Cryptomining Campaign Leverages Exchange Server Flaws

Application Security, Critical Infrastructure Security, Cybercrime as-a-service

Cybereason Says Russian Hacking Group Prometei Is Behind the Campaign

A Russian botnet group called Prometei is exploiting unpatched Microsoft Exchange Server vulnerabilities to mine cryptocurrency across the world, a new report by security firm Cybereason finds.


Cybereason notes the Russian campaign is targeting organizations to install a monero cryptominer on corporate endpoints.

“The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries,” Cybereason says. “The main objective of Prometei is to install the monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.”

The Russian group has targeted companies across the U.S., U.K., Germany, France, Spain, Italy and other European countries, as well as South America and East Asia, the report adds.


Complex Malware

Prometei is a relatively new botnet variant that was first discovered by Cisco Talos in July 2020 after the strain was found targeting vulnerable Microsoft Windows devices by brute-forcing SMB vulnerabilities to mine monero cryptocurrency (see: Cryptomining Botnet Exploits Windows SMB Vulnerabilities).

Prometei is designed to ensure persistence on infected machines and mainly compromises the victims’ devices through SMB and RDP vulnerabilities, Cybereason reports. It uses four command-and-control infrastructures, making it resistant to takedowns. And it deploys Windows or Linux versions of the payload based on each victim’s operating system.

“The Prometei botnet poses a significant risk for companies because it has been under-reported. When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well,” says Assaf Dahan, senior director and head of threat research at Cybereason. “If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”

Microsoft Vulnerabilities

Four vulnerabilities in on-premises Microsoft Exchange servers were revealed by the company on March 2 after it issued emergency patches.

When Microsoft first began releasing security updates, it warned that a previously unknown Chinese APT group called Hafnium appeared to have been exploiting the flaws in recent months. In March, security firm ESET reported that at least 10 APT groups had been exploiting the flaws.

In addition to APT groups, the ransomware groups Black Kingdom and DearCry were reported to be exploiting the flaws as well.

A recent report by security firm F-Secure said the number of exploits doubled after the publication of proof-of-concept attack code for ProxyLogon, which is one of the four zero-day flaws patched by Microsoft in early March (see: Microsoft Exchange Flaw: Attacks Surge After Code Published).

U.S. Actions

Owing to the rise in Exchange server hacks, which include the compromise of several U.S.-based retailers and local governments, as well as key European agencies such as the European Banking Authority, the U.S. government has initiated several measures to counter the threat. For example, it formed a Unified Coordination Group to lead the government’s response to attacks exploiting Exchange email servers. But the Biden administration announced last week that it was standing down that group.

This month, a federal court in Texas gave the FBI the go-ahead to remove malware from on-premises Microsoft Exchange servers at organizations infected in a wave of voluminous zero-day attacks earlier this year (see: FBI Removing Web Shells From Infected Exchange Servers).