Delaware, USA – May 4, 2018 – Early May has been marked by two campaigns that infected web servers with cryptocurrency-mining malware. Researchers from AlienVault discovered a new malware family they dubbed MassMiner, which exploits several known vulnerabilities for distribution and propagation and can also brute-force Microsoft SQL Servers. An infected system scans the Internet with the MassScan tool and then either exploits CVE-2017-10271, CVE-2017-0143 or CVE-2017-5638, or brute-forces credentials with SQLck. After compromise, MassMiner gains persistence, disables Windows Firewall, and installs the Gh0st backdoor and XMRig to mine Monero. This campaign may be connected to the Smominru botnet, which has earned its creators more than $2 million.
Cryptocurrency miners remain one of the biggest threats of 2018. Malware and attacker techniques evolve rapidly, so monitor vendor updates and install them as quickly as possible. You can monitor the security of your servers with ArcSight and the Web Application Security Framework, and you can use the Brute Force Detection SIEM use case to detect password-guessing attempts against your resources.
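To illustrate the SQL Server brute-force detection use case mentioned above, here is an added example (written for this page, not the ArcSight rule or any vendor's content) that parses constructed SQL Server ERRORLOG "Login failed" lines and flags any client address that produces a burst of failures inside a sliding time window; the log lines, threshold and window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG login-failure lines (not from the
# original post). Each error 18456 entry ends with the client address.
SAMPLE_ERRORLOG = """\
2018-05-03 08:12:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 08:12:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 08:12:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 08:12:02.15 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2018-05-03 08:12:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 08:13:47.02 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2018-05-03 09:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(log_text):
    """Return (timestamp, user, client) tuples for every login-failure line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("client")))
    return out


def detect_bruteforce(failures, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with at least `threshold` failures inside any sliding `window`.
    Returns {client: {"max_in_window": n, "users": [logins tried]}}."""
    by_client = defaultdict(list)
    for ts, user, client in failures:
        by_client[client].append((ts, user))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[client] = {"max_in_window": best,
                              "users": sorted({u for _, u in events})}
    return alerts
```

Only 203.0.113.5 trips the rule here; the two other clients each produce a single isolated failure, which is the kind of noise a per-source windowed count is meant to filter out.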