Trend Micro researchers have observed a new Monero cryptocurrency mining campaign that targets Linux servers. The campaign reuses known vulnerabilities, in particular a flaw that has been patched for five years. Users should note that the campaign is currently active and ongoing, affecting the following regions: Japan, Taiwan, India, China, and the U.S.
Cryptocurrency Mining Attack Hits Linux Servers: the Details
The known vulnerability exploited in the malicious campaign is CVE-2013-2618:
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
Why are attackers exploiting this particular old bug? As seen in its official description, it is a dated flaw in Cacti’s Network Weathermap plug-in, which is used by system administrators to visualize network activity.
Furthermore, Network Weathermap only has two publicly reported flaws, and both of them are from June 2014. It’s possible the attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool, Trend Micro researchers explained.
More about the Miner Used in This Campaign
The final payload of the operation has been found to be a modified XMRig miner. It should be noted that XMRig is a legitimate, open-source XMR miner with multiple updated versions that support both 32-bit and 64-bit Windows and Linux operating systems.
XMRig should be executed along with a configuration file called ‘config.json’, or with parameters that specify/require details such as the algorithm to be used (CryptoNight/CryptoNight-Lite), maximum CPU usage, mining server, and login credentials (Monero wallet and password). The samples used in this attack were modified in a way that renders the configuration or parameters unnecessary. Everything is already embedded in its code.
The researchers collected five probable samples that led them to two unique login usernames, matching the Monero wallets where the mining pool payments are being sent.
So far, the attackers have mined about 320 XMR or approximately $74,677 based on the two wallets the researchers observed. However, these numbers represent only a small portion of the profit for the entire mining campaign. Previous reports of the same campaign showed a profit of $3 million worth of XMR coming from a single Monero wallet.
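As an added example (not Trend Micro's tooling and not code from the original report), the following Python script shows how a defender could triage a suspect binary for the embedded configuration described above: it extracts printable strings and flags pool URLs, wallet-shaped login names, and CryptoNight algorithm names. The sample bytes, pool hostname and wallet string are constructed, and the stratum URL form and the 95-character Monero address shape are assumptions about what such samples embed.

```python
import re

B58 = rb"[1-9A-HJ-NP-Za-km-z]"
# Assumption: wallet logins look like standard Monero addresses
# (95 base58 characters, starting with 4, or 8 for subaddresses).
WALLET_RE = re.compile(rb"(?<!" + B58 + rb")[48]" + B58 + rb"{94}(?!" + B58 + rb")")
# Assumption: the pool is embedded as a stratum URL with an explicit port.
POOL_RE = re.compile(rb"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+:\d{2,5}")
ALGO_RE = re.compile(rb"cryptonight(?:-lite)?", re.IGNORECASE)


def printable_strings(data, min_len=6):
    """Return runs of printable ASCII, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data):
    """Flag mining settings compiled into a binary instead of config.json."""
    pools, wallets, algos = set(), set(), set()
    for s in printable_strings(data):
        pools.update(m.decode() for m in POOL_RE.findall(s))
        wallets.update(m.decode() for m in WALLET_RE.findall(s))
        algos.update(m.decode().lower() for m in ALGO_RE.findall(s))
    return {
        "pools": sorted(pools),
        "wallets": sorted(wallets),
        "algos": sorted(algos),
        # Pool plus wallet in the image means it can mine with no config or arguments.
        "self_configured": bool(pools and wallets),
    }


# Constructed sample data: not a real wallet, pool, or malware sample.
CONSTRUCTED_WALLET = "4" + "A" * 94
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"stratum+tcp://pool.example.invalid:3333\x00"
    + CONSTRUCTED_WALLET.encode() + b"\x00\x01\x02"
    + b"cryptonight-lite\x00"
)
BENIGN = b"\x7fELF\x00usage: tool --config config.json\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

Because these samples need no config.json or command-line parameters, checks that only look at process arguments or configuration files on disk will not see the pool or wallet; string triage of the binary itself does.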
Another miner that is a modified version of the XMRig software is the so-called WaterMiner.
The WaterMiner Monero miner connects to a predefined pool by having specific instructions in its configuration file.
A mining pool is a centralized node which takes a Monero blockchain block and distributes it to the connected peers for processing. When a set number of shares are returned and verified by the pool, a reward in the form of Monero cryptocurrency is wired to the designated wallet address.