Cybereason has announced the discovery of a widespread, global campaign seeking to propagate the Prometei Botnet, by targeting organisations with a multi-stage attack to steal processing power to mine bitcoin. The threat actors, who appear to be Russian speakers, are taking advantage of previously disclosed Microsoft Exchange vulnerabilities leveraged in the Hafnium attacks to penetrate networks.
Prometei is designed to ensure persistence on infected machines and while it was first reported on in July 2020, Cybereason assesses that the botnet actually dates back to at least 2016- a year before the now infamous WannaCry and NotPetya malware attacks that affected more than 200 countries and caused billions in damages.
“The Prometei Botnet poses a big risk for companies because it has been under reported. When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but could exfiltrate sensitive information as well,” said Assaf Dahan, Senior Director and Head of Threat Research, Cybereason.
“If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints. And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers,” said Assaf Dahan, senior director and head of threat research, Cybereason.
Key findings from the research, include:
● Wide range of Victims: Victims have been observed across a variety of industries, including: Finance, Insurance, Retail, Manufacturing, Utilities, Travel and Construction. Infected companies are based in countries around the world, including the United States, United Kingdom, Germany, France, Spain, Italy and other European countries, South America and East Asia.
● Russian Speaking Threat Actor: The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries.
● Exploiting SMB and RDP Vulnerabilities: The main objective of Prometei is to install the Monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.
● Cross-Platform Threat: Prometei has both Windows based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system on the targeted machines when spreading across the network.
● Cybercrime with APT Flavour: Cybereason assesses that the Prometei Botnet operators are financially motivated and intent on generating hefty sums of bitcoin, but is likely not backed by a nation-state.
● Resilient C2 Infrastructure: Prometei is designed to interact with four different C2 servers which strengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.
Recommendations to organisations on containing the Microsoft Exchange vulnerability include continuously hunting in the environment for threats and strong patch management policies to ensure that all patches are regularly installed. In addition, critical network assets should be hardened, multi-factor authentication should be used, and endpoint detection and response tools should be installed.