Attackers compromised more than 1,400 Apache Solr servers at the end of February, installing not ransomware but, once again, a cryptocurrency miner.
The attack on Apache Solr servers bears some resemblance to a campaign discovered in January that exploited unpatched Oracle WebLogic instances to install a mining rig and earn attackers Bitcoin alternative Monero.
According to Renato Marinho, chief research officer at Morphus Labs, the Apache Solr attackers are using the critical remote code execution vulnerability tagged as CVE-2017-12629. The Apache Software Foundation released a fix for this in October.
Solr is a widely used Apache program for building search functionality into websites.
Marinho reckons the Solr attackers are the same group who installed Monero miners on vulnerable Oracle WebLogic servers to generate the equivalent of $226,000 in Monero.
“Now that most Oracle WebLogic servers are fixed, miscreants had to move to another target,” Marinho wrote on the SANS Internet Storm Center forum.
“Within nine days, from February 28 to March 8, this single campaign exploited 1,416 vulnerable Apache Solr servers to deploy Monero XMRig miners across the globe.”
It’s not known how much Monero the attackers have generated from compromised Solr servers because they’re using a proxy to reach the Monero mining pools, which hides their Monero wallet addresses, Marinho told ZDNet.
By comparison, only 722 WebLogic servers were compromised in the earlier campaign, so the Solr vulnerability has given the attackers almost twice as many servers to mine the cryptocurrency.
Servers, as opposed to PCs, are an attractive target for cryptomining in general because they’re more likely to be running on powerful CPUs.
The attackers are scanning the internet for available Solr servers and using a publicly known exploit that was released in October.
After compromising a machine, the attackers run a bash script that deploys the XMRig miner and sets up scheduled tasks so the miner keeps running continuously.
Admins can check for a process called ‘fs-manager’ on affected machines; it connects to the mining pool through the proxy address ‘pool-proxy.com’ on port 8080.
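The two indicators above (the ‘fs-manager’ process and the outbound connection to pool-proxy.com on port 8080) are enough for a quick host triage. The script below is an added example, not code from this article or from Morphus Labs: it checks a process listing, a socket listing and a crontab for those indicators. The three listings are constructed stand-ins so the script runs offline; on a live Solr host you would feed it the real commands named in the comments. The cron entry is an assumption about how the “tasks” keep the miner running; the article does not say which scheduler the script uses.

```shell
#!/bin/sh
# Added example (not from the ZDNet article or Morphus Labs): triage a Linux host
# for the indicators the article reports, a process named "fs-manager" and an
# outbound connection to pool-proxy.com on TCP port 8080.
# The listings below are constructed stand-ins so this runs offline.

IOC_PROCESS="fs-manager"   # process name reported in the article
IOC_HOST="pool-proxy.com"  # mining pool proxy reported in the article
IOC_PORT="8080"            # port reported in the article

# Constructed stand-in for:  ps -eo pid,user,comm,args
SAMPLE_PS='  PID USER     COMMAND         COMMAND
  912 solr     java            /usr/bin/java -jar start.jar
 4711 solr     fs-manager      /tmp/fs-manager -o pool-proxy.com:8080
 4720 root     sshd            /usr/sbin/sshd -D'

# Constructed stand-in for:  ss -tnp   (established TCP sockets with owning process)
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB 0      0      10.0.0.5:51234      203.0.113.10:8080  users:(("fs-manager",pid=4711,fd=3))
ESTAB 0      0      10.0.0.5:22         198.51.100.7:50022 users:(("sshd",pid=4720,fd=4))'

# Constructed stand-in for:  crontab -l -u solr
# (a cron entry is an ASSUMED persistence mechanism; the article only says "tasks")
SAMPLE_CRON='*/10 * * * * /tmp/fs-manager -o pool-proxy.com:8080 >/dev/null 2>&1'

# Reads a ps listing on stdin; prints PIDs whose command name is the IOC process
# or whose arguments point at the pool proxy (so a renamed binary is caught too).
find_miner_pids() {
    awk -v proc="$IOC_PROCESS" -v host="$IOC_HOST" \
        'NR > 1 && ($3 == proc || index($0, host ":") > 0) { print $1 }'
}

# Reads an ss listing on stdin; prints the peer address of every established
# socket to IOC_PORT that is owned by the IOC process.
find_pool_connections() {
    awk -v proc="$IOC_PROCESS" -v port="$IOC_PORT" '
        NR > 1 && $1 == "ESTAB" {
            n = split($5, peer, ":")
            if (peer[n] == port && index($6, "\"" proc "\"") > 0) print $5
        }'
}

# Reads crontab lines on stdin; prints entries naming the miner or the proxy.
# grep exits 1 when nothing matches; a clean crontab is not an error here.
find_persistence() {
    grep -E "$IOC_PROCESS|$IOC_HOST" || true
}

# Runs all three checks on the given listings; prints findings and
# returns 1 if any indicator matched, 0 if the host looks clean.
triage() {
    ps_out=$1; ss_out=$2; cron_out=$3; hits=0
    pids=$(printf '%s\n' "$ps_out" | find_miner_pids)
    if [ -n "$pids" ]; then echo "miner process found, pid(s): $pids"; hits=1; fi
    peers=$(printf '%s\n' "$ss_out" | find_pool_connections)
    if [ -n "$peers" ]; then echo "pool connection found: $peers"; hits=1; fi
    cron=$(printf '%s\n' "$cron_out" | find_persistence)
    if [ -n "$cron" ]; then echo "persistence entry found: $cron"; hits=1; fi
    return $hits
}

# Run against the constructed samples. On a real host use the output of
# ps -eo pid,user,comm,args, ss -tnp and crontab -l for the account Solr runs as.
triage "$SAMPLE_PS" "$SAMPLE_SS" "$SAMPLE_CRON" \
    || echo "indicators present: isolate the host and check the Solr patch level"
```

Because the attackers route through a proxy, the peer address in the socket listing will be whatever pool-proxy.com resolves to rather than a pool’s address, which is why the script keys on the port and the owning process rather than on a pool hostname.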
Marinho notes that IBM InfoSphere version 11.5, JBoss Data Grid versions 7.0.0 and 7.1.0, JBoss Enterprise Application Platform (EAP) versions 6, 7 and 7.0.8, and JBoss Enterprise Portal Platform version 6 may also be vulnerable to this attack, because the flaw lies in a library that those products also ship rather than in Solr alone.