Cybercriminals are using the Prometei botnet to exploit Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858, according to Cybereason. Both vulnerabilities have been linked to Hafnium, a state-sponsored threat actor used in Exchange Server attacks reported in March 2021.
Prometei attackers are using Exchange vulnerabilities to penetrate networks for malware deployment, credential harvesting and other malicious activities, Cybereason said. They are targeting companies across a variety of industries, including:
- Finance
- Insurance
- Retail
- Manufacturing
- Utilities
- Travel
- Construction
In addition, Prometei attackers are leveraging Exchange vulnerabilities to infect networks in the United States, UK and other European countries, along with countries in South America and East Asia, Cybereason noted. They also appear to be avoiding targets in former Soviet bloc countries.
How Does Prometei Attack Microsoft Exchange Users?
Prometei tries to install the Monero miner component across Exchange users' endpoints, Cybereason indicated. To do so, Prometei leverages exploits such as EternalBlue and BlueKeep, harvests credentials and utilizes other techniques, so it can extend its reach across a network.
Furthermore, Windows- and Linux-Unix-based versions of Prometei are available, Cybereason pointed out. Each version adjusts its payload based on the detected operating system and targeted infected machines when it spreads.
Prometei also is designed to interact with four different command and control (C2) servers, Cybereason stated. This strengthens Prometei's infrastructure and makes it less susceptible to takedowns.
How to Guard Against Prometei Attacks
Microsoft has released Exchange Server security updates after the Hafnium attacks were discovered. The company has recommended that Exchange users apply the patches to their affected systems.
Along with using the Exchange patches, there are several other things that organizations can do to guard against Prometei and other botnet attacks, including:
- Monitor network activities
- Keep software and systems up to date
- Track failed login attempts
Organizations also can provide training to educate their workers about botnets and other cyber threats. That way, employees can do their part to help organizations combat current and emerging threats.
