Cryptomining malware now targeting older Windows servers
The Monero-mining malware is believed to have been in the wild since May and targets servers running Windows Server 2003 via CVE-2017-7269, a known buffer overflow vulnerability in Microsoft Internet Information Services 6.0. A report in March noted that, remarkably, some 8 million web servers were vulnerable to attack.
ESET spol. s r.o., which first discovered the malware, said in a blog post that over the course of three months, the hackers behind the campaign created a botnet of several hundred infected servers and made over $63,000 worth of Monero.
The malware used to mine Monero is described as a fork of a legitimate open-source Monero central processing unit (CPU) miner. The people behind it made minor changes, including adding their wallet address, mining pool URL and a “few arguments to kill all previously running instances of itself.”
Addressing why hackers have started to focus on mining Monero, the researchers explained that the cryptocurrency has several features that make it more attractive to mine than bitcoin, including “untraceable transactions and a proof of work algorithm called CryptoNight, which favors computer or server CPUs and GPUs [graphics processing units], in contrast to specialized mining hardware needed for bitcoin mining.”
Those who are running Windows Server 2003 with IIS 6.0 are urged to immediately update their servers with the available patch to avoid having their processing power hijacked for Monero mining.
“We see that minimal know-how together with very low operating costs and a low risk of getting caught – in this case, misusing legitimate open-source cryptocurrency mining software and targeting old systems likely to be left unpatched – can be sufficient for securing a relatively high outcome,” they concluded. “Sometimes it takes very little to gain a lot, and this is especially true in today’s world of cybersecurity, where even well-documented, long-known and warned about vulnerabilities are still very effective due to the lack of awareness of many users.”