- Joined
- Dec 3, 2020
- Messages
- 1,722
An unknown Botnet called "Prometei" is attacking windows and Microsoft devices (vulnerable) using brute force SMb exploits. According to Cisco Talos, these SMB vulnerabilities help in mining cryptocurrency. The botnet has affected around a thousand devices. It came in March; however, according to experts at Cisco Talos, the campaign could only generate a small amount of $5000 in four months of its activities. The botnet was working since the beginning of March and took a blow on 8th June. However, the botnet kept working on its mining operations to steal credentials. According to experts, the botnet is working for somebody based in Europe, a single developer.
"Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining. It has been successful in keeping its computing power constant over the three months we've been tracking it," says Cisco Talo's report.
Vanja Svajcer, a cybersecurity expert, says that earning $1250 monthly is more than average for a European. Therefore, the developer would 've made a fair profit from the botnet. Besides crypto mining, it can also steal private credentials and escape without getting traced.
About SMB attack
The hacker exploits the Windows Server Message Block protocol using a vulnerability. After this, the hackers retrieve passwords from Mimikatz, which is an open-source app for credential authentication. To spread itself in SMB protocol, the hackers use the RdpcIip.exe spreader module. This spreader tries to authenticate SMB operation using retrieved credentials or a temporary guest profile, which doesn't require any password. If the spreader can infiltrate, it uses a Windows app to launch the botnet remotely. But if the attack fails, the hackers can use other versions of vulnerabilities to start botnet.
To protect yourself, Cisco Talos says, "defenders need to be constantly vigilant and monitor systems' behavior within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."
"Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining. It has been successful in keeping its computing power constant over the three months we've been tracking it," says Cisco Talo's report.
Vanja Svajcer, a cybersecurity expert, says that earning $1250 monthly is more than average for a European. Therefore, the developer would 've made a fair profit from the botnet. Besides crypto mining, it can also steal private credentials and escape without getting traced.
About SMB attack
The hacker exploits the Windows Server Message Block protocol using a vulnerability. After this, the hackers retrieve passwords from Mimikatz, which is an open-source app for credential authentication. To spread itself in SMB protocol, the hackers use the RdpcIip.exe spreader module. This spreader tries to authenticate SMB operation using retrieved credentials or a temporary guest profile, which doesn't require any password. If the spreader can infiltrate, it uses a Windows app to launch the botnet remotely. But if the attack fails, the hackers can use other versions of vulnerabilities to start botnet.
To protect yourself, Cisco Talos says, "defenders need to be constantly vigilant and monitor systems' behavior within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."