Cyber criminals are trying to use vulnerabilities in Microsoft Exchange servers to add to their botnet for mining cryptocurrency – but the level of access they’re gaining means they could use their access for other, much more dangerous cyberattacks.
Detailed by cybersecurity researchers at Cybereason, the Prometei botnet is a widespread global campaign that is targeting organisations in a multi-stage attack.
The cyber criminals behind the botnet are exploiting vulnerabilities in Microsoft Exchange Server as a means of penetrating networks. There are existing security updates, which can be installed in order to protect against attacks, but Prometei is scanning the internet for organisations that have yet to apply the patch and using that to gain a foothold on networks.
SEE: Network security policy (TechRepublic Premium)
Prometei isn’t targeting an organisation in particular; the attackers are just looking for any vulnerable networks they can exploit. According to researchers, the botnet has claimed victims in multiple industries in regions including North America, South America, Europe and East Asia.
The main objective of the attackers is to install cryptojacking malware to mine for Monero – allowing the criminals to secretly use the processing power of infected devices to line their pockets with cryptocurrency.
Prometei uses the vulnerabilities in Microsoft Exchange servers to gain initial access to the network and attempts to infect as many endpoints as it can – using a variety of known attack techniques to move laterally around networks.
These include harvesting login credentials, exploiting RDP vulnerabilities and even using older exploits including EternalBlue and BlueKeep to move around networks, performing the reconnaissance required to compromise as many machines as possible.
Like the Microsoft Exchange Server vulnerabilities, EternalBlue and BlueKeep have received patches – but the attackers are able to exploit organisations that haven’t applied them across their network.
“Unfortunately, having a patch available does not equal rapid deployment of the patch, as we have seen repeatedly in the past. For example, years after the EternalBlue exploit leaked and patches were available, we still kept seeing attackers exploiting this vulnerability,” Assaf Dahan, head of threat research at Cybereason told ZDNet.
Those behind Prometei appear to want to achieve long-term persistence on the network and they do that by using techniques associated with sophisticated cyber-criminal operations and even nation-state hacking groups.
For now at least, Prometei is focused on mining for cryptocurrency.
“The longer they can remain undetected on the network, the more cryptocurrency is being mined. Therefore, they improved the botnet’s resilience, added stealth features to the malware and used techniques and tools that are many times associated with Advanced Persistent Threats,” said Dahan.
“If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints,” he added.
Not much is known about the cyber-criminal operation behind Prometei, but according to Cybereason analysis of the group’s activity suggests it’s Russian speaking – and it appears as if the group actively looks to avoid infecting targets in Russia.
SEE: Hackers are actively targeting flaws in these VPN devices. Here’s what you need to do
The name of the botnet “Prometei” is also the Russian word for Prometheus, the titan God for fire in Greek mythology.
Prometei is still believed to be actively scanning for new targets to infect – and the best way to avoid falling victim is to apply the critical security updates for Microsoft Exchange Server.
“First and foremost, organisations should strive to have a good patch management procedure and to patch potentially vulnerable systems,” said Dahan.
“But most importantly, IT and security teams should be proactive and continuously hunt for known threats,” he concluded.