Likely based on an exploit discovered by a Chinese researcher, a new distributed cryptocurrency mining hack is an ongoing worldwide problem.
Back in December 2017, Chinese researcher Lian Zhang published a proof-of-concept exploit for unpatched Oracle web application servers that allows the installation of potentially malicious code. On January 7, the SANS Technology Institute reported an apparent global distributed hack against WebLogic and PeopleSoft servers for the purpose of mining the Monero cryptocurrency. Both WebLogic and PeopleSoft are built on Oracle's web application server platform.
In its current form, the code maximizes its reach by automatically scanning for unpatched systems. When it finds an exposed server, it installs malicious code and silently installs a legitimate Monero mining application. It also scans infected systems for earlier crypto mining installations and removes them. Another feature of this infection is that it will reinstall its own mining software if new mining code is detected on the infected system. While patching the Oracle software will close the gap and prevent new illicit installations, there remains a real threat that the hackers will include a reinfection routine in the code that allows the secret mining to continue.
This current attack, as documented by the SANS Technology Institute, involves 722 WebLogic and PeopleSoft systems. Many of these systems are running on public cloud services, including Amazon Web Services. Approximately 30 of Oracle's own public cloud servers were infected with the code.
It's likely the code writers chose the Monero cryptocurrency because of the enhanced security features it provides over rival coins. Law enforcement has lately become more adept at blockchain data mining, which allows it to trace transaction patterns and identify individual coin owners using less security-conscious coin types.
While the hack appears to be only a secret crypto mining operation for now, the real-world application of the proof-of-concept published in December opens the door to more malicious activity in the near future. Should the hackers decide to mine for data instead of cryptocurrency, this exploit will enter a totally new phase of destructiveness.
IT administrators should act immediately to patch all outdated Oracle systems and maintain regular updates to protect against this and future vulnerabilities. If an infection is suspected, immediate steps should be taken to remove the installation and, if necessary, a third-party cyber security firm should be engaged to assist with removal and with mitigating reinfection.