Hackers are exploiting CVE-2013-2618, a five-year-old security vulnerability in Cacti’s Network Weathermap plug-in, to infect x86-64 Linux web servers with cryptocurrency-mining malware.
The Weathermap plug-in is an open-source tool that network administrators use to visualize network activity in map form. The CVE-2013-2618 vulnerability was disclosed in April 2013, and a patch has been available since. However, attackers are still using it today, taking advantage of both the security flaw itself and the patch lag that occurs in organizations that use the open-source tool.
Trend Micro researchers are responsible for discovering the still active campaign. They found the highest number of targets in Japan, followed by Taiwan, China and the U.S.
The miner is a modified version of XMRig, a legitimate, open-source Monero miner. Attackers can lower the miner’s maximum CPU usage to reduce the share of processing power it consumes and help it evade detection.
Researchers say that by using this miner, one attacker has managed to acquire 320 Monero, which is currently around $75,000. This is likely to only be a small fraction of the larger campaign, which may have mined around $3M worth of cryptocurrency.
In terms of fixing the problem, Trend Micro recommends applying the security patch immediately if this has not already been done. They also advise those running Cacti’s Network Weathermap plug-in to keep its data secure and off public-facing servers.
“Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments, it also does the same for threat actors,” Trend Micro researchers said in a blog post.
Malicious cryptomining was the most detected network event on devices connected to home routers last year. Attacks can be successful over long periods because the malware remains hidden. One way to identify a potential infection is a sustained increase in demand for processing power and in cooling fan activity. It doesn’t look set to go away any time soon, as cryptomining has become as lucrative as ransomware. Kaspersky Lab noted in a recent analysis that one of the most lucrative cryptocurrency schemes last year made the criminals behind it millions of dollars in the second half of 2017 alone.