In a Wednesday blog post, researchers from Intezer said the worm spreads across the network to run XMRig Miner – a monero cryptocurrency miner – on a large scale. The malware then targets both Windows and Linux servers and can easily maneuver from one platform to the other. It targets public-facing services such as MySQL, Tomcat admin panel and Jenkins that have weak passwords. In an older version, the worm has also attempted to exploit WebLogic’s latest vulnerability: CVE-2020-14882.
During their analysis, the researchers found that the attacker kept updating the worm on the command and control server, which indicates that it’s active and might be targeting additional weak configured services in future updates.
The attack uses three files: a dropper script (bash or powershell), a Golang binary worm, and an XMRig Miner—all of which are hosted on the same command and control server.
Security teams have been advised to use complex passwords, limit login attempts and use two-factor authentication. Intezer also says to minimize the use of public- facing services and keep software updated with the latest security patches. Finally, they recommend using a cloud workload protection platform to gain full runtime visibility over the code in the company’s system and for getting alerted on any malicious or unauthorized code.
Dirk Schrader, global vice president at New Net Technologies, said that miners on servers are often viewed as a nuisance, something that security pros have to manage. However, for the attackers, especially in this case, Schrader said the potential number of systems is staggering: According to Shodan, there are 5.5 million MySQL, Tomcat, Jenkins, and WebLogic devices connected to the internet.
“It’s simple math, if only 0.1 percent of the systems are prone to the attack, there’s plenty of server power to use for mining and money generation, later to be used for other nefarious work by the cyber criminals,” Schrader said. “Protection against that kind of attack is done in the same way as with other types of attacks. Organizations should monitor their systems for vulnerabilities to patch them in time, control any changes happening to a server like a file being dropped and have a strong password policy in place.”
Chad Anderson, senior security researcher at DomainTools, said this new worm uses well-known exploits and password-spraying techniques to find new hosts to spread and infect. Anderson said as long as security teams are keeping their machines up-to-date, using good authentication practices, and limiting public exposure of their infrastructure this should not pose a huge threat.
"While it’s certainly alarming that there were no detections for this worm's initial sample, that's not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space," said Anderson, adding that Golang has been on the rise for malware this last year, which he expects will continue. "We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware."