Windows Servers Targeted for Cryptocurrency Mining via IIS Flaw

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,320
Hackers are leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mines the Electroneum cryptocurrency.

Attacks aren't widespread, as they target a quite old IIS version, but they are happening at scale.
Hackers using former IIS 6.0 zero-day

Hackers are using CVE–2017–7269 to take over servers. This is a vulnerability discovered by two Chinese researchers in March 2017 that affects IIS' WebDAV service. At the time it was discovered last year, the flaw was a zero-day, being under heavy exploitation for almost nine months, since June 2016.

Microsoft initially said it was not planning to fix the flaw because IIS 6.0 was end-of-life, and so were the operating systems that shipped with IIS 6.0 by default —Windows XP and Windows Server 2003.
.....
.....
Hackers using CVE-2017-7269 to install Electroneum miner

Now, F5 Labs says it found another hacker group using the same exploit, but deploying an Electroneum miner instead of Monero.

According to experts, the threat actor uses CVE–2017–7269 to deliver an ASCII shellcode which contains a Return-Oriented Programming (ROP) exploit chain that installs a reverse shell on vulnerable hosts.

Attackers then use the reverse shell to download the miner and start the mining process. The infection process is masked by the use of the Squiblydoo technique and by disguising the miner as the legitimate lsass.exe (Local Security Authority Subsystem Service) process.

F5 experts said the Electroneum address they found in attacks stored only $99, suggesting they either caught the campaign at its beginning, or crooks are rotating address IDs to avoid researchers from tracking their entire operation.
........
........
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top