How one hacker stole $226K worth of cryptocurrency from Oracle servers

An Oracle vulnerability published in December allowed attackers to mine the Monero cryptocurrency, but they don't seem to be stealing data.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • An Oracle server vulnerability allowed hackers to place cryptominers on PeopleSoft and WebLogic servers, netting one attacker $226,000 worth of Monero coins.
  • The attacks are happening worldwide, and could be used to gain a foothold for other types of attacks in the future.

Leveraging a recently discovered flaw in Oracle's PeopleSoft and WebLogic servers, one hacker was able to deploy a cryptocurrency miner and rake in 611 Monero coins worth roughly $226,000, according to a report from the SANS Institute.

The official name of the vulnerability is CVE-2017-10271, and it could "allow an unauthenticated remote attacker to execute remote arbitrary commands with the privileges of the WebLogic server user," according to the report. Since the exploit allows such a broad scope of potential attacks, it's fairly lucky for the victim that they only found a miner placed on their systems.

With the skyrocketing price of Bitcoin, cryptocurrency mining has grown in popularity among cybercriminals, who must hijack a victim's CPU to perform the compute-intensive task. One Android Trojan for mining nearly blew up a smartphone, and some browsers have begun blocking cryptocurrency mining scripts in the same way they block ads.

The good news is that Oracle patched the flaw last year. However, firms that aren't regularly updating may still be at risk. According to the report, the vulnerability affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0, and 10.3.3.0.

In a separate report, a SANS researcher noted that PeopleSoft is often used for HR purposes and could have contained a treasure trove of personally identifiable information (PII). That goes to show the potential value attackers place on cryptocurrency, in that they're willing to forgo valuable data to mine Monero.

In the second report, the author noted that the miner being used was xmrig. Interestingly enough, xmrig isn't a form of malware, but is a legitimate miner for Monero. This allowed the author to determine that, at the time of this writing, 611 Monero coins had been mined by this user, currently equaling about $226,070.

The attacks seem to be distributed worldwide, meaning the initial attacks likely weren't targeted. For indicators that a server may be used to mine cryptocurrency, and for more information about this vulnerability, check out this post by the SANS Institute.
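As an added example (not from the article or the SANS report), the following script shows one way an administrator could check a process listing for the two signals the article supports: a process whose binary is named after the xmrig miner, and a non-JVM process consuming sustained high CPU under the WebLogic server account, which is the account the exploit runs commands as. The sample `ps` output is constructed, the `weblogic` account name and the 80% CPU threshold are assumptions, and `KNOWN_MINER_NAMES` contains only the miner the article names.

```python
import shutil
import subprocess
from typing import Dict, List

# Constructed sample of `ps -eo user,pid,pcpu,pmem,args` output; not real data from the report.
SAMPLE_PS = """\
USER       PID %CPU %MEM COMMAND
weblogic  1234  0.3  5.1 /usr/java/bin/java -Dweblogic.Name=AdminServer weblogic.Server
weblogic  4321 98.7  0.4 /tmp/.x/xmrig --config=/tmp/.x/config.json
root       812  0.1  0.2 /usr/sbin/sshd -D
oracle    2210 91.0  2.0 /opt/oracle/bin/oracle_batch_job
"""

KNOWN_MINER_NAMES = ("xmrig",)   # the miner identified in the SANS report
SERVER_USERS = ("weblogic",)     # assumed: account the WebLogic server runs as
CPU_THRESHOLD = 80.0             # assumed: percent CPU treated as "sustained high"


def parse_ps(output: str) -> List[Dict]:
    """Parse `ps -eo user,pid,pcpu,pmem,args` text into one dict per process."""
    rows = []
    for line in output.strip().splitlines()[1:]:  # skip header row
        parts = line.split(None, 4)               # COMMAND may contain spaces
        if len(parts) < 5:
            continue
        user, pid, cpu, _mem, cmd = parts
        rows.append({"user": user, "pid": int(pid), "cpu": float(cpu), "cmd": cmd})
    return rows


def find_suspect_processes(rows: List[Dict]) -> List[Dict]:
    """Flag processes matching a known miner name, or burning CPU as the server user."""
    findings = []
    for r in rows:
        exe = r["cmd"].split()[0].rsplit("/", 1)[-1]  # basename of the executable
        reasons = []
        if any(name in exe.lower() for name in KNOWN_MINER_NAMES):
            reasons.append("known miner binary name")
        if r["user"] in SERVER_USERS and r["cpu"] >= CPU_THRESHOLD and "java" not in exe:
            # The WebLogic JVM itself is expected to be busy; anything else under
            # that account pegging the CPU is worth a look.
            reasons.append("high CPU under server account, not the JVM")
        if reasons:
            findings.append({"pid": r["pid"], "user": r["user"], "exe": exe, "reasons": reasons})
    return findings


def scan(output: str = None) -> List[Dict]:
    """Scan live `ps` output when available, otherwise the constructed sample."""
    if output is None:
        if shutil.which("ps"):
            output = subprocess.run(
                ["ps", "-eo", "user,pid,pcpu,pmem,args"],
                capture_output=True, text=True, check=False,
            ).stdout or SAMPLE_PS
        else:
            output = SAMPLE_PS
    return find_suspect_processes(parse_ps(output))


if __name__ == "__main__":
    for f in scan(SAMPLE_PS):
        print(f"pid={f['pid']} user={f['user']} exe={f['exe']}: {', '.join(f['reasons'])}")
```

On the sample data only the xmrig process is flagged: the Oracle batch job is at 91% CPU but runs under a different account, and the WebLogic JVM is exempt by name. A real deployment would pair this with the indicators in the SANS post, since a renamed miner binary defeats the name check and only the CPU heuristic remains.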

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.