In December 2017, Secureworks® incident response (IR) analysts responded to multiple incidents where threat actors compromised vulnerable Internet-facing Oracle WebLogic servers on Linux and Windows systems to deploy cryptocurrency software. The unauthorized activity significantly impacted the performance of business-critical and client-facing applications. The continued inquiries about this activity in January 2018 suggest that many organizations have been affected.
Triage of the available data from compromised Linux systems revealed binary files in the /tmp directory consuming processing power and causing performance degradation. When analyzing infected hosts, IR analysts discovered a series of POST requests to /wls-wsat/CoordinatorPortType11 that resulted in an HTTP error code 500 (internal server error). The POST requests attempted to exploit WebLogic vulnerability CVE-2017-10271, which Oracle addressed in October 2017. According to the vulnerability description, this "easily exploitable" issue allows an "unauthenticated attacker with network access via HTTP to compromise [an] Oracle WebLogic Server."
Examination of client environments revealed at least two variations of a Bash script downloaded after successful exploitation. The first variation (see Figure 1) instructs the impacted system to use Wget to download "72 . 11 . 140 . 178/files/l/default" (MD5: faca70429c736dbf0caf2c644622078f) and save it to /tmp/rcp_bh. Once downloaded, rcp_bh is executed to run in the background on the compromised system.
Figure 1. Bash function to download cryptocurrency software. (Source: Secureworks)
The second script variation creates two persistence mechanisms based on the impacted service account name. As shown in Figure 2, the Bash script prints the name of the user account running the script. If the account is root, then root.sh is downloaded to /etc/root.sh and executed. If the user account is anything else, lower.sh is downloaded to the /tmp directory and executed.
Figure 2. Bash script identifying user. (Source: Secureworks)
If root.sh is executed, it downloads and executes “nativesvc” from 207. 246 . 68 . 21. The script then establishes persistence on the compromised server by creating a cron job and modifying the rc.local file to continually check for the miner and download a new copy if the check fails. If lower.sh is executed, it downloads and executes a cryptocurrency mining binary file named “river” from 207 . 246. 125 . 40 but does not create a persistence mechanism.
Windows hosts running vulnerable Oracle WebLogic servers have also been targeted. Observed attacks have downloaded open-source miners such as XMRig.
These incidents are representative of broader campaigns by financially motivated threat actors to deploy cryptocurrency mining software to large numbers of infected hosts. The market valuation of various cryptocurrencies and the ability to outsource resource costs associated with mining make this kind of activity attractive to threat actors. This type of activity will likely continue as long as cryptocurrency mining provides a return on investment for generating funds.
In addition to reviewing and applying the Oracle security update as appropriate, network defenders should implement the following mitigations. These mitigations also protect systems against other types of threats.
- Disable unnecessary services, including internal network protocols such as SMBv1 if possible. Remove applications that do not serve a legitimate business function, and consider restricting access to integral system components such as PowerShell that cannot be removed but are unnecessary for most users.
- Review and apply appropriate security updates for operating systems and applications in a timely manner.
- Apply the principle of least privilege for system and application credentials, limiting administrator-level access to authorized users and contexts. For Windows systems, consider a solution such as Microsoft’s Local Administrator Password Solution (LAPS) to simplify and strengthen password management.
- If possible, implement endpoint and network security technologies and centralized logging to detect, restrict, and capture malicious activity. Managing outbound network connections through monitored egress points can help to identify outbound cryptocurrency mining traffic, particularly unencrypted traffic using non-standard ports.
The indicators in Table 1 are associated with this threat. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.
Indicator |
Type |
Context |
faca70429c736dbf0caf2c644622078f |
MD5 hash |
Linux cryptocurrency miner |
f79a2ba735a988fa6f65988e1f3d39684727bdc4 |
SHA1 hash |
Linux cryptocurrency miner |
bbc6f1e5f02b55fab111202b7ea2b3ef7b53209f6ce53f27d7f16c08f52ef9ac |
SHA256 hash |
Linux cryptocurrency miner |
9d4356274ca394807ae0a6ad82afe2a2 |
MD5 hash |
Linux cryptocurrency miner |
b19ca7fec674543311214c25078ad7a4e1916253 |
SHA1 hash |
Linux cryptocurrency miner |
5a788286f82fc78d01dbe2e11776aed1e90b604c12eb826986973e412e0714de |
SHA256 hash |
Linux cryptocurrency miner |
/tmp/rcp_bh |
Filename |
Linux cryptocurrency miner on disk |
/tmp/nativesvc |
Filename |
Linux cryptocurrency miner on disk |
/tmp/river |
Filename |
Linux cryptocurrency miner on disk |
/tmp/watch-smartd |
Filename |
Linux cryptocurrency miner on disk |
/tmp/Carbon |
Filename |
Linux cryptocurrency miner on disk |
pool . minexmr . com |
Domain name |
Associated with cryptocurrency mining activity |
pool . supportxmr . com |
Domain name |
Hosting cryptocurrency mining software |
72 . 11 . 140 . 178 |
IP address |
Hosting cryptocurrency mining software |
207 . 246 . 68 . 21 |
IP address |
Hosting cryptocurrency mining software |
191 . 101 . 180 . 84 |
IP address |
Hosting downloader scripts for cryptocurrency mining software |
207 . 246 . 125 . 40 |
IP address |
Hosting cryptocurrency mining software |
Table 1. Indicators for this threat.