A hacker group has made nearly $75,000 by installing a Monero miner on Linux servers after exploiting a five-year-old vulnerability in the Cacti “Network Weathermap” plugin. Experts from US security firm Trend Micro said they found evidence connecting these attacks to past attacks on Jenkins servers, during which a hacker group made around $3 million installing a Monero miner on Jenkins installations by exploiting the CVE-2017-1000353 vulnerability.
This time around, attackers leveraged CVE-2013-2618, a vulnerability in Cacti, a PHP-based open-source network monitoring and graphing tool, and more specifically in its Network Weathermap plugin, responsible for visualizing network activity. Just like in the previous attacks, hackers exploited the flaw to gain code execution ability on the underlying servers, where they downloaded and installed a customized version of XMRig, a legitimate Monero mining software.
Attackers also modified the local cron jobs to trigger a “watchd0g” Bash script every three minutes, a script that checked to see if the Monero miner was still active and restarted XMRig’s process whenever it was down. Attackers made approximately 320 XMR ($75,000) using this simple mode of operation.
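As an added defensive example (not from the article or the Trend Micro report), a small Python scanner that applies the persistence pattern just described to system-crontab text: it flags jobs that fire every few minutes and launch a script from a world-writable or hidden directory. The crontab lines are constructed, and the directory list and frequency threshold are assumptions.

```python
import re
# Constructed /etc/crontab-style sample (min hour dom mon dow user command). The www-data
# entry mirrors the article: a job every three minutes relaunching a "watchd0g" script.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *   * * *  root     cd / && run-parts --report /etc/cron.hourly
*/3 *  * * *  www-data /tmp/.x/watchd0g.sh >/dev/null 2>&1
0,30 * * * *  root     /var/tmp/update.sh
0 2    * * *  root     /usr/local/bin/backup.sh
"""
# Assumed heuristics: service accounts can write here, and legitimate jobs rarely
# fire more than a few times an hour.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MAX_BENIGN_RUNS_PER_HOUR = 6

def expand_minutes(field):
    """Expand a cron minute field ('*', '*/3', '0,30', '5-15/5') into the minutes it fires on."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        minutes.update(range(lo, hi + 1, step))
    return minutes

def suspicious_entries(crontab_text):
    """Return (line, reasons) for entries that show at least two watchdog-like traits."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if not fields or fields[0].startswith("#") or len(fields) < 7:
            continue  # blank line, comment, or not a complete system-crontab entry
        minute, hour, _, _, _, _, command = fields
        reasons = []
        runs_per_hour = len(expand_minutes(minute)) if hour == "*" else 0
        if runs_per_hour > MAX_BENIGN_RUNS_PER_HOUR:
            reasons.append(f"runs {runs_per_hour}x per hour")
        if command.startswith(WRITABLE_DIRS):
            reasons.append("script in world-writable directory")
        if re.search(r"/\.[^/\s]+/", command):  # e.g. /tmp/.x/
            reasons.append("hidden directory in path")
        if len(reasons) >= 2:
            findings.append((line, reasons))
    return findings
```

The twice-hourly job in /var/tmp shows only one trait and is left alone, so the threshold separates the every-three-minutes watchdog from ordinary scheduled scripts.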
All infected servers were running Linux, and most of the victims were located in Japan (12%), China (10%), Taiwan (10%), and the US (9%). Since Cacti systems are usually designed to run and keep an eye on internal networks, such instances shouldn’t be accessible online to begin with.
Running unpatched systems for almost five years is also a big security slip-up on the part of the owners. Get patchin’, server admins! Read more from bleepingcomputer.com…