Security News > 2021 > April > Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities
The recent Microsoft Exchange Server vulnerabilities might have initially been exploited by a government-backed APT group, but cybercriminals soon followed suit, using them to deliver ransomware and grow their botnet.
One perpetrator of the latter activities is Prometei, a cross-platform, modular Monero-mining botnet that seems to have flown under the radar for years.
Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, in a variety of industries.
One thing that the responders noticed is that the botnet avoids targets in former Soviet bloc countries.
Aside from exploiting CVE-2021-27065 and CVE-2021-26858, two MS Exchange vulnerabilities, the botnet also uses known exploits to leverage old security issues in the SMB and RDP protocols and brute-forces SSH credentials to spread to as many endpoints on the compromised network as possible.
"Between 2019-early 2020, the operators of Prometei made some significant changes to the botnet, which included using 4 different C2 servers embedded in the code - in an attempt to make the botnet more resilient to takedowns. We assess that the latest surge of compromises related to Prometei is another attempt to further build the botnet and expand their operation."
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/WSQLg9JXrvQ/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-03-03 | CVE-2021-26858 | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 7.8 |
| 2021-03-03 | CVE-2021-27065 | Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 7.8 |