According to the latest reports, cryptojacking attacks are becoming more serious and more complex, targeting both database and application servers. The newest attack, named RedisWannaMine and spotted by the security company Imperva, is probably just the start.
Cryptojacking has always been popular with cybercriminals as an easy way to fund their operations, and with the recent spike in cryptocurrency value both the popularity and the complexity of such attacks have risen to a whole new level. These attacks usually rely on malware that installs cryptocurrency mining software on the targeted systems.
According to the report published by Imperva, the recent attack, named RedisWannaMine, targets the open source Redis in-memory data structure store and uses the EternalBlue exploit known from WannaCry; it combines a worm-like attack with more advanced exploits in order to raise both the infection rate and the amount of cryptocurrency mined.
According to the blog post, RedisWannaMine uses a rather complex downloader: a shell script that installs a large number of packages through the standard Linux package managers (apt and yum) and then downloads, compiles and installs the Masscan tool from a GitHub repository. Masscan is described as a “TCP port scanner, spews SYN packets asynchronously, scanning entire internet in under five minutes”.
The same script launches the redisscan.sh process, which discovers and infects Redis servers, and in some cases it also launches the redisrun.sh process, which infects the system with the transfer.sh cryptominer malware.
What makes it even more complex is that it launches another scanning process, ebscan.sh, which uses the Masscan tool to find and infect publicly reachable Windows servers running a vulnerable version of the SMB protocol. This is the SMB vulnerability behind the EternalBlue exploit used in the WannaCry attacks in May last year. When it finds a vulnerable server, it uses ebrun.sh to infect it, creating a VBScript file which downloads the cryptominer executable admissioninit.exe and runs it.
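The attack chain above leaves a recognisable trail of process executions on an infected host: the helper scripts, the Masscan build, and the Windows payload. The following is an added detection sketch, not code from Imperva's report or from the malware itself. The log format (timestamp, host, the literal word `exec`, command line) and the sample log lines are constructed for the example; in practice the same matching would run over auditd, Sysmon for Linux or EDR process-creation events. Beyond plain indicator matching it also flags hosts that show both the Redis stage and the SMB stage, which is the worm-like behaviour the report describes.

```python
"""Match process-execution log lines against the RedisWannaMine indicators
named in the report and correlate them per host.

Added example; the log format and sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator -> (attack stage, description). All names come from the report.
INDICATORS: Dict[str, tuple] = {
    "masscan": ("scanner", "Masscan port scanner built from a GitHub clone"),
    "redisscan.sh": ("redis", "Redis discovery/infection script"),
    "redisrun.sh": ("redis", "Redis cryptominer installer"),
    "transfer.sh": ("redis", "cryptominer download source"),
    "ebscan.sh": ("smb", "SMB (EternalBlue) scanner wrapper"),
    "ebrun.sh": ("smb", "SMB exploitation wrapper"),
    "admissioninit.exe": ("smb", "Windows cryptominer executable"),
}

# Constructed log format: "<timestamp> <host> exec <command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) exec (?P<cmd>.+)$")


@dataclass
class Alert:
    ts: str
    host: str
    indicator: str
    stage: str
    reason: str
    cmd: str


def scan_line(line: str) -> Optional[Alert]:
    """Return an Alert if the command line contains a known indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    for indicator, (stage, reason) in INDICATORS.items():
        if indicator in cmd:
            return Alert(m.group("ts"), m.group("host"), indicator, stage, reason, cmd)
    return None


def scan_lines(lines: List[str]) -> List[Alert]:
    """Run scan_line over every line and keep the hits, in log order."""
    return [a for a in (scan_line(l) for l in lines) if a is not None]


def worm_hosts(alerts: List[Alert]) -> List[str]:
    """Hosts that show both the Redis stage and the SMB stage: a host that
    is scanning for Redis servers *and* for vulnerable SMB is behaving like
    the worm, not like a single victim."""
    stages: Dict[str, set] = {}
    for a in alerts:
        stages.setdefault(a.host, set()).add(a.stage)
    return sorted(h for h, s in stages.items() if {"redis", "smb"} <= s)


# Constructed sample log: web-01 is the infected host running the worm,
# db-02 is a Redis server that only received the miner. The GitHub URL is
# a placeholder, not the real repository address.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z web-01 exec /usr/bin/apt-get install -y gcc make libpcap-dev
2018-03-01T10:00:09Z web-01 exec /usr/bin/git clone https://github.com/EXAMPLE/masscan.git
2018-03-01T10:01:30Z web-01 exec /bin/sh /tmp/redisscan.sh
2018-03-01T10:02:12Z web-01 exec /bin/sh /tmp/ebscan.sh
2018-03-01T10:02:40Z web-01 exec /tmp/masscan -p445 10.0.0.0/8 --rate 10000
2018-03-01T10:03:00Z db-02 exec /usr/bin/redis-server /etc/redis/redis.conf
2018-03-01T10:03:05Z db-02 exec /bin/sh /tmp/redisrun.sh
"""

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.host} [{a.stage}] {a.indicator}: {a.reason}")
    print("hosts behaving like the worm:", worm_hosts(found))
```

The legitimate `redis-server` start on db-02 and the `apt-get` line produce no alert on their own; the package-manager burst followed by a `git clone` and compile of Masscan is the part of the downloader worth a separate, rate-based rule if your telemetry carries package-manager events.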
Imperva also notes that the situation is not hopeless, since there are ways businesses can protect their servers:
- Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.
- Make sure you don’t expose your Redis servers to the world. This can be achieved with a simple firewall rule.
- Make sure you don’t run machines with the vulnerable SMB version in your organization. You can use this tool to check.
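The second recommendation, not exposing Redis to the world, is usually enforced with a firewall rule, but it is worth confirming that the Redis configuration itself does not listen on every interface without authentication. Below is an added configuration audit, not code from Imperva or from the Redis project: it parses a `redis.conf` text and reports the three settings that together make an instance reachable and writable by anyone on the network (`bind` on a non-loopback address or missing, `protected-mode no`, no `requirepass`). The two sample configurations are constructed, and the `requirepass` value in the hardened one is a placeholder.

```python
"""Audit a redis.conf for settings that expose the instance to the network.

Added example with constructed sample configurations; the directives
checked (bind, protected-mode, requirepass) are standard Redis settings.
"""
import ipaddress
from typing import Dict, List


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its argument list.
    Comments and blank lines are skipped; a repeated directive keeps the
    last occurrence, which is how Redis itself resolves duplicates."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives[parts[0].lower()] = parts[1:]
    return directives


def _is_loopback(addr: str) -> bool:
    # Redis 7 allows a leading '-' meaning "ignore if the address is absent".
    addr = addr.lstrip("-")
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown token: treat as not safely local


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the three
    exposure conditions is present."""
    conf = parse_conf(text)
    findings: List[str] = []

    binds = conf.get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif not all(_is_loopback(a) for a in binds):
        findings.append(f"bind {' '.join(binds)}: listens on a non-loopback interface")

    mode = conf.get("protected-mode", [])
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    if not conf.get("requirepass"):
        findings.append("no requirepass: any client that can connect has full access")

    return findings


# Constructed: the kind of configuration an Internet-exposed Redis ends up with.
WEAK_CONF = """\
# constructed example of a risky redis.conf
port 6379
bind 0.0.0.0
protected-mode no
"""

# Constructed: local-only, protected mode on, authentication required.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE-ME-placeholder-use-a-long-random-secret
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

The audit is deliberately independent of the firewall: a host firewall rule restricting port 6379 to the application servers is still the primary control the report recommends, and this check catches the case where that rule is missing or later removed. Note that a configuration with no `bind` and no `protected-mode` line is reported as listening on all interfaces even though Redis 3.2 and later default protected mode to on; the finding is still worth acting on because the default is only a backstop.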
You can read the full report on the Imperva.com blog.