New cryptojacking attack uses WannaCry exploit to mine on Windows servers

RedisWannaMine infects both database and application servers to fraudulently mine cryptocurrency.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Security researchers discovered RedisWannaMine, an attack that uses the EternalBlue exploit found in WannaCry attacks to fraudulently mine cryptocurrency.
  • Cryptojacking, an attack that typically uses a form of malware to mine cryptocurrency, is a growing risk in the enterprise.

Another cryptojacking attack has been discovered, and it uses the EternalBlue exploit that powered the massive WannaCry attack that took out systems around the world. RedisWannaMine, discovered by Imperva security researchers, targets vulnerable Windows servers with the leaked NSA exploit.

Imperva initially noted its findings in a Thursday blog post. Therein, it explained that the attack targets both database servers and application servers, and exhibits worm-like behavior that increases the infection rate and makes more money for the attackers who are using it.

RedisWannaMine isn't the first cryptocurrency mining scam to use EternalBlue. In early 2018, the Smominru miner botnet used EternalBlue to steal millions of dollars worth of Monero cryptocurrency from Windows servers and other machines. This could mean the enterprise will see more cryptojacking attempts made with this exploit.


To start, RedisWannaMine exploits the vulnerability CVE-2017-9805. This is a particular Apache Struts vulnerability that goes after the Struts REST plugin with XStream handler, as noted by Charlie Osborne of our sister site ZDNet.

Once exploited, it will run a shell command, drop RedisWannaMine, and run a cryptominer program (admissioninit.exe), the post said. After that it will scan for vulnerable Redis servers and drop RedisWannaMine on them as well. It will also scan for vulnerable Windows SMB servers and exploit EternalBlue to drop the cryptominer, the post noted. Once the miner is up and running, it will mine cryptocurrency and funnel the funds into a wallet owned by the hackers.
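The chain above has three observable stages on the defender's side: an XML-bodied request hitting the Struts REST plugin (the CVE-2017-9805 vector), a new process named admissioninit.exe, and a host suddenly probing many neighbours on the Redis (6379) and SMB (445) ports. The script below is an added example, not code from Imperva or from this article, that runs those three checks over constructed sample logs. The hostnames, IP addresses, log format (an access log extended with the request Content-Type as its last field) and the `/rest` path prefix are assumptions for the example; the miner file name and the two ports come from the description above.

```python
"""Triage the three RedisWannaMine stages over constructed sample logs.
Added example; hosts, IPs and log layout are invented for illustration."""
import re
from collections import defaultdict

# Constructed access-log lines. Assumed format: combined log plus the request
# Content-Type header quoted as the final field.
ACCESS_LOG = [
    '203.0.113.7 - - [08/Mar/2018:10:01:02 +0000] "POST /rest/orders/3 HTTP/1.1" 200 512 "application/xml"',
    '198.51.100.4 - - [08/Mar/2018:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
    '203.0.113.7 - - [08/Mar/2018:10:01:09 +0000] "GET /rest/orders.xhtml HTTP/1.1" 200 300 "-"',
]

# Constructed process-creation events (the shape Sysmon event ID 1 or an EDR
# would give you), reduced to the fields the check needs.
PROCESS_LOG = [
    {"host": "app01", "parent": "java.exe", "image": r"C:\Windows\Temp\admissioninit.exe"},
    {"host": "app01", "parent": "explorer.exe", "image": r"C:\Program Files\Editor\editor.exe"},
]

# Constructed outbound connection records: (source host, destination IP, port).
# app01 sweeps two /24s; db02 talks to a single Redis server repeatedly.
NETFLOW = (
    [("app01", f"10.0.0.{i}", 6379) for i in range(1, 41)]
    + [("app01", f"10.0.1.{i}", 445) for i in range(1, 41)]
    + [("db02", "10.0.0.5", 6379), ("db02", "10.0.0.5", 6379)]
)

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ctype>[^"]*)"$'
)

# Assumed deployment convention: the Struts REST plugin serves paths under /rest.
REST_PATH_PREFIXES = ("/rest",)
MINER_IOCS = {"admissioninit.exe"}   # miner file name reported in the article
SCAN_PORTS = {6379, 445}             # Redis and SMB, the two services the worm stage probes


def suspicious_struts_requests(lines, prefixes=REST_PATH_PREFIXES):
    """Return (src, path, content-type) for XML-bodied writes to REST-plugin paths.

    CVE-2017-9805 is triggered through the XStream handler deserialising an XML
    request body, so an XML Content-Type on a POST/PUT to a REST path is the
    thing worth looking at; ordinary GETs to the same paths are ignored."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        is_write = m["method"] in {"POST", "PUT"}
        is_xml = "xml" in m["ctype"].lower()
        is_rest = m["path"].lower().startswith(prefixes)
        if is_write and is_xml and is_rest:
            hits.append((m["src"], m["path"], m["ctype"]))
    return hits


def miner_processes(events, iocs=MINER_IOCS):
    """Return (host, image path) for every process whose file name is a known miner IOC."""
    hits = []
    for ev in events:
        # Normalise both slash styles, then compare the bare file name case-insensitively.
        name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in iocs:
            hits.append((ev["host"], ev["image"]))
    return hits


def scanning_hosts(flows, ports=SCAN_PORTS, threshold=20):
    """Return {(host, port): distinct destination count} for hosts that reached at
    least `threshold` distinct IPs on a Redis or SMB port, i.e. worm-style sweeping.
    Repeated connections to one server (normal client traffic) do not count."""
    targets = defaultdict(set)
    for host, dst_ip, dst_port in flows:
        if dst_port in ports:
            targets[(host, dst_port)].add(dst_ip)
    return {key: len(ips) for key, ips in targets.items() if len(ips) >= threshold}


def triage(access=ACCESS_LOG, procs=PROCESS_LOG, flows=NETFLOW):
    """Run all three stage checks and return the findings keyed by stage."""
    return {
        "struts_rest_xml": suspicious_struts_requests(access),
        "miner_process": miner_processes(procs),
        "scanning": scanning_hosts(flows),
    }


if __name__ == "__main__":
    for stage, findings in triage().items():
        print(f"{stage}: {findings}")
```

The scan check counts distinct destinations rather than raw connections, which is what separates a worm sweeping a subnet from an application server that legitimately hammers one Redis instance; the threshold is a tunable, and on a real network the flow source would be NetFlow, Zeek conn logs or the firewall rather than a list literal.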

As noted by Osborne, the existence of attacks like RedisWannaMine is a clear indication that attackers will always go after older, well-known vulnerabilities to make some cash. As such, IT leaders should always have a proper system update and patch schedule in place to prevent their organization from becoming a victim.

According to the post, as these attacks get more sophisticated, it's a sign that "cryptojacking attackers have upped their game and they are getting crazier by the minute!"
