Researchers Uncover Cryptocurrency Mining Botnet Exploiting Microsoft Exchange Servers
A recent discovery by security researchers has unveiled a persistent cryptocurrency mining botnet that is taking advantage of unpatched vulnerabilities in Microsoft Exchange servers to expand its reach globally.
Origins of the Botnet
Known as “Prometei,” this botnet first came to light in July 2020 and, according to Cybereason Nocturnus, is believed to have been operational since 2016. In a new development, the threat actors behind Prometei have begun leveraging the Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858 to infiltrate networks, steal credentials, and deploy malware.
These vulnerabilities were part of the four zero-day flaws addressed by Microsoft in March after being exploited by the Chinese APT group Hafnium.
Global Impact and Modus Operandi
The researchers noted that Prometei’s targets are diverse and widespread, spanning industries such as finance, insurance, retail, manufacturing, utilities, travel, and construction. The botnet has been observed in the US, UK, various European countries, South America, and East Asia, deliberately avoiding former Soviet bloc nations.
Following the initial breach, Prometei propagates through the network to deploy a Monero miner on numerous endpoints. It uses known exploits such as EternalBlue and BlueKeep, steals credentials, and abuses SMB and RDP, and it carries additional components, including an SSH client and a SQL spreader, to achieve its objectives.
To enhance resilience, the botnet employs four distinct command-and-control servers, utilizing Windows or Linux payloads based on the targeted endpoint’s operating system.
Potential Risks and Implications
Cybereason’s senior threat researcher, Lior Rochberger, emphasized the significant risks posed by Prometei and noted that it had previously been underreported. The botnet’s capabilities extend beyond cryptocurrency mining: attackers can use it to exfiltrate sensitive data, deliver additional malware, or collaborate with ransomware groups to monetize compromised endpoints.
Moreover, the strain on network resources caused by crypto-mining can impair business operations, affecting server performance and stability.
In conclusion, the emergence of Prometei underscores the evolving landscape of cyber threats and the critical importance of promptly applying security patches to safeguard against exploitation by malicious actors.