Windows Server, Apache Solr, and Redis servers have been targeted this week by cyber-criminals looking to take over unpatched machines and install malware that mines cryptocurrency (known as a coinminer).
Two separate campaigns have been spotted, both very active this week: one documented by Imperva, targeting Redis and Windows Server machines, and another documented by the ISC SANS team, targeting Apache Solr installations.
Campaign targeting Redis and Windows Server
The most active of the two was a campaign that Imperva nicknamed RedisWannaMine. This campaign is ongoing, and according to Imperva, cyber-criminals have been compromising servers by mass-scanning the Internet for systems vulnerable to CVE-2017-9805. Note that CVE-2017-9805 is a remote code execution flaw in the Apache Struts REST plugin (unsafe XStream deserialization), not a bug in Redis itself; the campaign takes its name from the Redis servers it goes after, not from the vulnerability used for the initial foothold.
Once criminals gain access to a host, their typical infection chain is to drop the RedisWannaMine malware, which later installs a second-stage cryptocurrency miner.
But the RedisWannaMine campaign also displays the classic behavioral pattern of a self-propagating worm: the attackers use the same infected servers to mass-scan for, and later exploit, other targets.
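The worm-like behaviour described above has a simple network signature: a compromised host starts opening connections to many distinct destinations on the Redis default port (6379) in a short time. The following detector is an added example written for this article, not code from Imperva or from the campaign itself; it runs over a constructed, simplified flow-log format (`<epoch> <src_ip> <dst_ip> <dst_port>`) rather than any vendor's real log format, and the window and threshold values are assumptions to be tuned per environment.

```python
# Added example (not from the article or Imperva): flag hosts that behave like
# the self-propagating scanner described in the text, i.e. one source contacting
# many distinct destinations on the Redis default port within a short window.
# The flow-log format below is constructed for illustration only.
from collections import defaultdict

REDIS_PORT = 6379


def _constructed_sample():
    """Build constructed sample flow records (not real traffic)."""
    lines = []
    # Infected host: 30 distinct Redis targets inside 30 seconds (scanner).
    for i in range(30):
        lines.append(f"{1520000000 + i} 10.0.0.5 203.0.113.{i + 1} 6379")
    # Legitimate app server: 50 connections, but all to its own single Redis.
    for i in range(50):
        lines.append(f"{1520000000 + i} 10.0.0.7 10.0.0.20 6379")
    # Web client: many distinct hosts, but on 443, so not a Redis scanner.
    for i in range(30):
        lines.append(f"{1520000000 + i} 10.0.0.9 198.51.100.{i + 1} 443")
    return "\n".join(lines)


SAMPLE_FLOWS = _constructed_sample()


def parse_flows(text):
    """Parse '<epoch> <src_ip> <dst_ip> <dst_port>' lines into tuples.
    Malformed or blank lines are skipped rather than aborting the run."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            flows.append((int(ts), src, dst, int(port)))
        except ValueError:
            continue
    return flows


def find_scanners(flows, window=60, threshold=20, port=REDIS_PORT):
    """Return {src_ip: peak_distinct_destinations} for every source that
    contacted at least `threshold` distinct destinations on `port` within any
    `window` seconds. Uses a sliding window over time-sorted events so a slow
    but steady scanner is not hidden by averaging over the whole log."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)  # distinct dst -> occurrences in window
        left = 0
        best = 0
        for ts, dst in events:
            counts[dst] += 1
            # Evict events that fell out of the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible Redis scanner: {src} ({n} distinct targets in 60s)")
```

Only the constructed scanner host is reported; the app server that hammers a single Redis instance and the client fanning out on port 443 are not. In a real deployment the same logic would be fed from NetFlow, Zeek `conn.log` or a firewall log, and an alert on an internal host should be treated as a sign that the host is already compromised, not merely misconfigured.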