Attackers using remote coding execution vulnerabilities to install cryptocurrency miners in vulnerable hosts

Attackers using remote coding execution vulnerabilities to install cryptocurrency miners in vulnerable hosts

Introduction

Kicking off the New year, AusCERT received reports of multiple attacks attempting to run exploits against vulnerable hosts in order to install and operate Cryptocurrency miners in them. Similar attacks have been reported around the globe.

Sighted attacks so far have targeted hosts running Linux operating systems. The miners are dropped as ELF 64-bit files; these are Monero miners to be precise, and are variants of XMRig. [1]

Alienvault released a pulse addressing Monero Miner installation attacks. [2]

In one attack scenario, attackers exploited a Remote Code execution vulnerability in the WLS Security sub-component of the Oracle WebLogic Server (WLS) (CVE-2017-10271), to download and install Monero miner software in the target host.

Weblogic Server versions vulnerable to this attack are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.

This vulnerability was addressed in Oracle CPU [3]. 

Two articles from nsfocusglobal and morihi-soc (translation required) provide some analyses into these attacks. [4,5].

AusCERT performed its own analysis based on reports from multiple members. Indicators derived from that investigation have also been included in the list of indicators provided at the end of this blog.

A new python-based cryptominer botnet has also been recently exposed. It uses a JBOSS vulnerability (CVE-2017-12149) to run remote code exploits against vulnerable Linux hosts to fetch base64 encoded python scripts and execute them.  These scripts in turn connect to remote Command and Control servers to fetch additional python scripts. Interestingly, this botnet appears to be using pastebin resources as C&C servers. [6]

Basic characteristics of an attack

1. Attackers launch a remote code execution exploit targeting one of the following vulnerabilities in the target host:

    a. WebLogic server Remote Code Execution vulnerability. (CVE-2017-10271)
    b. JBoss Remote Code Execution vulnerability (CVE-2017-7504, CVE-2017-12149: used by a new python-based crypto miner)
    c. Apache Struts Jakarta Multipart parser Remote Code Execution vulnerability (CVE-2017-5638)

2. The exploit request includes the payload to fetch the cryptominer from a remote url create a crontab entry to make it run persistently and execute via the local shell depending on the operating system (e.g. cmd.exe for Windows and /bin/bash/ for Linux systems).

3. Additional Shell scripts are fetched from remote servers. These scripts have the function of:

    a. Killing competing processes that consume large CPU loads (>20%)
    b. Kill competing xmrig cryptocurrency mining processes
    c. Create crontab entries and/or rc.local files to ensure the miner is executed at regular intervals or on system reboot
    d. Modify file permissions to allow the miner to be executed by users with any privilege level
    e. Generate log files
     f. Communicate the miner’s execution progress to a remote HQ.
    g. Determine the CPU type and number of CPU cores in a host and then branching to fetch an appropriate miner.

4.  The miner regularly communicates execution progress to a remote mining pool (or hq).

Actual miner files carry different names based on the attack. AusCERT has currently sighted miners as 64-bit ELF files with the following names:
    a. fs-manager
    b. sourplum
    c. kworker
    d. kworker_na

Factors differentiating miners

1. Maximum CPU threshold.
2. Dependence on an external config file. Some miner require an external config file (example, kworker.conf or config.json) to execute correctly. The config file typically contains:
    a. The username and password to access the remote mining pool
    b. URL of the remote mining pool
    c. Mining algorithm used (e.g. Cryptonight)
    d. the “nice” level of the mining process
3. Homing to different HQs or mining pools

Mitigation Recommendations

1. Patch systems against commonly targeted vulnerabilities for this type of attack.

2. Set ACLs and Firewalls to block outbound and inbound access to and from known Bitcoin mining pool IPs (unless your organisational policy allows the use of computing resources for bitcoin mining!).

3. Set IDS/IPS to detect requests and responses to and from payload delivery and network activity URLs.

4. Block resolution of domains known to be C&C and mining pools for cryptocurrency miners (e.g. via DNS firewalls).

5. Check Host files systems for dropped files (representing crypto miners) and corresponding hashes (e.g. using a Host-based IDS like OSSEC).

See Indicators section below for a list of indicators of compromise.

References

1. https://github.com/xmrig/xmrig

2. https://otx.alienvault.com/pulse/5a4e1c4993199b299f90a212/?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed

3. http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html.

4. https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/

5. http://www.morihi-soc.net/?p=910

6. https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar

Indicators

Network-based indicators

Host-based indicators