A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.
Research company Juniper started monitoring what it's calling the Sysrv botnet in December. One of the botnet's malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.
The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.
"Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal," Juniper researcher Paul Kimayong said in a Thursday blog post.
Straight from the above blog post, the malware's exploits include:
| Exploit | Software |
| --- | --- |
| CVE-2021-3129 | Laravel |
| CVE-2020-14882 | Oracle Weblogic |
| CVE-2019-3396 | Widget Connector macro in Atlassian Confluence Server |
| CVE-2019-10758 | Mongo Express |
| CVE-2019-0193 | Apache Solr |
| CVE-2017-9841 | PHPUnit |
| CVE-2017-12149 | Jboss Application Server |
| CVE-2017-11610 | Supervisor (XML-RPC) |
| Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE) | Apache Hadoop |
| Brute force Jenkins | Jenkins |
| Jupyter Notebook Command Execution (No CVE) | Jupyter Notebook Server |
| CVE-2019-7238 | Sonatype Nexus Repository Manager |
| Tomcat Manager Unauth Upload Command Execution (No CVE) | Tomcat Manager |
| WordPress Bruteforce | WordPress |
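Because the worm sweeps the Internet for any of these services, one source address probing several of them in a short window is a useful hunting signal in web server logs. The following is an added defender-side example, not code from Juniper or the report: it parses Common Log Format lines and flags a client that touches three or more of the listed services within ten minutes. The request paths used to recognise each service are this example's own assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Paths assumed (not taken from the report) to identify each service's
# management or RPC interface from the Sysrv exploit list.
SERVICE_PATHS = {
    "Tomcat Manager": re.compile(r"^/manager/"),
    "Jupyter Notebook": re.compile(r"^/api/(terminals|kernels)"),
    "Jenkins": re.compile(r"^/j_acegi_security_check"),
    "WordPress": re.compile(r"^/(wp-login\.php|xmlrpc\.php)"),
    "Supervisor XML-RPC": re.compile(r"^/RPC2"),
    "Apache Solr": re.compile(r"^/solr/"),
    "Hadoop YARN": re.compile(r"^/ws/v1/cluster/apps"),
    "Laravel Ignition": re.compile(r"^/_ignition/execute-solution"),
}
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def classify(path):
    # Map a request path to the service it is probing, or None if unrelated.
    return next((name for name, rx in SERVICE_PATHS.items() if rx.search(path)), None)

def find_scanners(lines, min_services=3, window_s=600):
    # Return {ip: sorted services} for clients hitting >= min_services within window_s.
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ip, when, _, path, _ = rec
        svc = classify(path)
        if svc:
            hits[ip].append((when, svc))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_services:
                flagged[ip] = sorted(seen)
                break
    return flagged

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [10/Apr/2021:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Apr/2021:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2021:12:00:03 +0000] "POST /RPC2 HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Apr/2021:12:00:04 +0000] "POST /api/terminals HTTP/1.1" 403 0',
    '198.51.100.4 - - [10/Apr/2021:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Running `find_scanners(SAMPLE_LOG)` flags only 203.0.113.7; the single WordPress login from 198.51.100.4 stays below the threshold.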