Expert Commentary: Prometei Botnet Exploits Exchange Server Bugs to Grow

Security researchers have discovered that a persistent cryptocurrency mining botnet is exploiting still-unpatched Microsoft Exchange servers to grow globally.  Dubbed “Prometei,” the botnet was first reported on in July 2020 and is thought to have been around since 2016, according to Cybereason Nocturnus. However, the research team found a new development in that the threat actors behind it have been exploiting Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858 to penetrate victim networks, steal credentials and install malware. These bugs are part of the four zero-days patched by Microsoft back in March after being exploited by Chinese APT group Hafnium.

Experts Comments

April 23, 2021
Martin Jartelius
CSO
Outpost24

The vulnerabilities are well understood, highly exploited and have gained high attention from both hacker and security communities. The one interesting thing here would be if the team behind Prometei are developing new exploit capabilities for distribution, or if they have turned to the market of buying this capability from others. But for anyone in IT, if you have not already updated your exchange servers, by now it is time to assume they have been breached, and take action based on that

.....Read More

The vulnerabilities are well understood, highly exploited and have gained high attention from both hacker and security communities. The one interesting thing here would be if the team behind Prometei are developing new exploit capabilities for distribution, or if they have turned to the market of buying this capability from others. But for anyone in IT, if you have not already updated your exchange servers, by now it is time to assume they have been breached, and take action based on that rather than just patching.

  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.