A security vulnerability that is nearly five years old has become a favourite tool of attackers, who are using it to infect Linux servers with cryptocurrency-mining malware. The flaw exploited in this cryptojacking campaign is tracked as CVE-2013-2618. The miner is a modified build of XMRig, a legitimate, open-source Monero miner.
CVE-2013-2618 is a cross-site scripting flaw, disclosed in April 2013, in the editor.php component of Cacti's Network Weathermap plug-in (version 0.97a and earlier). Cacti is an open-source tool that network administrators use to graph and visually evaluate network activity. The new malicious use of the vulnerability was identified by Trend Micro researchers, who report that the campaign is still active.
The campaign targets publicly accessible x86-64 Linux web servers. It is not limited to any single region: web servers across the globe are being hit, with Japan, China, Taiwan and the US identified as the top targets.
A patch for this vulnerability has been available for about five years, yet attackers can still use the flaw to mine cryptocurrency. It is striking that so many exposed installations remain unpatched despite the fix having been available for that long.
The attack starts with an HTTP request to the vulnerable plug-in on the web server; the vulnerability lets the attacker modify files on the server so that a script is fetched and executed, installing the miner. The attacker also schedules the same download to repeat every three minutes, so the miner is restarted if someone kills the process or reboots the system.
The modified XMRig is configured to mine discreetly so the attackers evade detection. XMRig's own command-line option for capping maximum CPU usage makes this easy: lowering the percentage reduces the load that would otherwise make the miner conspicuous to an administrator watching the system.
The researchers have also identified the wallets the miners pay into. One of the attackers received 320 Monero (roughly $75,000 at the time), according to Trend Micro, and the researchers note that this is likely only a small proportion of what the attackers are actually making through the campaign; the article puts the total mined at an estimated $3 million in cryptocurrency.
To keep a server from being turned into a cryptomining host, keep it patched. Those who run Cacti's Network Weathermap plug-in should also keep Cacti and the data it collects internal to the environment rather than exposing them on public-facing servers. In the company's official blog post, Trend Micro researchers noted:
“Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments, it also does the same for threat actors.”