Trend Micro researchers have observed a new Monero cryptocurrency-mining campaign targeting Linux servers. The campaign uses repurposed, publicly known vulnerabilities, most notably a flaw that was patched five years ago. Users should note that the campaign is currently active and ongoing, affecting the following regions: Japan, Taiwan, India, China, and the U.S.
Cryptocurrency Mining Attack Hits Linux Servers: The Details
The known vulnerability exploited in the malicious campaign is CVE-2013-2618:
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
Why are attackers exploiting this particular old bug? As seen in its official description, it is a dated flaw in Cacti’s Network Weathermap plug-in, which is used by system administrators to visualize network activity.
In addition, Network Weathermap has only two publicly reported flaws, and both of them are from June 2014. It's possible the attackers are taking advantage not only of a security flaw for which an exploit is readily available, but also of the patch lag that occurs in organizations that use the open-source tool, Trend Micro researchers explained.
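Because the flaw is reached through the map_title query parameter of editor.php, attempts to exploit it leave a visible trace in the web server access log. The following Python script is an added example (not code from Trend Micro or from the Cacti project) that parses Apache-style log lines, percent-decodes the query string, and flags any request to editor.php whose map_title value carries markup or script fragments. The log lines are constructed, and the plugin path /plugins/weathermap/editor.php is an assumption about where Cacti installs the plugin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache "common" format; not real traffic.
# The path /plugins/weathermap/editor.php is the assumed Cacti plugin location.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2018:10:01:12 +0000] "GET /plugins/weathermap/editor.php?mapname=net.conf HTTP/1.1" 200 5120
10.0.0.9 - - [19/Mar/2018:10:02:44 +0000] "GET /plugins/weathermap/editor.php?mapname=net.conf&map_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
10.0.0.9 - - [19/Mar/2018:10:03:01 +0000] "GET /plugins/weathermap/editor.php?mapname=net.conf&map_title=Core+Network HTTP/1.1" 200 5120
10.0.0.7 - - [19/Mar/2018:10:04:30 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

# Client IP, timestamp, method and request target of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Markup or script-bearing fragments that have no business in a map title.
MARKUP_RE = re.compile(r'<|javascript:|\bon\w+\s*=', re.IGNORECASE)


def find_weathermap_xss_attempts(log_text):
    """Return one finding per request whose map_title parameter carries markup."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line or a log format this parser does not handle
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/editor.php'):
            continue
        # parse_qs percent-decodes values, so encoded payloads are inspected decoded.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get('map_title', []):
            if MARKUP_RE.search(value):
                findings.append({
                    'ip': m.group('ip'),
                    'timestamp': m.group('ts'),
                    'method': m.group('method'),
                    'map_title': value,
                })
    return findings


if __name__ == '__main__':
    for f in find_weathermap_xss_attempts(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} map_title={f['map_title']!r}")
```

The check only sees parameters that appear in the request line, so a POST body carrying the same parameter would not be logged by a default Apache configuration; pairing this with the upgrade to Network Weathermap 0.97b or later, rather than relying on log review alone, is the actual fix.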
More about the Miner Used in This Campaign
The final payload of the operation has been found to be a modified XMRig miner. It should be noted that XMRig is a legitimate, open-source XMR miner with multiple updated versions that support both 32-bit and 64-bit Windows and Linux operating systems.
XMRig is normally executed together with a configuration file called 'config.json', or with command-line parameters that specify details such as the algorithm to be used (CryptoNight/CryptoNight-Lite), maximum CPU usage, mining server, and login credentials (Monero wallet and password). The samples used in this attack were modified in a way that renders the configuration file or parameters unnecessary: everything is already embedded in the code.
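Embedding the settings in the binary removes the config.json a responder would normally look for, but the values themselves (pool URL, algorithm name, wallet address, option names) still have to exist somewhere in the file. The Python script below is an added example, not code from Trend Micro or from the XMRig project, that extracts printable strings from a file the way strings(1) does and reports anything resembling a hard-coded miner configuration. The binary blob is constructed, the pool host and wallet are placeholders, and the XMRig option names are assumed from that project's config.json format.

```python
import re
import sys

# Constructed stand-in for a modified miner binary: the settings that would
# normally come from config.json are laid out as NUL-terminated strings.
# The pool host and wallet are placeholders, not values from any real sample.
PLACEHOLDER_WALLET = "4" + "A" * 94  # Monero addresses: 95 base58 chars, leading 4
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"stratum+tcp://pool.example.invalid:3333\x00"
    + PLACEHOLDER_WALLET.encode() + b"\x00"
    + b"x\x00cryptonight\x00max-cpu-usage\x00donate-level\x00"
    + b"\x00" * 8
)

STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, like strings(1)
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+(?::\d{1,5})?")
ALGO_RE = re.compile(r"cryptonight(?:-lite)?", re.IGNORECASE)
B58 = r"[1-9A-HJ-NP-Za-km-z]"
XMR_ADDR_RE = re.compile(rf"(?<!{B58})4{B58}{{94}}(?!{B58})")
# Option names from XMRig's config.json format (assumed from its documentation).
XMRIG_KEYS = ("max-cpu-usage", "donate-level", "cpu-affinity", "threads")


def extract_strings(blob):
    """Printable ASCII runs of at least six characters, in file order."""
    return [s.decode("ascii") for s in STRINGS_RE.findall(blob)]


def scan_for_embedded_miner_config(blob):
    """Look for pool URLs, algorithm names, wallets and option names in a binary."""
    text = "\n".join(extract_strings(blob))
    pools = sorted(set(POOL_RE.findall(text)))
    algorithms = sorted({a.lower() for a in ALGO_RE.findall(text)})
    wallets = XMR_ADDR_RE.findall(text)
    keys = [k for k in XMRIG_KEYS if k in text]
    return {
        "pools": pools,
        "algorithms": algorithms,
        "wallets": wallets,
        "config_keys": keys,
        # A hard-coded pool plus a wallet or algorithm name is the signature of
        # a miner that no longer needs config.json or command-line parameters.
        "suspicious": bool(pools) and bool(wallets or algorithms),
    }


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed blob if none.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_for_embedded_miner_config(fh.read()))
    else:
        print(scan_for_embedded_miner_config(SAMPLE_BLOB))
```

The wallet addresses this turns up are also what the researchers used to tie samples to pool payouts, so keeping them alongside the pool hostnames gives a blocklist for egress filtering and a pivot for finding other samples.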
The researchers collected five probable samples that led them to two unique login usernames, matching the Monero wallets where the mining pool payments are being sent.
So far, the attackers have mined about 320 XMR, or approximately $74,677, based on the two wallets the researchers observed. However, these numbers represent only a small portion of the profit for the entire mining campaign. Previous reports on the same campaign showed a profit of $3 million worth of XMR coming from a single Monero wallet.
Another miner that is a modified version of the XMRig software is the so-called WaterMiner.
The WaterMiner Monero miner connects to a predefined pool, following specific instructions in its configuration file.
A mining pool is a centralized node that takes a block of the Monero blockchain and distributes it to connected peers for processing. When a defined number of shares is returned and verified by the pool, a reward in the form of Monero cryptocurrency is credited to the designated wallet address.