Vulnerable Apache Solr, Redis, Windows servers hit with cryptominers

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Vulnerable servers of all kinds are being targeted, compromised and made to mine cryptocurrencies for the attackers.

Apache Solr servers under attack

SANS ISC handler Renato Marihno warns about an active campaign aimed at compromising Apache Solr servers. The campaign infected 1777 victims from February 28 to March 8. Of those, 1416 are Solr servers.

vulnerable apache solr

The attackers are exploiting CVE-2017-12629 for gaining access to the vulnerable servers and delivering Monero-mining malware. The flaw dates back to October 12, 2017, and the first public exploit for it to October 17.

The source of the flaw is an incorrectly configured XML parser in the “queryparser” library, Marinho noted, and warned: “As we are dealing with a library flaw, it’s worth mentioning that it may affect other software which depends on ‘queryparser,’ like: IBM InfoSphere version 11.5; JBoss Data Grid verions 7.0.0, 7.1.0; JBoss Enterprise Application Platform (EAP) versions 6, 7, 7.0.8; JBoss Enterprise Portal Platform version 6, among others.”

RedisWannaMine attacks

Dubbed so due to one type of targets (Redis servers) and propagation/lateral movement method (the EternalBlue exploit used in WannaCry attacks), the RedisWannaMine attacks start with the attackers exploiting the CVE-2017-9805 Apache Struts 2 RCE vulnerability.

vulnerable apache solr

Image by Imperva

The attackers then download (via a script) crypto-mining malware from an external location, make sure to achieve persistency through new entries in crontab, and create a new ssh key entry in /root/.ssh/authorized_keys and new entries in the system’s iptables to achieve remote access to the machine.

They also download masscan, a publicly available, open source TCP port scanner, and use it to discover and infect with crypto-mining malware publicly available Redis servers.

The attack script then also launches a process called ebscan.sh, which uses masscan to discover publicly available Windows servers that are vulnerable to the EternalBlue exploit, and infect them – yes, you guessed it! – with crypto miner malware.

These attacks only serve to underscore the importance of keeping one’s servers updated and patched.