The malicious actors who installed and ran a cryptocurrency mining operation on hacked Tesla ASW servers and Jenkins servers is now targeting servers running Linux and has so far generated more than $74,000 in Monero.
The new campaign uses the legitimate, open-source XMRig cryptominer in conjunction with exploiting the old vulnerability CVE-2013-2618, which is found in Cacti's Network Weathermap plug-in, according to a Trend Micro Cyber Safety Solutions Team report. The vulnerability is a cross-site scripting vulnerability in editor.php in Network Weathermap before 0.97b and allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
This active campaign is hitting targets primarily in active campaign, primarily affecting Japan, Taiwan, China, the U.S., and India.
“As to why they're exploiting an old security flaw: Network Weathermap only has two publicly reported vulnerabilities so far, both from June 2014. It's possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool” the team wrote.
Trend Micro was able to trace the activity back to two usernames associated with two Monero wallets where $74,677 has been deposited as of March 21. However, Trend's team noted that the people behind this campaign have made in excess of $3 million when the Tesla hack and Jenkins server vulnerability exploitation are included. In each of these cases XMRig was also used.
The attackers do need to look for targets with a very specific set up in order to be successful.
This includes having a web server running Linux (x86-64) and the server has to be publicly accessible. The Cacti plug-in has to be present and implemented with the Plugin Architecture working and an outdated Network Weathermap (0.97a and prior), the web server should not require authentication and finally the web server should be running with root permissions.
The Trend researchers could understand why the first two issues might be present, but “why would one want to share network data publicly (Cacti)? Is the web server really being run as root?”
They theorized that the server operator might have this set up in place in order might make it easier to monitor the servers, through say a basic browser bookmark, but it also makes it easier for any threat actors to find and gain access.
Because turning a Linux server into a mining operation does require that an older vulnerability be left unpatched the best way to protect against such an attack is to keep systems updated with the latest patches, Trend suggested.