Hackers exploit a five-year-old vulnerability to turn Linux servers into Monero miners
A hacker group exploited a five-year-old vulnerability in the Cacti "Network Weathermap" plug-in to install Monero miners on Linux servers, earning nearly $75,000.
Researchers at the US security company Trend Micro say they have evidence linking these attacks to an earlier campaign against Jenkins servers, in which the attackers exploited CVE-2017-1000353 to install Monero miners on Jenkins hosts and made approximately $3 million.
This time the attackers used CVE-2013-2618, a cross-site scripting flaw in the plug-in's editor.php. Cacti is a PHP-based open source network monitoring and graphing tool; its Network Weathermap plug-in visualizes network activity.
As in the earlier attacks, the hackers leveraged this vulnerability to gain code execution on the underlying server, where they downloaded and installed a customized build of XMRig, a legitimate open source Monero mining program.
The attackers also added a cron job that runs a Bash script named "watchd0g" every three minutes. The script checks whether the Monero miner is still running and restarts the XMRig process if it has been stopped.
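The persistence mechanism described above leaves a recognizable trace: a high-frequency cron entry whose command lives in a temporary or world-writable directory. The following script is an added example, not code from the article or from Trend Micro, that flags such entries in user-crontab text (five time fields followed by the command; the system crontab format with its extra user field is not handled). The crontab lines it runs on are constructed for illustration, and the path and frequency thresholds are assumptions, not indicators from the actual campaign.

```shell
#!/bin/sh
# Added example: flag crontab entries that run every N minutes (N <= max, default 5)
# AND whose command is a script under /tmp, /var/tmp or /dev/shm. This matches the
# shape of the "watchd0g" job described in the article (every 3 minutes, restarting
# the miner), but the thresholds and paths here are assumptions, not campaign IOCs.

# Constructed sample crontab (user-crontab format), not real data from any victim.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/3 * * * * /tmp/.cacti/watchd0g.sh >/dev/null 2>&1
*/15 * * * * /usr/lib/cacti/poller.php
* * * * * /dev/shm/.x/miner_check'

# suspicious_cron_entries [MAX_MINUTES]
# Reads crontab text on stdin and prints every entry whose minute field is "*"
# or "*/N" with N <= MAX_MINUTES and whose command path starts with a temp dir.
suspicious_cron_entries() {
    max="${1:-5}"
    awk -v max="$max" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            minute = $1
            freq = 0                                # 0 means "not a periodic-minute job"
            if (minute == "*") {
                freq = 1                            # runs every minute
            } else if (minute ~ /^\*\/[0-9]+$/) {
                split(minute, p, "/")               # "*/3" -> p[2] == "3"
                freq = p[2] + 0
            }
            if (freq == 0 || freq > max) next       # not frequent enough to care about
            cmd = $6                                # first token after the five time fields
            if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print $0
        }'
}

# Usage: audit the real crontabs on a host, e.g.
#   for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | suspicious_cron_entries; done
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
```

On the sample above the script prints the two entries under /tmp and /dev/shm and ignores the nightly backup and the 15-minute poller. It is a triage aid, not a verdict: a legitimate job can live in a temporary directory, and a miner watchdog can just as easily be installed under /etc/cron.d or a systemd timer, so confirm any hit by reading the script it points to and checking the process list for the miner it restarts.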
With this simple scheme the attackers mined approximately 320 XMR (about US$75,000). All infected servers were running Linux. Most victims were in Japan (12%), China (10%), Taiwan (10%) and the United States (9%).
Because Cacti is normally deployed to monitor internal networks, such instances should not be reachable from the internet in the first place.
Source: bleepingcomputer