Application Security
Critical Infrastructure Security
Cybercrime as-a-service

Cybereason Says Russian Hacking Group Prometei Is Behind the Marketing campaign

Cryptomining Campaign Leverages Exchange Server Flaws

A Russian botnet group called Prometei is exploiting unpatched Microsoft Exchange Server vulnerabilities to mine cryptocurrency across the world, a new report by security firm Cybereason finds.

See Additionally: Live Webinar | Empowering Financial Services with a Secure Data Path From Endpoint to Cloud

Cybereason notes the Russian marketing campaign is concentrating on organizations to put in a monero cryptominer on company endpoints.

“The menace actor seems to be Russian talking and is purposely avoiding infections in former Soviet bloc nations,” Cybereason says. “The principle goal of Prometei is to put in the monero crypto miner on company endpoints. To unfold throughout networks, the menace actor is utilizing recognized Microsoft Alternate vulnerabilities, along with recognized exploits EternalBlue and BlueKeep.”

The Russian group has focused firms throughout the U.S., U.Ok., Germany, France, Spain, Italy and different European nations, in addition to South America and East Asia, the report provides.

Advanced Malware

Prometei is a comparatively new botnet variant that was first found by Cisco Talos in July 2020 after the pressure was discovered concentrating on susceptible Microsoft Home windows units by brute-forcing SMB vulnerabilities to mine monero cryptocurrency (see: Cryptomining Botnet Exploits Windows SMB Vulnerabilities).

Prometei is designed to make sure persistence on contaminated machines and primarily compromises the victims’ units by means of SMB and RDP vulnerabilities, Cybereason reviews. It makes use of 4 command-and-control infrastructures, making it proof against takedowns. And it deploys Home windows or Linux variations of the payload primarily based on every sufferer’s working system.

“The Prometei botnet poses a big danger for firms as a result of it has been under-reported. When the attackers take management of contaminated machines, they aren’t solely able to mining bitcoin by stealing processing energy, however may also exfiltrate delicate info as properly,” says Assaf Dahan, senior director and head of menace analysis at Cybereason. “In the event that they need to take action, the attackers might additionally infect the compromised endpoints with different malware and collaborate with ransomware gangs to promote entry to the endpoints. And to make issues worse, cryptomining drains helpful community computing energy, negatively impacting enterprise operations and the efficiency and stability of essential servers.”

Microsoft Vulnerabilities

4 vulnerabilities in on-premises Microsoft Alternate servers have been revealed by the corporate on March 2 after it issued emergency patches.

When Microsoft first started releasing safety updates, it warned {that a} beforehand unknown Chinese language APT group referred to as Hafnium appeared to have been exploiting the failings in latest months. In March, safety agency ESET reported that at least 10 APT groups had been exploiting the failings.

Along with APT teams, ransomware teams Black Kingdom and DearCry have been reported to even be exploiting the flaw.

A latest report by safety agency F-Safe stated the variety of exploits doubled after the publication of proof-of-concept assault code for ProxyLogon, which is likely one of the 4 zero-day flaws patched by Microsoft in early March (see: Microsoft Exchange Flaw: Attacks Surge After Code Published).

U.S. Actions

Owing to the rise in Alternate server hacks, which embody the compromise of a number of U.S.-based retailers and local governments, in addition to key European businesses such because the European Banking Authority, the united statesgovernment has initiated a number of measures to counter threats. For instance, it shaped a Unified Coordination Group to guide the federal government’s response to assaults exploiting Alternate e mail servers. However the Biden administration introduced final week that it was standing down that group.

This month, a federal court docket in Texas gave the FBI the go-ahead to take away malware from on-premises Microsoft Alternate servers at organizations contaminated in a wave of voluminous zero-day assaults earlier this 12 months (see: FBI Removing Web Shells From Infected Exchange Servers).

Source link