The New Microsoft Exchange CryptoCurrency Hack

Microsoft Exchange CryptoCurrency Hack
Microsoft Exchange CryptoCurrency Hack
Is your Microsoft Exchange Server up to date? If not, the Prometai Malware hack might infect your network, steal your resources, and potentially bring down your business.

New cryptocurrency coins are created by solving complex mathematical problems, a process called “mining.” Those who mine cryptocurrency do so by building farms of extremely powerful computers designed specifically for these mining operations. Not only are the computers expensive, but so is the maintenance, networking and electrical power required to keep them running, sometimes making the effort unprofitable. But now cybercriminals have designed malware that seeks to avoid all of that expense by infecting millions of computers with code that will do the mining for them…on YOUR computers.

The malware, named Prometheus (after the Greek god of fire) and “Prometai” in Russian, exploits two vulnerabilities in Microsoft Exchange, which are together known as “ProxyLogon,” to help it distribute itself to users of the Exchange server. But the threat doesn’t stop there.

How The Prometai Malware Works

According to a report on, the attack begins with a hack of unpatched Microsoft Exchange servers that exploit the two ProxyLogon vulnerabilities. From there, it infects other PCs on the network.

Threatpost says that “ProxyLogon consists of four flaws that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials.” That means that no matter how complex your passwords may be, your Exchange Servers may still be at risk.

The main payload of the malware is to run a cryptocurrency mining application. Miners do well when the costs of the machines, maintenance and network infrastructure are lower than the value of the coins generated by the application. And the venture becomes even more profitable when those costs are born by others.

Which Cryptocurrency is Mined by Prometai?

Most of us are familiar with Bitcoin, the most popular cryptocurrency, but this malware mines Monero, a lesser-known cryptocurrency. Why Monero? Because according to Genesis Mining, BitCoin is optimized to run on specialized hardware that uses chips called ASICs, and most office computers do not have high performance ASIC chips. On the other hand, Monero is “designed in such a way that ASIC computers do not have much of an advantage over ordinary computers. As a result, ordinary people can use a simple CPU and start mining right away.”

That makes mining Monero ideal for the untargeted distribution of this malware, because any computer it infects can be used for mining the coins.

Why is the Prometai Malware Dangerous?

The damage for the owners of these computers occurs on many levels.

  • The users of infected computers suffer from poor performance from their PCs as processing power is diverted to the mining operation.
  • Computers use additional electricity for the additional processor power required to run the mining software.
  • The malware can affect the stability of the infected computers.
  • It spreads to other workstations by using brute force techniques to guess user credentials, trying hundreds of common passwords
  • It spreads to Microsoft SQL Servers and PostgreSQL servers

But the real danger of the malware is that it provides a backdoor for loading other software that could do even more damage to your computers and your company. The backdoor could be used for:

  • Stealing Credentials
  • Stealing Intellectual Property
  • Installing Ransomware
  • Allowing Remote Control and Takeover of the computers

How To Protect Your Company From Prometai

The first and best thing you and your company can do to protect yourselves from this and similar malware infections is to keep your software updated. The entry point for Prometai are two vulnerabilities in Microsoft Exchange that Microsoft has already fixed. However, if your IT team has not installed the patches, your company remains vulnerable.

Systems that detect and prevent unauthorized installation of software on servers and workstations is another line of defense, as they could prevent the installation of the malware, or detect its presence early enough to minimize the damage.

SIEM systems, which view and analyze your entire IT infrastructure as a whole (rather than as separate components) can help to detect unusual activity across your network.

If you run a business, from a single laptop up to large enterprises, your business is vulnerable to this or similar malware, and there is no way to protect your business except to take an active role in defending yourself. Digital Uppercut offers all of these services and more as part of our Business Protection Toolkit, which contains 10 separate business protection tools and is growing.

Call Digital Uppercut

The Business Protection Toolkit allows Digital Uppercut to provide big business protection on a small business budget. If your business isn’t protected, or you aren’t sure if your current IT team is protecting your business well enough, call Digital Uppercut for a free consultation and a discussion of your situation. Make an appointment using our online contact form, or call us at 818-913-1335.