Connect with us

Cyber Security

Prometei: Yet Another Malware Weaponizing Proxylogon Vulnerabilities

Published

on

The exploitation of ProxyLogon vulnerabilities in Microsoft Exchange servers has exploded to an extent that threat actors are modifying their attacks to distribute a variety of malware. The latest in a row to weaponize these vulnerabilities is a botnet dubbed Prometei.

What’s happening?

  • Recently, the Cybereason Nocturnus Team responded to several incidents involving infections from the Prometei botnet against companies in North America.
  • The attackers exploited two of the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate into the network and install the China Chopper webshell that ultimately would download the botnet.
  • Prometei is a modular and multi-stage cryptocurrency botnet that targets both Windows and Linux versions.
  • However, the variant used in the recent attack was found to provide the attackers with a stealthy and sophisticated backdoor that supported a wide range of tasks, along with harvesting credentials.

Key findings

  • The victimology of the botnet ranges across multiple sectors, including finance, insurance, retail, manufacturing, utilities, travel, and construction.
  • It has been observed infecting networks in the U.S., the U.K, and several other European, South American, and East Asian countries.

Abuse of ProxyLogon – A matter of concern

  • On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Servers.
  • Despite the release of patches, the vulnerabilities, collectively dubbed ProxyLogon, attracted a number of malware attacks from multiple threat actor groups.
  • Some of the notable malware observed in the exploitation include DearCry ransomwareBlack Kingdom ransomware, and XMR-Stak Miner.

The bottom line

Just like the saying goes ‘a stitch in time saves nine,’ organizations worldwide must build a resilient defense system to protect their networks and systems from such attacks. It should be noted that anybody who hasn’t patched the vulnerabilities or mitigated the webshell-based threats that were revealed over the past months, is pretty much in the sweet spot of these attacks.

Source: https://cyware.com/news/prometei-yet-another-malware-weaponizing-proxylogon-vulnerabilities-8fb39ed6

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO