Threat Update
The botnet “Prometei”, discovered in 2020, has been targeting Exchange servers across the United States using the vulnerabilities recently targeted by HAFNIUM.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The Prometei botnet, previously used for mining the cryptocurrency ‘Monero’, has recently been targeting Exchange Servers across the United States by exploiting the recent Microsoft Exchange vulnerabilities. The botnet has specifically been targeting CVE-2021-27065 and CVE-2021-26858; two remote code execution (RCE) vulnerabilities that can compromise the entire system and create a foothold for further propagation within the target network.
With the botnet targeting the Exchange vulnerabilities, security researchers have been able to identify that after initial exploitation, the botnet will attempt to install the ‘China Chopper Webshell’. Following this initial installation, the threat actor has attempted to download a payload via PowerShell from the web. Once the payload has been downloaded, the threat actor will delete the webshell to cover their tracks. The payload module is saved as “C:\windows\zsvc.exe”. When this is process is complete, the Prometei botnet execution starts to prepare the compromised host for additional modules by copying itself into “C:\Windows” under the name “sqhost.exe”, creating firewall rules using ‘netsh’ to allow “sqhost.exe”, and creates persistence using registry keys.
WHY IS IT NOTEWORTHY?
While Microsoft has released patches to address the critical RCE vulnerabilities present in Exchange over the past months, threat actors are continuing to hunt and exploit these vulnerabilities in unpatched systems. It is also important to note that the Prometei botnet is not “targeting” its victims; the botnet is utilizing an opportunistic approach that has compromised companies in various industries and across the globe.
WHAT IS THE EXPOSURE OR RISK?
Microsoft has stated that Exchange 2013, 2016, and 2019 are affected by these vulnerabilities and servers running these versions of Exchange should be patched. Additionally, the Prometei botnet targets both Windows and Linux devices, thus increasing the attack surface within a targeted or compromised environment. Since the threat actor has not exhibited a pattern of targets, all businesses running an affected version of Exchange should be on alert.
WHAT ARE THE RECOMMENDATIONS?
The most important recommendation is to ensure your Exchange environment has the appropriate patches applied. Microsoft has released documentation detailing how to apply the patches for the April vulnerabilities at the link below:
The patches and technical details for the March CVEs can also be found here:
References:
- https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
- https://msrc.microsoft.com/update-guide/vulnerability/
- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617
If you have any questions, please contact our Security Operations Center.
