[BreachExchange] HolesWarm Malware Exploits Unpatched Windows, Linux Servers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Aug 18 11:07:58 EDT 2021


https://threatpost.com/holeswarm-malware-windows-linux/168759/

By leveraging more than 20 known vulnerabilities in Linux and Windows
servers, the HolesWarm cryptominer malware has been able to break into more
than 1,000 cloud hosts just since June.

The basic cryptominer botnet has been so successful at juggling so many
different known vulnerabilities between attacks that researchers at Tencent,
who first identified HolesWarm, refer to the malware as the “King of
Vulnerability Exploitation.”

Tencent warned that both government and enterprise should mitigate known
vulnerabilities as soon as possible to avoid falling prey to the next
HolesWarm attack.


“As the HolesWarm virus has changed more than 20 attack methods in a
relatively short period of time, the number of lost cloud hosts is still on
the rise,” Tencent analysts said in their Tuesday report.

Besides its cryptomining function, HolesWarm gives attackers password
information and even control of the victim’s server.

HolesWarm Exploits Known Vulns

The Tencent team observed HolesWarm using high-risk vulnerabilities in
various common office server components, including Apache Tomcat, Jenkins,
Shiro, Spring Boot, Struts2, UFIDA, WebLogic, XXL-JOB and Zhiyuan.

“As the HolesWarm virus has changed more than 20 attack methods in a
relatively short period of time, the number of cloud hosts is still on the
rise,” the report said. “Tencent security experts recommend that the
operation and maintenance personnel of government and enterprise
organizations actively repair high-risk vulnerabilities in related network
components to avoid servers (becoming) a broiler controlled by hackers.”

The botnet uses infected systems to mine for Monero. Cryptominers perform
the intensive computations that validate blockchain transactions in return
for the chance of eventually being rewarded with cryptocurrency. This is only
profitable at scale, when many machines are doing that work. Cryptominer
malware takes over a victim’s system and puts it to work as part of a more
widespread criminal effort to mine Monero at scale, using someone else’s
resources.

The threat actors are constantly updating their tactics, according to
Tencent researchers.

“By pulling and updating other malicious modules, HolesWarm virus will
record the version information in the configuration with the same name text
while installing the malicious module,” Tencent said. “When the cloud
configuration is newer, it will end the corresponding module process and
update automatically.”

The researchers added that the module configuration data has changed
“rapidly, indicating the attacker is frequently updating their attack
methods.”

The apparent ease with which the cryptominer malware was detected along
with its rapid evolution indicates a threat group just getting their
criminal hacking enterprise off the ground, according to Dirk Schrader from
New Net Technologies.

“Collecting crypto-money is a necessary step for any cybercrime group to
grow and later maintain capabilities, to acquire additional exploits traded
in the Dark Web or to use some cybercrime-as-a-service,” Schrader told
Threatpost.

Of course, without unpatched servers lingering out there with known
security holes, the virus wouldn’t have anywhere to spread. Yaniv Bar-Dayan,
CEO of Vulcan Cyber, told Threatpost that leaving unmitigated vulnerabilities
exposed to hackers is “inexcusable.”

“It’s the reason why 76 percent of IT security executives we recently
surveyed said IT vulnerabilities impacted their business in the last year,”
Bar-Dayan added. “Organizations with exploitable known vulnerabilities
should feel lucky if the worst that happens to their digital estate is a
HolesWarm cryptominer deployment.”