Hackers are exploiting Windows IIS 6.0 CVE-2017-7269 vulnerabilities to mine cryptocurrencies

by do son ·

Windows IIS 6.0 CVE-2017-7269

Researchers at F5 Research recently discovered a new hacking campaign aimed at exploiting a vulnerability in IIS 6.0 to hijack Windows servers and install malicious software for mining Electroneum cryptocurrencies.

The vulnerability exploited by hackers is traced to CVE-2017-7269, a buffer overflow vulnerability that was discovered by two domestic researchers in March 2017 and affects IIS WebDAV services. Successful exploitation can lead to remote code execution.

This loophole has existed since June 2016, which means that it has existed for nearly 9 months until it was discovered, and it was already exploited in certain attack activities when it was discovered.

IIS 6.0 was released in November 2010 and is usually provided along with Windows Server 2003 and Windows XP. Microsoft initially stated that it does not intend to fix this loophole. Because two years before the vulnerability was disclosed, Microsoft has placed IIS 6.0 in the “end of support” state.

However, due to the common features of the EXPLODINGCAN NSA exploit that was disclosed by Shadow Brokers (shadow brokers) in April 2017, the vulnerability was eventually repaired in mid-June 2017.

Although it has been fixed, since its disclosure, this vulnerability has been exploited by at least one hacker organization to hijack a Windows server that is still running IIS 6.0 to deploy cryptocurrency miners. ESET, a cybersecurity company, reported in 2017 that the vulnerability was misused to dig Monero.

Researchers in the F5 research office stated that in the new attack activity, the attacker almost copied the proof of concept (POC) code issued by the researchers, but embedded a different shellcode to execute the commands it issued.

The attacker uses CVE-2017-7269 to provide an ASCII shellcode that includes a return-oriented programming (ROP) exploit chain that installs a reverse shell on a vulnerable server. The attacker then uses this reverse shell to download the miner (XMRig 2.5.2) and begin the mining process.

 

Not only that, the attacker also used an attack technique called “Squiblydoo” to disguise the miner as a legitimate lsass.exe (Local Security Authority Subsystem Service) process to cover the infection process.

According to the information displayed by the attacker’s encrypted currency wallet, this activity does not seem too successful. As of last week, the attacker earned only about $99. Researchers at the F5 Research Office stated that this could be due to two reasons: First, the attacker will often change the wallet address, and second, there are not many IIS 6.0 servers available.

Although the attacker has not been able to make much money in this attack activity, it still at least allows us to see that even if some software or service has reached the “end of life,” they will still be attacks that the attacker gains value for. aims.

Although it is not easy for some companies to eliminate obsolete equipment, it is installed immediately after the patch is released. We believe that this is something that all companies can do and that such a simple operation can avoid many potential Security threats. Even if it cannot be repaired in time, creating a firewall rule or putting critical devices on a private network should be the security measure that should be considered by the enterprise network administrators.

Source, Image: F5

Tags: Windows IIS 6.0 CVE-2017-7269