Couple of Minutes, Copy-Pasted Mining Tool & Unprotected Systems Make Hackers $63,000
A cybercriminal has made over $60,000 in the past three months by exploiting unpatched IIS 6.0 servers for mining monero (XMR) cryptocurrency. Discovered first by the security researchers at ESET, the hacker (or a group of them) used a vulnerability in IIS 6.0 - tracked as CVE-2017-7269 - to hijack machines and then install a monero miner.
In the past few months, several reports have revealed how cybercriminals are shifting their resources to take over computers for mining purposes. Cryptocurrency mining using hijacked computers can make criminals over tens of thousands of dollars a month. Following multiple similar reports, the latest report reveals a new malware strain where hackers infected hundreds of Windows servers with a secret cryptocurrency mining program, generating $63,000 over three months.
Monero mining: "Couple of minutes" of work and huge profits
While the attack is unsophisticated and uses outdated Windows servers, it has been working for the criminals as there is never a shortage of such machines. But why is there such a sudden focus on mining monero instead of bitcoin?
"While far behind Bitcoin in market capitalization, Monero has several features that make it a very attractive cryptocurrency to be mined by malware - untraceable transactions and a proof of work algorithm called CryptoNight, which favors computer or server CPUs and GPUs, in contrast to specialized mining hardware needed for Bitcoin mining," ESET researchers wrote in their report.
As the last few months have shown, feds can actually track bitcoin to take down both the dark web marketplaces and their biggest vendors. Monero, however, offers anonymous transactions, which means criminals will remain hidden from the officials until they discover new techniques to track them down.
Monero mining also doesn't require specialized hardware, unlike bitcoin mining. A separate report had shown earlier how hackers were using CPUs to mine monero. By hijacking thousands of vulnerable machines (and even more in larger botnets), criminals substantially increase their chances of making huge profits.
A zero-day helps criminals take over Windows servers
The CVE-2017-7269 vulnerability in the IIS 6.0 WebDAV service was categorized as a zero-day when it was first discovered in March. While the flaw has been patched, several machines remain vulnerable.
ESET's research also revealed how the hackers simply copy-pasted a legitimate open-source monero CPU miner called xmrig and added hardcoded command line arguments for the attacker's wallet address and the mining pool URL.
"This couldn’t have taken the cybercrooks more than just couple of minutes as suggested by the fact that we saw it in-the-wild on the same day the base version of xmrig was released," ESET wrote.
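The miner described above leaves a recognisable footprint: a known miner binary, a stratum pool URL and a 95-character monero wallet address on the command line. The following is an added detection example for defenders, not ESET's code and not anything from the xmrig project; it scores process-creation records for those indicators. The tab-separated log format, the `web01`/`web02`/`web03` hosts, the `pool.example.invalid` pool names and the wallet address are all constructed for the example (the wallet is just the Base58 alphabet repeated, not a real address).

```python
"""Score process command lines for xmrig-style monero miner indicators.

Added detection example (not ESET's or xmrig's code). Indicators follow the
article: a miner binary, a stratum pool URL and a hardcoded wallet address.
All sample data below is constructed.
"""
import re
from typing import Dict, List

# Monero standard addresses are 95 Base58 characters starting with '4'
# (subaddresses start with '8'); Base58 omits 0, O, I and l.
BASE58 = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz123456789"
MONERO_ADDRESS = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"
)
# Mining pools are reached over the stratum protocol.
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[^\s\"']+", re.IGNORECASE)
# Binary names of common open-source CPU miners (xmrig is the one in the article).
MINER_NAMES = re.compile(r"\b(xmrig|xmr-stak|minerd|cpuminer)(\.exe)?\b", re.IGNORECASE)
# Long-form xmrig options; short forms like -o/-u/-p are too generic to score.
MINER_FLAGS = re.compile(r"(?:^|\s)--(?:url|user|pass|donate-level|keepalive|cpu-priority)\b")

# Constructed wallet: '4' plus 94 Base58 characters (not a real address).
FAKE_WALLET = "4" + (BASE58 * 2)[:94]

# Constructed process-creation records: host<TAB>user<TAB>command line.
SAMPLE_LOG = [
    "web01\tNETWORK SERVICE\tC:\\Windows\\Temp\\xmrig.exe -o stratum+tcp://pool.example.invalid:3333 "
    f"-u {FAKE_WALLET} -p x --donate-level 1 --keepalive",
    "web01\tSYSTEM\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "web02\tNETWORK SERVICE\tC:\\inetpub\\wwwroot\\update.exe --url stratum+ssl://pool.example.invalid:5555 "
    f"--user {FAKE_WALLET} --pass x",
    "web02\tAdministrator\tC:\\Program Files\\Backup\\backup.exe --url https://backup.example.invalid "
    "--user admin --pass secret",
    # Renamed miner with everything hardcoded: nothing on the command line to match.
    "web03\tNETWORK SERVICE\tC:\\Windows\\Temp\\w3wp_helper.exe",
]


def score_command_line(cmd: str) -> Dict[str, object]:
    """Return a score, a verdict and the reasons for one command line.

    Strong indicators (pool URL, wallet) score 3 each; weaker ones score 2.
    A single strong indicator is enough; generic --url/--user/--pass alone is not.
    """
    score = 0
    reasons: List[str] = []
    if STRATUM_URL.search(cmd):
        score += 3
        reasons.append("stratum pool URL")
    if MONERO_ADDRESS.search(cmd):
        score += 3
        reasons.append("monero wallet address")
    if MINER_NAMES.search(cmd):
        score += 2
        reasons.append("known miner binary name")
    flag_count = len(MINER_FLAGS.findall(cmd))
    if flag_count >= 2:
        score += 2
        reasons.append(f"{flag_count} miner-style long options")
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


def scan_process_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse host<TAB>user<TAB>command records and return the suspicious ones."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        host, user, cmd = line.split("\t", 2)
        verdict = score_command_line(cmd)
        if verdict["suspicious"]:
            hits.append({"host": host, "user": user, "command": cmd, **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG):
        print(f"{hit['host']} ({hit['user']}): score={hit['score']} {hit['reasons']}")
        print(f"    {hit['command']}")
```

Running it flags the two records that carry a pool URL and a wallet (`web01`, `web02`) and leaves the backup job alone even though it uses `--url`/`--user`/`--pass`. The last record is the caveat the article itself implies: when the wallet and pool are compiled into a renamed binary, the command line shows nothing, so this check should be paired with network telemetry (outbound stratum connections) and sustained-CPU baselines on web servers rather than relied on by itself.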
Sysadmins are advised to install the patches on their Windows servers running IIS 6.0. Due to its severity, Microsoft made the patch available even for end-of-life products like Windows XP and Server 2003.
The reports shared in the past few months reveal how "minimal know-how together with very low operating costs and a low risk of getting caught" can make hackers hundreds of thousands of dollars in mining cryptocurrency.
"Sometimes it takes very little to gain a lot," ESET wrote. "This is especially true in today’s world of cybersecurity, where even well-documented, long-known and warned about vulnerabilities are still very effective due to the lack of awareness of many users."