October 2, 2017 By Larry Loeb 2 min read

Security firm ESET has sounded the alarm about a malware threat that has been very profitable for threat actors since around May 2017: mining cryptocurrency.

Exploiting Vulnerable Servers

According to We Live Security, a legitimate open source Monero central processing unit (CPU) miner called xmrig was released in May. Threat actors then copied the code and made very few changes to develop the malware. They added some hardcoded command-line arguments representing the attacker’s wallet address as well as the mining pool URL. The fraudsters also shut down any other xmrig that may have been running to eliminate competition for CPU resources.

The threat actors then scanned the web for unpatched servers vulnerable to CVE-2017-7269. This vulnerability enables attackers to cause a buffer overflow in the WebDAV service that is part of Microsoft IIS version 6.0, the web server in Windows Server 2003 R2.

Microsoft ceased supporting IIS 6.0 in 2015, but an update designed to stop WannaCry outbreaks was made available in June 2017 for older systems. However, it is impossible to ensure that all users will patch the vulnerable servers, because the automatic update mechanism may not always work smoothly.

The payload in the malware is an alphanumeric string that simply replaces the one that came with xmrig. This string executes the miner rather than the calculator that is launched in the legitimate version.
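As an added defensive illustration (my own code, not from ESET or this article), the following Python flags the two indicators the article attributes to the miner, a mining-pool URL and a Monero wallet address, in either a process command-line listing or a strings dump of a suspect binary, since the malicious copy hardcodes those values instead of passing them on the command line. The xmrig option names are assumed from the stock tool; the sample process listing, the placeholder wallet and the pool hostname are constructed.

```python
import re

# Indicators the article describes for the xmrig-derived miner: a mining-pool URL
# and a Monero wallet address, passed on the command line in stock xmrig and
# hardcoded into the binary in the malicious copy (so a strings dump is also scanned).
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d{2,5}", re.I)
# Standard Monero address: 95 base58 characters starting with '4' (base58 has no 0, O, I, l).
B58 = "1-9A-HJ-NP-Za-km-z"
XMR_ADDRESS = re.compile(rf"(?<![{B58}])4[{B58}]{{94}}(?![{B58}])")
# Stock xmrig option names (-o/--url pool, -u/--user wallet); absent when values are hardcoded.
XMRIG_FLAGS = re.compile(r"(?:^|\s)(?:-o|--url|-u|--user|--donate-level)(?:[\s=]|$)")

def scan_text(text: str) -> dict:
    """Miner indicators found in one command line or one strings dump."""
    return {
        "pool_urls": POOL_URL.findall(text),
        "wallets": XMR_ADDRESS.findall(text),
        "xmrig_flags": bool(XMRIG_FLAGS.search(text)),
    }

def is_suspicious(hits: dict) -> bool:
    # A pool URL or a wallet is a strong signal on a web server; flags alone are weak.
    return bool(hits["pool_urls"] or hits["wallets"])

def find_miners(cmdlines: dict, strings_by_pid: dict) -> list:
    """PIDs whose command line or on-disk strings carry miner indicators."""
    found = []
    for pid, cmd in cmdlines.items():
        hits = scan_text(cmd + "\n" + strings_by_pid.get(pid, ""))
        if is_suspicious(hits):
            found.append((pid, hits))
    return found

# Constructed samples, not real indicators: a "wmic process get ProcessId,CommandLine"
# style listing plus a strings(1)-style dump for the process with hardcoded values.
FAKE_WALLET = "4" + "A" * 94  # placeholder in Monero address format, not a real wallet
SAMPLE_CMDLINES = {
    1234: r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    2345: "C:\\tmp\\xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u " + FAKE_WALLET + " -p x",
    3456: r"C:\Inetpub\wwwroot\svc.exe",  # malicious copy: nothing revealing on the command line
}
SAMPLE_STRINGS = {3456: "!This program cannot be run in DOS mode.\nstratum+tcp://pool.example.invalid:5555\n" + FAKE_WALLET}

if __name__ == "__main__":
    for pid, hits in find_miners(SAMPLE_CMDLINES, SAMPLE_STRINGS):
        print(pid, hits)
```

On a live host the strings input would come from the on-disk image of each running process, which is the only place the hardcoded variant exposes its pool and wallet.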

Attacks Coming in Waves

As noted by SecurityWeek, attacks on these servers seem to come in waves, possibly indicating that the threat actors are regularly scanning for vulnerable servers. These scans have been linked to two IP addresses located in an Amazon cloud.

At the end of August, the attack was still active, but things slowed down greatly in the beginning of September. No new infections have been observed since the beginning of the month. There is no persistence method in the code and the cryptocurrency miner botnet has been gradually losing worker machines.

Patching the vulnerable servers is the obvious mitigation here, but because of the age of the systems, administrators may not be able to apply the update, or may not know how.
