Researchers warn about a new HolesWarm cryptominer campaign that has been able to break into over 1,000 cloud hosts since June. It exploited numerous known security weaknesses in unpatched Windows and Linux servers.
The cryptominer botnet has been able to interchangeably exploit over 20 different known vulnerabilities, leading Tencent researchers to dub the malware the “King of Vulnerability Exploitation.”
Tencent warned that government and enterprise organizations should immediately address known security issues in order to prevent them from being exploited by the next HolesWarm attack.
“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise,” Tencent analysts said in a report on Tuesday. “Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.”
The HolesWarm botnet uses infected machines to mine for the Monero cryptocurrency. But with HolesWarm, attackers can not only mine for cryptocurrency but also easily gain control over the victim’s server and obtain various kinds of sensitive information from it, such as credentials.
The Tencent team has seen several high-risk flaws exploited in various office server components, including Apache Tomcat, Jenkins, Shiro, Spring Boot, Struts2, UFIDA, Weblogic, XXL-JOB, and Zhiyuan.
HolesWarm’s threat actors changed the module configuration data “rapidly,” indicating that the attackers are frequently and constantly updating their tactics.
“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”
The quick evolution of the cryptominer malware indicates that a criminal group was just getting started with their criminal activities, according to New Net Technologies’ security expert Dirk Schrader.
“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader told Threatpost.
We will likely see more campaigns from this actor in the future.