Home / Archive / Cryptojacking Campaign Uses Five-Year-Old Vulnerability to Rake in Monero

Cryptojacking Campaign Uses Five-Year-Old Vulnerability to Rake in Monero

Last Updated March 4, 2021 5:06 PM
Francisco Memoria
Last Updated March 4, 2021 5:06 PM

A nearly five-year-old vulnerability is reportedly being used to infect Linux servers with a crypto mining malware that’s allowing hackers to use them to mine privacy-centric cryptocurrency Monero (XMR), according to US-based cybersecurity firm Trend Micro .

Per the firm’s report, hackers are taking advantage of a vulnerability found in the Network Weathermap plugin for Cacti. The vulnerability being exploited is classified as CVE-2013-2618, and is allowing hackers to gain code execution ability on the underlying serves. This way, they’re able to install a customized version of XMRig, a legitimate, open-source Monero mining software.

Researchers detail that the attackers are able to guarantee maximum uptime through the vulnerability, by checking in on the mining malware every three minutes, in case anyone shuts down the system. To avoid detection, the attackers are instructing XMRig to perform discreetly, by limiting the maximum amount of CPU resources it will take advantage of to mine.

Notably a patch for the vulnerability has reportedly been available for about five years. Some users may still be unknowingly mining Monero for the hackers, despite being able to easily fix the problem. Trend Micro’s report reads:

“It’s also a classic case of reused vulnerabilities, as it exploits a rather outdated security flaw whose patch has been available for nearly five years.”

The flaw was initially identified five years ago, in April 2013, in the Weathermap plugin. The open-source plugin is used by ISPs, internet exchanges, Fortune 500 companies, and telecom network to map network activity.

The cryptojacking campaign is mainly targeting publicly accessible x86-64 Linux servers throughout the world, with the most affected countries being Japan, Taiwan, China, the United States, and India.

Cryptojacking campaign scope

Trend Micro researchers managed to discover two Monero wallets receiving the ill-gotten funds, and noted the campaign netted hackers 320 Monero (roughly $63,000) as of March 21. They noted, however, that this campaign is connected to one that used JenkinsMiner malware on Windows machines, and raked in at least $3 million worth of XMR.

Users can protect their machines by simply keeping their systems patched. Those running Cacti’s Network Weathermap plugin, researchers note, need to secure their data and keep it away from public servers. The firm’s report reads:

“Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments, it also does the same for threat actors.”

Notable cryptojacking victims include Tesla, and Starbucks as its Wi-Fi was found using people’s laptops to mine. A malware campaign also managed to hijack millions of Android devices to mine earlier this year.

Featured image from Shutterstock.