After Oracle WebLogic miner attack, critical Apache Solr bug is now targeted

Money-hungry hackers have used over 1,400 unpatched Apache Solr servers to install a cryptocurrency miner.
Written by Liam Tung, Contributing Writer

Video: Cryptocurrency mining raises GPU prices, causes shortage

Hackers hit over 1,400 Apache Solr servers at the end of February in order to install once again, not ransomware, but a cryptocurrency miner.

The attack on Apache Solr servers bears some resemblance to a campaign discovered in January which exploited unpatched Oracle WebLogic instances to install a mining rig and earn attackers bitcoin-alternative Monero.

According to Renato Marinho, chief research officer at Morphus Labs, the Apache Solr attackers are using the critical remote code execution vulnerability tagged as CVE-2017-12629. The Apache Software Foundation released a fix for the flaw in October.

Solr is a widely used Apache program for building search functionality into websites.

Marinho reckons the Solr attackers are the same group who installed Monero miners on vulnerable Oracle WebLogic servers to generate the equivalent of $226,000 in Monero.

"Now that most Oracle WebLogic servers are fixed, miscreants had to move to another target," Marinho wrote on the SANS Internet Storm Center forum.

"Within nine days, from February 28 to March 8, this single campaign exploited 1,416 vulnerable Apache Solr servers to deploy Monero XMRig miners across the globe."

It's not known how much Monero the attackers have generated from compromised Solr servers because they're using a proxy to access Monero miner pools, which allows them to hide their Monero wallet addresses, Marinho told ZDNet.

However, there were only 722 WebLogic servers compromised, suggesting the Solr vulnerability has given the attackers twice as many servers to mine the cryptocurrency.

Servers, as opposed to PCs, are an attractive target for cryptomining in general because they're more likely to be running on powerful CPUs.

The attackers are scanning the internet for available Solr servers and using a publicly known exploit that was released in October.

See also: Special report: Cybersecurity in an IoT and mobile world (free PDF)

After compromising a machine, the attackers load a bash script that deploys the XMRig miner and sets up tasks to ensure the miner is chugging away day and night.

Admins will be able to see a process called 'fs-manager' running on affected machines connected to the miner pool through the address 'pool-proxy.com' on port 8080.

Marinho notes that IBM InfoSphere version 11.5, JBoss Data Grid versions 7.0.0, 7.1.0, JBoss Enterprise Application Platform (EAP) versions 6, 7, 7.0.8, and JBoss Enterprise Portal Platform version 6 may also be vulnerable to this attack because it exploits a vulnerability in a shared library.


This graphic shows the distribution of Apache Solr victims across the globe.

Image: Renato Marinho/Morphus Labs/SANS ISC

Previous and related coverage

How one hacker stole $226K worth of cryptocurrency from Oracle servers TechRepublic

An Oracle vulnerability published in December allowed attackers to mine the Monero cryptocurrency, but they don't seem to be stealing data.

Windows security: Microsoft fights massive cryptocoin miner malware outbreak

Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.

Ad network circumvents blockers to hijack browsers for cryptocurrency mining

An advertising network has come up with a way to ignore ad blockers in order to serve cryptocurrency mining scripts to visitors.

Cryptocurrency mining malware now as lucrative as ransomware for hackers

Attack techniques usually reserved for advanced campaigns have helped a cybercriminal scheme exploit hacked PCs for a big payday.

Cryptocurrency miners spent $776M on millions of GPUs last year (TechRepublic)

The rise of cryptocurrency mining has led to a GPU shortage impacting scientific research other industries.

Editorial standards