Cryptojacking attacks have dominated the industry's attention over the past couple of months. Researchers are even suggesting that nearly 90% of remote code execution attacks on web applications are cryptojacking attacks. However, the majority of these attacks remain limited in their complexity, with no persistence or evasion techniques. That may be changing now that criminals have started using the infamous National Security Agency (NSA) exploit known as EternalBlue in their campaigns.
Researchers from Imperva released a study revealing that the security firm has spotted "a completely new generation of cryptojacking attacks directed at both database servers and application servers." The firm has dubbed one example of these attacks RedisWannaMine.
RedisWannaMine cryptojacking campaign: self-sufficient, persistent and evasive
Explaining how this sophisticated RedisWannaMine cryptojacking campaign works, security researchers wrote that after identifying a target server, the malware exploits CVE-2017-9805, an Apache Struts vulnerability that allows attackers to remotely execute code without authentication. Exploiting this flaw, attackers can run a shell command to download cryptocurrency mining malware.
RedisWannaMine then runs a script that uses masscan (a TCP port scanning tool) to look for publicly exposed Windows servers running a vulnerable SMB version (i.e., servers susceptible to EternalBlue). "It does so by building a large list of IPs, internal and external, and scanning port 445, the default listening port of SMB," researchers explained.
Once a vulnerable server is discovered, a process runs to infect it and proceeds to download an executable (admissioninit.exe) from a remote location, which contains a well-known crypto miner.
Researchers stated that this new RedisWannaMine attack targets servers to mine cryptocurrency and "demonstrates a worm-like behavior mixed with advanced exploits to enhance the attackers' infection rate and fatten their wallets."
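The scanning stage described above leaves a distinctive footprint on the network: one host suddenly opening TCP/445 connections to many distinct addresses in a short time. The following Python, an added example rather than Imperva's or the malware's code, flags that kind of SMB fan-out in a constructed connection log (the log format, thresholds and window are hypothetical):

```python
"""Flag masscan-style SMB sweeps: a source contacting many distinct hosts on
TCP/445 within a short window.  Added example; the log format is hypothetical."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, hypothetical "timestamp src dst dport" format: 10.0.0.5 fans
# out to eight SMB hosts in ten seconds (sweep); 10.0.0.7 repeatedly talks to one
# file server (normal); 10.0.0.9 touches three hosts slowly; one line is not SMB.
SAMPLE_LOG = "\n".join(
    [f"2018-03-05T10:00:{i:02d} 10.0.0.5 10.0.1.{10 + i} 445" for i in range(8)]
    + ["2018-03-05T10:00:03 10.0.0.7 10.0.1.20 445"] * 12
    + [f"2018-03-05T10:0{m}:00 10.0.0.9 10.0.2.{m} 445" for m in range(1, 4)]
    + ["2018-03-05T10:00:05 10.0.0.5 10.0.1.99 80"]
)

def parse(log):
    """Yield (ts, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def smb_fanout(log, window=timedelta(seconds=60)):
    """Per source, the most distinct TCP/445 destinations seen inside any window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == 445:
            by_src[src].append((ts, dst))
    result = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so a sliding window works
        seen, left, best = Counter(), 0, 0
        for ts, dst in events:
            seen[dst] += 1
            while ts - events[left][0] > window:  # expire events older than the window
                seen[events[left][1]] -= 1
                left += 1
            best = max(best, sum(1 for n in seen.values() if n > 0))
        result[src] = best
    return result

def flag_sweepers(log, threshold=5, window=timedelta(seconds=60)):
    """Sources whose SMB fan-out reaches the threshold: candidate scanners."""
    return sorted(s for s, n in smb_fanout(log, window).items() if n >= threshold)

if __name__ == "__main__":
    print(flag_sweepers(SAMPLE_LOG))  # ['10.0.0.5']
```

The threshold and window should be tuned to the environment; a legitimate host that repeatedly reaches a single file server is not flagged because only distinct destinations count.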
As always, you can keep yourself safe by applying patches for known security vulnerabilities. "The first attack vector was introduced via a web application vulnerability," Imperva wrote. "A correctly patched application, as well as an application protected by a WAF, must be safe."
Technical details of this attack can be found here.