Cryptomining Worm MassMiner Exploits Multiple Vulnerabilities

Hijacking computing resources for cryptocurrency mining, or cryptomining, is one of the major attack trends this year and the threat is growing increasingly aggressive. Security researchers warn of a new worm that uses a variety of techniques and exploits to enslave servers over local networks and the internet.

“One family of mining malware, we’ve termed ‘MassMiner,’ stands out as a worm that not only spreads itself through a number of different exploits, but also brute-forces access to Microsoft SQL Servers,” researchers from security firm AlienVault said in a blog post. “It surprised us how many different exploits and hacking tools it leverages in a single executable.”

MassMiner incorporates MassScan, a legitimate high-performance TCP port scanner that can analyze all IPv4 addresses on the internet in less than 5 minutes. This allows the worm to be very efficient at identifying new targets.

MassMiner bundles exploits for CVE-2017-0143, a vulnerability in the Windows SMB service known as EternalBlue that was used in the past by the WannaCry and NotPetya ransomware worms, as well as by other malware families; CVE-2017-5638, a critical vulnerability in the Apache Struts web framework that led to major data breaches at Equifax and other companies; and CVE-2017-10271, a critical vulnerability in Oracle’s WebLogic Java application server that’s used by many business-critical applications.

All of these exploits target software stacks that are commonly found on enterprise servers. Patches have been available for the underlying vulnerabilities for six months or more, but the sad reality is that internal servers in many corporate networks remain unpatched for years, as companies with limited IT resources focus on internet-facing servers first. And that’s a problem with worms such as MassMiner that also spread through local networks.

Once it has infected a server, MassMiner will attempt to gain persistence and set up mechanisms to avoid detection. It will also disable the Windows firewall and search for other vulnerable servers that it can infect with an executable downloaded from a command-and-control server.
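The brute-forcing of Microsoft SQL Server logins mentioned above leaves a very visible trail: repeated "Login failed" entries from the same client address in the SQL Server error log. The following is an added detection example, not code from AlienVault or the article; it runs over constructed log lines in the ERRORLOG format and flags client addresses that exceed a failure threshold within a time window (the threshold, window and sample addresses are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a SQL Server ERRORLOG (not real telemetry).
# Client 10.0.0.5 hammers 'sa' five times in two seconds; 10.0.0.9 is a user who
# mistyped a password twice, eight minutes apart.
SAMPLE_LOG = """\
2018-05-03 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-05-03 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-05-03 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-05-03 10:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-05-03 10:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-05-03 10:07:15.00 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2018-05-03 10:15:00.00 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for every failed-login line in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total_failures} for clients with >= threshold failures
    inside any sliding window of the given length (assumed tuning values)."""
    by_client = defaultdict(list)
    for ts, _user, client in parse_failed_logins(text):
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'10.0.0.5': 5}
```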

The malware will also download a configuration that specifies the Monero wallet and the mining pool it will send cryptocurrency to. While Monero mining is this worm’s primary purpose, the AlienVault researchers have seen one variant that downloaded and installed a version of the Gh0st backdoor program.

Cryptomining attacks are likely to continue, as there’s no shortage of new vulnerabilities that allow hackers to remotely break into servers. According to a report released this week by security firm Cylance, the number of cryptomining attacks grew 504 percent in 2017 and 345 percent this year so far.

Windows 10 Patches for Meltdown Are Broken

It turns out that Microsoft’s Windows 10 patches for the Meltdown vulnerability have a serious bug that could allow attackers to bypass the protection.

The news comes from renowned Windows internals expert and kernel hacker Alex Ionescu, who went public with the issue on Twitter after Microsoft fixed the patch in the new Windows 10 major update released this week: Windows 10 April 2018 Update, also known as Redstone 4 or Windows 10 build 1803.

“Welp, it turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,” Ionescu said on Twitter.

He pointed out that while the fix is present in Redstone 4, it hasn’t yet been backported to older Windows 10 builds, so systems that haven’t yet received the major update are still vulnerable.

Microsoft also botched the Meltdown patches for Windows 7 and Windows Server 2008, opening an even more severe vulnerability that has come to be known as Total Meltdown. The company pushed an out-of-band fix in late March to address that flaw.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
