Cryptocurrency miners have begun using two older and already patched vulnerabilities to compromise servers to mine the Monero digital currency.
Trend Micro researcher Hubert Lin reported a significant increase in the use of Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) starting in December. So far it’s estimated the malicious actor behind the attacks has netted about $12,000 or 30XMR.
“We believe that this is the work of a single threat actor, as the sites all point to a single malicious domain to download Monero miners, which also all point to a single Monero address,” Lin wrote.
How does it work?
Initially, the process begins with a malicious HTTP request that is received in the server. If it is vulnerable to Apache Struts and DotNetNuke flaws, the malicious code injected by the request eventually leads to the downloading of a Monero miner. This attack hit rather Windows and Linux systems, but the injected request depends on target OS. Nonetheless, the same URL is shared between Apache Struts and Dotnetnuke:
Windows – hxxp://eeme7j[.]win/scv[.]ps1 leading to the download of a miner from hxxp://eeme7j[.]win/mule[.]exe (detected as TROJ_BITMIN.JU) Linux – hxxp://eeme7j[.]win/larva[.]sh leading to the download of a miner from hxxp://eeme7j[.]win/mule (detected as ELF_BITMIN.AK)
Both systems have available patches since March and August 2017.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also Freelance Writer.
Read more here.