Security News > 2021 > April > Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers

Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers
2021-04-23 08:00

Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.

"Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more," Boston-based cybersecurity firm Cybereason said in an analysis summarizing its findings.

The intrusions take advantage of the recently patched vulnerabilities in Microsoft Exchange Servers with the goal of abusing the processing power of the Windows systems to mine Monero.

In the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network.

Recent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called "Microsoft Exchange Defender" that masquerades as a legitimate Microsoft product, which likely takes care of removing other competing web shells that may be installed on the machine so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.

"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/fzitt_8-kGM/prometei-botnet-exploiting-unpatched.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-03-03 CVE-2021-26858 Unspecified vulnerability in Microsoft Exchange Server
Microsoft Exchange Server Remote Code Execution Vulnerability
0.0
2021-03-03 CVE-2021-27065 Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019
Microsoft Exchange Server Remote Code Execution Vulnerability
0.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399