An old vulnerability, CVE-2013-2618, which allows a script to be injected on the affected computer, has recently been used again against Linux servers that were still unpatched. The script deployed is XMRig, through which the attackers have generated more than $75,000 in Monero (XMR).
What does the CVE-2013-2618 vulnerability do?
This vulnerability lets attackers inject a script into the affected system. In this case the script dropped on the Linux servers is the XMRig cryptominer, a legitimate, open-source miner that, once installed, uses the machine to mine cryptocurrency without the owner being aware of it.
It is not the first time this vulnerability and this miner have been used to mine Monero without the knowledge of those affected. The flaw was already "patched" five years ago to prevent these attacks.
Surprisingly, the Linux servers were not prepared for it. In these attacks a modified version of XMRig called WaterMiner is also commonly used.
This time the threat was detected by the Trend Micro research team, which stated on its blog:
“Through our incident response-related monitoring, we observed intrusion attempts whose indicators we’ve been able to correlate to a previous cryptocurrency-mining campaign that used the JenkinsMiner malware. The difference: this campaign targets Linux servers. It’s also a classic case of reused vulnerabilities, as it exploits a rather outdated security flaw whose patch has been available for nearly five years.”
They state that this campaign is still active and that the affected Linux servers are located mainly in China, Japan, Taiwan, India and the USA.
They also link this attack to the JenkinsMiner malware used against Windows computers, where the attackers mined at least 3 million dollars' worth of Monero (XMR).
As indicated by the Trend Micro team, the campaign's attack chain requires the following:
- A web server running Linux (x86-64), given the custom XMRig Miner 64-bit ELFs.
- The web server must be publicly accessible.
- Cacti (an open-source, web-based network monitoring and graphing tool) must be deployed with the Plugin Architecture enabled and an outdated Network Weathermap plugin (0.97a or earlier).
- The web server hosting Cacti does not require authentication to access the web resource.
- For the full chain to execute, the web server should be running with 'root' (or equivalent) privileges, since some of the commands in the sh script require root.
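The preconditions above double as an audit checklist for anyone running Cacti. The following shell script is an added example, not code from the article or from Trend Micro; it checks two of the listed conditions on a host you administer (an outdated Network Weathermap at 0.97a or earlier, and web server workers running as root) and treats the Cacti install path, the plugin's setup.php layout and the web server process names as assumptions.

```shell
#!/bin/sh
# Added audit helper (not code from the article or Trend Micro): checks on a host
# you administer two preconditions the article lists, a Network Weathermap plugin
# at 0.97a or older and web server workers running as root. Paths are assumptions.
CACTI_DIR="${CACTI_DIR:-/usr/share/cacti}"
# weathermap_vulnerable VERSION: 0 if VERSION is 0.97a or older, 1 if newer,
# 2 if the string is not of the form "major.minor[suffix]".
weathermap_vulnerable() {
    ver="$1"
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}                                      # "0"   from "0.97a"
    rest=${ver#*.}                                        # "97a"
    minor=$(printf '%s\n' "$rest" | sed 's/[^0-9].*$//')  # "97"
    suffix=${rest#"$minor"}                               # "a"
    [ "$major" -gt 0 ] && return 1
    [ "$minor" -lt 97 ] && return 0
    [ "$minor" -gt 97 ] && return 1
    case "$suffix" in
        ""|a) return 0 ;;    # 0.97 and 0.97a: the affected releases
        *)    return 1 ;;    # 0.97b and later
    esac
}
# weathermap_version_from_setup FILE: print the version string declared in the
# plugin's setup.php (assumed to hold a line like  'version' => '0.97a',).
weathermap_version_from_setup() {
    sed -n "s/.*'version'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}
# webserver_workers_as_root: 0 if an httpd/apache2/nginx worker (a process whose
# parent is itself a web server process) runs as root. The master is normally
# root; the workers that actually handle requests should have dropped privileges.
webserver_workers_as_root() {
    ps -eo user=,pid=,ppid=,comm= | awk '
        $4 ~ /^(httpd|apache2|nginx)$/ { user[$2] = $1; parent[$2] = $3 }
        END { for (p in parent) if ((parent[p] in user) && user[p] == "root") found = 1
              exit !found }'
}
audit_host() {
    setup="$1/plugins/weathermap/setup.php"    # assumed plugin location
    if [ -f "$setup" ]; then
        v=$(weathermap_version_from_setup "$setup")
        weathermap_vulnerable "$v" && echo "FINDING: Network Weathermap $v is 0.97a or older"
    fi
    webserver_workers_as_root && echo "FINDING: web server workers run as root"
    return 0
}
audit_host "$CACTI_DIR"
```

Lines beginning with FINDING: are the only output; a host that prints none meets neither of the two checked preconditions, which says nothing about the other items on the list (public exposure, missing authentication).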
Trend Micro is a leading cybersecurity company, founded in the United States and headquartered in Japan. It has over 25 years of experience, more than 5,000 employees and annual revenue of more than 1.1 billion dollars.