A five-year-old vulnerability was apparently used to infect Linux servers with a crypto mining malware which enabled hackers to mine the privacy-centred cryptocurrency Monero (XMR), having been discovered by US-based cybersecurity company Trend Micro.
Unknowingly Mining Monero
In the tech firm’s report, hackers exploited a vulnerability found in the Network Weathermap plugin for Cacti. The vulnerability is categorised as CVE-2013-2618, and it lets hackers have control of the code execution of the underlying functions. This is how they managed to install a modified version of XMRig- a legitimate, open-source mining software for Monero.
Researchers say that the hackers were able to assure maximum uptime through the vulnerability, by verifying the mining malware every three minutes, in case the system was shut down. To avoid being discovered, the hackers instructed XMRig to run unnoticeably, by limiting the number of CPU resources that would be used for mining.
A patch for the vulnerability has apparently been around for about five years. Some users may still be mining Monero for the hackers even right now without them knowing, even though a quick fix for the problem is available.
“It’s also a classic case of reused vulnerabilities, as it exploits a rather outdated security flaw whose patch has been available for nearly five years,” read Trend Micro’s report.
Plugin Flaw Exploited
The flaw was first discovered five years ago, in April 2013, in the Weathermap plugin. The open-source plugin is utilized by internet exchanges, ISPs, Fortune 500 companies, and telecom network for mapping network activity.
The cryptojacking mainly infected publicly accessible x86-64 Linux servers from all around the world, the most targeted countries being China, India, Japan, the United States, and Taiwan.
The researchers succeeded to identify two Monero wallets that received the illegally- procured funds, and noted that the jacking obtained 320 Monero (roughly $63,000) as of March 21. They also observed that the campaign is linked to one that used JenkinsMiner malware on Windows machineries, and collected XMR worth of at least $3 million.
Users can safeguard their hardware by getting their systems updated with the latest patches. Those that used Cacti’s Network Weathermap plugin just had to protected their data and not leave it on public servers.
“Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments, it also does the same for threat actors,” read the firm’s report.
Among the cryptojacking victims are Tesla, and Starbucks- its Wi-Fi being used to mine by using people’s laptops. A malware campaign also succeeded in hijacking millions of Android devices for mining Monero earlier this year.