XMRig Miner Now Targeting Oracle WebLogic and Jenkins Servers to Mine Monero
- by nlqip
Last week, a malware campaign targeting Jenkins automation servers was reported by CheckPoint researchers [1]. The attackers exploited a deserialization vulnerability [2] in Jenkins' bidirectional channel (CVE-2017-1000353) [3] to deploy Monero cryptomining malware that generated an estimated profit of $3 million.
Following this disclosure, F5 researchers observed what appears to be the same threat actor group, as they are using the same drop zone server (222.184.79.11), targeting Windows-based Oracle WebLogic servers that are vulnerable to CVE-2017-10271 [4]. This vulnerability was first reported in October 2017. At the time, it was found that the Oracle WebLogic WLS Security Component was vulnerable to remote code execution. Since then, this vulnerability has been used in numerous campaigns to install cryptocurrency mining malware on both Windows- and Linux-based servers.
This vulnerability occurs due to deserialization of untrusted data in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic. An unauthenticated attacker can exploit this vulnerability by sending a malicious serialized object in the form of XML to a vulnerable endpoint. This object is then deserialized by the Java XMLDecoder as part of the code flow in the vulnerable web service, which results in arbitrary code execution.
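The mechanism above gives defenders a concrete detection handle: a legitimate WS-AT call to the CoordinatorPortType service is plain SOAP, so a request body that carries a java.beans.XMLDecoder document with an instantiation element is the signature of an exploitation attempt. The following is an added example, not code from the article or from F5; it assumes the endpoint is served at /wls-wsat/CoordinatorPortType (the known WebLogic path, not spelled out on the page), represents requests as simple dicts, and uses constructed sample bodies with the command content elided.

```python
import re
from typing import Dict, List

# Markers of an XMLDecoder document arriving where only a SOAP WS-AT message is
# expected. These are the same indicators public IDS rules for CVE-2017-10271 key on.
XMLDECODER_ROOT = re.compile(r"<java\b[^>]*class\s*=\s*['\"]java\.beans\.XMLDecoder['\"]", re.I)
XMLDECODER_INSTANTIATION = re.compile(r"<(?:void|object)\b[^>]*class\s*=\s*['\"][\w.$]+['\"]", re.I)
TARGET_PATH = "/wls-wsat/CoordinatorPortType"  # assumed endpoint path for the service


def classify_request(req: Dict[str, str]) -> str:
    """Return 'exploit-attempt', 'suspicious' or 'benign' for one HTTP request.

    req is a dict with 'method', 'path' and 'body' keys (shape assumed here).
    Only POSTs to the coordinator endpoint are examined: an XMLDecoder root
    plus an instantiation element is the pattern the vulnerable code flow
    would deserialize and execute.
    """
    if req.get("method", "").upper() != "POST":
        return "benign"
    if not req.get("path", "").startswith(TARGET_PATH):
        return "benign"
    body = req.get("body", "")
    has_root = bool(XMLDECODER_ROOT.search(body))
    has_instantiation = bool(XMLDECODER_INSTANTIATION.search(body))
    if has_root and has_instantiation:
        return "exploit-attempt"
    if has_root or has_instantiation:
        return "suspicious"  # partial match: worth a look, e.g. an obfuscated variant
    return "benign"


def triage(requests: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally verdicts over a batch of requests, e.g. one reverse-proxy log window."""
    counts = {"exploit-attempt": 0, "suspicious": 0, "benign": 0}
    for r in requests:
        counts[classify_request(r)] += 1
    return counts


# Constructed samples, not captured traffic: a console page load, a normal
# WS-AT Prepare call, and a body reduced to the deserialization markers only.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/console/login/LoginForm.jsp", "body": ""},
    {"method": "POST", "path": TARGET_PATH,
     "body": '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Body><wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/>'
             '</soapenv:Body></soapenv:Envelope>'},
    {"method": "POST", "path": TARGET_PATH,
     "body": '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Header><java version="1.8.0" class="java.beans.XMLDecoder">'
             '<void class="java.lang.ProcessBuilder">[elided]</void></java></soapenv:Header>'
             '<soapenv:Body/></soapenv:Envelope>'},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["method"], r["path"], "->", classify_request(r))
    print(triage(SAMPLE_REQUESTS))
```

Matching on request bodies is a stopgap for hunting and alerting; the durable fix remains Oracle's patch for CVE-2017-10271 and restricting who can reach the WS-AT endpoints at all.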
Once the server is successfully exploited, the attacker installs XMRig malware, which has remote access trojan (RAT) capabilities and mines Monero cryptocurrency using the web server’s CPU power. This is the same PowerShell payload that was published in the Jenkins campaign, with a slight change in the invocation process.