Security experts have discovered a large-scale cryptocurrency botnet targeting the Microsoft Exchange vulnerabilities associated with the recent Hafnium attacks. Dubbed Prometei, the botnet was unearthed by researchers from the Cybereason Nocturnus team.
The threat actors behind the botnet are piggybacking on four zero-day vulnerabilities in the Microsoft Exchange email server, collectively referred to as the ProxyLogon vulnerabilities, that were first exploited by Chinese state-sponsored threat actors known as Hafnium.
Despite various efforts, including Microsoft’s one-click tool to patch the vulnerabilities and the FBI’s actions to remove backdoors from hacked servers, attackers still sense enough opportunity to exploit the vulnerabilities. In fact, Cybereason’s research highlights victims across a variety of industries and from countries all around the world.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
“The Prometei Botnet poses a big risk for companies because it has been under reported. When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but could exfiltrate sensitive information as well,” said Assaf Dahan, Senior Director and Head of Threat Research, Cybereason.
Lethal threat
Cybereason shares that Prometei has versions for both Windows and Linux installations, and it selects the appropriate payload based on the operating system on the targeted machine.
The threat actors, who are Russian speakers as per Cybereason’s research, use the botnet to install the Monero crypto-miner on corporate endpoints.
In addition to the Microsoft Exchange vulnerabilities, they also make use of the EternalBlue and BlueKeep exploits to move across networks.
In her breakdown of the Prometei botnet, Lior Rochberger, a threat researcher at Cybereason, warns that the threat actors can also infect the compromised endpoints with other malware and might even sell access to the endpoints to ransomware gangs, which makes it a fairly lethal threat.
