Security researchers have discovered that a persistent cryptocurrency mining botnet is exploiting still-unpatched Microsoft Exchange servers to grow globally.
Dubbed “Prometei,” the botnet was first reported on in July 2020 and is thought to have been around since 2016, according to Cybereason Nocturnus.
However, the research team found a new development in that the threat actors behind it have been exploiting Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858 to penetrate victim networks, steal credentials and install malware.
These bugs are part of the four zero-days patched by Microsoft back in March after being exploited by Chinese APT group Hafnium.
“The victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread. Prometei has been observed to be active in systems across a variety of industries, including: finance, insurance, retail, manufacturing, utilities, travel, and construction,” senior threat researcher Lior Rochberger of Cybereason noted in a blog post today.
“It has been observed infecting networks in the US, UK and many other European countries, as well as countries in South America and East Asia. It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet bloc countries.”
After initial exploitation, the botnet is designed to spread across the network in order to install a Monero miner on as many endpoints as possible. To do this, it uses tried-and-tested exploits EternalBlue and BlueKeep, as well as harvesting credentials, and exploiting SMB and RDP alongside other components such as SSH client and SQL spreader, Rochberger said.
Four separate command-and-control (C&C) servers add resilience and make it harder to disrupt the botnet, he added. Prometei is also designed to use Windows or Linux payloads to compromise individual endpoints depending on their OS.
Assaf Dahan, Cybereason senior director and head of threat research, argued that the botnet poses a serious risk as it has been under-reported in the past.
“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but could exfiltrate sensitive information as well,” he added.
“If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. To make matters worse, crypto-mining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”