Hackers Using Prometei Botnet to Exploit Microsoft Exchange Vulnerabilities


Since March, more than 10 hacking groups have attacked vulnerable Microsoft Exchange servers, dropping miners, ransomware, and web shells on every susceptible server they could reach.

These vulnerabilities can be chained together by an attacker to authenticate to the Exchange server, gain administrator rights, install malware, and steal data from the infected systems.

The primary goal of the threat actors is to install cryptojacking malware, a Monero miner, and use the victim's hardware to mine cryptocurrency.

That is why the Prometei botnet now attacks Microsoft Exchange servers and then deploys its Monero-mining payloads on the infected machine.

The updated version of the malware has backdoor capabilities, with support for an extensive set of commands that includes downloading and executing files, searching for files on compromised machines, and running programs or commands on behalf of the threat actors.

Assaf Dahan, senior director and head of threat research at Cybereason, stated that “the Prometei botnet poses a great threat to businesses around the world, as they have not been adequately informed about it. When adversaries take control of the infected machines, they gain the capability to steal not only cryptocurrencies but also sensitive data of the victims.”

Security researchers at the Cybereason Nocturnus team state that Prometei has been known to the cybersecurity community since 2016. The botnet was recently updated, and its operators have taught it to exploit the ProxyLogon vulnerabilities.

It has also previously used the EternalBlue exploit to spread across compromised networks and take over every vulnerable system it finds.

After initial access, the botnet attempts to spread across the infected network using exploits such as EternalBlue and BlueKeep, credential harvesting, SMB and RDP exploits, and other modules such as an SSH client and an SQL spreader.

The Prometei botnet exploits the vulnerabilities in Microsoft Exchange servers to gain initial network access and then attempts to infect as many endpoints as possible, using a whole set of known attack techniques to move laterally across the network.

This modular malware was first documented by cybersecurity specialists in 2015, and it is capable of infecting both Windows and Linux systems.

Microsoft has already stated that, as of last month, almost 92% of all internet-connected Exchange servers have received the security patches.

Threat actors are exploiting the recently disclosed Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, and CVE-2021-26858) to penetrate networks indiscriminately. This threat is causing major financial and data losses for businesses.
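Patching closes the hole, but a defender also needs to know whether the server was hit before the patch landed. The following Python script is an added example, not code from the article or from Cybereason: it walks Exchange HttpProxy logs (on a real server these live under the Exchange install directory in Logging\HttpProxy) and applies the indicator Microsoft published for CVE-2021-26855 in its March 2021 guidance: a request with an empty AuthenticatedUser whose AnchorMailbox has the form ServerInfo~<host>/<path>. The log lines below are constructed for the example and use only a subset of the real columns; the host names and addresses are made up.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# Indicator published by Microsoft for CVE-2021-26855: an HttpProxy record
# with an empty AuthenticatedUser whose AnchorMailbox looks like
# ServerInfo~<backend host>/<backend path>.
SERVERINFO_RE = re.compile(r"^ServerInfo~[^/]+/")

# Constructed sample in the shape of an Exchange HttpProxy log (a '#Fields:'
# header followed by CSV records). Only a subset of the real columns is used;
# hosts and addresses are made up for this example.
SAMPLE_LOG = (
    "#Software: Microsoft Exchange Server\n"
    "#Log-type: HttpProxy Logs\n"
    "#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,"
    "ProtocolAction,AuthenticatedUser,AnchorMailbox,UserAgent\n"
    # ordinary authenticated OWA traffic
    "2021-03-02T10:15:01.123Z,r1,10.0.0.5,mail.example.test,/owa/,GET,"
    "CONTOSO\\alice,Smtp~alice@example.test,Mozilla/5.0\n"
    # unauthenticated logon page: no user, but no ServerInfo anchor either
    "2021-03-02T10:15:03.000Z,r2,10.0.0.6,mail.example.test,"
    "/owa/auth/logon.aspx,GET,,,Mozilla/5.0\n"
    # the CVE-2021-26855 shape: no user and a ServerInfo~host/path anchor
    "2021-03-02T10:15:07.456Z,r3,203.0.113.9,mail.example.test,/ecp/y.js,GET,,"
    "ServerInfo~a]@mail.example.test/ecp/proxyLogon.ecp,python-requests/2.25.1\n"
    "2021-03-02T10:16:12.000Z,r4,198.51.100.77,mail.example.test,"
    "/autodiscover/autodiscover.xml,POST,,"
    "ServerInfo~localhost/autodiscover/autodiscover.xml,python-requests/2.25.1\n"
    # same anchor shape but authenticated: outside the published rule
    "2021-03-02T10:17:00.000Z,r5,10.0.0.7,mail.example.test,/ecp/,GET,"
    "CONTOSO\\admin,ServerInfo~a]@mail.example.test/ecp/default.aspx,Mozilla/5.0\n"
)


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy(text):
    """Yield one dict per record, taking column names from the '#Fields:' line."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            continue  # records before any header cannot be interpreted
        row = next(csv.reader([line]))
        yield dict(zip(fields, row))


def find_ssrf_hits(text):
    """Return the records matching the CVE-2021-26855 indicator, in file order."""
    hits = []
    for rec in parse_httpproxy(text):
        if rec.get("AuthenticatedUser", "") == "" and SERVERINFO_RE.match(
            rec.get("AnchorMailbox", "")
        ):
            hits.append(Hit(rec.get("DateTime", ""), rec.get("ClientIpAddress", ""),
                            rec.get("UrlStem", ""), rec.get("AnchorMailbox", "")))
    return hits


def hits_by_ip(hits):
    """Count matching requests per source address for triage."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = find_ssrf_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.url_stem} {h.anchor_mailbox}")
    print(hits_by_ip(found))
```

Against the constructed sample the script flags only r3 and r4: r1 and r5 are authenticated, and r2 has no ServerInfo anchor. A hit is evidence that the SSRF stage was reached, not that the later web-shell stage succeeded, so any source address it surfaces should be followed into the ECP server logs and the OAB virtual directory configuration, which is where the ProxyLogon chain writes its web shells.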

Key Findings

Exploiting Microsoft Exchange Vulnerabilities
Vast Array of Victims
Exploiting SMB and RDP Vulnerabilities
Cross-Platform Threat
Cybercrime with APT Flavor
Durable C2 Infrastructure
Older than it Seems

In case of failure, the malware launches the following exploits: EternalBlue, with a forced rollback of SMB to the vulnerable version 1, and BlueKeep.
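The forced rollback to SMB version 1 mentioned above is visible on the wire: a client that is pushing a connection down to SMB1 sends an SMB1 Negotiate Protocol Request that lists only SMB1 dialects, whereas a Windows client that merely still has SMB1 enabled advertises "SMB 2.002" and "SMB 2.???" in the same request so the server can answer in SMB2. The following Python classifier is an added example, not code from the article or from Cybereason. It assumes raw TCP/445 payloads (NetBIOS session header plus SMB message) as captured from the network; the two builder functions exist only to construct sample packets, and the "SMB1-only negotiate" verdict is an indicator of a downgrade attempt, not proof of EternalBlue, since genuinely legacy clients produce the same shape.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000


def build_smb1_negotiate(dialects):
    """Constructed SMB1 Negotiate Protocol Request wrapped in a NetBIOS session header."""
    # 32-byte SMB1 header: magic, command, status, flags, flags2, pid_high,
    # security features, reserved, tid, pid_low, uid, mid
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB1_COM_NEGOTIATE,
                         0, 0x18, 0x4801, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # each dialect is a 0x02 byte followed by a NUL-terminated string
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb2_negotiate(dialects):
    """Constructed SMB2 NEGOTIATE request: 64-byte header, 36-byte body, dialect list."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0, b"\x00" * 16, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def classify_negotiate(pkt):
    """Classify the first SMB message in a TCP/445 payload.

    'smb1-only-negotiate' is the interesting verdict: an SMB1 Negotiate that
    advertises no 'SMB 2.xxx' dialect, which is what a client forcing the
    session down to SMB1 looks like. Clients that simply still have SMB1
    enabled offer 'SMB 2.002' / 'SMB 2.???' alongside the SMB1 dialects.
    """
    if len(pkt) < 8 or pkt[0] != 0x00:
        return {"protocol": "other", "verdict": "not-netbios-session"}
    length = int.from_bytes(pkt[1:4], "big")
    smb = pkt[4:4 + length]
    if smb[:4] == SMB1_MAGIC:
        if len(smb) < 35 or smb[4] != SMB1_COM_NEGOTIATE:
            return {"protocol": "SMB1", "verdict": "not-negotiate"}
        word_count = smb[32]                      # parameter words after the header
        bc_off = 33 + 2 * word_count              # ByteCount follows the parameters
        byte_count = int.from_bytes(smb[bc_off:bc_off + 2], "little")
        data = smb[bc_off + 2:bc_off + 2 + byte_count]
        dialects = [chunk[1:].decode("ascii", "replace")
                    for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]
        offers_smb2 = any(d.startswith("SMB 2.") for d in dialects)
        verdict = "multi-protocol-negotiate" if offers_smb2 else "smb1-only-negotiate"
        return {"protocol": "SMB1", "dialects": dialects, "verdict": verdict}
    if smb[:4] == SMB2_MAGIC:
        if len(smb) < 100:
            return {"protocol": "SMB2", "verdict": "truncated"}
        command = int.from_bytes(smb[12:14], "little")
        if command != SMB2_NEGOTIATE:
            return {"protocol": "SMB2", "verdict": "not-negotiate"}
        count = int.from_bytes(smb[66:68], "little")   # DialectCount in the body
        dialects = [f"0x{int.from_bytes(smb[100 + 2 * i:102 + 2 * i], 'little'):04x}"
                    for i in range(count)]
        return {"protocol": "SMB2", "dialects": dialects, "verdict": "smb2-negotiate"}
    return {"protocol": "other", "verdict": "unknown"}


if __name__ == "__main__":
    forced = build_smb1_negotiate(["LANMAN1.0", "LM1.2X002", "NT LANMAN 1.0", "NT LM 0.12"])
    normal = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
    print(classify_negotiate(forced)["verdict"])   # smb1-only-negotiate
    print(classify_negotiate(normal)["verdict"])   # multi-protocol-negotiate
```

Run over a capture, a burst of SMB1-only negotiates from one internal host toward many others is the lateral-movement pattern the report describes. The more robust control is to remove the target rather than to watch for it: with SMB1 disabled on the server (Set-SmbServerConfiguration -EnableSMB1Protocol $false on Windows Server), the downgrade has nothing to fall back to.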

Researchers from Cybereason recently announced the discovery of a new, highly targeted botnet campaign that uses the stealthy, cross-platform Prometei botnet to target businesses worldwide.

Breakdown of MITRE ATT&CK.

As for the crypto-miner itself, it is a resource-consuming payload that degrades network stability and performance, which in turn affects business continuity.

The analysts also note that the Prometei operators aim for long-term persistence in compromised networks, using techniques associated with advanced APT groups and state-sponsored hacking groups.

Security researchers believe that the Prometei botnet is still searching for new targets, and the best way to avoid becoming a victim is to apply all the security updates Microsoft has released for vulnerable Exchange Servers.

Affected organizations should therefore first establish a sound patch-management process and patch all vulnerable systems. Security and IT teams play the crucial role in preventing such incidents, as they continuously track known threats and report them to the organization for mitigation.

File names used

C:\dell\searchindexer.exe
C:\dell\desktop.dat
C:\Windows\svchost.exe

Note that the legitimate svchost.exe lives in C:\Windows\System32, so a copy sitting directly under C:\Windows is itself a red flag.