[SingCERT] Alert on Digital Currency Mining Campaign "ZEALOT"

Published on Tuesday, 19 December 2017 18:31

Background

On 15 December 2017, security researchers detected a malicious cyber campaign, known as "Zealot", that hijacks the computing power of compromised Internet-facing servers to mine for "Monero", a type of digital currency.

The campaign installs and executes Monero miner malware on vulnerable servers by exploiting the known vulnerabilities listed below:

  • Apache Struts Jakarta Multipart Parser (CVE-2017-5638) – Incorrect exception handling and error-message generation during file-upload attempts allow attackers to execute arbitrary commands remotely.
  • DotNetNuke (DNN) Content Management System (CVE-2017-9822) – This vulnerability allows an attacker to gain unauthorised access remotely via a cookie.

The campaign also leverages the known Server Message Block (SMB) "EternalBlue" and "EternalSynergy" exploits (CVE-2017-0143 to CVE-2017-0148) to self-propagate onto other vulnerable servers on connected networks.

Affected Systems

Internet-facing servers using the following vulnerable versions of software are affected:

Apache Struts 2
  • 2.3.x before 2.3.32
  • 2.5.x before 2.5.10.1

DotNetNuke (DNN) Content Management System
  • Before 9.1.1
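The version ranges above are easy to misread during an inventory sweep (2.5.10 is affected, 2.5.10.1 is not), so the following added example, which is not part of the SingCERT advisory, encodes them as a check that can be run over a hypothetical host inventory. It assumes plain dotted numeric version strings with no build suffixes.

```python
"""Flag hosts whose Apache Struts 2 or DNN version falls in the advisory's vulnerable ranges."""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare component by component."""
    return tuple(int(part) for part in text.strip().split("."))


# Vulnerable ranges as stated in the advisory: (branch prefix, first fixed version).
STRUTS_BRANCHES = [((2, 3), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]
DNN_FIXED = (9, 1, 1)


def struts_is_vulnerable(version: str) -> bool:
    """True for 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1."""
    v = parse_version(version)
    for prefix, fixed in STRUTS_BRANCHES:
        if v[:len(prefix)] == prefix:
            return v < fixed  # (2, 5, 10) < (2, 5, 10, 1) is True; equal versions are not
    return False  # not a 2.3.x or 2.5.x release, so outside this advisory's scope


def dnn_is_vulnerable(version: str) -> bool:
    """True for any DNN release before 9.1.1."""
    return parse_version(version) < DNN_FIXED


def assess(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (hostname, product, version); returns the rows needing an upgrade."""
    checks = {"struts": struts_is_vulnerable, "dnn": dnn_is_vulnerable}
    return [row for row in inventory if checks[row[1]](row[2])]


# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = [
    ("web-01", "struts", "2.3.31"),
    ("web-02", "struts", "2.3.32"),
    ("web-03", "struts", "2.5.10"),
    ("web-04", "struts", "2.5.10.1"),
    ("cms-01", "dnn", "9.0.2"),
    ("cms-02", "dnn", "9.1.1"),
]

if __name__ == "__main__":
    for host, product, ver in assess(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is in a vulnerable range; upgrade")
```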

Impact

A successful attack can consume an enormous amount of computing resources, which could result in service disruption. The attacker can also remotely perform a variety of malicious tasks after gaining control of a compromised server.

Recommendations

System administrators should upgrade the affected software to the latest version immediately, using the links in the References section below:

References

https://f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks

https://nvd.nist.gov/vuln/detail/CVE-2017-5638

https://nvd.nist.gov/vuln/detail/CVE-2017-9822