Security researchers have found that a persistent cryptocurrency mining botnet is exploiting even now-unpatched Microsoft Trade servers to expand globally.
Dubbed “Prometei,” the botnet was 1st reported on in July 2020 and is assumed to have been around due to the fact 2016, in accordance to Cybereason Nocturnus.
However, the investigation staff discovered a new progress in that the menace actors guiding it have been exploiting Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858 to penetrate sufferer networks, steal credentials and set up malware.
These bugs are section of the 4 zero-days patched by Microsoft back in March after being exploited by Chinese APT group Hafnium.
“The victimology is really random and opportunistic instead than remarkably targeted, which makes it even a lot more risky and common. Prometei has been noticed to be energetic in systems across a wide variety of industries, like: finance, insurance plan, retail, producing, utilities, travel, and design,” senior danger researcher Lior Rochberger of Cybereason observed in a site post these days.
“It has been observed infecting networks in the US, UK and quite a few other European nations, as very well as nations in South The usa and East Asia. It was also noticed that the danger actors look to be explicitly steering clear of infecting targets in previous Soviet bloc international locations.”
Following preliminary exploitation, the botnet is made to spread across the network in buy to put in a Monero miner on as several endpoints as doable. To do this, it works by using attempted-and-analyzed exploits EternalBlue and BlueKeep, as properly as harvesting qualifications, and exploiting SMB and RDP together with other factors this kind of as SSH shopper and SQL spreader, Rochberger claimed.
4 different command-and-handle (C&C) servers incorporate resilience and make it more durable to disrupt the botnet, he extra. Prometei is also designed to use Windows or Linux payloads to compromise person endpoints depending on their OS.
Assaf Dahan, Cybereason senior director and head of threat investigation, argued that the botnet poses a significant risk as it has been less than-reported in the past.
“When the attackers acquire command of contaminated devices, they are not only able of mining bitcoin by thieving processing power, but could exfiltrate delicate facts as nicely,” he extra.
“If they wish to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell accessibility to the endpoints. To make matters worse, crypto-mining drains precious network computing power, negatively impacting enterprise functions and the overall performance and stability of critical servers.”
Some pieces of this posting are sourced from: