Cybereason Discovers Global Botnet Campaign Using Microsoft Exchange Vulnerabilities

Cybereason | April 23, 2021

Cybereason, the market leader in future-ready attack protection, reported today the discovery of a widespread, global campaign aimed at spreading the stealthy Prometei Botnet by attacking enterprises with a multi-stage attack to harvest computing power to mine bitcoin. To infiltrate networks, the threat actors, who tend to be Russian speakers, are exploiting previously disclosed Microsoft Exchange vulnerabilities used in the Hafnium attacks.

Prometei has a sophisticated infrastructure in place to guarantee its longevity on infected machines. Though Prometei was first reported in July 2020, Cybereason believes the botnet dates back to at least 2016, a year before the now-famous WannaCry and NotPetya malware attacks, which infected over 200 countries and caused billions of dollars in damage. Prometei is still evolving, with new features and tools being added daily.

“Because it has gone undetected, the Prometei Botnet poses a significant danger to companies. When attackers gain possession of infected machines, they can not only mine bitcoin by stealing processing power, but they can also exfiltrate classified information. The attackers may even inject the infected endpoints with other malware and work with ransomware groups to offer access to the endpoints if they so desire. To make matters worse, crypto mining consumes vital network computing power, adversely affecting business processes as well as the performance and reliability of sensitive servers,” said Assaf Dahan, Cybereason's senior director and head of threat research.

Key findings from the research include:

• Wide range of Victims: Victims have been observed across a variety of industries, including Finance, Insurance, Retail, Manufacturing, Utilities, Travel, and Construction. Infected companies are based in countries around the world, including the United States, United Kingdom, Germany, France, Spain, Italy and other European countries, South America and East Asia.

• Russian Speaking Threat Actor: The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries.

• Exploiting SMB and RDP Vulnerabilities: The main objective of Prometei is to install the Monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.

• Cross-Platform Threat: Prometei has both Windows-based and Linux-Unix-based versions, and it adjusts its payload based on the detected operating system on the targeted machines when spreading across the network.

• Cybercrime with APT Flavor: Cybereason assesses that the Prometei Botnet operators are financially motivated and intent on generating hefty sums of bitcoin, but are likely not backed by a nation-state.

• Resilient C2 Infrastructure: Prometei is designed to interact with four different C2 servers, which strengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.

Recommendations to companies for mitigating the Microsoft Exchange vulnerability include constantly scanning the environment for threats and imposing stricter patch management policies to ensure that all updates are deployed regularly. Sensitive network assets should also be hardened, multi-factor authentication implemented, and endpoint detection and response tools installed.

About Cybereason

Cybereason is a champion for today's cyber defenders, offering future-ready attack protection that unifies security from the endpoint to the enterprise and everywhere the battle moves. The Cybereason Defense Platform incorporates the industry's best detection and response (EDR and XDR), next-generation anti-virus (NGAV), and aggressive threat hunting to provide context-rich analysis of any component of a Malop (malicious operation). As a result, defenders will stop cyberattacks from endpoints to everywhere. Cybereason is a privately owned international company based in Boston that serves clients in over 30 countries.

Related News


New White Paper to be Released by Bluefin and Alpine Security Consulting on Payment and Data Security

Alpine Security Consulting | July 12, 2021

A new white paper, “Formulating a Complete Payment Data and Security Approach,” authored by Alpine Security Consulting, has been released by Bluefin, the recognized leader in tokenization and encryption technologies for payment and data security. The main points covered in the white paper are considerations when choosing a data protection approach; the rules and regulations governing sensitive payment data, Protected Health Information (PHI), ACH account data and Personally Identifiable Information (PII); and how tokenization can be combined with encryption to provide a single solution for securing cardholder data (CHD).

Topics covered in the white paper are:

• Payment and Privacy Data – History and Trends

• Data Breaches, the Pandemic Effect, and the Shift to Online Commerce

• Protecting Privacy Data – HIPAA, GDPR, and Privacy Acts

• Protecting Financial Data – PCI DSS and Nacha

• Bluefin's Payment and Data Security Suite: PCI-validated P2PE and ShieldConex® Data Security

• The Roles of Encryption, Tokenization and Authentication in Protecting Data

Bluefin specializes in data security and omnichannel payment solutions. The company protects data with its PCI-validated point-to-point encryption (P2PE) solutions for point-of-sale (POS) payments and with its ShieldConex data security platform for the encrypted tokenization of PHI, PII, ACH and CHD account data.

About Bluefin

Bluefin is the recognized leader in tokenization and encryption technologies for payment and data security. Our security suite includes PCI-validated point-to-point encryption (P2PE) for contactless face-to-face, call center, mobile and unattended payments, and our ShieldConex® data security platform for the protection of Personal Health Information (PHI), Personally Identifiable Information (PII), and payment data entered online.

About Alpine Security Consulting

Alpine was founded to fulfill a passion to help businesses. With over 20 years of experience in security, technology, and compliance, Alpine's skill set can help virtually any business learn how to control ground-breaking security technologies, with the outcome of translating security savings into tangible business worth.


New Zealand stock exchange hit by cyber attack for second day

theguardian | August 26, 2020

New Zealand’s stock market has been interrupted by an apparent overseas cyber attack for the second day running. The Wellington-based NZX exchange went offline at 11.24am on Wednesday and, although some connectivity was restored for investors, some trading was halted. The NZX said it had experienced “network connectivity issues” and that the NZX main board, NZX debt market and Fonterra shareholders market were placed on halt. However, it then announced that those areas would resume trading with the rest of the market at 3pm on Wednesday.



Paubox to protect healthcare providers with One-of-its-kind Security tool

Paubox | July 01, 2021

Paubox, the leader in HIPAA compliant email, has announced Zero Trust Email, a new feature of the Paubox Email Suite. Zero Trust Email, the only technology of its kind, is designed to protect the sensitive data and information of healthcare organizations from cybersecurity attackers. A solution for protecting the data and information of healthcare organizations was necessary, as at least 93% of healthcare organizations reported at least one cybersecurity breach during the last three years. Bad actors are setting up accounts on servers run by American infrastructure companies such as AWS, GoDaddy, and Mailgun, which lets cybercriminals pass industry-standard spam and virus checks. Paubox has rolled out Zero Trust Email in response. According to Hoala Greevy, Founder and CEO of Paubox, “A core tenet of Zero Trust security is multi-factor authentication (MFA). Zero Trust Email needs an additional piece of evidence from the sender’s mail server to pass our Inbound Security checks. This additional layer of verification is critical to keeping bad actors away and under control.” According to IBM's Cost of a Data Breach report, in 2019 the healthcare industry lost almost $7 billion USD to damages from data breaches caused by cyberattacks. Extra network access points created by a growing remote workforce only expose healthcare organizations to more cybersecurity vulnerabilities and attacks. Zero Trust Email can minimize the damage from both internal and external attacks on healthcare organizations.
