In a Wednesday blog post, researchers from Intezer said the worm spreads across the network to run XMRig Miner – a monero cryptocurrency miner – on a large scale. The malware targets both Windows and Linux servers and can easily maneuver from one platform to the other. It targets public-facing services such as MySQL, the Tomcat admin panel and Jenkins that have weak passwords. In an older version, the worm also attempted to exploit WebLogic’s latest vulnerability: CVE-2020-14882.
During their analysis, the researchers found that the attacker kept updating the worm on the command and control server, which indicates that it’s active and might be targeting additional weakly configured services in future updates.
The attack uses three files: a dropper script (bash or PowerShell), a Golang binary worm, and an XMRig Miner—all of which are hosted on the same command and control server.
Security teams have been advised to use complex passwords, limit login attempts and use two-factor authentication. Intezer also says to minimize the use of public-facing services and keep software updated with the latest security patches. Finally, they recommend using a cloud workload protection platform to gain full runtime visibility over the code in the company’s system and to get alerted on any malicious or unauthorized code.
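As an added, defender-side illustration (not code from the Intezer report or this article): the advice to limit login attempts assumes you can spot password-guessing bursts against the services the worm targets. This Python example parses constructed MySQL error-log and Tomcat access-log lines and flags any source that reaches a threshold of rejected logins inside a short window; the log formats, IPs, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not from the Intezer report): a MySQL error log and a
# Tomcat access log, with one host cycling through weak credentials on both.
SAMPLE_LOGS = """
2021-01-06T10:00:01.000000Z 8 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2021-01-06T10:00:02.000000Z 9 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2021-01-06T10:00:03.000000Z 10 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2021-01-06T10:00:04.000000Z 11 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2021-01-06T10:30:00.000000Z 12 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
203.0.113.5 - - [06/Jan/2021:10:01:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [06/Jan/2021:10:01:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [06/Jan/2021:10:01:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [06/Jan/2021:10:01:13 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [06/Jan/2021:10:01:14 +0000] "GET /manager/html HTTP/1.1" 200 19872
198.51.100.7 - - [06/Jan/2021:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1200
""".strip().splitlines()

MYSQL_RE = re.compile(r"^(\S+)Z \d+ \[\w+\] Access denied for user '[^']*'@'([\d.]+)'")
TOMCAT_RE = re.compile(r'^([\d.]+) \S+ \S+ \[([^\]]+)\] "\w+ /manager/\S* [^"]*" (\d{3})')

def parse_failures(lines):
    """Yield (timestamp, service, source_ip) for every rejected login in the logs."""
    for line in lines:
        if m := MYSQL_RE.match(line):
            ts = datetime.strptime(m.group(1)[:19], "%Y-%m-%dT%H:%M:%S")
            yield ts.replace(tzinfo=timezone.utc), "mysql", m.group(2)
        elif (m := TOMCAT_RE.match(line)) and m.group(3) == "401":
            # a 401 on the manager app means the supplied credentials were rejected
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), "tomcat-manager", m.group(1)

def find_bruteforce(lines, threshold=4, window_s=60):
    """Return {(service, ip): total_failures} for sources with `threshold` rejects inside any `window_s`-second window."""
    by_key = defaultdict(list)
    for ts, service, ip in parse_failures(lines):
        by_key[(service, ip)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(stamps)
                break
    return hits
```

A flagged (service, ip) pair is where a lockout or an alert would fire; the single rejected login from the second host stays below the threshold and is ignored.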
Dirk Schrader, global vice president at New Net Technologies, said that miners on servers are often viewed as a nuisance, something that security pros have to manage. However, for the attackers, especially in this case, Schrader said the potential number of systems is staggering: According to Shodan, there are 5.5 million MySQL, Tomcat, Jenkins, and WebLogic devices connected to the internet.
“It’s simple math, if only 0.1 percent of the systems are prone to the attack, there’s plenty of server power to use for mining and money generation, later to be used for other nefarious work by the cyber criminals,” Schrader said. “Protection against that kind of attack is done in the same way as with other types of attacks. Organizations should monitor their systems for vulnerabilities to patch them in time, control any changes happening to a server like a file being dropped and have a strong password policy in place.”