Mining cryptocurrencies is a profitable business, but it is also expensive because it needs significant investment in computing power. Crooks are using malicious code that steals computing resources of victims’ machine and the number of attacks aimed to mine cryptocurrencies continues to increase.
Security researchers at security firm ESET have discovered a malware campaign that infected hundreds of Windows web servers with a malicious cryptocurrency miner. According to the experts, the criminal gang behind the attack made more than $63,000 worth of Monero (XMR) in just three months.
Crooks modified a legitimate open source Monero mining code and exploited a known buffer overflow vulnerability (CVE-2017-7269) in Microsoft IIS 6.0 to deploy the miner on unpatched Windows servers.
“One such operation has been going on since at least May 2017, with attackers infecting unpatched Windows webservers with a malicious cryptocurrency miner. The goal: use the servers’ computing power to mine Monero (XMR), one of the newer cryptocurrency alternatives to Bitcoin.” states a report published by ESET.
“To achieve this, attackers modified legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to covertly install the miner on unpatched servers. Over the course of three months, the crooks behind the campaign have created a botnet of several hundred infected servers and made over USD 63,000 worth of Monero.”
The impact of the CVE-2017-7269 vulnerability is significant, according to data provided by the W3Techs, Microsoft’s IIS is currently the third most popular web server solution in the wild (11.4% of all websites). IIS 6.0 accounts for 11.3%, roughly 1.3% of all websites on the Internet. According to BuiltWith, IS 6.0 version is currently used by 2.3% of the entire Internet, over 8.3 million live websites are using IIS 6.0.
The vulnerability doesn’t affect newer versions of Microsoft Internet Information Services.
In order to mitigate the risk of cyber attacks, it is possible to disable the WebDAV service on IIS 6.0 installations.
Crooks are focusing their efforts on Monero cryptocurrency because of its focus on privacy and because it has a good mining profitability, it leverages on the proof-of-work algorithm called CryptoNight, which suits computer or server CPUs and GPU without requiring specific mining hardware.
On May 2017 security experts at Proofpoint discovered that many machines weren’t infected by WannaCry because they were previously infected by the Adylkuzz cryptocurrency mining malware that uses the NSA EternalBlue exploit.to spread and infect machines to involve in a Monero botnet.
In the same month, GuardiCore malware experts discovered a new botnet malware, dubbed BondNet, that at the time infected an estimated 15,000 Windows server computers worldwide for mining Monero.
(Security Affairs – mining, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.