ESET, a leading global cyber security company, has discovered a new threat whereby attackers infected vulnerable Windows web servers with a malicious cryptocurrency miner in order to mine Monero – a newer cryptocurrency alternative to Bitcoin. Microsoft has released a patch for the vulnerability being exploited, but many servers remain unpatched to this day.
To achieve this, cyber-criminals modified legitimate, open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to covertly install the miner on unpatched servers. When creating the malicious mining software, the criminals did not apply any changes to the original open source codebase, apart from adding hardcoded command line arguments of the attacker’s wallet address and the mining pool URL. This, ESET states, could have taken the cyber-criminals just minutes to complete.
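A defender-side check for what is described above, added here as an example and not code from ESET or from the miner: it scans constructed process telemetry for the hardcoded mining-pool URL and Monero wallet address such a miner carries on its command line, and treats the IIS worker process w3wp.exe as parent as a further signal. The pool host, the wallet string and the parent-process heuristic are assumptions, not indicators from the report.

```python
import re

# Constructed endpoint telemetry: (process name, parent process name, command line).
# Pool host and wallet are placeholders, not indicators from the ESET report.
SAMPLE_PROCESSES = [
    ("w3wp.exe", "svchost.exe", r"c:\windows\system32\inetsrv\w3wp.exe -a IIS6"),
    ("svchost.exe", "services.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("notepad.exe", "explorer.exe", r"C:\Windows\notepad.exe C:\inetpub\wwwroot\readme.txt"),
    ("lsass.exe", "w3wp.exe",
     r"C:\Windows\Temp\lsass.exe -o stratum+tcp://pool.example.invalid:3333"
     " -u 4" + "A" * 94 + " -p x"),
]

# Stratum is the protocol pool miners use to talk to a mining pool.
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.IGNORECASE)
# A standard Monero address is 95 base58 characters starting with '4';
# subaddresses have the same length and start with '8'.
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")


def miner_indicators(name, parent, cmdline):
    """Return the reasons a process looks like a pool miner (empty list if none)."""
    reasons = []
    if STRATUM_URL.search(cmdline):
        reasons.append("stratum pool URL on command line")
    if MONERO_ADDR.search(cmdline):
        reasons.append("Monero wallet address on command line")
    # A miner dropped through an IIS exploit is started by the IIS worker process
    # itself, so that parent strengthens an existing hit (assumed heuristic).
    if reasons and parent.lower() == "w3wp.exe":
        reasons.append("spawned by IIS worker process w3wp.exe")
    return reasons


def find_miners(processes):
    """Return [(process name, reasons)] for every process with at least one indicator."""
    hits = []
    for name, parent, cmdline in processes:
        reasons = miner_indicators(name, parent, cmdline)
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_miners(SAMPLE_PROCESSES):
        print(f"{name}: {'; '.join(reasons)}")
```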
Malware experts at ESET have reason to believe this operation has been happening since May 2017. During this time, the cyber-criminals behind the campaign have created a botnet of hundreds of infected machines and made over $63,000 worth of Monero.
“While far behind Bitcoin in market capitalization, there are a number of reasons why attackers are mining for Monero,” said Peter Kálnai, ESET Malware Researcher. “Features such as untraceable transactions and a proof of work algorithm called CryptoNight, which favours computer or server central processing units, make the cryptocurrency an attractive alternative for cybercriminals. Bitcoin mining, in comparison, requires specialised mining hardware.”
This type of malicious activity is an example of how minimal skill and low operating costs can be enough to produce a significant outcome. In this case, it was the misuse of legitimate open-source cryptocurrency mining software combined with the targeting of old systems likely to be left unpatched.
In July 2015, Microsoft ended its regular update support for Windows Server 2003 and did not release a patch for this vulnerability until June of this year, when several critical vulnerabilities for its older systems were discovered by malware authors.
Despite the end-of-life status of the system, Microsoft did patch these critical vulnerabilities in order to avoid large-scale attacks such as WannaCry occurring once again. However, it has been well documented that automatic updates do not always work smoothly, and this could impact the ability to keep Windows Server 2003 up to date.
“As a significant number of systems are still vulnerable, users of Windows Server 2003 are strongly advised to apply the security update, KB3197835, and other critical patches as soon as possible,” said Michal Poslušný, ESET Malware Analyst. “If automatic updates fail, we encourage users to download and install the security update manually to avoid falling victim to malicious attacks.”