Weekly Executive Summary for Week October 06, 2017

By Joseph Lorenz on October 6, 2017

What is it? Monero Mining | Crypto-mining

What is affected? [UNPATCHED] Windows Server 2003 R2

What does it do? 

Mining cryptocurrencies is expensive and takes a lot of computing power, so attackers use malware to steal the computing resources of other people's machines and make money in digital currency. In this campaign, malware infected hundreds of Windows web servers with a modified cryptocurrency miner, and the attacker made more than $63,000 in Monero (XMR) in three months. The attackers exploited a vulnerability in Microsoft IIS 6.0 to install the modified miner on unpatched Windows servers, and they have been infecting such servers since at least May 2017. The exploited vulnerability (CVE-2017-7269) resides in the WebDAV service of Microsoft IIS version 6.0, the web server in Windows Server 2003 R2. The attackers target unpatched machines running Windows Server 2003 and make them part of a botnet. Monero uses a proof-of-work algorithm called CryptoNight, which can use computer server CPUs and GPUs, while Bitcoin mining requires specific hardware.

How does it do it?

Monero is a cryptocurrency that users can mine solo or as part of a pool. The Monero miner uses CPU and GPU resources, rather than the specific hardware that other cryptocurrencies like Bitcoin require. The CPU miner used in these attacks is an open-source CPU miner called xmrig, which was released on May 26, 2017, just two days before the first attacks were seen in the wild. According to researchers at ESET, the attackers didn't change much of the original source code for the miner. They just added hardcoded CLI arguments for the attackers' mining pool URL, plus arguments to kill previously running versions of the miner (if they existed).

[Figure: miner code with added hardcoded CLI arguments. Source: ESET]

The next phase of the attack required the malware to scan devices to see if they were vulnerable to CVE-2017-7269. Two IP addresses were identified as the source of the brute-force scans, and both point to servers hosted on the Amazon Web Services cloud. The vulnerability exists in the WebDAV service that is part of Microsoft IIS version 6.0, which is the web server in Windows Server 2003 R2. The bug is a buffer overflow in the WebDAV service. The overflow allows remote attackers to execute arbitrary code via a long header that starts with “if: <http://” in a specially crafted PROPFIND request.

[Figure: screenshot of remote code execution through the crafted PROPFIND request. Source: Javier M. Mellid]
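The request shape described above (a PROPFIND carrying a long header that starts with “if: <http://”) can be checked for in captured HTTP traffic. The following is an added example, not code from ESET, Javier M. Mellid or the original article; the 256-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: flag PROPFIND requests whose If header matches the
# CVE-2017-7269 description (long value starting with "<http://").
MAX_IF_HEADER_LEN = 256  # assumed threshold; tune against legitimate WebDAV traffic


def parse_request(raw: bytes):
    """Return (method, headers) for a raw HTTP request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers


def is_suspicious(raw: bytes, max_len: int = MAX_IF_HEADER_LEN) -> bool:
    """True for PROPFIND with an If header starting '<http://' longer than max_len."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    return any(v.lower().startswith("<http://") and len(v) > max_len
               for v in headers.get("if", []))


def build(method: str, if_value=None) -> bytes:
    """Build a constructed sample request (hostnames are placeholders)."""
    lines = [f"{method} / HTTP/1.1", "Host: www.example.test", "Content-Length: 0"]
    if if_value is not None:
        lines.append(f"If: {if_value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed samples: filler bytes only, no exploit payload.
SAMPLES = {
    "normal GET": build("GET"),
    "WebDAV client PROPFIND": build(
        "PROPFIND", "<http://www.example.test/doc> (<opaquelocktoken:constructed>)"),
    "oversized If header": build("PROPFIND", "<http://localhost/" + "A" * 600 + ">"),
    "long If header on GET": build("GET", "<http://localhost/" + "A" * 600 + ">"),
}


def scan(samples=SAMPLES):
    """Return the names of samples that match the suspicious request shape."""
    return [name for name, raw in samples.items() if is_suspicious(raw)]


if __name__ == "__main__":
    print(scan())
```

On servers that cannot be patched or retired, the same condition can be expressed as a rule on a reverse proxy or IDS in front of IIS 6.0.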

The exploit is available in Metasploit as Microsoft IIS WebDav ScStoragePathFromUrl Overflow. It affects unpatched Windows Server 2003 R2.

The payload is in the form of an alphanumeric string. Experts say this wasn't that sophisticated, as online tools like alpha3 can help convert any shellcode into a desired string. Researchers at ESET say the shellcode downloads “dasHost.exe” from “hxxt://postgre[.]tk/” into the %TEMP% folder. This is a well-known Windows 2003 exploit that was used by attackers to take advantage of vulnerable servers.

[Figure: payload in the form of an alphanumeric string. Source: ESET]

Conclusion:

There are a number of cryptocurrencies available, from Bitcoin, Ethereum, Dash, Ripple, LiteCoin, Neo, and many more. Monero is a cryptocurrency that can be extremely attractive to criminals because it provides anonymity as a secure, private, untraceable currency. By default, Monero transactions have sending and receiving addresses obfuscated, as well as all transacted amounts. This type of anonymity can allow attackers to avoid the detection and prosecution that would otherwise come from following a financial trail. The attackers used an open-source tool that is available to anyone: the xmrig source code was easily manipulated to allow attackers to make a profit from vulnerable servers.

Attackers used a well-known exploit for CVE-2017-7269 against vulnerable servers, and this isn't the first time this kind of attack has been seen in the wild. A cryptocurrency-mining botnet called Adylkuzz took advantage of vulnerable systems using EternalBlue, an exploit that was a part of the NSA FuzzBunch leak and took advantage of Windows SMB Server. This is a clear indication that attackers are opportunistic and can use tools that already exist. Doing so requires very little technical knowledge, but as these attacks show, criminals are able to make a substantial amount of money from them.

Sources:

https://thehackernews.com/2017/09/windows-monero-miners.html (HackerNews)

https://getmonero.org/get-started/mining/ (Monero)

https://blog.eset.ie/2017/09/28/money-making-machine-monero-mining-malware/ (eset)

https://javiermunhoz.com/blog/2017/04/17/cve-2017-7269-iis-6.0-webdav-remote-code-execution.html (Javier M. Mellid)