Another day, another Monero cryptomining campaign and this time attackers exploited a security flaw in Oracle Fusion Middleware.
The latest SANS Technology Institute report, published on 7 January, is something of a bombshell for the cryptocurrency industry. It presents the findings of Morphus Labs researcher Renato Marinho, according to which a new, globally active cybercrime campaign is underway that abuses compromised servers to mine the Monero cryptocurrency.
Marinho explains that Monero miners are being deployed on hundreds of computers by exploiting a flaw present in both supported and unsupported versions of Oracle Fusion Middleware. Multiple attackers are involved, and the prime targets are PeopleSoft and WebLogic servers.
The attackers leverage a web application server flaw (CVE-2017-10271) that Oracle says it patched in October 2017. A proof-of-concept exploit for this vulnerability was published by Chinese security expert Lian Zhang in December 2017, and it was probably what the attackers used to launch this campaign: as soon as the proof-of-concept was published, reports of cryptominer installations started pouring in. The reports came from a diverse set of servers, some of which were already compromised, hosted by Athenix, GoDaddy, and Digital Ocean.
The exploit is easy to run because a Bash script automates scanning for potential targets. Reportedly, the vulnerability affects four supported versions of Oracle Fusion Middleware (10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0) along with one unsupported and unpatched version, 10.3.3.0. Marinho notes that the dropper script that downloads the miner in this campaign kills the WebLogic services on the targeted device, which is what alerted some of the victims. The attacks are also reported to have started in December, soon after Zhang’s proof-of-concept was made public.
“Lian’s post may not be the first, but this looks like the exploit that was used in the attack discussed here, and the post appears to have started an increased interest in this flaw,” wrote Ulrich.
Currently, there is no evidence of data loss from the compromised machines, and the exploit’s primary purpose appears to be mining cryptocurrency. According to the analysis of Johannes B. Ulrich, SANS’ Dean of Research, one attacker obtained at least 611 Monero coins, worth approximately $226,000.
Ulrich noted that the scope of this campaign is wide, which means the victims are distributed worldwide as well. However, he does not believe this is a targeted campaign: once the proof-of-concept exploit reached the internet, anyone with basic scripting skills could attack WebLogic/PeopleSoft servers.
The attacker installs a legitimate Monero mining software package, xmrig, on roughly 722 vulnerable PeopleSoft and WebLogic systems, most of which run on public cloud services; more than 140 of them were in the Amazon Web Services public cloud. Smaller numbers of systems sit with other providers, including 30 on Oracle’s public cloud service.
Ulrich advises that victims must patch their servers as part of their incident response rather than merely deleting the miner.