Crooks hacked Microsoft servers to mine Monero, they earned $63K in 3 months
29.9.2017 securityaffairs CyberCrime

Experts from security firm ESET discovered cyber criminals exploiting Microsoft Servers to mine Monero and already earned $63,000 in 3 Months.
Mining cryptocurrencies is a profitable business, but it is also expensive because it needs significant investment in computing power. Crooks are using malicious code that steals computing resources of victims’ machine and the number of attacks aimed to mine cryptocurrencies continues to increase.

Security researchers at security firm ESET have discovered a malware campaign that infected hundreds of Windows web servers with a malicious cryptocurrency miner. According to the experts, the criminal gang behind the attack made more than $63,000 worth of Monero (XMR) in just three months.

monero botnet

Crooks modified a legitimate open source Monero mining code and exploited a known buffer overflow vulnerability (CVE-2017-7269) in Microsoft IIS 6.0 to deploy the miner on unpatched Windows servers.

“One such operation has been going on since at least May 2017, with attackers infecting unpatched Windows webservers with a malicious cryptocurrency miner. The goal: use the servers’ computing power to mine Monero (XMR), one of the newer cryptocurrency alternatives to Bitcoin.” states a report published by ESET.

“To achieve this, attackers modified legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to covertly install the miner on unpatched servers. Over the course of three months, the crooks behind the campaign have created a botnet of several hundred infected servers and made over USD 63,000 worth of Monero.”

The impact of the CVE-2017-7269 vulnerability is significant, according to data provided by the W3Techs, Microsoft’s IIS is currently the third most popular web server solution in the wild (11.4% of all websites). IIS 6.0 accounts for 11.3%, roughly 1.3% of all websites on the Internet. According to BuiltWith, IS 6.0 version is currently used by 2.3% of the entire Internet, over 8.3 million live websites are using IIS 6.0.

The vulnerability doesn’t affect newer versions of Microsoft Internet Information Services.

In order to mitigate the risk of cyber attacks, it is possible to disable the WebDAV service on IIS 6.0 installations.

Crooks are focusing their efforts on Monero cryptocurrency because of its focus on privacy and because it has a good mining profitability, it leverages on the proof-of-work algorithm called CryptoNight, which suits computer or server CPUs and GPU without requiring specific mining hardware.

Recently security experts have detected an increasing number of miners, in August a new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.

On May 2017 security experts at Proofpoint discovered that many machines weren’t infected by WannaCry because they were previously infected by the Adylkuzz cryptocurrency mining malware that uses the NSA EternalBlue exploit.to spread and infect machines to involve in a Monero botnet.

In the same month, GuardiCore malware experts discovered a new botnet malware, dubbed BondNet, that at the time infected an estimated 15,000 Windows server computers worldwide for mining Monero.