HolesWarm Botnet Exploits Unpatched Windows, Linux Servers By The Thousands

Researchers warn about a new HolesWarm cryptominer campaign that has been able to break into over 1,000 cloud hosts since June. It exploited numerous known security weaknesses in unpatched Windows and Linux servers.

The cryptominer botnet has been able to interchangeably exploit over 20 different known vulnerabilities, making Tencent researchers refer to the malware as the “King of Vulnerability Exploitation.”

Tencent warned that government and enterprise organizations should immediately address known security issues in order to prevent them from being exploited in the next HolesWarm attack.

“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise,” Tencent analysts said in a report on Tuesday. “Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.”

The HolesWarm botnet uses infected machines to mine for the Monero cryptocurrency. But with HolesWarm, attackers can not only mine for cryptocurrency but also easily gain control over the victim’s server, which provides them with various sensitive information, such as credentials.

The Tencent team has seen several high-risk flaws exploited in various office server components, including Apache Tomcat, Jenkins, Shiro, Spring Boot, Struts2, UFIDA, Weblogic, XXL-JOB, and Zhiyuan.

HolesWarm’s threat actors changed the module configuration data “rapidly,” indicating that the attackers are frequently and constantly updating their tactics.

“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”

The quick evolution of the cryptominer malware indicates that a criminal group is just getting started with its criminal activities, according to New Net Technologies’ security expert Dirk Schrader.

“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader told Threatpost.

We will likely see more campaigns from this actor in the future.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.