They take advantage of a vulnerability in Linux to mine Monero – Crypto Economy
An old vulnerability, CVE-2013-2618, which allowed computers to be infected with a script, has recently been used again against Linux servers that were still unpatched. The script used is XMRig, with which some hackers have generated more than $75,000 in Monero (XMR).
What does the CVE-2013-2618 vulnerability do?
This vulnerability allows attackers to inject a script on the affected machine. In this case the script used against the Linux servers is the cryptominer XMRig, a legitimate open-source miner that, once planted on a machine, makes it mine cryptocurrency without the user being aware of it.
It is not the first time that this vulnerability and this script have been used to mine Monero without the knowledge of those affected. Five years ago it was already patched to prevent these attacks.
Remarkably, the Linux servers were still unpatched; in these attacks a modified version of XMRig called WaterMiner is also usually used.
“Through our incident response-related monitoring, we observed intrusion attempts whose indicators we’ve been able to correlate to a previous cryptocurrency-mining campaign that used the JenkinsMiner malware. The difference: this campaign targets Linux servers. It’s also a classic case of reused vulnerabilities, as it exploits a rather outdated security flaw whose patch has been available for almost five years.”
The researchers have stated that this campaign is still active and that the affected Linux servers are mainly located in China, Japan, Taiwan, India and the USA.
They also claim that this attack is connected to the JenkinsMiner malware that was used on Windows computers, where hackers mined at least three million dollars in Monero (XMR).
As indicated by the Trend Micro team, the campaign’s attack chain requires the following:
- A web server running Linux (x86-64), given the custom-made XMRig miner 64-bit ELFs.
- The web server must be publicly accessible.
- Cacti (an open-source, web-based network monitoring and graphing tool) must be installed with the Plugin Architecture enabled and an outdated Network Weathermap plugin (0.97a and prior).
- The web server hosting Cacti does not require authentication to access the web page resource.
- For full execution, the web server should be running with ‘root’ (or equivalent) permissions (some of the directives in the shell script require root privileges).
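As an added example that is not part of the article or of Trend Micro's report, a small Python checker maps the preconditions listed above onto facts gathered from a host, so an administrator can see which of them hold. The web server process names, the `ps -eo user,comm` layout and the sample inputs are assumptions constructed for the example.

```python
"""Checks the preconditions the article lists for the Cacti/Network Weathermap
(CVE-2013-2618) mining campaign against facts gathered from a host.
Hypothetical helper code added to this page; sample inputs are constructed."""
import re

VULNERABLE_MAX = (0, 97, "a")          # "0.97a and prior", per the article
WEB_SERVER_NAMES = {"apache2", "httpd", "nginx"}   # assumed process names


def parse_weathermap_version(version):
    """'0.97a' -> (0, 97, 'a'); a missing letter suffix sorts before 'a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def weathermap_vulnerable(version):
    """True for 0.97a and every earlier release (0.97, 0.96, ...)."""
    return parse_weathermap_version(version) <= VULNERABLE_MAX


def web_server_users(ps_output):
    """Users owning web server processes, from `ps -eo user,comm` style text."""
    users = set()
    for line in ps_output.splitlines()[1:]:        # skip the header row
        parts = line.split()
        if len(parts) >= 2 and parts[1] in WEB_SERVER_NAMES:
            users.add(parts[0])
    return users


def web_server_runs_as_root(ps_output):
    """True only when every web server process is root; a normal Apache keeps
    a root master with unprivileged workers and does not trigger this."""
    users = web_server_users(ps_output)
    return bool(users) and users == {"root"}


def assess(arch, public, weathermap_version, auth_required, ps_output):
    """Map each precondition from the article to whether it holds on this host."""
    return {
        "linux_x86_64": arch == "x86_64",
        "publicly_reachable": public,
        "weathermap_outdated": weathermap_vulnerable(weathermap_version),
        "no_auth_on_cacti": not auth_required,
        "web_server_root": web_server_runs_as_root(ps_output),
    }


# Constructed sample (not from the article): root master, unprivileged worker.
PS_SAMPLE = "USER     COMMAND\nroot     systemd\nroot     apache2\nwww-data apache2\nroot     sshd\n"

if __name__ == "__main__":
    for name, hit in assess("x86_64", True, "0.97a", False, PS_SAMPLE).items():
        print(f"{name:22} {'MET' if hit else 'not met'}")
```

A host where every condition reports MET matches the full attack chain; patching Weathermap or putting Cacti behind authentication breaks it.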
Trend Micro is a leading cybersecurity company, founded in the United States and headquartered in Japan. It has over 25 years of experience, more than 5,000 employees, and revenues of more than 1.1 billion dollars.