Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers (Security News, April 2021)

Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines into a cryptocurrency-mining botnet named Prometei, according to new research.
"Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more," Boston-based cybersecurity firm Cybereason said in an analysis summarizing its findings.
The intrusions take advantage of the recently patched vulnerabilities in Microsoft Exchange Servers with the goal of abusing the processing power of the Windows systems to mine Monero.
In the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network.
Recent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called "Microsoft Exchange Defender" that masquerades as a legitimate Microsoft product. This module likely removes competing web shells installed on the machine so that Prometei keeps the system's resources for itself and can mine cryptocurrency efficiently.
"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks."
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-03-03 | CVE-2021-26858 | Unspecified vulnerability in Microsoft Exchange Server (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |
| 2021-03-03 | CVE-2021-27065 | Path Traversal vulnerability in Microsoft Exchange Server 2013/2016/2019 (Microsoft Exchange Server Remote Code Execution Vulnerability) | 0.0 |