The hackers who installed and ran a cryptocurrency mining operation on hacked Tesla ASW servers and Jenkins servers is now targeting servers running Linux and has so far generated more than $74,000 in Monero.
The new campaign uses the legitimate, open-source XMRig cryptominer in conjunction with exploiting the old vulnerability CVE-2013-2618, which is found in Cacti’s Network Weathermap plug-in, according to an information security training researcher team report. The vulnerability is a cross-site scripting vulnerability in editor.php in Network Weathermap before 0.97b and allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
This active campaign is hitting primarily Japan, Taiwan, China, the U.S., and India.
“As to why they’re exploiting an old security flaw: Network Weathermap only has two publicly reported vulnerabilities so far, both from June 2014. It’s possible these attackers are taking advantage not only of a security flaw for which can exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool” the information security training researcher team wrote.
The team was able to trace the activity back to two usernames associated with two Monero wallets where $74,677 has been deposited as of March 21. However, the researchers team noted that the people behind this campaign have made in excess of $3 million when the Tesla hacks and Jenkins server vulnerability exploitation are included. In each of these cases XMRig was also used.
The attackers do need to look for targets with a very specific set up in order to be successful.
This includes having a web server running Linux (x86-64) and the server has to be publicly accessible. The Cacti plug-in has to be present and implemented with the Plugin Architecture working and an outdated Network Weathermap (0.97a and prior), the web server should not require authentication and finally the web server should be running with root permissions.
Because turning a Linux server into a mining operation does require that an older vulnerability be left unpatched the best way to protect against such an attack is to keep systems updated with the latest patches, the information security trainingprofessionals suggested.