The exploitation of ProxyLogon vulnerabilities in Microsoft Exchange servers has grown to the point where threat actors are adapting their attacks to distribute a variety of malware. The latest in the line to weaponize these vulnerabilities is a botnet dubbed Prometei.
Recently, the Cybereason Nocturnus Team responded to several incidents involving infections from the Prometei botnet against companies in North America.
The attackers exploited two of the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate the network and install the China Chopper webshell, which would ultimately download the botnet.
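China Chopper is a one-line server-side script that evaluates attacker-supplied request data, which is what makes it small enough to hide among legitimate ASP.NET pages. The following scanner is an added example, not code from the original article or from Cybereason; it walks a web root, flags script files that evaluate request input (the hallmark of such shells), and reports supporting context such as a JScript page directive or a very small file size. The sample web root it builds is constructed for the demonstration, and the shell-like fragment in it is deliberately incomplete.

```python
import re
import tempfile
from pathlib import Path

# Indicators of China Chopper-style ASP.NET one-liners: server-side eval of
# request-supplied data. A "strong" indicator flags the file on its own;
# "weak" indicators are only reported as supporting context.
STRONG_INDICATORS = {
    "eval_of_request": re.compile(r"\beval\s*\(\s*Request\b", re.IGNORECASE),
    "unsafe_eval_flag": re.compile(r'Request\b[^\n]{0,60}"unsafe"', re.IGNORECASE),
}
WEAK_INDICATORS = {
    "jscript_page_directive": re.compile(r'Language\s*=\s*"J(?:ava)?Script"', re.IGNORECASE),
}
TINY_FILE_BYTES = 512  # one-line shells are typically far below this size
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def scan_file(path):
    """Return a finding dict if the file looks like a one-line webshell, else None."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    strong = [name for name, rx in STRONG_INDICATORS.items() if rx.search(text)]
    if not strong:
        return None
    weak = [name for name, rx in WEAK_INDICATORS.items() if rx.search(text)]
    size = path.stat().st_size
    if size <= TINY_FILE_BYTES:
        weak.append("tiny_file")
    return {"path": str(path), "size": size, "strong": strong, "weak": weak}


def scan_directory(root):
    """Recursively scan a web root; only server-side script files are inspected."""
    findings = []
    for candidate in sorted(Path(root).rglob("*")):
        if candidate.is_file() and candidate.suffix.lower() in SCRIPT_EXTENSIONS:
            finding = scan_file(candidate)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed sample web root (hypothetical, not real data): one benign page,
    one deliberately incomplete shell-like fragment, and one non-script file."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    app = root / "app"
    app.mkdir()
    # Benign page: reads a form field but never evaluates it as code.
    (app / "default.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        '  void Page_Load(object s, EventArgs e) {\n'
        '      string name = Request.Form["name"];\n'
        '      Label1.Text = Server.HtmlEncode(name ?? "");\n'
        '  }\n'
        '</script>\n'
    )
    # Shell-like fragment: evaluates request data; the "..." keeps it non-functional.
    (app / "suspect.aspx").write_text(
        '<%@ Page Language="Jscript"%><% eval(Request.Item[...], "unsafe"); %>\n'
    )
    # Non-script file mentioning the pattern: must be ignored by extension filter.
    (app / "readme.txt").write_text("eval(Request) is discussed in the docs only\n")
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_tree()):
        print(finding)
```

Point `scan_directory` at a real web root and triage every finding by hand: the strong indicators are narrow on purpose, so a hit is worth an analyst's attention, while the weak ones only tell you why the file looks like a dropped one-liner rather than a developer's page.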
Prometei is a modular, multi-stage cryptocurrency-mining botnet that has both Windows and Linux variants.
However, the variant used in the recent attacks was found to give the attackers a stealthy and sophisticated backdoor supporting a wide range of tasks, including credential harvesting.
The victimology of the botnet ranges across multiple sectors, including finance, insurance, retail, manufacturing, utilities, travel, and construction.
It has been observed infecting networks in the U.S., the U.K., and several other European, South American, and East Asian countries.
Abuse of ProxyLogon - A matter of concern
On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Server.
Despite the release of patches, the vulnerabilities, collectively dubbed ProxyLogon, attracted a number of malware attacks from multiple threat actor groups.
As the saying goes, 'a stitch in time saves nine,' and organizations worldwide must build a resilient defense to protect their networks and systems from such attacks. It should be noted that anybody who hasn't patched the vulnerabilities or mitigated the webshell-based threats revealed over the past months is pretty much in the sweet spot of these attacks.