Oracle Servers Vulnerable to Monero Mining Injection – Trend Micro

Trend Micro has found an Oracle vulnerability exploited by hackers in a new campaign to transform servers into mining farms for Monero.

Hacking servers to get them to mine cryptocurrency — or to get a website’s visitors to do it — is all the rage these days. Now there’s a new vulnerability culprits can play around with.

A vulnerability in Oracle's WebLogic suite allows hackers to inject mining software onto affected systems, a report by Trend Micro shows. WebLogic is Oracle's Java application server, the component needed to deploy Java applications on Oracle servers.

The attackers deliver a payload containing two instances of XMRig, a common Monero miner: one built for 32-bit systems and the other for 64-bit systems.

Usually, running two miners at the same time gives no significant advantage, because the 64-bit version would already use all of the CPU's higher registers.

Instead, the malware checks if the system is compatible with 64-bit software. If it isn’t, it will download the 32-bit version and run it.

“A coin-mining malware tries to infect as many devices as possible since it takes an extraordinary amount of computing power to substantially mine any cryptocurrency. With two payload systems, both of which are capable of starting automatically and daily, the malware developers of this particular exploit have more chances to infect machines and use them for cryptomining,” Trend Micro explains in its report.

The new campaign makes sure the mining software starts along with the servers, making it impossible for administrators to solve the problem by just restarting the systems.
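For administrators checking whether a server has been hit by this kind of dual-architecture miner with startup persistence, the following triage helpers are an added example and not part of Trend Micro's report or any tooling it describes. The process listing, cron entries, file paths and pool hostname are constructed for the demo; the ELF class check uses the standard EI_CLASS byte of the ELF header.

```python
"""Triage helpers for a dual-architecture XMRig infection on a Linux host.

Two checks matching the behaviour described above:
  1. flag process and cron lines that look like a Monero miner (XMRig
     binaries, stratum pool URLs) and cron entries that make it start
     automatically or daily;
  2. classify a dropped binary as 32- or 64-bit from its ELF header, so
     you know which of the two payloads actually landed on the box.
All sample data below is constructed; paths and hostnames are not real IoCs.
"""
import re

MINER_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"(cryptonight|randomx)", re.I),
]
# cron shortcuts that run a job at boot or once a day
PERSIST_PATTERNS = [re.compile(r"^\s*@(daily|reboot)\b")]


def flag_lines(lines, patterns):
    """Return the subset of lines matching any of the patterns."""
    return [ln for ln in lines if any(p.search(ln) for p in patterns)]


def scan(ps_lines, cron_lines):
    """Return miner-looking processes and cron entries that both persist and look like a miner."""
    processes = flag_lines(ps_lines, MINER_PATTERNS)
    persistence = [ln for ln in flag_lines(cron_lines, PERSIST_PATTERNS)
                   if flag_lines([ln], MINER_PATTERNS)]
    return {"processes": processes, "persistence": persistence}


def elf_class(header: bytes):
    """Return 32 or 64 for an ELF binary's architecture class, or None if not ELF."""
    if len(header) < 5 or header[:4] != b"\x7fELF":
        return None
    return {1: 32, 2: 64}.get(header[4])  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64


# constructed sample input: a WebLogic JVM plus a miner dropped under /tmp
SAMPLE_PS = [
    "root   1203  0.4  java -jar /opt/weblogic/server.jar",
    "root   4411 97.3  /tmp/.x/xmrig -o stratum+tcp://pool.invalid:3333 --donate-level 1",
]
SAMPLE_CRON = [
    "0 2 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "@daily /tmp/.x/xmrig -c /tmp/.x/config.json",
]

if __name__ == "__main__":
    print(scan(SAMPLE_PS, SAMPLE_CRON))
```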

Most recently, hackers have also been targeting companies running Amazon Web Services (AWS).

Tesla fell victim when hackers used its password-free Kubernetes panel to access its AWS account to mine cryptocurrencies.

In that particular instance, the ambitious attackers created their own mining pool inside the third-party infrastructure.

The Los Angeles Times was also hit with a similar attack a few days ago. Its AWS cloud storage was compromised and hijacked to include a script from Coinhive that mined Monero through the website visitors’ computers.

This incident had a peculiar twist: the hacker left a friendly note, telling the newspaper its settings left it vulnerable and asking it to “please fix this before a bad guy finds it.”