The exploitation of ProxyLogon vulnerabilities in Microsoft Exchange servers has exploded to an extent that threat actors are modifying their attacks to distribute a variety of malware. The latest in a row to weaponize these vulnerabilities is a botnet dubbed Prometei.
What’s happening?
- Recently, the Cybereason Nocturnus Team responded to several incidents involving infections from the Prometei botnet against companies in North America.
- The attackers exploited two of the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate into the network and install the China Chopper webshell that ultimately would download the botnet.
- Prometei is a modular and multi-stage cryptocurrency botnet that targets both Windows and Linux versions.
- However, the variant used in the recent attack was found to provide the attackers with a stealthy and sophisticated backdoor that supported a wide range of tasks, along with harvesting credentials.
Key findings
- The victimology of the botnet ranges across multiple sectors, including finance, insurance, retail, manufacturing, utilities, travel, and construction.
- It has been observed infecting networks in the U.S., the U.K, and several other European, South American, and East Asian countries.
Abuse of ProxyLogon – A matter of concern
- On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Servers.
- Despite the release of patches, the vulnerabilities, collectively dubbed ProxyLogon, attracted a number of malware attacks from multiple threat actor groups.
- Some of the notable malware observed in the exploitation include DearCry ransomware, Black Kingdom ransomware, and XMR-Stak Miner.
The bottom line
Just like the saying goes ‘a stitch in time saves nine,’ organizations worldwide must build a resilient defense system to protect their networks and systems from such attacks. It should be noted that anybody who hasn’t patched the vulnerabilities or mitigated the webshell-based threats that were revealed over the past months, is pretty much in the sweet spot of these attacks.
Source: https://cyware.com/news/prometei-yet-another-malware-weaponizing-proxylogon-vulnerabilities-8fb39ed6