23 April 2021

Prometei cryptocurrency mining botnet takes advantage of Microsoft Exchange vulnerabilities


Security researchers have warned of a widespread campaign that seeks to propagate Prometei cryptocurrency mining botnet by taking advantage of unpatched Microsoft Exchange servers.

According to Cybereason's Nocturnus team, which discovered the operation, the threat actors behind the botnet have been leveraging recently disclosed Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to gain access to a network and install malware. Both bugs are part of the four Microsoft Exchange zero-days collectively known as ProxyLogon, which were exploited in the recent attacks attributed to the Chinese APT Hafnium. Microsoft patched the vulnerabilities in March this year.

Prometei is a modular, multi-stage cryptocurrency-mining botnet that was first spotted in July 2020 and is thought to have been active since 2016. The botnet has both Windows and Linux versions, and its main goal is to mine Monero cryptocurrency. To spread, it uses a variety of techniques and tools, ranging from Mimikatz to SMB and RDP exploits.

The botnet targets organizations in the finance, insurance, retail, manufacturing, utilities, travel, and construction industries across the U.S., UK, Germany, France, Spain, Italy and many other European countries, as well as countries in South America and East Asia. Believed to be operated by Russian-speaking threat actors, the botnet does not target former Soviet bloc countries, the researchers noted.

Cybereason also believes the botnet operators are financially motivated and likely not sponsored by a nation-state.

"When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well," the researchers said.

"If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints."

Last week, the US Department of Justice announced that the FBI has conducted a successful operation in which it removed web shells from hundreds of hacked Microsoft Exchange servers.
