Published on Tuesday, 19 December 2017 18:31

Background
On 15 December 2017, security researchers detected a malicious cyber campaign, known as “Zealot”, that hijacks the computing power of compromised Internet-facing servers to mine for "Monero", a type of digital currency.
The campaign installs and executes Monero miner malware on vulnerable servers by exploiting the known vulnerabilities below:
- Apache Struts Jakarta Multipart Parser (CVE-2017-5638) – This vulnerability has incorrect exception handling and error-message generation during file-upload attempts, allowing attackers to execute arbitrary commands remotely.
- DotNetNuke (DNN) Content Management System (CVE-2017-9822) – This vulnerability allows the attacker to gain unauthorised access remotely via a cookie.
It also leverages known Server Message Block (SMB) "EternalBlue" and "EternalSynergy" exploits (CVE-2017-0143 to 0148) to self-propagate onto other vulnerable servers on connected networks.
Internet-facing servers using the following vulnerable versions of software are affected:
Apache Struts 2
- 2.3.x before 2.3.32
- 2.5.x before 22.214.171.124
DotNetNuke (DNN) Content Management System
A successful attack can consume an enormous amount of computing resources, which could result in service disruption. The attacker can also remotely perform a variety of malicious tasks after gaining control of a compromised server.
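To locate servers that still carry an affected Apache Struts 2 release, the following added example (not part of the original advisory) walks a deployment directory and classifies each `struts2-core` jar against the 2.3.x bound given above. It assumes Maven-style jar names; the 2.5.x bound is left as a caller-supplied value rather than hard-coded, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# First fixed release per branch. 2.3.32 is the bound stated in the advisory.
# The 2.5.x bound is deliberately None: supply the real value from the vendor
# bulletin as a tuple of ints (assumption: the caller passes it in).
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): None}

# Assumed Maven-style artifact name, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def classify(version, fixed_in=FIXED_IN):
    """Return 'affected', 'fixed' or 'unknown' for a version tuple."""
    bound = fixed_in.get(version[:2])
    if bound is None:  # branch not listed, or no bound supplied
        return "unknown"
    width = max(len(version), len(bound))
    pad = lambda v: v + (0,) * (width - len(v))  # treat 2.3.32 as 2.3.32.0
    return "affected" if pad(version) < pad(bound) else "fixed"


def classify_jar(name, fixed_in=FIXED_IN):
    """Classify one jar file name; unparsable names are 'unknown'."""
    m = JAR_RE.match(name)
    if not m:  # e.g. -SNAPSHOT or repackaged builds need manual review
        return "unknown"
    return classify(tuple(int(p) for p in m.group(1).split(".")), fixed_in)


def scan(root, fixed_in=FIXED_IN):
    """Walk root and return [(path, verdict)] for every struts2-core jar."""
    return [(str(p), classify_jar(p.name, fixed_in))
            for p in sorted(Path(root).rglob("struts2-core-*.jar"))]


if __name__ == "__main__":
    # Usage: python struts_inventory.py /path/to/webapps
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:9} {path}")
```

Jars packed inside unexpanded WAR or EAR archives are not visible to this walk, and every "unknown" verdict needs manual review rather than being read as safe.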
System administrators should upgrade their systems to the latest version immediately via the links below: