Security researchers have revealed that a cryptocurrency-mining botnet, dubbed Prometei, is targeting the same Microsoft Exchange vulnerabilities associated with the recent Hafnium attacks.
According to researchers, these botnets target financial gain by stealing bitcoins and penetrate the network for malware deployment and credential harvesting. With a significant number of organizations far from patched, this puts thousands of businesses worldwide and billions of dollars at risk.
Researchers said that Prometei appears to be active in systems across various industries, including finance, insurance, retail, manufacturing, utilities, travel, and construction. Researchers have also observed the botnet infecting networks in the UK, the US, South America, and East Asia.
Researchers also found hackers were explicitly avoiding infecting targets in former Soviet bloc countries. This leads them to believe the Prometei group is financially motivated and operated by Russian-speaking individuals, though a nation-state does not back it.
The primary function of Prometei is to install the Monero crypto miner on corporate endpoints. The malware is spreading across networks using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.
In addition to affecting Windows systems, there are also versions for Linux systems. Researchers said the malware adjusts its payload based on the operating system it detects on the targeted machines when spreading across the network.
Researchers discovered the Prometei botnet in July 2020, but new evidence showed it was in the wild as far back as 2016. The Prometei botnet is continuously evolving, with new features and tools observed in the newer versions, they added.
Assaf Dahan, senior director and head of threat research, Cybereason, said the botnet poses a big risk for companies because it’s been underreported.
“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well. If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints,” he said.
“And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”
-
How to implement a four-day week in techIn-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businessesIn-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
-
Ukraine's vigilante IT army now has a DDoS bot to automate attacks against RussiaNews The 270,000-strong IT Army of Ukraine will now combine supporters' cloud infrastructure to strengthen the daily attacks against their invaders
-
Microsoft's secure VBA macro rules already being bypassed by hackersNews Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware
-
Emotet infrastructure has almost doubled since resurgence was confirmed
News Researchers confirm the infrastructure has also been upgraded for a "better secured", more resilient operation
