A cryptocurrency mining botnet is steadily gaining rounds exploiting unpatched Microsoft Exchange servers, according to a cybersecurity firm Cybereason Nocturnus.
The botnet, dubbed by the researchers “Prometei,” was first described in July 2020. Apparently, its operators have shifted their focus to the notorious Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858. Cybercriminals are trying to penetrate victim networks, steal credentials, and install malware.
Attackers target a variety of industries and do not show much regularity, according to the researchers:
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread. Prometei has been observed to be active in systems across a variety of industries, including: finance, insurance, retail, manufacturing, utilities, travel, and construction,” Lior Rochberger, Cybereasons’ senior threat researcher noted in a blog post today.
The researchers observed that attackers mainly target victims in the West and avoid former USSR countries:
“It has been observed infecting networks in the US, UK and many other European countries, as well as countries in South America and East Asia. It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet bloc countries.”
After initial infiltration, the botnet spreads laterally within the network and installs a Monero miner on as many machines as possible. To this end, attackers use popular exploits EternalBlue and BlueKeep, as well as try to steal credentials and exploit SMB and RDP, SSH client, and SQL spreader, Rochberger said.
Threat actors use four command-and-control (C&C) servers for added resilience and to make it harder to thwart Prometei.
Researchers warn that the botnet poses a serious risk and argue it has been under-reported:
“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but could exfiltrate sensitive information as well.”
