XMRig Miner Now Targeting Oracle WebLogic and Jenkins Servers to Mine Monero
- by nlqip
Last week, a malware campaign targeting Jenkins automation servers was reported by Check Point researchers [1]. The attackers exploited a deserialization vulnerability [2] in Jenkins' bidirectional channel (CVE-2017-1000353) [3] to deploy Monero cryptomining malware that generated an estimated profit of $3 million.
Following this disclosure, F5 researchers observed what appears to be the same threat actor group, as they are using the same drop zone server (222.184.79.11), targeting Windows-based Oracle WebLogic servers that are vulnerable to CVE-2017-10271 [4]. This vulnerability was first reported in October 2017. At the time, it was found that the Oracle WebLogic WLS Security Component was vulnerable to remote code execution. Since then, this vulnerability has been used in numerous campaigns to install cryptocurrency mining malware on both Windows- and Linux-based servers.
This vulnerability occurs due to deserialization of untrusted data in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic. An unauthenticated attacker can exploit this vulnerability by sending a malicious serialized object in the form of XML to a vulnerable endpoint. This object is then deserialized by the Java XMLDecoder as part of the code flow in the vulnerable web service, which results in arbitrary code execution.
Once the server is successfully exploited, the attacker installs XMRig malware, which has remote access trojan (RAT) capabilities and mines Monero cryptocurrency using the web server’s CPU power. This is the same PowerShell payload that was published in the Jenkins campaign, with a slight change in the invocation process.
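The following is an added detection example, not code from the F5 or Check Point reports: it flags POST requests to the CoordinatorPortType service whose body carries java.beans.XMLDecoder markup (which a legitimate WS-AtomicTransaction SOAP message never contains) and matches the drop zone IP named above in outbound connection logs. The `/wls-wsat/` path prefix, the sample requests and the placeholder method name are assumptions constructed for the example.

```python
"""Detection helpers for CVE-2017-10271 exploitation attempts against WebLogic."""
import re
from dataclasses import dataclass, field

# Assumed URL prefix for the WLS-WSAT CoordinatorPortType service; confirm
# against your own deployment before relying on it.
WSAT_PATH_RE = re.compile(r"/wls-wsat/", re.IGNORECASE)

# Markup that only appears in java.beans.XMLDecoder serialized object graphs,
# never in a normal WS-AT SOAP exchange.
XMLDECODER_MARKERS = (
    re.compile(r"<java\b", re.IGNORECASE),
    re.compile(r"java\.beans\.XMLDecoder", re.IGNORECASE),
    re.compile(r"<void\s+(method|class|index|property)=", re.IGNORECASE),
    re.compile(r"<object\s+class=", re.IGNORECASE),
)

# Drop zone server reported for both the Jenkins and WebLogic campaigns.
DROP_ZONE_IPS = {"222.184.79.11"}

# Constructed sample bodies (not captured traffic).
BENIGN_SOAP = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/>'
    "</soapenv:Body></soapenv:Envelope>"
)
SUSPECT_SOAP = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><java class="java.beans.XMLDecoder"><void method="PLACEHOLDER"/></java>'
    "</soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_request(method: str, path: str, body: str) -> Verdict:
    """Flag a POST to the WLS-WSAT service whose body contains XMLDecoder markup."""
    reasons = []
    if method.upper() == "POST" and WSAT_PATH_RE.search(path):
        hits = [m.pattern for m in XMLDECODER_MARKERS if m.search(body)]
        if hits:
            reasons.append("XMLDecoder markup sent to WLS-WSAT endpoint: " + ", ".join(hits))
    return Verdict(bool(reasons), reasons)


def inspect_connection(dst_ip: str) -> bool:
    """True if an outbound connection targets the reported drop zone server."""
    return dst_ip in DROP_ZONE_IPS
```

Run the two functions over your access and egress logs; a hit from `inspect_request` should trigger an immediate review of the host for the PowerShell dropper and XMRig process described above.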