Insecure Apache Struts targeted by Monero-mining cyber crooks

'Zealot' campaign actively scanning the internet for insecure Apache servers to exploit

Cyber crooks are conducting a sophisticated "malware campaign" against Linux and Windows servers, according to researchers.

Security specialists at F5 Networks said hackers are targeting vulnerable IT systems to install malware with the sole purpose of mining the Monero cryptocurrency.

The organisation's security researchers identified the threat after discovering a number of suspicious files on a targeted server. They've branded the threat 'Zealot'.

"This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits", said the firm.

"We have dubbed the campaign 'Zealot' based on the name of the zip file containing the python scripts with the NSA-attributed exploits. As we continue to research this campaign, we will update this publication."

Maxim Zavodchik and Liron Segal, who work at F5 Networks, have been researching the campaign. They said the attackers are actively scanning the internet for servers.

The hackers are using two exploits in this process. One is for Apache Struts (CVE-2017-5638), while the other is for DotNetNuke ASP.NET CMS (CVE-2017-9822).

Apache Struts vulnerabilities aren't new. In the past, hackers have capitalised on the flaw in unpatched servers to breach Equifax's systems and get access to sensitive customer data, including the personal details of more than 15 million British citizens.

"The attack starts with the threat actor scanning the web and sending two HTTP requests. One of the requests is the notorious Apache Struts exploit via the Content-Type header," explained the firm.

"While most of the similar Apache Struts campaigns target either Windows or Linux platforms, Zealot is equipped with payloads for both."

The researchers claim that through these attacks, crooks have made around $8,500 mining the Monero cryptocurrency, which isn't exactly a massive payday. However, the sum could be a lot bigger.

Bob Rudis, chief data scientist at Rapid7, said: "Rapid7 is seeing increased scanning activity for port 443 (web, including Struts) and a spike in 139 (Windows).

"The counts reflect unique sources so this means more unique botnet nodes or other appropriated compute nodes were used to recently probe for the Struts weakness (and other web weaknesses)."

He added: "To protect themselves, organisations should have a solid knowledge of the technologies they've deployed internally and externally and monitor for patches for their software and appliances.

"They should apply patches as quickly as possible or use network and system access controls to isolate systems that cannot be patched. In this case, organisations should scan for systems that are vulnerable to CVE-2017-5638 and CVE-2017-9822 and patch them immediately."