The sky-high valuations of cryptocurrencies isn’t lost on hackers, who are responding with increasingly sophisticated attacks that covertly harness the computers and electricity of unwitting people to generate digital coins worth large sums of money.
One example is a recently uncovered mass hack of servers that has mined about $6,000 worth of the cryptocurrency known as AEON in the past 23 days. Based on the rate the underlying cryptographic hashes are being generated, Morphus Labs Chief Research Officer Renato Marinho estimated that about 450 separate conscripted machines are participating. Marinho analyzed one of the servers and found that attackers gained control over it by exploiting CVE-2017-10271, a critical vulnerability in Oracle’s WebLogic package that was patched in October. The owner of the compromised server, however, had yet to install the fix.
“The exploit is pretty simple to execute and comes with a Bash script to make it easy to scan for potential victims,” Marinho wrote in a blog post published Sunday. “In this case, the campaign objective is to mine cryptocurrencies, but, of course, the vulnerability and exploit can be used for other purposes.”
The post said the currency being mined is known as Monero. On Monday, however, the researcher told Ars he finally gained access to the attackers’ mining pool, which showed the currency was, in fact, AEON.
The exploit used on the machine Marinho examined shut down WebLogic, presumably in an attempt to reduce the load put on the CPUs of the compromised machine. Killing WebLogic makes it easy for victims to know when they have been compromised, but the exploit the researcher reviewed could easily have been modified in later attacks to ensure WebLogic continues to operate normally. The number of coins generated over the past 23 days suggests many operators remain unaware their servers have been hacked.
Researchers from security firm F5 documented a slightly more elaborate campaign in December that, as of December 15, had generated more than $8,500 in Monero. The attack code used in that case exploited servers running outdated versions of the DotNetNuke content management system and the Apache Struts 2 Web application framework.
The latter vulnerability, by the way, was CVE-2017-5638, the same flaw that attackers used to hack Equifax and steal data for as many as 143 million US consumers.
For added effectiveness, the attack also incorporated two exploits developed by the National Security Agency before they were stolen and published in April by a mysterious group known as the Shadow Brokers. Code-named “EternalBlue” and “EternalSynergy,” the NSA-developed Windows exploits allowed infections to spread from infected DotNetNuke or Apache Struts 2 servers to Windows computers inside compromised networks, as long as the Windows machines hadn’t installed a patch Microsoft released in March.
The campaigns documented by Morphus and F5 follow the discovery in October of a surge of sites and malicious apps that covertly mine cryptocurrencies. The devices targeted in those attacks were mostly low-powered phones and consumer computers. By targeting higher-powered servers, the newer campaigns have the potential to generate larger amounts of digital coins. Given the number of unpatched servers and the irrationally sharp increase in currency market capitalizations in recent months, similar campaigns are likely to increase.