Windows Server, Apache Solr, and Redis servers have been targeted this week by cyber-criminals looking to take over unpatched machines and install malware that mines cryptocurrency (known as a coinminer).
Two separate campaigns have been spotted, both very active this week: one, reported by Imperva, targets Redis and Windows Server machines; the other, reported by the ISC SANS team, targets Apache Solr installations.
Campaign targeting Redis and Windows Server
The more active of the two is a campaign that Imperva nicknamed RedisWannaMine. This campaign is ongoing, and according to Imperva, cyber-criminals have been compromising servers by mass-scanning the Internet for systems running outdated Redis versions that are vulnerable to the CVE-2017-9805 exploit.
Once criminals gain access to a host, their typical infection chain is to drop the RedisWannaMine malware, which later installs a second-stage cryptocurrency miner.
But the RedisWannaMine campaign also displays the classic behavioral pattern of a self-propagating worm: attackers use the servers they have already infected to mass-scan for, and later exploit, further targets.
However, the RedisWannaMine attackers aren’t only targeting other Redis servers; they are also looking for Windows Server machines with exposed SMB ports.
Against these Windows Server instances, attackers deploy the now-classic leaked NSA exploit EternalBlue. In these infections, too, they drop a coinminer on the compromised machines, showing that cryptocurrency mining is the primary objective of these attacks.
This isn’t the first time that a coinminer campaign has targeted…