Security researchers have learned that a persistent cryptocurrency mining botnet is exploiting still-unpatched Microsoft Exchange servers to grow globally.
Dubbed “Prometei,” the botnet was first reported on in July 2020 and is thought to have been around since 2016, according to Cybereason Nocturnus.
However, the research team observed a new development: the threat actors behind it have been exploiting the Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858 to penetrate target networks, steal credentials and install malware.
These bugs are part of the four zero-days patched by Microsoft back in March after being exploited by the Chinese APT group Hafnium.
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread. Prometei has been observed to be active in systems across a range of industries, including: finance, insurance, retail, manufacturing, utilities, travel, and construction,” senior threat researcher Lior Rochberger of Cybereason said in a blog post today.
“It has been observed infecting networks in the US, UK and many other European countries, as well as countries in South America and East Asia. It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet bloc countries.”
After initial exploitation, the botnet is designed to spread across the network in order to install a Monero miner on as many endpoints as possible. To do this, it uses the tried-and-tested exploits EternalBlue and BlueKeep, as well as harvesting credentials and exploiting SMB and RDP, alongside other components such as an SSH client and a SQL spreader, Rochberger said.
Four different command-and-control (C&C) servers add resilience and make it harder to disrupt the botnet, he added. Prometei is also designed to use Windows or Linux payloads to compromise individual endpoints depending on their OS.
Assaf Dahan, Cybereason senior director and head of threat research, argued that the botnet poses a serious risk because it has been under-reported in the past.
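The two lateral-movement exploits named above both have well-known host-level mitigations: EternalBlue (CVE-2017-0144) abuses the SMBv1 server, and BlueKeep (CVE-2019-0708) is a pre-authentication RDP bug that Network Level Authentication (NLA) keeps unauthenticated attackers away from. The following PowerShell is an added example for auditing and, optionally, hardening a Windows host against those paths; it is not from the Cybereason report or the article, and the `-Remediate` switch is a hypothetical parameter introduced here.

```powershell
# Added example (not from the Cybereason report or the article): audit and harden
# the SMBv1 and RDP-without-NLA lateral-movement paths used by EternalBlue and
# BlueKeep. Run in an elevated PowerShell session on Windows Server 2012 or later.
# Hypothetical parameter: -Remediate; without it the script only reports.
param([switch]$Remediate)

# 1. SMBv1 server: EternalBlue targets the SMBv1 protocol handler. Report and,
#    if requested, disable it. Patching MS17-010 is still required; this only
#    removes the attack surface on hosts that do not need SMBv1.
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 enabled on this server : $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMB1 protocol disabled on the SMB server."
}

# 2. RDP NLA: BlueKeep fires before authentication, so requiring NLA means an
#    attacker must present valid credentials before the vulnerable code path
#    is reached. Check and, if requested, enforce UserAuthenticationRequired.
$ts = Get-CimInstance -Namespace root\cimv2\TerminalServices `
                      -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-tcp'"
Write-Host "RDP NLA required             : $([bool]$ts.UserAuthenticationRequired)"
if (-not $ts.UserAuthenticationRequired -and $Remediate) {
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = [uint32]1 }
    Write-Host "NLA enforced for the RDP-tcp listener."
}

# 3. Is RDP enabled at all? fDenyTSConnections = 1 means inbound RDP is refused.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -Name fDenyTSConnections
Write-Host "RDP connections allowed      : $($rdp.fDenyTSConnections -eq 0)"
```

Run it without `-Remediate` first across the fleet to see which hosts still expose SMBv1 or accept RDP without NLA; those are the machines a worm that relies on EternalBlue and BlueKeep can reach. Disabling SMBv1 and enforcing NLA do not replace the MS17-010 and CVE-2019-0708 patches, but they cut off the unauthenticated path even on hosts that are behind on updates.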
“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but could exfiltrate sensitive data as well,” he added.
“If they wish to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. To make matters worse, crypto-mining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”
Some parts of this article are sourced from:
www.infosecurity-magazine.com