Tag Archive for: Cryptomining

New cryptomining malware builds an army of Windows, Linux bots


A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

First spotted by Alibaba Cloud (Aliyun) security researchers in February (who dubbed it Sysrv-hello) and active since December 2020, the botnet has also landed on the radars of researchers at Lacework Labs and Juniper Threat Labs after a surge of activity during March.

While it initially used a multi-component architecture with separate miner and worm (propagator) modules, the botnet has since been upgraded to a single binary that both mines and automatically spreads the malware to other devices.

Sysrv-hello’s propagator component aggressively scans the Internet for more vulnerable systems to add to its army of Monero mining bots with exploits targeting vulnerabilities that allow it to execute malicious code remotely.

The attackers “are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access,” Lacework found.

After compromising a server and killing competing cryptocurrency miners, the malware also spreads across the network in brute-force attacks using SSH private keys collected from various locations on the infected server.

“Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files,” Lacework added.

Figure: Sysrv-hello attack flow (Lacework)

Vulnerabilities targeted by Sysrv-hello

After the botnet’s activity surged in March, Juniper identified six vulnerabilities exploited by malware samples collected in active attacks:

  • Mongo Express RCE (CVE-2019-10758)
  • XML-RPC (CVE-2017-11610)
  • Saltstack RCE (CVE-2020-16846)
  • Drupal Ajax RCE (CVE-2018-7600)
  • ThinkPHP RCE (no CVE)
  • XXL-JOB Unauth RCE (no CVE)

Other exploits used by the botnet in the past also include:

  • Laravel (CVE-2021-3129)
  • Oracle Weblogic (CVE-2020-14882)
  • Atlassian Confluence Server (CVE-2019-3396)
  • Apache Solr (CVE-2019-0193)
  • PHPUnit (CVE-2017-9841)
  • Jboss…

Source…

Windows and Linux devices are under attack by a new cryptomining worm



A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.

Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.

The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.

Constantly growing arsenal

By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to make it better able to survive reboots and to have more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.

“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.


Thursday’s post listed more than a dozen vulnerabilities that the malware exploits. They are (exploit, followed by the affected software):

  • CVE-2021-3129: Laravel
  • CVE-2020-14882: Oracle Weblogic
  • CVE-2019-3396: Widget Connector macro in Atlassian Confluence Server
  • CVE-2019-10758: Mongo Express
  • CVE-2019-0193: Apache Solr
  • CVE-2017-9841: PHPUnit
  • CVE-2017-12149: Jboss Application Server
  • CVE-2017-11610: Supervisor (XML-RPC)
  • Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE): Apache Hadoop
  • Brute force Jenkins: Jenkins
  • Jupyter Notebook Command Execution (No CVE): Jupyter Notebook Server
  • CVE-2019-7238: Sonatype Nexus Repository Manager
  • Tomcat Manager Unauth Upload…

Source…

Microsoft Exchange exploits now used by cryptomining malware


The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.

The malware is known for installing XMRig Monero (XMR) CPU coinminers on infected devices to mine cryptocurrency for the botnet’s owners.

Lemon_Duck’s ongoing attacks on vulnerable Exchange servers have already reached a massive scale, according to Costin Raiu, director of Kaspersky’s Global Research and Analysis Team.

The attackers are using web shells deployed on compromised servers to download malicious payloads from p.estonine[.]com and cdn.chatcdn[.]net.

These indicators of compromise associated with Lemon_Duck were also observed by Huntress Labs while analyzing mass exploitation of on-premises Microsoft Exchange servers.

Continuously updated cryptomining botnet

In previous attacks, the botnet was used to gain access to victims’ networks over the SMB protocol using EternalBlue or by brute-forcing Linux machines and MS SQL servers.

Lemon_Duck also supports spreading to servers running exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

Its operators also employed large-scale COVID-19-themed spam campaigns for propagation in the past, exploiting the CVE-2017-8570 Microsoft Office remote code execution (RCE) vulnerability to deliver the malware payload.

“The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we’ve seen,” Sophos security researcher Rajesh Nataraj said.

“Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is ‘fileless,’ meaning it remains memory resident and leaves no trace of itself on the victim’s filesystem.”

Exchange servers targeted by ransomware, state hackers

Since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, at least ten APT groups have been…

Source…

DDoS Attacks Wane in Q4 Amid Cryptomining Resurgence – Threatpost


Source…