Cybersecurity firm Cybereason says attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines into a cryptocurrency botnet named Prometei. The actor behind the operation employs a wide range of specially crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, propagate laterally across the network, and mine Monero. The attack sequence observed by the firm exploited the Exchange Server flaws CVE-2021-27065 and CVE-2021-26858 as the initial compromise vector to install the China Chopper web shell.
Source: https://thehackernews.com/2021/04/prometei-botnet-exploiting-unpatched.html