Cryptomining Campaign Leverages MS Exchange Server Flaw

A Russian botnet group called Prometei is exploiting critical Microsoft Exchange Server vulnerabilities to mine cryptocurrency from various organizations across the world, a new report by security firm Cybereason finds.

See Also: Live Webinar | Empowering Financial Services with a Secure Data Path From Endpoint to Cloud

Cybereason notes the Russian campaign is targeting victim organizations to install monero cryptominer on corporate endpoints, adding that the group appears to be financially-motivated.

“The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries,” Cybereason notes. “The main objective of Prometei is to install the Monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.”

Since the latest campaign began, the threat actors have targeted companies across the U.S., U.K., Germany, France, Spain, Italy and other European countries, as well as South America and East Asia, the report adds.

Complex Malware

Prometei is a relatively new botnet variant which was first discovered by Cisco Talos in July 2020 after the strain was found targeting vulnerable Microsoft Windows devices by brute-forcing SMB vulnerabilities to mine monero cryptocurrency (see: Cryptomining Botnet Exploits Windows SMB Vulnerabilities).

According to Cybereason, Prometei has been designed to ensure persistence on infected machines and mainly compromises the victims’ devices through SMB and RDP vulnerabilities. Some of its other features include use of four different command and control infrastructures, making it resistant to takedowns and deploying Windows or Linux versions of the payload based on the victims’ operating system.

“The Prometei Botnet poses a significant risk for companies because it has been under-reported. When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well,”says Assaf Dahan, senior director and head of threat research at Cybereason. “If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”

Microsoft Vulnerabilities

The four vulnerabilities in on-premises Microsoft Exchange servers were revealed by the company on March 2 after it issued emergency patches to fix the flaws in Microsoft Exchange

When Microsoft first began releasing security updates, it warned that a previously unknown Chinese APT group called Hafnium appeared to have been exploiting the flaws in recent months. In March, security firm ESET reported that at least 10 APT groups have been exploiting the flaws.

In addition to APT groups, ransomware groups Black Kingdom and DearCry were reported to also be exploiting the flaw.

A recent report by security firm F-Secure said the numbers doubled after the publication of proof-of-concept attack code for ProxyLogon, which is one of the four zero-day flaws patched by Microsoft in early March (see: Microsoft Exchange Flaw: Attacks Surge After Code Published).

In April, security firm Rapid7 said less than 20 percent of all Microsoft Exchange servers were patched globally, which meant that more than 350,000 Exchange servers were still exposed to the vulnerabilities (see: Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws).

U.S Actions

Owing to the rise in Exchange Server hacks, which include compromise of several U.S.-based retailers, local governments, as well as key European agencies such as the European Banking Authority, – the U.S government has initiated several measures to counter further threats.

These include formation of a Unified Coordination Group to lead the government’s response to attacks exploiting unpatched vulnerabilities in on-premises Microsoft Exchange email servers and the introduction of the Homeland and Cyber Threat Act, which allows U.S. citizens to file lawsuits against foreign governments, employees and agents of those countries if a cybersecurity incident causes damages.

This month, a federal court in Texas gave the FBI the go-ahead to remove malware from on-premises Microsoft Exchange servers at organizations infected in a wave of voluminous zero-day attacks earlier this year (see: FBI Removing Web Shells From Infected Exchange Servers).