Cryptojacking attacks have taken over the industry in the past few months. Researchers are even suggesting that nearly 90% of all remote code execution attacks in web applications are cryptojacking attacks. However, most of these attacks remain limited in their complexity with no persistence or evasion techniques. It appears that might change now as criminals have started using the infamous National Security Agency (NSA) exploit known as EternalBlue in their campaigns.
Researchers from Imperva released a report revealing that the security firm has spotted "a new generation of cryptojacking attacks aimed at both database servers and application servers." The firm has dubbed one of these attacks RedisWannaMine.
RedisWannaMine cryptojacking campaign: self-sufficient, persistent and evasive
Explaining how this sophisticated RedisWannaMine cryptojacking campaign works, security researchers wrote that after identifying a target server, the malware exploits CVE-2017-9805, which is an Apache Struts vulnerability that allows attackers to remotely execute code without authentication. Exploiting this flaw, attackers can run a shell command to download cryptocurrency mining malware.
The RedisWannaMine runs a script to masscan (a TCP port scanning tool) for publicly available Windows servers with the vulnerable SMB version (looking for EternalBlue vulnerability). "It does so by creating a large list of IPs, internal and external, and scanning port 445 which is the default listening port of SMB," researchers explained.
Once a vulnerable server is discovered, a process is run to infect it and proceeds to download an executable (admissioninit.exe) from an external location, which contains a well-known crypto miner malware.
Researchers said that this new RedisWannaMine attack targets servers to mine cryptocurrency and "demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their wallets."
As always, you can keep yourself safe by downloading patches of known security vulnerabilities. "The initial attack vector was introduced through a web application vulnerability," Imperva wrote. "A properly patched application or an application protected by a WAF should be safe."
- Technical details of this attack are available here.
