Hacker Targets WebLogic Server and Docker API to Mine Cryptocurrencies

Hackers are taking advantage of recently disclosed and older vulnerabilities in Oracle WebLogic Server to spread cryptocurrency mining malware.

Cybersecurity company Trend Micro said that it has discovered a group of financially motivated hackers taking advantage of the vulnerability to insert Python scripts capable of disabling operating system (OS) security features such as: Security-Enhanced Linux (SELinux) and other features.

The guys behind the Kinsing malware have a history of scanning vulnerable servers to introduce them into a botnet. The targeted vulnerabilities include Redis, SaltStack, Log4Shell, Spring4Shell, and Atlassian Confluence (CVE-2022-26134).

The people behind Kinsing also joined the campaign to target container environments through misconfigured open Docker Daemon API ports to launch a cryptocurrency miner, which then spread malicious code to the containers. and other servers.

In the latest wave of attacks, hackers exploited CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, that targeted unpatched servers to gain control. control the server and add malicious payloads.

Notably, in the past, this vulnerability has been exploited by many botnets to distribute Monero miners and Tsunami backdoors on infected Linux systems.

Successfully exploiting the vulnerability, the hacker deploys a shell script responsible for a series of actions: Delete system log /var/log/syslog, disable security features and cloud service agents from Alibaba and Tencent, while eliminating competing mining processes.

The shell script then downloads the Kinsing malware from a remote server and takes steps to make it persistent.

"Successful exploitation of this vulnerability could lead to RCE, allowing attackers to perform a wide variety of malicious activities on affected systems," Trend Micro said. "This can range from executing malicious code [...] to stealing critical data and even taking full control of a compromised machine."

TeamTNT is back with new attacks

Researchers from Aqua Security identify three new attacks that are linked to another "active" crypto-attack group called TeamTNT.

“TeamTNT scanned for misconfigured Docker Daemon and alpine deployment, with the command line to download shell scripts (k.sh) to the C2 server,” said Aqua Security researcher Assaf Morag.

What's remarkable about the attack chain is that it appears to be designed to break the SECP256K1 encryption, which, if successful, could give the hacker the ability to compute the keys for any crypto wallet. In other words, the idea is to take advantage of the targets' high computational power but illegitimate to run the ECDLP solver and get the key.

Two other TeamTNT attacks involved exploits of exposed Redis servers and misconfigured Docker APIs for deploying coin miners and Tsunami binaries.

TeamTNT's targeting of Docker REST APIs has been well documented over the past year. Trend Micro also detected credentials associated with two of the DockerHub accounts controlled by the attacker.

The accounts - alpineos and sandeep078 - are believed to have been used to deliver a variety of malicious payloads such as rootkits, Kubernetes mining kits, credential stealing, XMRig Monero miner and even Kinsing malware.

Trend Micro recommends that organizations configure REST APIs exposed to TLS to mitigate AiTM attacks, as well as use credential stores and helpers to store user credentials.