It's only been two weeks since a critical vulnerability in Apache Struts 2 was revealed to the public, but this did not stop cybercriminals from quickly adding proof-of-concept (PoC) code to their arsenal.
The security error, corrected by the Apache Software Foundation, is tracked because CVE-2018-11776 was caused due to insufficient validation of untrusted user data in the main Struts framework. If exploited, the bug can lead to remote code execution.
An updated build has been released that protects users from attacks.
Those who have not applied the security update, however, may find themselves vulnerable to a new cryptography campaign
F5 Labs researchers claim that the Apache bug is being used in a new cryptographic campaign that has an impact on Linux machines.
According to the team, threat actors are exploiting the PoC code for Apache Struts 2 remote code execution vulnerability sent to Pastebin to infiltrate Linux systems for the purpose of extracting Monero.
Mining for cryptocurrency, such as Bitcoin (BTC), Ethereum (ETH) and Monero (XMR), is a completely legitimate business that uses computing power to find virtual coins. However, when this power is taken without consent, such activities are considered as a cryptographic attack.
The most common tactic used by criminals in cryptojacking campaigns is the script of Coinhive, a legitimate system that is widely abused.
A massive cryptojacking campaign was discovered in which a botnet used MikroTik routers mined for Monero.
See also: Japan issues first prison sentence in the cryptojacking case
Nicknamed CroniX, the new attack uses the Apache bug to send a single HTTP request at the same time a & # is injected 39; Object Navigation Navigation Language (OGNL) expression containing malicious JavaScript.
TechRepublic: Why the cryptocurrency must become more user-friendly to achieve the mainstream success
This code then calls and downloads an additional file that initiates a Powershell command on the infected system.
The downloaded file is a bash script that sets s the number of "huge pages" in memory to 128 in preparation for the data mining operation. Cron jobs are therefore set for the purpose of persistence; downloading an update.sh file on a daily basis and a file called "anacrond" that can be invoked to restart the mining process if the original malicious files are removed.
To make sure that the cryptographic campaign is not having to fight for processor resources, the malware scans the system and deletes all binaries related to the previous cryptominer.
See also: Windows utilities used by malware in new information theft campaigns
Once the competition has been eradicated, the attacker downloads and runs the "XMRigCC" miner which contains configuration details including information about the portfolio and the location of the mining pool.
A process called XHide is also implemented to mask the miner as a Java service.
"Considering that it has been only two weeks since this vulnerability was discovered, it is worth noting how the kidnappers are arming vulnerabilities and how quickly researchers see them in the wild," F5 Labs says. "Companies must be increasingly careful to repair the affected systems immediately."
CNET: Someone just bought a cryptocurrency cat for $ 172,000
Last year, Equifax blamed its record data breach and exposure of data of 147 million of consumers on a vulnerability of Apache Struts. Failure to correct the months of error after issuing a security notice has cost the company over $ 439 million to date.