According to researchers, hackers are using the ProxyLogon vulnerabilities in Microsoft Exchange Server to co-opt compromised machines into the Prometei cryptocurrency botnet.
The abuse of the ProxyLogon vulnerabilities in Microsoft Exchange servers has grown to the point that threat actors are adapting their attacks to spread a wide range of malware. Prometei, the newest botnet to exploit these flaws, is the latest in a long line of malware families to abuse them.
Prometei is a multi-modular botnet first discovered by Cisco Talos in July 2020, with its operators using a variety of specially crafted tools and proven exploits like EternalBlue and BlueKeep to harvest credentials, spread laterally across the network, and “increase the amount of systems participating in its Monero-mining pool.”
Observations
Recently, Cybereason, a cybersecurity company headquartered in Boston, said in a report summarising its findings, “Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more.”
The Cybereason Nocturnus Team responded to multiple incidents in North America involving infections from the Prometei botnet. Two ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) were used by the attackers to gain access to the network and instal the China Chopper webshell, which then downloaded the botnet.
Prometei is a multi-stage, scalable cryptocurrency botnet that targets both Windows and Linux. The version used in the recent attacks, however, was found to also give the attackers a stealthy and sophisticated backdoor that could be used for a variety of tasks, including credential harvesting.
The victimology of the botnet ranges across multiple sectors, including finance, insurance, retail, manufacturing, utilities, travel, and construction. It has been observed infecting networks in the U.S., the U.K., and several other European, South American, and East Asian countries.
Mechanism
According to the report, Prometei employs a variety of techniques and methods, ranging from Mimikatz to the EternalBlue and BlueKeep exploits, as well as other tools, to spread throughout the network. The main botnet application installs additional modules, including the following main components: exe, an archived file, Netwalker.7z (7-Zip is used to extract the archive's contents), and exe.
Exchdefender poses as “Microsoft Exchange Defender,” a fictitious program. According to Cybereason, it regularly scans the files in a Program Files directory known to be used to host web shells, searching for one file in particular.
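The report describes attackers dropping the China Chopper web shell via ProxyLogon, and the Exchdefender module sweeping a web-shell hosting directory for a particular file. From the defender's side, the corresponding task is triaging an Exchange server's web directories for web-shell traits. The following scanner is an added example written for this article; it is not Cybereason's, Prometei's, or Microsoft's code. The directory layout, file names, and indicator patterns are assumptions chosen to illustrate the technique, and the suspicious sample it builds is a deliberately non-functional string that only carries the textual traits the scanner looks for.

```python
"""Added example (not from the original article): triage scanner for ASP.NET web-shell traits.

Walks a directory tree, reads every .aspx/.ashx/.asmx file, and reports which
generic web-shell indicators each file matches. The indicators are assumed,
commonly cited traits (eval of request data, the "unsafe" JScript flag, command
execution, Base64 decoding); they are not indicators taken from the report.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Generic, illustrative web-shell traits (assumptions for this example).
INDICATORS = {
    "jscript_eval": re.compile(r"eval\s*\(\s*Request\.", re.IGNORECASE),
    "unsafe_flag": re.compile(r'"unsafe"', re.IGNORECASE),
    "process_start": re.compile(r"Process\.Start|cmd\.exe|powershell", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
}
# A page that is little more than an eval of request data is the classic
# one-line layout; very small files with that trait deserve a second look.
ONE_LINER_MAX_LEN = 256


@dataclass
class Finding:
    path: str
    hits: list = field(default_factory=list)
    size: int = 0


def score_aspx(text: str) -> list:
    """Return the names of every indicator present in the page source."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if "jscript_eval" in hits and len(text) <= ONE_LINER_MAX_LEN:
        hits.append("one_liner")
    return hits


def scan_directory(root: str) -> list:
    """Scan all ASP.NET handler files below root; return findings for files with hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = score_aspx(text)
            if hits:
                findings.append(Finding(path=path, hits=hits, size=len(text)))
    return findings


def demo() -> dict:
    """Build a constructed directory with one benign page and one suspicious page."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "owa.aspx")
        with open(benign, "w", encoding="utf-8") as fh:
            fh.write('<%@ Page Language="C#" %>\n<html><body>Outlook Web App</body></html>\n')
        suspicious = os.path.join(tmp, "web", "x.aspx")
        os.makedirs(os.path.dirname(suspicious))
        with open(suspicious, "w", encoding="utf-8") as fh:
            # Constructed, non-functional sample: the literal "..." makes it invalid
            # JScript, but it still carries the textual traits a scanner keys on.
            fh.write('<%@ Page Language="Jscript"%><%eval(Request.Item[...],"unsafe");%>')
        findings = scan_directory(tmp)
        return {os.path.basename(f.path): sorted(f.hits) for f in findings}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against a real server by calling `scan_directory()` on the Exchange installation's web root instead of the temporary directory; the output only flags files for review, so each hit should be compared against a known-good copy before any cleanup.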
ProxyLogon – Clear & Present Danger
On March 2, the world was alerted to four critical zero-day vulnerabilities affecting various Microsoft Exchange Server versions. Despite the availability of fixes, the vulnerabilities, collectively known as ProxyLogon, have drawn malware attacks from a variety of threat actors.
DearCry ransomware, Black Kingdom ransomware, and XMR-Stak Miner are among the prominent malware discovered during the exploitation phase.
Concluding Words
Organizations all over the world must develop a robust security mechanism to defend their networks and infrastructure from such attacks, just as the saying goes, “a stitch in time saves nine.” It’s worth noting that everyone who hasn’t patched the vulnerabilities or mitigated the webshell-based threats that have surfaced in recent months is in the crosshairs of these attacks.