IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Botnet targets vulnerable Microsoft Exchange servers

Cryptocurrency-mining botnet Prometei targeting same flaws as Hafnium attacks

Botnet on a red background

Security researchers have revealed that a cryptocurrency-mining botnet, dubbed Prometei, is targeting the same Microsoft Exchange vulnerabilities associated with the recent Hafnium attacks.

According to researchers, these botnets target financial gain by stealing bitcoins and penetrate the network for malware deployment and credential harvesting. With a significant number of organizations far from patched, this puts thousands of businesses worldwide and billions of dollars at risk.

Researchers said that Prometei appears to be active in systems across various industries, including finance, insurance, retail, manufacturing, utilities, travel, and construction. Researchers have also observed the botnet infecting networks in the UK, the US, South America, and East Asia.

Researchers also found hackers were explicitly avoiding infecting targets in former Soviet bloc countries. This leads them to believe the Prometei group is financially motivated and operated by Russian-speaking individuals, though a nation-state does not back it.

The primary function of Prometei is to install the Monero crypto miner on corporate endpoints. The malware is spreading across networks using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.

In addition to affecting Windows systems, there are also versions for Linux systems. Researchers said the malware adjusts its payload based on the operating system it detects on the targeted machines when spreading across the network.

Researchers discovered the Prometei botnet in July 2020, but new evidence showed it was in the wild as far back as 2016. The Prometei botnet is continuously evolving, with new features and tools observed in the newer versions, they added.

Assaf Dahan, senior director and head of threat research, Cybereason, said the botnet poses a big risk for companies because it’s been underreported.

“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well. If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints,” he said.

“And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Microsoft launches low-code Power Pages for 'intuitive' web development
web development

Microsoft launches low-code Power Pages for 'intuitive' web development

24 May 2022
Windows 11's nifty new search feature has one major downside
Microsoft Windows

Windows 11's nifty new search feature has one major downside

23 May 2022
Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022