A Thousand Corporate Systems Infected With XMR Mining Malware
Hackers continue to inject malware, through various means, into the computer systems of unwary individuals and organizations in order to mine cryptocurrencies. A cryptocurrency mining malware appears to have infected thousands of enterprise systems, according to malware analysts from the cloud security company Red Canary. The mining malware is said to be operated by a group tracked under the codename Blue Mockingbird.
The activities of the Blue Mockingbird group appear to have started in December last year, based on Red Canary’s report. According to the researchers, the attacks by Blue Mockingbird are focused on public-facing servers that run ASP.NET apps and use the Telerik framework for their user interface (UI) components.
To attack a server, Blue Mockingbird exploits the CVE-2019-18935 vulnerability and then plants a web shell. A version of the Juicy Potato technique is used to gain admin-level access and modify server settings so that the malware persists across (re)boots.
After gaining full access to a system, a version of XMRig (a well-known XMR mining app) is downloaded and installed to exploit the resources of the infected machines. The majority of the infected computers belong to big firms, which Red Canary did not name.
More recently, hackers launched similar ransomware attacks using Trojans, exploiting a flaw in the Remote Desktop Protocol of Windows to access systems.
According to Red Canary, these attacks happened within a short period, although the aggregate number of infections is difficult to quantify. Red Canary also notes that firms which think they are safe from such attacks remain highly vulnerable to a breach by this malware.
In recent times, several hacker groups have used the XMRig app for unauthorized cryptocurrency mining. In November last year, hackers used malware to target vulnerable Docker instances in order to deploy the Monero mining app.
Likewise, in 2019, Symantec and BlackBerry Cylance released a report warning firms that the XMRig app was being injected into computers via music files.