Researchers have uncovered what they said is one of the biggest malicious currency mining operations ever, with more than $3 million worth of digital coin. Now, the operators are gearing up to make more.
The unknown criminals generated the windfall over the past 18 months. The campaign has mainly exploited critical vulnerabilities on Windows computers and then, after gaining control over them, installed a modified version of XMRig, an open-source application that mines the digital coin known as Monero. While the group has used a variety of mining services, it has continued to dump the proceeds into a single wallet. As of last week, the wallet had received payouts of almost 10,829 Monero, which, at current valuations, are worth more than $3.4 million.
"The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows and has already secured him over $3 million worth of Monero cryptocurrency," researchers at security firm Check Point wrote in a blog post. "As if that wasn't enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins."
The Jenkins Continuous Integration server is open-source software written in Java for deploying and automating all kinds of tasks. With more than 1 million users, it's one of the most widely used open-source automation servers. In January, independent researcher Mikail Tunç estimated that as many as 20 percent of Jenkins servers are misconfigured in ways that make serious hacks possible. The compromises cause slower performance and potential denial-of-service failures on compromised machines.
The new rash of hijackings works by exploiting CVE-2017-1000353, a vulnerability in the Jenkins deserialization implementation that stems from a failure to validate serialized objects. As a result, any serialized object can be accepted by vulnerable systems. Jenkins maintainers fixed the bug last week with the release of version 2.54.
Separately, researchers from security firm FireEye said attackers, presumably with no relation to the one reported by Check Point, are exploiting unpatched systems running Oracle's WebLogic Server to install cryptocurrency-mining malware. Oracle patched the vulnerability, indexed as CVE-2017-10271, in October.
The attackers observed by Check Point combine the XMRig miner with a remote-access trojan. Their miner runs on a variety of platforms, although most of the victims so far appear to be personal-computer users. The malware undergoes regular updates. The operation—and others like it—shows no signs of slowing down or dying out anytime soon.
"Despite the fact that some crypto-currencies have fallen in value over the past month, they are still a prized asset and definitely valuable enough for this threat actor to 'upgrade' his capability of exploiting others to mine them," Check Point researchers wrote in a separate blog post. "For sure it won't be long before he has secured his next ill-gotten million!"