
‘Holes Warm’ Malware Exploits Both Unpatched Windows & Linux Servers!

The botnet crypto-miner has already compromised 1,000-plus clouds since June.

By using more than 20 known vulnerabilities in Linux & Windows servers, the Holes Warm crypto-miner malware has been able to break into more than 1,000 cloud hosts just since June.

The basic crypto-miner botnet has been so successful at juggling so many different known vulnerabilities between attacks that the researchers at Tencent who first identified Holes Warm refer to the malware as the “King of Vulnerability Exploitation.”

Mitigate Known Vulnerabilities

Tencent warned that both government & enterprise organisations should mitigate known vulnerabilities as soon as possible to avoid falling prey to the next Holes Warm attack.

“As the Holes Warm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise,” Tencent analysts said in their Tuesday report.

Besides its crypto-mining function, Holes Warm gives attackers password information & even control of the victim’s server.

Holes Warm Exploits Known Vulns

The Tencent team saw Holes Warm using high-risk vulnerabilities in various common office server components, including Apache Tomcat, Jenkins, Shiro, Spring Boot, Struts2, UFIDA, Weblogic, XXL-JOB & Zhiyuan.

“As the Holes Warm virus has changed more than 20 attack methods in a relatively short period of time, the number of cloud hosts is still on the rise,” the report stated.

“Tencent security experts recommend that the operation & maintenance personnel of government & enterprise organisations actively repair high-risk vulnerabilities in related network components to avoid servers becoming a broiler controlled by hackers.”

Mine for Monero

The botnet uses infected systems to mine for Monero. Crypto-miners churn through endless blockchain computations in return for the chance that they might eventually be rewarded with crypto-currency. This is only profitable when many machines are doing the work.

Crypto-miner malware takes over a victim’s system & puts it to work as part of a more widespread criminal effort to mine Monero at scale, using someone else’s resources.

The threat actors are constantly updating their tactics, Tencent researchers state.

“By pulling & updating other malicious modules, Holes Warm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent described.

“When the cloud configuration is newer, it will end the corresponding module process & update automatically.”

Module Configuration Data

The researchers added that the module configuration data has changed “rapidly, indicating the attacker is frequently updating their attack methods.”

The apparent ease with which the crypto-miner malware was detected, along with its rapid evolution, indicates a threat group just getting its criminal hacking enterprise off the ground, according to Dirk Schrader from New Net Technologies.

“Collecting crypto-money is a necessary step for any cybercrime group to grow & later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader explained.

Unmitigated Vulnerabilities

Without unpatched servers lingering with known security holes, the virus wouldn’t have anywhere to spread. Yaniv Bar-Dayan, CEO of Vulcan Cyber, commented that leaving unmitigated vulnerabilities exposed to hackers is “inexcusable.”

“It’s the reason why 76% of IT security executives we recently surveyed said IT vulnerabilities impacted their business in the last year,” Bar-Dayan added.

“Organisations with exploitable known vulnerabilities should feel lucky if the worst that happens to their digital estate is a Holes Warm crypto-miner deployment.”
