Cryptocurrency is, most definitely, one of the most valuable currencies of the century. For example, Bitcoin, the most popular cryptocurrency, is currently worth almost $10,000! Because of the immense price per Bitcoin, hackers constantly try to obtain more of it, and cryptojacking is one way they make money doing so.
Any cryptocurrency has to be mined, and mining requires intensive calculations that processors are well suited to perform. For example, the maximum possible number of Bitcoin is 21 million, and for all of them to enter the system, all of them must be mined. There are other cryptocurrencies as well. Recently, security researchers spotted two cryptojacking campaigns that target Windows Server, Apache Solr, and Redis servers.
Both campaigns were found to be very active this week. One, detected by Imperva, targets Windows Servers and Redis servers. The other, detected by the ISC SANS team, targets Apache Solr.
The more active of the two is “RedisWannaMine”, as named by Imperva. This campaign is running aggressively: it looks for outdated Redis servers that haven’t been properly patched. The other campaign, targeting Apache Solr, likewise relies on outdated server software that is missing the security patch for specific vulnerabilities.
The vulnerable servers
According to the researchers, “RedisWannaMine” uses an exploit (CVE-2017-9805) against outdated Redis servers. Once the attackers compromise a Redis server, “RedisWannaMine” is loaded onto the system. The injected malware then installs secondary mining software that starts mining cryptocurrency. The campaign also shows the signature of a self-propagating worm: the attacker uses the infected server as a base for scanning for and infecting further servers.
RedisWannaMine targets not only Redis servers but also Windows Servers with exposed SMB ports. To infect Windows Servers, the worm uses the infamous NSA exploit EternalBlue. In those cases too, it drops a cryptocurrency miner onto the system, which confirms that the primary goal of this campaign is to mine cryptocurrency at a massive scale.
The second campaign uses an Apache Solr vulnerability (CVE-2017-12629). Servers that haven’t been patched for this flaw are at risk of infection by this campaign (which is separate from RedisWannaMine). Like the first, it is focused on mining cryptocurrency.
ISC SANS researchers didn’t observe any self-propagating behavior in this one. They did, however, estimate the number of affected servers at around 1,777, with infections occurring between February 28 and March 8.
This isn’t the first time we’ve seen cryptojacking of this kind. Earlier, in February this year, a similar attack earned about $1 million by infecting OrientDB and Redis servers with mining tools.
How to stay secure
For servers, the only solution is to upgrade the server software to the latest version and install all available patches. Patching Redis and Windows Servers is fairly simple, but Apache Solr is the critical one: make sure you have a backup of all files, as Solr installations tend to break when patches are installed.
You may also want to secure your browsers against cryptojacking.