In the latest cybercrime developments, researchers have detected a relatively new crypto-mining botnet, Prometei, that is actively exploiting unpatched Microsoft Exchange servers around the globe.
Malicious Prometei Botnet:
According to Cybereason Nocturnus, the crypto-mining botnet, named ‘Prometei Botnet’, is thought to have been active since at least 2016, although it was first officially sighted in July 2020.
Prometei has been actively exploiting the Microsoft Exchange Server vulnerabilities CVE-2021-27065 and CVE-2021-26858 to break into victim networks, exfiltrate data and install additional malware.
These vulnerabilities are part of the four zero-days patched by Microsoft back in March after being exploited by the Chinese APT group Hafnium.
Experts analyzing the Prometei crypto-mining botnet have noted that the malware spreads and selects its victims in a random, opportunistic manner rather than targeting specific organizations.
Hazardous abilities of the crypto miner:
This approach makes the malware even more hazardous, since its targets cannot be predicted. It is also concerning that Prometei is rather arduous to disrupt, because it uses four separate command-and-control (C&C) servers for resilience.
The Prometei botnet has been observed preying on systems across a variety of industries, including finance, insurance, retail, manufacturing, utilities, travel and construction. It has particularly targeted and infected organizations' networks in the US, the UK and many other European countries, as well as countries in South America and East Asia.
It was also noted that the malicious actors behind the malware specifically avoid organizations located in former Soviet bloc countries.
After the initial exploitation, the crypto-mining botnet is designed to spread across the network and install the Monero miner on every endpoint it can reach.
To do so, it uses the well-known EternalBlue and BlueKeep exploits, harvests credentials, and abuses SMB and RDP, alongside other components such as an SSH client and a SQL spreader.
Specially designed to target diverse operating systems:
The Prometei botnet has also been found to be capable of compromising systems running different operating systems.
Once the malicious actors gain control of an infected system, they can steal sensitive data in addition to using its processing power to mine bitcoin.
“If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. To make matters worse, crypto-mining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers,” noted the Cybereason researchers.