Unpatched Linux Vulnerability Used for Monero Mining

Guess what the favorite tool of hackers is when they want to infect Linux servers with crypto mining malware. It’s a 5-year-old security vulnerability that is being exploited in the cyprojacking campaign. The altered XMRig tool is the miner, which is legitimate and open source Monero miner.

A flaw that was discovered in 2013 in Network Weathermap plug-in, this tool was basically used by admin to evaluate network activity. The latest use of crypto mining was discovered by the researchers from Trend Micro, and they still believe this campaign is still active.

The key targets of this campaign are publicly accessible x86-64 Linux web servers, while the scope of the attack is not limited to any single destination since webservers across the globe are being targeted. United States, Japan, Taiwan, India, and China are some of the places identified as the top targets.

The same vulnerability can be utilized for infecting a webserver with malicious PHP code. According to researchers, this vulnerability is used by hackers for injecting HTML and JavaScript into the title of the network editor maps.

One wonders that such a critical flaw hasn’t been patched all this while, despite the availability of the patch for the last five years. Nevertheless, hackers are still making merry using this flaw for mining cryptocurrency. The vulnerability allows attackers to modify the code to install crypto-miner on the machine. The process is repeated after every three minutes to make sure the server restarts the mining process in case someone shuts down the system. It means the exploit is used for initiating a request for viewing the code on the webserver.

The attackers evade detection by instructing the XMRig tool to perform the actions discreetly. The CPU usage is modified by the Hacker simply by decreasing the percentage of power used to reduce the chances of detection.

The wallets have been used by the miners have also been identified by the researchers. One of the attackers received 320 Monero (approx. $75,000), said Trend Micro. It is worth noting that this is just a small proportion of what attackers are actually making through this campaign. Researchers opine that attackers must have mined $3 million in cryptocurrency.

To protect your computer from being used as a crypto mining tool, it is a good idea to keep the system patched. Those who run Cacti’s Network Weathermap plug-in must secure their data and keep it away from public servers. In the company’s official blog post, Trend Micro researchers noted:

“Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments, it also does the same for threat actors.”