By leveraging more than 20 known vulnerabilities in Linux and Windows servers, the HolesWarm cryptominer malware has been able to break into more than 1,000 cloud hosts just since June.
The basic cryptominer botnet has been so successful at juggling so many different known vulnerabilities between attacks, researchers at Tencent who first identified HolesWarm refer to the malware as the “King of Vulnerability Exploitation.”
Tencent warned that both government and enterprise should mitigate known vulnerabilities as soon as possible to prevent from falling prey to the next HolesWarm attack.
“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise,” Tencnt analysts said in its Tuesday report.
Besides its cryptomining function, HolesWarm gives attackers password information and even control of the victim’s server.
HolesWarm Exploits Known Vulns
The Tencent team observed HolesWarm using high-risk vulnerabilities in various common office server components, including Apache Tomcat, Jenkins, Shiro, Spring boot, Structs2, UFIDA, Weblogic, XXL-JOB and Zhiyuan.
“As the HolesWorm virus has changed more than 20 attack methods in a relatively short period of time, the number of cloud hosts is still on the rise,” the report said. “Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.”
The botnet uses infected systems to mine for Monero. Cryptominers audit endless strings of blockchain in return for the promise they might eventually be rewarded with cryptocurrency. This sort of thing is only profitable if there are many machines counting many strings of blockchain. Cryptominer malware takes over a victim’s system and puts it to work as part of a more widespread criminal effort to mine Monero at scale, using someone else’s resources.
The threat actors are constantly updating their tactics, according to Tencent researchers.
“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”
The researchers added the module configuration data has changed “rapidly, indicating the attacker and frequently updating their attack methods.”
The apparent ease with which the cryptominer malware was detected along with its rapid evolution indicates a threat group just getting their criminal hacking enterprise off the ground, according to Dirk Schrader from New Net Technologies.
“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader told Threatpost.
Of course, without unpatched servers lingering out there with known security holes the virus wouldn’t have anywhere to spread. Yaniv Bar-Dayan, EO of Vulcan Cyber told Threatpost leaving unmitigated vulnerabilities exposed to hackers is “inexcusable.”
“It’s the reason why 76 percent of IT security executives we recently surveyed said IT vulnerabilities impacted their business in the last year,” Bar-Dayan added. “Organizations with exploitable known vulnerabilities should feel lucky if the worst that happens to their digital estate is a HolesWarm cryptominer deployment.”