Scorpion

Coinminer Campaigns Target Redis, Apache Solr, and Windows Servers

[Image: ReddisWannaMine.png]

Windows Server, Apache Solr, and Redis servers have been targeted this week by cyber-criminals looking to take over unpatched machines and install malware that mines cryptocurrency (known as a coinminer).

Two separate campaigns have been spotted, both very active this week: one, documented by Imperva, targeting Redis and Windows Servers, and another, documented by the ISC SANS team, targeting Apache Solr installations.

Campaign targeting Redis and Windows Server


The more active of the two was a campaign that Imperva nicknamed RedisWannaMine. This campaign is ongoing, and according to Imperva, cyber-criminals have been compromising servers by mass-scanning the Internet for systems running outdated Redis versions that are vulnerable to the CVE-2017-9805 exploit.

Once criminals gain access to a host, their typical infection chain is to drop the ReddisWannaMine malware, which later installs a second-stage cryptocurrency miner.

But the ReddisWannaMine campaign also displays the classic behavioral pattern of a self-propagating worm. This is because attackers also use the same infected servers to mass-scan and later exploit other targets.

However, the ReddisWannaMine attackers aren't only targeting other Redis servers; they are also looking for Windows Servers with exposed SMB ports.

On these Windows Server instances, attackers deploy the now classic leaked NSA exploit EternalBlue. In these infections, too, they drop a coinminer on the machines they compromise, showing that cryptocurrency is the primary objective of these attacks.
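The worm-like fan-out described above leaves a recognisable trace in outbound connection logs: an internal host that, within a short window, contacts many distinct destinations on 6379/tcp (Redis) and 445/tcp (SMB). The following detection sketch is an added example, not code from the original post or from Imperva; the log format, the sample events and the five-target threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound connection events (timestamp src dst dport),
# in a simple space-separated format assumed for this example.
SAMPLE_LOG = """\
2018-03-08T10:00:01 10.0.0.5 203.0.113.10 6379
2018-03-08T10:00:02 10.0.0.5 203.0.113.11 6379
2018-03-08T10:00:02 10.0.0.5 203.0.113.12 445
2018-03-08T10:00:03 10.0.0.5 198.51.100.7 6379
2018-03-08T10:00:04 10.0.0.5 198.51.100.8 445
2018-03-08T10:00:05 10.0.0.5 198.51.100.9 6379
2018-03-08T10:00:06 10.0.0.7 203.0.113.10 6379
2018-03-08T10:00:07 10.0.0.7 203.0.113.10 443
2018-03-08T10:30:00 10.0.0.5 192.0.2.1 6379
"""

WORM_PORTS = {6379, 445}  # Redis and SMB, the two services the campaign probes


def parse_events(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed log."""
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: max_distinct_targets} for hosts that contacted at least
    `min_targets` distinct (dst, port) pairs on Redis/SMB ports inside any
    sliding window of length `window`. Other ports (e.g. 443) are ignored."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_events(text):
        if dport in WORM_PORTS:
            by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it fits within `window`.
            while ts - events[start][0] > window:
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct Redis/SMB targets in one 5-minute window")
```

On the constructed sample only 10.0.0.5 is flagged; the late event at 10:30 falls outside every window containing the earlier burst, and 10.0.0.7's single Redis connection stays below the threshold.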

[Image: RedisWannaMine-mo.png]

This isn't the first time that a coinminer campaign has targeted Redis servers. Earlier in February, another group made almost $1 million by infecting Redis and OrientDB servers with similar coinminer malware.

Campaign targeting Apache Solr


But besides the ReddisWannaMine crew, there was another very active cyber-criminal group this week. This second one targeted Apache Solr servers that hadn't received patches for the CVE-2017-12629 vulnerability.

Just like in the ReddisWannaMine incidents, attackers focused on infecting victims with a cryptocurrency miner.

ISC SANS researchers didn't notice any self-propagation mechanism, meaning scans and infections were taking place from a central location, but they did manage to determine an approximate number of affected servers: 1,777 infections that appear to have taken place between February 28 and March 8.

But while Redis and Windows Servers are standalone systems that are easier to patch, Apache Solr (search servers) is in many cases embedded in other, more complex software, and patching isn't as easy as it sounds, because updating Solr might break internal systems that depend on it.
