
Hackers Use Prometei Botnet to Attack Microsoft Exchange Users
Cybercriminals are using the Prometei botnet to exploit Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858, according to Cybereason. Both vulnerabilities have been linked to Hafnium, a state-sponsored threat actor used in Exchange Server attacks reported in March 2021.

Prometei attackers are using Exchange vulnerabilities to penetrate networks for malware deployment, credential harvesting and other malicious activities, Cybereason said. They are targeting companies across a variety of industries, including:

  • Finance
  • Insurance
  • Retail
  • Manufacturing
  • Utilities
  • Travel
  • Construction

In addition, Prometei attackers are leveraging the Exchange vulnerabilities to infect networks in the United States, the UK and other European countries, as well as countries in South America and East Asia, Cybereason noted. They also appear to be avoiding targets in former Soviet bloc countries.

How Does Prometei Attack Microsoft Exchange Users?

Prometei tries to install the Monero miner component across Exchange users' endpoints, Cybereason indicated. To do so, Prometei leverages exploits such as EternalBlue and BlueKeep, harvests credentials and utilizes other techniques, so it can extend its reach across a network.

Furthermore, both Windows and Linux/Unix versions of Prometei exist, Cybereason pointed out. As the botnet spreads, it selects the payload that matches the operating system it detects on each machine it infects.

Prometei also is designed to interact with four different command and control (C2) servers, Cybereason stated. This strengthens Prometei's infrastructure and makes it less susceptible to takedowns.

How to Guard Against Prometei Attacks

Microsoft released Exchange Server security updates after the Hafnium attacks were discovered. The company has recommended that Exchange users apply the patches to their affected systems.

Along with using the Exchange patches, there are several other things that organizations can do to guard against Prometei and other botnet attacks, including:

  • Monitor network activities
  • Keep software and systems up to date
  • Track failed login attempts
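One concrete form of "track failed login attempts" is a threshold detector that flags a single source producing many logon failures across several accounts in a short window, which is the pattern credential harvesting and spreading leave behind. The Python below is an added illustration, not code from the article or from Cybereason: it parses constructed Windows-style security event lines (event 4625 is "An account failed to log on", 4624 a success) and reports bursts per source IP using a sliding time window. The line format, the IP addresses, the account names and the threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry): timestamp, event id, logon type, user, source.
# 4625 = Windows "An account failed to log on"; 4624 = successful logon.
SAMPLE_LOG = """\
2021-04-22T10:00:01 4625 LogonType=3 User=svc_backup Src=10.0.0.15
2021-04-22T10:00:02 4625 LogonType=3 User=administrator Src=10.0.0.15
2021-04-22T10:00:03 4625 LogonType=3 User=admin Src=10.0.0.15
2021-04-22T10:00:04 4625 LogonType=3 User=exchange_admin Src=10.0.0.15
2021-04-22T10:00:05 4625 LogonType=3 User=jsmith Src=10.0.0.15
2021-04-22T10:00:30 4624 LogonType=3 User=jsmith Src=10.0.0.15
2021-04-22T10:05:00 4625 LogonType=2 User=mlee Src=10.0.0.42
2021-04-22T10:20:00 4625 LogonType=2 User=mlee Src=10.0.0.42
"""


def parse_line(line):
    """Split one constructed log line into a dict; the field layout is an assumption."""
    ts, event_id, _logon_type, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def find_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source IP that reaches `threshold` failures inside `window`.

    Each alert records how many failures were in the window and how many distinct
    accounts were tried, so a spray across many users stands out from one user
    mistyping a password.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event_id"] != 4625:  # only failed logons count toward the burst
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_failed_login_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample data only 10.0.0.15 trips the detector (five failures against five different accounts within four seconds); 10.0.0.42 has two failures fifteen minutes apart and stays quiet. In practice the threshold and window should be tuned per environment, and the alert is a starting point for investigation rather than a verdict.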

Organizations also can provide training to educate their workers about botnets and other cyber threats. That way, employees can do their part to help organizations combat current and emerging threats.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.