Saturday, October 12, 2024

Hackers Using Prometei Botnet to Exploit Microsoft Exchange Vulnerabilities


Researchers from Cybereason have recently announced the discovery of a new, highly targeted botnet campaign that uses the stealthy and widespread Prometei botnet to target companies around the world.

Threat actors are exploiting the recently published Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to penetrate networks indiscriminately. This threat is causing major financial and data losses for businesses.

These vulnerabilities can be chained together by an attacker to authenticate to the Exchange server, gain administrator rights, install malware, and steal data from the infected systems.


In March, more than 10 hacking groups attacked vulnerable Microsoft Exchange servers, deploying miners, ransomware, and web shells on the vulnerable servers.

Microsoft, however, has stated that as of last month nearly 92% of all internet-connected Exchange servers had already received the security patches.

The senior director and head of threat research at Cybereason, Assaf Dahan, said that “the Prometei botnet poses a great risk to the companies around the globe, as they have not been sufficiently informed about it. When attackers take control of the infected machines, they get the ability to steal not only cryptocurrencies but also sensitive information of the victims.”

Key Findings

  • Exploiting Microsoft Exchange Vulnerabilities
  • Wide range of Victims
  • Exploiting SMB and RDP Vulnerabilities
  • Cross-Platform Threat
  • Cybercrime with APT Flavor
  • Resilient C2 Infrastructure
  • Older than it Seems

This modular malware was initially detected by cybersecurity experts last year, and it is capable of infecting both Windows and Linux systems.

It has also previously used the EternalBlue exploit to spread across compromised networks and infect vulnerable systems.

Security researchers at the Cybereason Nocturnus team have stated that Prometei has been known to the cybersecurity community since 2016. The botnet was recently updated, and its operators have added the ability to exploit the ProxyLogon vulnerabilities.

As a result, the Prometei botnet now attacks Microsoft Exchange servers and installs Monero cryptocurrency-mining payloads on the infected machine.

The botnet then seeks to spread across the infected network using exploits such as EternalBlue and BlueKeep, credential harvesting, SMB and RDP exploits, and other modules such as an SSH client and an SQL spreader.

If these fail, the malware launches the EternalBlue exploit, forcing a rollback of SMB to the vulnerable version 1, and then BlueKeep.
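The spreading behaviour described above leaves two signals a defender can look for in network telemetry: one internal host opening SMB (445) and RDP (3389) connections to many peers in a short span, and SMB connections where the legacy SMB1 dialect was negotiated even though modern hosts should refuse it. The following is an added example, not code from the article or from Cybereason; the flow records, field layout, and the fan-out threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of network-connection records (not real telemetry):
# (source host, destination host, destination port, SMB dialect negotiated or None).
# "exch01" stands in for a compromised Exchange server fanning out to workstations.
SAMPLE_FLOWS = [
    ("exch01", "ws01", 445, "SMB 3.1.1"),
    ("exch01", "ws02", 445, "SMB 1.0"),
    ("exch01", "ws03", 445, "SMB 1.0"),
    ("exch01", "ws04", 3389, None),
    ("exch01", "ws05", 3389, None),
    ("exch01", "ws06", 445, "SMB 1.0"),
    ("fs01", "ws01", 445, "SMB 3.1.1"),
    ("ws07", "fs01", 445, "SMB 3.0.2"),
]

# Ports used by the SMB and RDP spreading modules described in the article.
LATERAL_PORTS = {445, 3389}

# Assumed tuning value: how many distinct peers one source must touch before
# it is reported. Real deployments would derive this from a baseline.
FANOUT_THRESHOLD = 5


def smb1_downgrades(flows):
    """Return (src, dst) pairs where SMB1 was negotiated on port 445.

    SMB1 should be disabled on supported Windows versions, so any hit on a
    modern host points to a forced dialect downgrade or a misconfiguration
    worth investigating.
    """
    return [
        (src, dst)
        for src, dst, port, dialect in flows
        if port == 445 and dialect is not None and dialect.startswith("SMB 1")
    ]


def fanout_sources(flows, threshold=FANOUT_THRESHOLD):
    """Return {source: distinct_targets} for sources that contacted at least
    `threshold` distinct hosts on SMB or RDP ports."""
    targets = defaultdict(set)
    for src, dst, port, _dialect in flows:
        if port in LATERAL_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dst in smb1_downgrades(SAMPLE_FLOWS):
        print(f"SMB1 negotiated: {src} -> {dst}")
    for src, count in fanout_sources(SAMPLE_FLOWS).items():
        print(f"lateral fan-out: {src} reached {count} hosts on SMB/RDP")
```

The two checks are independent on purpose: a single SMB1 negotiation on one host is a configuration finding, while fan-out from one source across many peers is the behavioural signature of a worm-like spreader; a host that trips both at once deserves immediate triage.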

The threat actors' primary goal is to install cryptojacking malware, a Monero miner, to mine cryptocurrency on the infected machines.

The Prometei botnet generally exploits the vulnerabilities in Microsoft Exchange servers to gain initial network access and then tries to infect as many endpoints as possible, using a set of known attack methods to move laterally across the network.

Moreover, the updated version of the malware has backdoor capabilities with support for an extensive set of commands that includes downloading and executing files, searching for files on compromised machines, and executing programs or commands on behalf of the threat actors.

File names used

  • C:\dell\searchindexer.exe
  • C:\dell\desktop.dat
  • C:\Windows\svchost.exe
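Two of the file names above impersonate legitimate Windows binaries (svchost.exe and the Windows Search indexer) but sit in directories where those binaries never live. A defender can turn that into a simple triage rule over process-creation telemetry: flag an exact match on the reported paths, and separately flag any svchost.exe or searchindexer.exe launched from outside its expected system directory, which also catches variants that change the staging folder. This is an added example, not code from the article or from Cybereason; the event records are constructed, and the field names (host, image, parent) are assumptions modelled loosely on what an EDR or Sysmon process-creation event provides.

```python
import ntpath

# Constructed process-creation events (not real telemetry). Field names are
# assumed for illustration; map them onto your own EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws02", "image": r"C:\Windows\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\dell\searchindexer.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\SearchIndexer.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws04", "image": r"C:\Users\alice\AppData\Local\Temp\notes.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# File paths the article reports Prometei using, lower-cased for comparison.
PROMETEI_PATHS = {
    r"c:\dell\searchindexer.exe",
    r"c:\dell\desktop.dat",
    r"c:\windows\svchost.exe",
}

# Directories where the impersonated system binaries legitimately live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "searchindexer.exe": {r"c:\windows\system32"},
}


def normalize(path):
    """Canonicalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").lower()


def classify_event(event):
    """Return the list of findings for one process-creation event (empty if clean)."""
    image = normalize(event["image"])
    directory, name = ntpath.split(image)
    findings = []
    if image in PROMETEI_PATHS:
        findings.append("known Prometei path")
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        findings.append(f"{name} launched outside its expected directory")
    return findings


def triage(events):
    """Return (host, image, findings) for every event that produced a finding."""
    hits = []
    for event in events:
        findings = classify_event(event)
        if findings:
            hits.append((event["host"], event["image"], findings))
    return hits


if __name__ == "__main__":
    for host, image, findings in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {'; '.join(findings)}")
```

The path-location check is the more durable of the two rules: exact IoC paths change between campaigns, but a process named svchost.exe running from C:\Windows rather than C:\Windows\System32 is anomalous regardless of which malware dropped it.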

Breakdown of Mitre ATT&CK

The cybersecurity analysts have also noted that the operators of the Prometei botnet want long-term persistence in the compromised network, using methods associated with advanced persistent threat (APT) groups and government-backed hacking groups.

Apart from this, the security researchers believe that the Prometei botnet is still looking for new targets, and the best way to avoid becoming a victim is to apply all the security updates Microsoft has released for vulnerable Exchange Server versions.

As for the crypto-miner itself, it is highly resource-intensive and degrades network stability and performance, which in turn affects business continuity.

Affected organizations should first establish a sound process for managing and applying patches, and patch all vulnerable systems. Security and IT teams play the key role in preventing such incidents, as they continuously track known threats and report them to the organization for mitigation.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
