Cryptocurrency mining software is being remotely installed on Windows and Linux web servers via exploits targeting known vulnerabilities in Apache Struts and DNN (formerly DotNetNuke) content management system.
There has been a significant increase in the numbers of exploit attempts targeting two specific vulnerabilities: CVE-2017-5638 (a vulnerability in Apache Struts) and CVE-2017-9822 (a vulnerability in DotNetNuke).
Malicious HTTP requests containing scripting code are sent to the server. The vulnerabilities allow this code to be executed on the server, and the code then downloads a Monero cryptocurrency miner.
The URL used to download the Monero miner differs between the Windows and Linux versions. The same download URLs are, however, used by both the Struts attacks and the DotNetNuke attacks:
- Windows – hxxp://eeme7j[.]win/scv[.]ps1 leading to the download of a miner from hxxp://eeme7j[.]win/mule[.]exe (detected as TROJ_BITMIN.JU)
- Linux – hxxp://eeme7j[.]win/larva[.]sh leading to the download of a miner from hxxp://eeme7j[.]win/mule (detected as ELF_BITMIN.AK)
The following product versions are affected by this attack:
- Apache Struts 2 – versions prior to 2.3.32 or 2.5.10.1
- DNN – versions prior to 9.1.1
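As an added example that is not part of the original report, the script below turns the two actionable pieces of the write-up into checks a defender can run: it flags proxy or web-server log lines that reference the download host and paths listed above (refanged from the `hxxp://eeme7j[.]win/...` indicators), and it compares an installed Apache Struts or DNN version against the fixed releases named in the affected-version list. The combined-format log lines are constructed sample data, and the assumption that downloads show up as full URLs in a forward-proxy log is mine, not the report's.

```python
"""Added example: IoC log scan and version check for the Struts / DNN
cryptominer campaign described in the report.

Assumptions (not stated in the report): logs are in Apache/NGINX combined
format as written by a forward proxy (full URL in the request line), and the
sample lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the report, refanged for matching (hxxp -> http, [.] -> .)
IOC_HOST = "eeme7j.win"
IOC_PATHS: Dict[str, str] = {
    "/scv.ps1": "Windows first-stage downloader",
    "/mule.exe": "Windows miner (TROJ_BITMIN.JU)",
    "/larva.sh": "Linux first-stage downloader",
    "/mule": "Linux miner (ELF_BITMIN.AK)",
}

# Match the host plus the path that follows it; the path may be absent if the
# log only recorded a CONNECT or a bare hostname.
IOC_RE = re.compile(r"\b" + re.escape(IOC_HOST) + r"(/[A-Za-z0-9_.\-]*)?")


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that references the indicator host."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        match = IOC_RE.search(line)
        if not match:
            continue
        path = match.group(1) or ""
        hits.append({
            "line": number,
            "path": path,
            # Known paths map to a campaign stage; anything else is still a
            # contact with the indicator host and worth investigating.
            "stage": IOC_PATHS.get(path, "contact with indicator host"),
        })
    return hits


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """Compare against the fixed releases listed in the report:
    Struts 2.3.32 / 2.5.10.1 and DNN 9.1.1."""
    v = parse_version(version)
    if product == "struts":
        # 2.3.x line is fixed at 2.3.32; 2.5.x line is fixed at 2.5.10.1.
        return v < (2, 3, 32) or (v[:2] == (2, 5) and v < (2, 5, 10, 1))
    if product == "dnn":
        return v < (9, 1, 1)
    raise ValueError(f"unknown product: {product}")


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Mar/2018:12:00:01 +0000] "GET http://eeme7j.win/scv.ps1 HTTP/1.1" 200 1234',
    '10.0.0.8 - - [10/Mar/2018:12:00:02 +0000] "GET http://example.org/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2018:12:00:05 +0000] "GET http://eeme7j.win/mule.exe HTTP/1.1" 200 987654',
    '10.0.0.9 - - [10/Mar/2018:12:00:09 +0000] "CONNECT eeme7j.win:443 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['stage']} ({hit['path'] or 'no path'})")
    for product, version in (("struts", "2.3.31"), ("struts", "2.5.10.1"), ("dnn", "9.0.2")):
        print(product, version, "vulnerable" if is_vulnerable(product, version) else "patched")
```

Running the module prints three hits for the constructed log (the downloader, the miner, and a bare CONNECT to the host) and reports Struts 2.3.31 and DNN 9.0.2 as vulnerable while Struts 2.5.10.1 is patched. Because the version comparison works on integer tuples, a 2.5.10 install is correctly judged older than the 2.5.10.1 fix.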