Articles Vulnerable Microsoft Exchange Servers Attacked by Prometei Botnet

Vulnerable Microsoft Exchange Servers Attacked by Prometei Botnet


Since the patches for ProxyLogon problems were still not fully installed, attackers continue to attack vulnerable Microsoft Exchange servers. Now researchers from Cybereason Nocturnus have discovered the Prometei botnet, which mines Monero cryptocurrency on vulnerable machines.

In early March 2021, Microsoft engineers released unscheduled patches for  four vulnerabilities  in the Exchange mail server, which the researchers gave the general name  ProxyLogon  ( CVE-2021-26855 ,  CVE-2021-26857 ,  CVE-2021-26858  and  CVE-2021-27065 ).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.

Already in March, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

According to statistics released by Microsoft last month, approximately 92% of all Internet-connected Exchange servers have already received patches.


This modular malware was first detected  last year. It is capable of infecting Windows and Linux systems, and has previously used the EternalBlue exploit to spread over compromised networks and compromise vulnerable machines.

Cybereason Nocturnus experts write that Prometei is active at least 2016 (judging by the samples uploaded to VirusTotal). The botnet was recently updated and “learned” how to exploit ProxyLogon vulnerabilities. Thus, now Prometei attacks Exchange servers, and then installs payloads for mining on them, and also tries to spread further along the infected network using the EternalBlue and BlueKeep exploits, detected credentials and modules for SSH or SQL.

The updated malware has backdoor capabilities with support for an extensive set of commands, including downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.

“If desired, attackers can infect compromised endpoints with other malicious programs and cooperate with ransomware operators, selling them access to systems,” the researchers warn.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you