Past few year Crypto currency mining is a very easy method for cybercriminals to Generating the huge revenue by hijacking the Web- browser and injecting the malicious script and taking control of the CPU Usage from the Victims.
Mining cryptocurrencies in a legitimate way are quite resource consuming process, so attackers demanding ransom payments and infecting other computers to mine the cryptocurrencies.
Vulnerabilities Exploited – Cryptocurrency Mining Malware
Attackers targetted the patched vulnerabilities CVE-2017-12635 (Apache CouchDB JSON Remote Privilege Escalation Vulnerability) and CVE-2017-12636 (Apache CouchDB _config Command Execution).
Researchers said “exploitation of these vulnerabilities can provide attackers with duplicate keys that allow them access control — including administrator rights — within the system. The attackers can then use these functions to execute arbitrary code.”
CouchDB is one of the popular database management systems and is ranked 27th out of 309 according to DB-engines. By default, it looks like TCP port 5984 and the peak periods of monero mining activity in the first part of February.
By exploiting the vulnerability CVE-2017-12635 attackers can create a CouchDB account with admin privileges and later used the admin account to run the remote code by exploiting the vulnerability CVE-2017-12636.
Cryptocurrencies attack’s are in uprise starting from 2018, mining cryptocurrency requires a computational power. Due to these difficulties, attackers use exploits flaws in organizations that contains huge resources.
Mitigations – Cryptocurrency Mining Malware
As long as your server has RCE vulnerability attackers take an advantage of it and include malicious scripts. The cryptocurrency attacks not only compromise the system, it consumes all the system resources.
Trend Micro Suggested Few Mitigation
1. Regular system updates can prevent exploiting the vulnerabilities.
2. Don’t use default system credentials.
3. By placing Intrusion detection system these attacks can be mitigated.
Hash Detected as HKTL_COINMINE.GE 63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017 Hash Detected as HKTL_COINMINE.GP 8bf1def5479b39376b3790a83380831d288c57dd4fbad8e64abc3a9062eb56bb Hash Detected as HKTL_COINMINE.GQ 5bb66a5e9a7f6c76325a55b7a4a3128fc8631805676bbd3315ce2ac04ac2937b