Hackers target Windows servers running IIS 6.0 to mine Electroneum cryptocurrency

More hacking groups targeting exploits in unpatched IIS 6.0 servers to mine cryptocurrencies

Hackers are using a previously discovered - and patched - IIS 6.0 vulnerability to take control of Windows servers and mine the Electroneum cryptocurrency.

First identified by two researchers in China in March 2017, the CVE-2017-7269 vulnerability allows hackers to install a malware strain on the IIS 6.0 service.

When they made the discovery, the exploit had been in circulation for around nine months. Crooks began tapping into the vulnerability in June 2016.

The researchers alerted Microsoft about the flaw, but the firm was initially hesitant to release a patch because IIS 6.0 had already been discontinued.

However, after the Shadow Brokers hacking group - believed to be a front for Russian intelligence - found similarities between the IIS 6.0 vulnerability and 'ExplodingCan' NSA exploit, Microsoft finally published a fix.

"Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (CVE-2017-7269) due to an improper validation of an ‘IF' header in a PROPFIND request," said security firm Trend Micro at the time.

"A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method.

"Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application."

Initially, hackers used the flaw to turn Windows servers running on IIS 6.0 into Monero miners. But now, F5 Labs believes that crooks are also using it to mine Electroneum.

They are targeting vulnerable servers with an ASCII shellcode that consists of a Return-Oriented Programming (ROP) vulnerability.

By tapping into the shellcode, the hackers are able to install mining software onto infected hardware.

Although this exploit is clearly lucrative for hackers, researchers explained that the server they investigated only contained $99 of the digital currency.

"F5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE-2017-7269) in order to mine Electroneum crypto-currency," said the researchers.

"The ROP exploitation technique composes shellcode from instructions already loaded into memory, called "gadgets",

"instead of writing and executing additional external code into memory. This allows attackers to bypass security mechanisms such as executable space protection, and code signing."