botnet uses NSA exploit, hits unpatched MS exchange servers

Unpatched MS Exchange Servers are being hunted by Prometei botnet to expand its army of Monero cryptocurrency mining bots.
Prometei botnet uses NSA exploit, hits unpatched MS exchange servers

According to researchers, there are separate Prometei botnet versions available for Linux and Windows-based systems.

According to a report from Cybereason, unpatched MS Exchange Servers are being hunted by Prometei botnet to expand its army of Monero cryptocurrency mining bots. It doesn’t come as a surprise because the vulnerabilities CVE-2021-27065 and CVE-2021-26858 identified in MS Exchange Servers have made it easier for cybercriminals to exploit the service.

The vulnerabilities are linked to a state-sponsored APT group, Hafnium, that exploited them in MS Exchange Server attacks in March 2021. The perpetrators of this campaign are yet unknown, but Cybereason suspects that the threat actors are Russian as they speak Russian and Prometei is also a Russian term for Prometheus.

Broad Range of Sectors Affected by the Botnet

Prometei botnet threatens various industries as threat actors are looking to deploy malware and credential-stealing tools on compromised devices. According to researchers, sectors like finance, retail, insurance, manufacturing, construction, and travel, etc., are highly vulnerable.

SEE: Cryptojacking botnet Prometei uses NSA exploit to steal data, mine Monero

Moreover, Prometei botnet operators leverage MS Exchange vulnerabilities to target networks in the USA, UK, South America, East Asia, and some European countries. However, Cybereason researchers noted that the attackers are avoiding targets in the Soviet bloc.

How Prometei Attacks MS Exchange Users?

Prometei installs the Monero miner component at all the endpoints of Exchange users through leveraging exploits like EternalBlue and BlueKeep. It can harvest credentials and uses SSH or SQL spreader modules to maintain and amplify its control on the network.

It is worth noting that EternalBlue is a cyberattack exploit developed and used by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hackers on April 14, 2017.

There are separate Prometei versions available for Linux and Windows-based systems, claims Cybereason. Each version can adjust its payload after examining the detected OS and infected machines.

It can also interact with four different C&C servers, which also strengthens the botnet infrastructure and makes it less vulnerable to takedowns.

This modular malware was first spotted in 2020 when it mainly targeted Windows computers through EternalBlue exploit. However, according to Cybereason’s Nocturnus team, the botnet has been active since 2016.

It focuses on deploying the cryptomining payload to start generating revenues for its operators.

“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well,” stated Cybereason, senior director and head of threat research, Assaf Dahan.

According to Cybereason’s blog post, the malware is upgraded with backdoor capabilities and now supports an extensive range of commands, including downloading/executing files, executing commands on behalf of its operators, and searching for files on targeted systems.

“The latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims’ concerns,” the Cybereason team said.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts