A new generation of crypto-jacking attacks is making the rounds, significantly improving on the unsophisticated campaigns that have characterized such attacks so far.
According to Imperva, the campaigns, one of which the firm dubbed RedisWannaMine, are aimed at both database servers and application servers. And where the first generation of crypto-jacking was limited in complexity and capability (the attacks contained malicious code that downloaded a crypto-miner executable file and ran it with a basic evasion technique or none at all), the new wave of threats is something else altogether. RedisWannaMine demonstrates worm-like behavior, combined with advanced exploits to increase the attackers’ infection rate.
Crypto-jacking, in which a victim’s computer is infected with coin-mining malware that surreptitiously steals compute power to mine for cryptocurrencies like Bitcoin and Monero, has spread significantly in the last few months as the value of virtual currencies continues to skyrocket. Imperva researchers have concluded that these attacks now account for roughly 90% of all remote code execution attacks in web applications.
In this case, the attackers are using a two-pronged infection campaign. First, the malware runs code to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, internal and external, and scanning port 6379, which is the default listening port of Redis.
Second, it uses a script to scan for the same Server Message Block (SMB) vulnerability that was used by the NSA to create the infamous EternalBlue exploit – the root vector behind WannaCry. When the script finds a vulnerable server, it launches the infection process for the crypto-miner malware.
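Both prongs share a tell: one source sweeping many hosts on the Redis port (6379) and the SMB port (445). The following detection routine is an added example, not part of Imperva's analysis or the article; it runs over constructed firewall-style log lines in a placeholder format and flags sources that touch several distinct destinations on either watched port.

```python
"""Flag worm-style sweeps of Redis (6379) and SMB (445) in connection logs.

Added example, not from the original article. The log format is a
constructed placeholder: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
"""
from collections import defaultdict

# Ports the two RedisWannaMine prongs probe: Redis default and SMB.
WATCHED_PORTS = {6379: "redis", 445: "smb"}

# Constructed sample log: 10.0.0.7 sweeps both ports; the rest is ordinary traffic.
SAMPLE_LOG = """\
2018-03-05T10:00:01Z 10.0.0.7 -> 10.0.1.10:6379 DENY
2018-03-05T10:00:01Z 10.0.0.7 -> 10.0.1.11:6379 DENY
2018-03-05T10:00:02Z 10.0.0.7 -> 10.0.1.12:6379 ALLOW
2018-03-05T10:00:02Z 10.0.0.7 -> 10.0.1.13:6379 DENY
2018-03-05T10:00:03Z 10.0.0.7 -> 10.0.2.20:445 DENY
2018-03-05T10:00:03Z 10.0.0.7 -> 10.0.2.21:445 DENY
2018-03-05T10:00:04Z 10.0.0.7 -> 10.0.2.22:445 ALLOW
2018-03-05T10:00:05Z 10.0.0.9 -> 10.0.1.10:6379 ALLOW
2018-03-05T10:00:06Z 10.0.0.9 -> 10.0.3.5:443 ALLOW
2018-03-05T10:00:07Z 10.0.0.11 -> 10.0.2.20:445 ALLOW
"""


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) from one placeholder-format log line."""
    _ts, src, _arrow, dst, _action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src, dst_ip, int(dst_port)


def find_scanners(log_text, min_targets=3):
    """Map each sweeping source to {service: distinct_destinations_probed}.

    A source is reported for a service once it has contacted at least
    min_targets distinct destination IPs on that service's port; both
    allowed and denied attempts count, since scanning is the signal.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst_ip, port = parse_line(line)
        if port in WATCHED_PORTS:
            seen[src][WATCHED_PORTS[port]].add(dst_ip)
    alerts = {}
    for src, per_service in seen.items():
        hits = {svc: len(ips) for svc, ips in per_service.items() if len(ips) >= min_targets}
        if hits:
            alerts[src] = hits
    return alerts


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_LOG).items():
        print(f"possible sweep from {src}: {hits}")
```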
Between the two prongs, RedisWannaMine is taking aim at the attack surface from both the database and application sides. “In a nutshell, crypto-jacking attackers have upped their game and they are getting crazier by the minute,” researchers said in an analysis.