Thursday, April 18, 2024

Cybercriminals Exploit PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers

By Guru baran

An active cryptocurrency mining campaign targeting Linux servers via PHP Weathermap Vulnerability to deploy cryptocurrency mining malware. The campaign uses an outdated security flaw with “Network Weathermap” that allow a remote attacker to inject arbitrary codes in the server.

In the current campaign, cybercriminals deploy the XMRig miner as final payload in the target server. The attack primarily focuses on Japan, Taiwan, China, the U.S., and India.

cryptocurrency mining campaign

Security researchers from TrendMicro detected the active campaign cryptocurrency-mining campaign, according to researchers it associates with previous JenkinsMiner malware campaign.

How Cryptocurrency Mining Campaign Infects

With the cryptocurrency mining campaign attackers exploiting the outdated vulnerability CVE-2013-2618 in Cacti’s Network Weathermap plug-in that used by system administrators to visualize the network activity.

The persistent cross-site scripting vulnerability resides with “/plugins/weathermap/configs/conn.php” and attackers uses the vulnerability to execute the scripts remotely and downloads the watchd0g.sh file from attackers server. 

The main purpose of watchd0g.sh is to download the final payload dada.x86_64 from the same server where the watchd0g.sh is downloaded. The final payload is the modified XMRig miner.

Also Read Linux Backdoor that Creates Fully Encrypted Reverse Shell and Attack Unsecured Linux Systems

The configuration file “config.json” that executed along with XMRig contains the algorithm used for mining, maximum CPU usage, mining server, and login credentials of Monero wallets.

Researchers found two unique usernames matching Monero wallets and they said as of March 21, 2018, attackers mined approximately 320 XMR or about $74,677 based on the two wallets.

Attack Execution Requirements

A publicly accessible Linux web server running (x86-64), given the custom XMRig Miner 64-bit ELFs and Cacti needs to be implemented with the Plugin Architecture working and an outdated Network Weathermap 0.97a and prior is used.

The web server hosting Cacti does not require authentication to access the web site resource. For perfect execution, the web server should be running with ‘root’ permissions.

IP address and Domains used in the attack

222[.]184[.]79[.]11
bbc[.]servehalflife[.]com
190[.]60[.]206[.]11
182[.]18[.]8[.]69
jbos[.]7766[.]org
115[.]231[.]218[.]38

Managed WAF Protection

Website

Latest articles

Cyber Attack

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...
cyber security

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...
CVE/vulnerability

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...
Cyber Crime

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...
Cyber Security News

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...
Computer Security

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...
cyber security

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]