
Massive global botnet takes advantage of Microsoft Exchange vulnerabilities


Security experts have discovered a large-scale cryptocurrency-mining botnet targeting the Microsoft Exchange vulnerabilities associated with the recent Hafnium attacks. Dubbed Prometei, the botnet was unearthed by researchers from the Cybereason Nocturnus team.

The threat actors behind the botnet are piggybacking on four zero-day vulnerabilities in the Microsoft Exchange email server, collectively referred to as the ProxyLogon vulnerabilities, that were first exploited by Chinese state-sponsored threat actors known as Hafnium.

Despite various efforts, including Microsoft’s one-click tool to patch the vulnerabilities and the FBI’s actions to remove backdoors from hacked servers, attackers still sense enough opportunity to exploit the vulnerabilities. In fact, Cybereason’s research highlights victims across a variety of industries and from countries all around the world.


“The Prometei Botnet poses a big risk for companies because it has been underreported. When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but could exfiltrate sensitive information as well,” said Assaf Dahan, Senior Director and Head of Threat Research, Cybereason.

Lethal threat

Cybereason shares that Prometei has versions for both Windows and Linux installations, and it selects the appropriate payload based on the operating system of the targeted machine.

The threat actors, who are Russian speakers according to Cybereason’s research, use the botnet to install the Monero crypto-miner on corporate endpoints.

In addition to the Microsoft Exchange vulnerabilities, they also make use of the EternalBlue and BlueKeep exploits to move across networks.

In her breakdown of the Prometei botnet, Lior Rochberger, a threat researcher at Cybereason, warns that the threat actors can also infect the compromised endpoints with other malware and might even sell access to the endpoints to ransomware gangs, which makes it a fairly lethal threat.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.