A new cryptojacking campaign surfaced by researchers at various firms reveals that threat actors exploit vulnerabilities in Windows and Linux servers to mine Monero. There are various vulnerabilities targeted in these systems. The botnet formed by threat actors comes with a single binary with XMrig for mining and a spreader for infecting more.
Cryptojacking Against Windows and Linux
Cryptojacking is when the threat actors exploit a vulnerability in the targeted machine and install mining software to mint cryptocurrencies for their own benefit. And if done on a large scale by exploiting connected systems in a network, it forms a botnet and earns even more revenue to the threat actors.
One such operation is spotted by Aliyun (Alibaba Cloud) researchers in February this year. The unknown threat actors exploit various vulnerabilities in Windows and Linux servers to mine Monero coins. Named as Sysrv-hello, researchers later detailed this campaign at Juniper Threat Labs and Lacework Labs in March this year after a surge in attacks.
Saying the botnet operations are live since December 2020, it has been updated to be more effective and direct. As per researchers, the botnet used to have two components of the miner (XMrig for mining coins) and a worm for spreading across the network. But it was later upgraded to have a single binary file with both mining and spreading functions.
According to Lacework, the botnet is targeting “cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solar, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts” for initial access, and spreading through the network by obtaining SSH private keys available in the victim system.
The Juniper Threat Labs has detailed the vulnerabilities exploited by this botnet as below;
- Mongo Express RCE (CVE-2019-10758)
- XML-RPC (CVE-2017-11610)
- Saltstack RCE (CVE-2020-16846)
- Drupal Ajax RCE (CVE-2018-7600)
- ThinkPHP RCE (no CVE)
- XXL-JOB Unauth RCE (no CVE)
And some previous vulnerabilities exploited were also listed;
- Laravel (CVE-2021-3129)
- Oracle Weblogic (CVE-2020-14882)
- Atlassian Confluence Server (CVE-2019-3396)
- Apache Solr (CVE-2019-0193)
- PHPUnit (CVE-2017-9841)
- JBoss Application Server (CVE-2017-12149)
- Sonatype Nexus Repository Manager (CVE-2019-7238)
- Jenkins brute force
- WordPress brute force
- Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE)
- Jupyter Notebook Command Execution (No CVE)
- Tomcat Manager Unauth Upload Command Execution (No CVE)
Finding and tracking the connected Monero wallets of this botnet campaign has balances growing up slowly but steadily.