Unpatched Microsoft Exchange servers are being targeted by the Prometei botnet and added to its operators' army of Monero (XMR) cryptocurrency mining bots.
This modular malware can infect both Windows and Linux systems, and it was first spotted last year while using the EternalBlue exploit to spread across compromised networks and enslave vulnerable Windows computers.
Around since at least 2016
Cybereason's Nocturnus team recently discovered that the botnet has likely been active for almost half a decade, based on Prometei artifacts submitted to VirusTotal in May 2016.
Based on new malware samples Cybereason found during recent incident response engagements, the botnet has also been updated to exploit the Exchange Server vulnerabilities that Microsoft patched in March 2021.
The main focus of Prometei's attacks on Exchange servers is to deploy the cryptomining payload, start earning money for its operators, and spread to other devices on the network using the EternalBlue and BlueKeep exploits, harvested credentials, and SSH or SQL spreader modules.
"When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well," said Assaf Dahan, Cybereason senior director and head of threat research.
"If they wish to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints."
Cryptojacking botnet with backdoor features
Beyond mining, the malware has been upgraded with backdoor capabilities that support an extensive set of commands.
These include downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.
"The latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims' concerns," the Cybereason Nocturnus Team said.
While the threat actor(s) behind this botnet remain unknown, there is evidence that they speak Russian, including the name of the botnet, Prometei (Russian for Prometheus), and the Russian code and product names used in older versions.
Cybereason's research also points to the botnet operators being financially motivated and likely not sponsored by a nation-state.
"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks," the Cybereason Nocturnus Team added.
"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware and even collaborate with ransomware gangs by selling access to the infected endpoints."
Over 90% of vulnerable Exchange servers now patched
The CVE-2021-27065 and CVE-2021-26858 flaws exploited by Prometei were also abused by several Chinese-backed hacking groups and other threat actors to deploy web shells, ransomware [1, 2], and cryptomining malware.
According to stats shared by Microsoft last month, roughly 92% of all Internet-connected on-premises Exchange servers affected by these vulnerabilities are now patched and protected from these attacks.
Redmond also released the one-click Exchange On-premises Mitigation Tool (EOMT) to help small business owners quickly mitigate the security bugs even without the help of a dedicated security team.
Adding to that, Microsoft Defender Antivirus protects unpatched Exchange servers from ongoing attacks by automatically mitigating the vulnerabilities. Both EOMT and the Defender mitigation are interim measures, not a replacement for the security update: affected servers still need the March 2021 Exchange security updates installed to close the flaws.