Cybereason’s cybersecurity researchers revealed on April 22 that a “Prometei” botnet aimed at cryptocurrency mining exploits a “Microsoft Exchange Server” vulnerability. However, it is said that it is expanding its scale. However, once the access authority is deprived, it may lead to more dangerous cyber attacks due to the size of the authority. Researchers say the Prometei botnet is launching a multi-step attack on a wide range of organizations in a global campaign. The cybercriminals behind the botnet are exploiting vulnerabilities in Exchange Server to break into the network. A security patch for this vulnerability has already been published and can be applied to prevent attacks, but Prometei scans the Internet to find unpatched organizations and use it as a foothold for network intrusion. It has become like. Prometei is not targeting a specific organization, but is looking for vulnerable networks that can be targeted by a wide range of targets. According to researchers, the botnet has a network of multiple organizations in regions such as North America, South America, Europe and East Asia. The main purpose of the attackers is to install cryptojacking malware and mine “Monero”. Attackers are secretly using the processing power of infected devices to mine cryptocurrencies and fill their stomachs. Prometei exploits a vulnerability in Exchange Server to infiltrate the network and then infect as many endpoints as possible while traversing the network using a variety of known attack techniques. Is supposed to try. Techniques for moving within the network include collecting login credentials, exploiting vulnerabilities around RDP, and attacking vulnerabilities such as “EternalBlue” and “BlueKeep”, as well as spreading the infection to as many machines as possible. The vulnerabilities exploited in EternalBlue and BlueKeep, which also include the research activities required in, have already been patched as well as the Exchange Server vulnerabilities, but attackers have not applied such patches. You can spread your bots within your network. Assaf Dahan, Head of Threat Research at Cybereason, told ZDNet: “Unfortunately, as we’ve seen many times before, just because a patch is released, it’s quick. It doesn’t always apply. For example, even though the EternalBlue exploit has been around for years and patches have been available for many years, attackers have exploited this vulnerability. We are still seeing it. ” The criminals behind Prometei appear to be aiming for long-term activity in the invading network. To that end, criminals are using not only the techniques used in sophisticated cybercrime campaigns, but even the techniques used by state-backed hacking groups. Prometei, at least for now, is a botnet specializing in cryptocurrency mining. “The longer it goes undetected on the network, the more cryptocurrencies can be mined, and it improves botnet resilience, adds stealth to malware, and frequently APT (APT). We used techniques and tools related to (highly targeted attacks). ” “Attackers could also infect endpoints with other malware if they wanted to, or collaborate with ransomware groups to sell access to endpoints,” Dahan said. Little is known about the cybercriminal activity behind Prometei, but Cybereason’s analysis of the group’s activities suggests that Russian-speaking people may be involved. And the group seems to be trying to keep Russian targets out of the way. The name Prometei is also the Russian word for “Prometheus”. Prometheus is the god of fire in Greek mythology. Prometei is still believed to be actively scanning to infect new targets. The best way to avoid harm is to apply Exchange Server security patches. “First and foremost, organizations should have good patch management procedures in place and patch potentially vulnerable systems,” Dahan said. “But most importantly, IT and security teams should proactively and continuously track known threats,” Dahan said.