Cryptominers exploiting a WebLogic vulnerability that Oracle patched in 2017 have caused a spike in malicious traffic targeting port 7001.
Trend Micro researchers noticed a large uptick in the number of devices scanning the internet for port 7001/TCP from April 27 to May 9, which the company attributed to increased activity from cybercriminals exploiting CVE-2017-10271 to run cryptominers.
Between April 8 and April 26, researchers spotted only 155 events, but that number surged to 2,640 events over the next couple of weeks, from attackers whose IP addresses were mostly based in Russia and China.
The vulnerability allows remote attackers to execute arbitrary code on unpatched servers and was patched back in October 2017. The uptick in exploitation marks the second time this year that attackers have used the vulnerability to launch cryptominers.
Hackers exploited the vulnerability in February 2018 to deliver 64-bit and 32-bit variants of an XMRig Monero miner.
In that campaign, threat actors used the remote code execution provided by CVE-2017-10271 to deliver both a 64-bit and a 32-bit variant of the XMRig miner; both malicious payloads were capable of starting automatically and daily, giving them more chances to infect more machines.
Once the server is successfully exploited and the Bourne shell script logo8.sh is injected, the malware secures its assets by killing other possible unrecognized mining activities, downloads and executes cryptomining executables and configurations, removes dropped files after execution to cover the attacker's tracks, and maintains persistence by installing scheduled "cron jobs," researchers said.
To prevent infections, users should regularly update their devices and change their devices' default credentials, and IT professionals should use application whitelisting and other security features to help detect suspicious activity and prevent malicious programs from running or installing.
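The scanning surge described above (155 events in the baseline period versus 2,640 in the following two weeks) is the kind of signal a defender can check for in their own perimeter logs. The following is an added example, not code from the article or from Trend Micro: it counts inbound 7001/TCP connection attempts in a baseline period and an observation window, compares the per-day rates, and reports the top sources. The log format and the sample entries (RFC 5737 test addresses) are constructed for the example.

```python
# Added example (not from the article): flag a surge in inbound 7001/TCP
# (WebLogic) connection attempts relative to a baseline period.
from collections import Counter
from datetime import datetime

WEBLOGIC_PORT = 7001  # port probed during the CVE-2017-10271 scanning wave

# Constructed sample log in a hypothetical "timestamp src dst dport proto" format.
SAMPLE_LOG = """\
2018-04-10T02:11:05Z 198.51.100.7 10.0.0.5 7001 tcp
2018-04-15T09:30:41Z 203.0.113.9 10.0.0.5 7001 tcp
2018-04-20T17:02:13Z 198.51.100.7 10.0.0.6 443 tcp
2018-04-22T23:45:00Z 192.0.2.44 10.0.0.5 7001 tcp
2018-04-28T01:05:10Z 192.0.2.44 10.0.0.5 7001 tcp
2018-04-29T04:12:33Z 192.0.2.44 10.0.0.6 7001 tcp
2018-05-01T11:00:00Z 198.51.100.7 10.0.0.5 7001 tcp
2018-05-03T12:30:00Z 192.0.2.44 10.0.0.5 7001 tcp
2018-05-05T13:00:00Z 203.0.113.9 10.0.0.7 7001 tcp
2018-05-07T14:00:00Z 192.0.2.44 10.0.0.5 7001 tcp
2018-05-09T16:00:00Z 198.51.100.7 10.0.0.5 7001 tcp
"""

def parse_log(text):
    """Yield (timestamp, src, dport, proto); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, _dst, dport, proto = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, int(dport), proto.lower()

def count_port_hits(records, start, end, port=WEBLOGIC_PORT):
    """Count TCP hits on `port` with start <= timestamp < end, tallying sources."""
    total, sources = 0, Counter()
    for ts, src, dport, proto in records:
        if dport == port and proto == "tcp" and start <= ts < end:
            total += 1
            sources[src] += 1
    return total, sources

def check_surge(log_text, baseline, window, threshold=3.0):
    """baseline/window are (start, end) ISO dates, end exclusive.
    Returns (alert, ratio of per-day rates, top sources in the window)."""
    records = list(parse_log(log_text))
    b0, b1, w0, w1 = (datetime.strptime(d, "%Y-%m-%d") for d in baseline + window)
    b_hits, _ = count_port_hits(records, b0, b1)
    w_hits, sources = count_port_hits(records, w0, w1)
    b_rate, w_rate = b_hits / (b1 - b0).days, w_hits / (w1 - w0).days
    if b_rate == 0:
        ratio = float("inf") if w_rate else 0.0  # hits appearing from nothing
    else:
        ratio = w_rate / b_rate
    return ratio >= threshold, ratio, sources.most_common(3)
```

Running `check_surge(SAMPLE_LOG, ("2018-04-08", "2018-04-27"), ("2018-04-27", "2018-05-10"))` mirrors the article's two periods and trips the alert on the sample data; the source tally is what you would then feed into blocking or enrichment.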