The exploitation of ProxyLogon vulnerabilities in Microsoft Exchange servers has grown to the point where threat actors are adapting their attacks to distribute a variety of malware. The latest in a growing list to weaponize these vulnerabilities is a botnet dubbed Prometei.

What’s happening?

  • Recently, the Cybereason Nocturnus Team responded to several incidents involving infections from the Prometei botnet against companies in North America.
  • The attackers exploited two of the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate the network and install the China Chopper webshell, which was then used to download the botnet.
  • Prometei is a modular, multi-stage cryptocurrency-mining botnet with both Windows and Linux variants.
  • Beyond mining, the variant used in the recent attacks was found to give the attackers a stealthy and sophisticated backdoor supporting a wide range of tasks, including credential harvesting.

Key findings

  • The victimology of the botnet ranges across multiple sectors, including finance, insurance, retail, manufacturing, utilities, travel, and construction.
  • It has been observed infecting networks in the U.S., the U.K., and several other European, South American, and East Asian countries.

Abuse of ProxyLogon - A matter of concern

  • On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Servers.
  • Despite the release of patches, the vulnerabilities, collectively dubbed ProxyLogon, attracted a number of malware attacks from multiple threat actor groups.
  • Some of the notable malware observed in the exploitation include DearCry ransomware, Black Kingdom ransomware, and XMR-Stak Miner.

The bottom line

As the saying goes, ‘a stitch in time saves nine’: organizations worldwide must build resilient defenses to protect their networks and systems from such attacks. Anyone who has not yet patched these vulnerabilities, or mitigated the webshell-based threats disclosed over the past months, remains squarely in the sweet spot of these attacks.

Cyware Publisher