Hidden cryptocurrency mining is a problem to take into account, since it can push our equipment to its limits and affect not only performance but also hardware components. It is a type of threat that has grown considerably in recent years with the rise of digital currencies. After all, hackers are looking for a way to profit: they create new attack techniques, look for flaws they can exploit and ultimately infect victims' computers. With Sysrv-hello they manage to sneak in a botnet that mines cryptocurrency on both Windows and Linux. Specifically, it mines Monero, one of the most popular cryptocurrencies.

This botnet targets enterprise servers, infecting them with cryptominer (XMRig) payloads. Sysrv-Hello was detected in February of this year and gained strength in March; deeper analysis suggests that the threat actually began in December 2020.

This threat uses a single binary that can automatically deploy the malware to the compromised machines; it then spreads through the network by brute-force attacks using SSH keys collected from the affected servers.

According to security researchers, it relies on remote code execution vulnerabilities in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts. Bear in mind that once it has successfully compromised a server, this malware can spread through the network via brute-force attacks using SSH private keys that it harvests from infected servers.
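The lateral movement described above (one compromised host trying many harvested SSH private keys against its neighbours) leaves a recognisable trace in sshd logs: a single source offering many distinct key fingerprints in a short time. The following is an added example, not code from the original post; it assumes the standard OpenSSH "Failed/Accepted publickey for USER from SRC port N ssh2: TYPE SHA256:FP" message format, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (auth.log / journal style); not real data.
# Note: sshd logs "Failed publickey" at INFO only for invalid users or after
# repeated failures; otherwise LogLevel VERBOSE is needed to see every attempt.
SAMPLE_LOG = """\
Mar 12 03:14:01 app01 sshd[2231]: Failed publickey for root from 10.20.0.15 port 41122 ssh2: RSA SHA256:aaaa1111
Mar 12 03:14:02 app01 sshd[2233]: Failed publickey for root from 10.20.0.15 port 41124 ssh2: RSA SHA256:bbbb2222
Mar 12 03:14:02 app01 sshd[2235]: Failed publickey for deploy from 10.20.0.15 port 41126 ssh2: ED25519 SHA256:cccc3333
Mar 12 03:14:03 app01 sshd[2237]: Failed publickey for root from 10.20.0.15 port 41128 ssh2: RSA SHA256:dddd4444
Mar 12 03:14:03 app01 sshd[2239]: Accepted publickey for root from 10.20.0.15 port 41130 ssh2: RSA SHA256:eeee5555
Mar 12 03:20:45 app01 sshd[2301]: Accepted publickey for alice from 10.20.0.7 port 50102 ssh2: ED25519 SHA256:ffff6666
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def parse(lines):
    """Yield one dict per publickey authentication event found in the lines."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def find_key_spraying(lines, min_distinct_keys=3):
    """Return {src: {"keys": n, "accepted": [users]}} for every source that
    offered at least min_distinct_keys distinct key fingerprints to this host.
    Caveat: a legitimate client with several keys loaded in ssh-agent offers
    each in turn, so set the threshold above the typical agent size."""
    keys = defaultdict(set)
    accepted = defaultdict(list)
    for ev in parse(lines):
        keys[ev["src"]].add(ev["fp"])
        if ev["result"] == "Accepted":
            accepted[ev["src"]].append(ev["user"])  # a spraying host that got in
    return {
        src: {"keys": len(fps), "accepted": accepted[src]}
        for src, fps in keys.items()
        if len(fps) >= min_distinct_keys
    }

if __name__ == "__main__":
    for src, info in find_key_spraying(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['keys']} distinct keys offered, "
              f"accepted logins for {info['accepted'] or 'none'}")
```

A hit whose "accepted" list is non-empty is the case to act on first: the source has already moved laterally with a harvested key, so that key should be rotated and the source host isolated.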

The six main exploited vulnerabilities are known to be:

▸ Mongo Express RCE (CVE-2019-10758)
▸ XML-RPC (CVE-2017-11610)
▸ Saltstack RCE (CVE-2020-16846)
▸ Drupal Ajax RCE (CVE-2018-7600)
▸ ThinkPHP RCE (without CVE)
▸ XXL-JOB Unauth RCE (without CVE)

Undoubtedly the most important thing to avoid falling victim to this problem is to keep systems up to date. As we have seen, this campaign needs vulnerable, unpatched systems. Therefore, the main advice is to always keep the equipment updated, whatever operating system we are using.

See also:
KashmirBlack – A Botnet that attacks servers
Simps Botnet, a threat that executes DDoS attacks
