
SoylentNews is people

posted by Fnord666 on Saturday April 10, @06:54PM
from the gold-digger dept.

https://arstechnica.com/gadgets/2021/04/windows-and-linux-devices-are-under-attack-by-a-new-cryptomining-worm/

A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.

Research company Juniper started monitoring what it's calling the Sysrv botnet in December. One of the botnet's malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.

The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.
[...]
"Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal," Juniper researcher Paul Kimayong said in a Thursday blog post.

Straight from the above blog post, the malware's exploits include:

Exploit                                                                              Software
CVE-2021-3129                                                                        Laravel
CVE-2020-14882                                                                       Oracle Weblogic
CVE-2019-3396                                                                        Widget Connector macro in Atlassian Confluence Server
CVE-2019-10758                                                                       Mongo Express
CVE-2019-0193                                                                        Apache Solr
CVE-2017-9841                                                                        PHPUnit
CVE-2017-12149                                                                       Jboss Application Server
CVE-2017-11610                                                                       Supervisor (XML-RPC)
Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE)    Apache Hadoop
Brute force Jenkins                                                                  Jenkins
Jupyter Notebook Command Execution (No CVE)                                          Jupyter Notebook Server
CVE-2019-7238                                                                        Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload Command Execution (No CVE)                              Tomcat Manager
WordPress Bruteforce                                                                 WordPress


  • (Score: -1, Troll) by Anonymous Coward on Saturday April 10, @07:32PM (2 children)

    by Anonymous Coward on Saturday April 10, @07:32PM (#1135767)
    Oh well, stupid is as stupid does.
    • (Score: 1, Funny) by Anonymous Coward on Saturday April 10, @08:02PM

      by Anonymous Coward on Saturday April 10, @08:02PM (#1135775)

      A lot of people use WordPress. According to https://w3techs.com/technologies/details/cm-wordpress, 41% of all websites run WordPress.

    • (Score: 2, Insightful) by Anonymous Coward on Saturday April 10, @08:35PM

      by Anonymous Coward on Saturday April 10, @08:35PM (#1135790)

      For a lot of people WiX instant-mix or WordPress is the (only/easiest) way to make a website. Hand coding from the ground up is for a small elite.

      My opinion - frameworks and big complex 3rd party code just increases the attack surface exponentially.

  • (Score: 0) by Anonymous Coward on Saturday April 10, @09:01PM (6 children)

    by Anonymous Coward on Saturday April 10, @09:01PM (#1135805)

    There is no other way to make the internet secure

    • (Score: 0) by Anonymous Coward on Saturday April 10, @09:07PM (5 children)

      by Anonymous Coward on Saturday April 10, @09:07PM (#1135807)

      Huh? Maybe you meant ASCII where you said HTML.

      Otherwise it is like: ban Coca Cola and let's go back to pure wooden wagon wheels.
      *** Error - unrelated objects. Null-pointer encountered, core dumped.

      • (Score: 3, Touché) by khallow on Saturday April 10, @11:25PM (1 child)

        by khallow (3766) Subscriber Badge on Saturday April 10, @11:25PM (#1135840) Journal
        Don't try to confuse me with your facts and reason. Let's do this! Let's protect the internets!
        • (Score: 2) by EEMac on Sunday April 11, @11:48AM

          by EEMac (6423) on Sunday April 11, @11:48AM (#1135999)

          Won't somebody PLEASE think of the children?!

      • (Score: 0) by Anonymous Coward on Sunday April 11, @02:29AM (1 child)

        by Anonymous Coward on Sunday April 11, @02:29AM (#1135883)

        > Maybe you meant ASCII where you said HTML.

        No, ASCII goes without mentioning. But you can still write CSS and Java with ASCII, so we have to ban them too and go back to pure HTML on the interwebs. Print to screen should be the only function allowed.

        • (Score: 2) by Azuma Hazuki on Sunday April 11, @02:41AM

          by Azuma Hazuki (5086) on Sunday April 11, @02:41AM (#1135885) Journal

          Come on now, it's the internet, not Gnome :V

          --
          I am "that girl" your mother warned you about...
      • (Score: 2) by engblom on Monday April 12, @10:48AM

        by engblom (556) on Monday April 12, @10:48AM (#1136309)

        No, standard HTML itself is evil. It gives too much freedom. What I want is this:

        Each page consists of two things: a menu file and a content file. No scripts, CSS, tags for changing fonts, etc. The content is just plain text/links/tables/pictures/forms with a simple markup. Since it would be without scripts, it would have a few special items like a checkbox for checking all other checkboxes (as in select all mails).

        What the site would look like is completely up to the reader program. There you make your settings and there you decide what colors/fonts/etc different items should have.

  • (Score: 3, Informative) by krishnoid on Saturday April 10, @09:38PM (2 children)

    by krishnoid (1156) on Saturday April 10, @09:38PM (#1135818)

    The table cells are explicitly restricted to 312px width in the HTML source. Not a huge deal, but it forced a little wrapping in my browser window.

    Maybe the next time a table is put in the summary (and it would be helpful to hide large tables in a spoiler tag), a little validation could be used to make sure there aren't arbitrary formatting limits like this.

    • (Score: 4, Informative) by martyb on Sunday April 11, @11:46PM (1 child)

      by martyb (76) Subscriber Badge on Sunday April 11, @11:46PM (#1136166) Journal

      > The table cells are explicitly restricted to 312px width in the HTML source. Not a huge deal, but it forced a little wrapping in my browser window.

      Ooops! I noticed that when I copy/pasted from the source, but forgot to clean it up before saving. My bad! And... fixed!

      > Maybe the next time a table is put in the summary (and it would be helpful to hide large tables in a spoiler tag), a little validation could be used to make sure there aren't arbitrary formatting limits like this.

      1.) Added a spoiler tag as suggested. Good idea!

      2.) The UI for editing stories is — how to put this graciously — excruciatingly useful.

      3.) There is already so much stuff for editors to mentally track that we have a policy of trying to have another editor review a story before it goes live on the site. Doesn't always happen, but we do strive for it and do succeed the vast majority of the time. We'll add this to the collection.

      --
      Wit is intellect, dancing.
      • (Score: 2) by krishnoid on Monday April 12, @12:06AM

        by krishnoid (1156) on Monday April 12, @12:06AM (#1136178)

        I was thinking of programmatic validation on tables specifically for extra stuff in the tags (since most of the rest of the articles are pretty much text and quotes). Thanks!

  • (Score: 5, Funny) by Anonymous Coward on Saturday April 10, @09:48PM (1 child)

    by Anonymous Coward on Saturday April 10, @09:48PM (#1135819)

    If your computer runs normal grown-up software you're OK, it's only retarded millennial apps like Mondo, Hadoop and Jupyter that are included here... and idiots who can't write and compile their own code but have to link in a Ruby gem to wipe their ass deserve every exploit they get.

    • (Score: 0) by Anonymous Coward on Tuesday April 13, @12:10AM

      by Anonymous Coward on Tuesday April 13, @12:10AM (#1136761)

      Well, I have web apps that use Laravel, but if you're running a production web app with debug on, you're going to get your ass handed to you in some way. I uninstall Ignition and use whoops in dev environ. Ignition has stupid priorities at first glance.

  • (Score: 1) by melyan on Saturday April 10, @10:18PM (1 child)

    by melyan (14385) on Saturday April 10, @10:18PM (#1135830) Journal

    The worm could be buggy and not generate enough money.

    • (Score: 3, Touché) by Dr Spin on Saturday April 10, @10:54PM

      by Dr Spin (5239) on Saturday April 10, @10:54PM (#1135835)

      Fortunately I still have my buggy-whip - it is very useful for maintaining PHP.

      --
      Guns don't kill thousands, presidents kill thousands.
  • (Score: 2) by istartedi on Saturday April 10, @11:34PM (5 children)

    by istartedi (123) on Saturday April 10, @11:34PM (#1135844) Journal

    My machine sucks and would have to grind hashes for a million years to make a satoshi. If this thing starts up on my machine, I'll know right away. Yeah, they're hoping to hash across millions of machines, I get that; but even so, any worthwhile cycle-stealing from this box seems like it'd be pretty obvious.

    So take that, miners! Crappy, slow, old hardware FTW!

    • (Score: 2) by Rosco P. Coltrane on Sunday April 11, @06:03AM (4 children)

      by Rosco P. Coltrane (4757) on Sunday April 11, @06:03AM (#1135955)

      The problem is, while your shitty hardware sticks it to the rogue miners, it also kind of freezes on you while the crypto-mining software attempts to max out your CPU.

      Or are you banking on the malware having a nice benchmarking test before running that goes "Oh, this machine is kinda lame. Better not attempt any mining here to avoid detection!"?

      • (Score: 2) by Unixnut on Sunday April 11, @11:43AM (2 children)

        by Unixnut (5779) on Sunday April 11, @11:43AM (#1135997)

        > Or are you banking on the malware having a nice benchmarking test before running that goes "Oh, this machine is kinda lame. Better not attempt any mining here to avoid detection!"?

        I don't know, I'm not a malware developer, but it sounds like a decent idea. Each machine you infect increases the chances of being noticed and shut down, so if your goal is to make money, you want to keep your profile low.

        This means not impacting the machines you infect. Even in nature, a parasite that kills its host is outcompeted by those that don't. So logically a malware dev wants their malware to infect and run on machines that can provide decent compute power without impacting the machine enough that the admins/owners notice.

        They also would want to concentrate on fewer more powerful machines, as it reduces the chance of people noticing machines becoming crippled and investigating.

        So yes, doing a quick benchmark and deciding that the machine would take 6 months to generate 0.00001 of some crypto coin, all while crippling it to the point it gets rebuilt or someone notices and busts your botnet, is a risk not worth the effort seems like not a bad idea.

        • (Score: 0) by Anonymous Coward on Tuesday April 13, @02:31AM

          by Anonymous Coward on Tuesday April 13, @02:31AM (#1136812)
          There's no need to do a benchmark. The crypto miners could just add some "sleeps" or throttling to not max out the CPU.
        • (Score: 2) by TheRaven on Tuesday April 13, @11:57AM

          by TheRaven (270) on Tuesday April 13, @11:57AM (#1136949) Journal

          > So yes, doing a quick benchmark and deciding that the machine would take 6 months to generate 0.00001 of some crypto coin

          That's not really how it works. The 'mining' is probabilistic. If you're trying a lot fewer hashes per second than another machine, you may still find the right one early; you're just a lot less likely to. If you're not paying for power, it's always worth adding more compute, even if it's only a small amount.

          It's also not clear to me that you'd be more likely to be noticed on slower machines. People with slow machines already expect things to be slow; people who buy fast machines are likely to notice if they're not getting what they paid for.

          All of that said, normally this kind of malware cloaks itself so that it doesn't show up in process monitors and runs at the equivalent of idle priority, so it shouldn't actually slow things down except by maybe making thermal throttling kick in earlier.

          --
          sudo mod me up
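TheRaven's point that mining is a probabilistic race, not a fixed "6 months per coin", can be checked numerically. The Python below is an added example written for this page, not code from the article, Juniper, or any commenter. It uses the standard idealization of proof-of-work: each hash succeeds independently with a small probability, so a miner's time to solution is exponentially distributed with rate (hash rate x per-hash probability). The hash rates, the per-hash probability and the trial count are constructed values; the functions compare the simulated share of races a slow machine wins with the analytic value h_slow / (h_slow + h_fast).

```python
import math
import random


def slow_wins_fraction_analytic(h_slow, h_fast):
    """Exact probability that the slower miner solves first.

    With exponential solution times at rates h_slow*p and h_fast*p, the
    slow machine wins the race with probability h_slow/(h_slow+h_fast);
    the per-hash probability p cancels out, so even a tiny share of the
    total hash rate still wins that same share of the races.
    """
    return h_slow / (h_slow + h_fast)


def expected_time_to_solution(hash_rate, p_per_hash):
    """Mean seconds for a lone miner at hash_rate hashes/s when each hash
    succeeds independently with probability p_per_hash."""
    return 1.0 / (hash_rate * p_per_hash)


def simulate_race(h_slow, h_fast, p_per_hash, trials, seed=1):
    """Monte Carlo of `trials` races between a slow and a fast miner.

    Returns (fraction of races the slow miner won,
             fraction of races in which the slow miner finished before
             its own expected time).  The second number is the
    "you may still find the right one early" effect: for an exponential
    waiting time it is 1 - e^-1 (about 0.63), regardless of hash rate.
    """
    rng = random.Random(seed)            # fixed seed: reproducible result
    t_expected_slow = expected_time_to_solution(h_slow, p_per_hash)
    slow_wins = 0
    slow_early = 0
    for _ in range(trials):
        # Time until each miner's first successful hash, in seconds.
        t_slow = rng.expovariate(h_slow * p_per_hash)
        t_fast = rng.expovariate(h_fast * p_per_hash)
        if t_slow < t_fast:
            slow_wins += 1
        if t_slow < t_expected_slow:
            slow_early += 1
    return slow_wins / trials, slow_early / trials


if __name__ == "__main__":
    # Constructed values: a 1 kH/s box against a 10 kH/s box, and a
    # per-hash success probability chosen only to keep times readable.
    H_SLOW, H_FAST, P = 1000.0, 10000.0, 1e-7
    print("expected time, slow miner alone: %.0f s" % expected_time_to_solution(H_SLOW, P))
    print("analytic P(slow wins): %.4f" % slow_wins_fraction_analytic(H_SLOW, H_FAST))
    won, early = simulate_race(H_SLOW, H_FAST, P, trials=20000)
    print("simulated P(slow wins): %.4f" % won)
    print("simulated P(slow finishes before its own mean): %.4f (1-e^-1 = %.4f)"
          % (early, 1 - math.exp(-1)))
```

The simulation makes the comment's two claims concrete: the slow machine's win rate is its fraction of the combined hash rate (adding any compute adds proportionally to the attacker's expected income), and about 63% of the time it finishes sooner than its own mean, which is why "it would take 6 months" is only an average, not a guarantee.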
      • (Score: 2) by istartedi on Sunday April 11, @05:59PM

        by istartedi (123) on Sunday April 11, @05:59PM (#1136069) Journal

        I was going for +Funny mods. I think it ought to be obvious that I don't want *any* malware on my machine, because if the malware decides that mining isn't worthwhile, it might have additional code that keylogs or something.
