Created
September 14, 2018 13:51
-
-
Save nicdev/f703b9b0d1f0815017f1ffdc9e09023c to your computer and use it in GitHub Desktop.
[RFI] GET /collections/{collection_id}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "id": "5ed3139c-65f6-2849-cbcc-52e3c22ca2b4", | |
| "title": "Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers", | |
| "description": "Advisory Type,\n\n,\n\t,Cryptocurrency Mining Campaign,\n,\n\n,Overview,\n\n,TrendMicro reported on a cryptocurrency mining campaign targeting Linux servers. This campaign is currently active and affects multiple countries, primarily Japan, Taiwan, China , U.S., and India. The final payload is a modified XMRig miner. “XMRig is a legitimate, open-source XMR miner with multiple updated versions that supports both 32-bit and 64-bit Windows and Linux operating systems.” This campaign takes advantage of ,CVE-2013-2618, (exploit publicly available), which affects the Cacti's Network Weathermap plug-in. A patch that mitigates this vulnerability has been available for approximately 5 years. Cacti's Network Weathermap provides system administrators insight on the network activity. Cacti doesn't regularly report vulnerabilities affecting their products. Since June 2014, only two flaws have been publicly reported. “It’s possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool.” Exploitation of the vulnerability is also reliant on several factors noted below in the \",Execution Procedures\" section. ,The report mentioned that as of March 21, 2018, the adversaries mined approximately 320 XMR (from two Monero wallets), which translates to $74,677. Other reports on the same campaign uncovered $3 million worth of XMR from one Monero wallet. An X-Force Exchange detection signature is available and our customers have been protected since 2014. Its important to note that indicators from this campaign have been seen previously on a cryptocurrency mining campaign which used the JenkinsMiner malware.,\n\n,Time Frame,\n\n,\n\t,March 21, 2018 -- TrendMicro's article published.,\n\t,March 27, 2018 -- XFE Collection created.,\n\t,March 28, 2018 -- Collection published in XFTAS.,\n,\n\n,Targets,\n\n,\n\t,Japan - 12%,\n\t,Taiwan - 10%,\n\t,China - 10%,\n\t,U.S. - 9%,\n\t,India - 7%,\n\t,South Korea - 6%,\n\t,Malaysia - 5%,\n\t,Turkey - 4%,\n\t,Brazil - 3%,\n\t,Others - 34%,\n,\n\n,Technical Description,\n\n,Execution Procedures,\n\n,The campaign’s attack chain requires the following:,\n\n,\n\t,A web server running Linux (x86-64), given the custom XMRig Miner 64-bit ELFs;,\n\t,The web server should be publicly accessible;,\n\t,Cacti (an open-source, web-based network monitoring and graphing tool) had to be implemented with the Plugin Architecture working and an outdated Network Weathermap (0.97a and prior);,\n\t,The web server hosting Cacti does not require authentication to access the web site resource; and,\n\t,For perfect execution, the web server should be running with ‘root’ (or equivalent) permissions (some of the commands in ,sh, require root privileges).,\n,\n\n,In addition, it should be noted that even the current (fixed) release version of Weathermap does not appear to run on Cacti 1.0 (released in January 2017) or later which would seem to further limit the number of vulnerable instances available to attackers.,\n\n,Indicators of Compromise,\n\n,Hashes,\n\n,\n\t,\n\t\t,\n\t\t\t,SHA256,\n\t\t\t,Description,\n\t\t,\n\t\t,\n\t\t\t,4a70da8ad6432d7aa639e6c5e0c03958eebb3728ef89e74c028807dd5d68e2b4,\n\t\t\t,Bourne-Again shell script ASCII text executable,\n\t\t,\n\t\t,\n\t\t\t,0adadc3799d06b35465107f98c07bd7eef5cb842b2cf09ebaeaa3773c1f02343,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (GNU/Linux) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for,\n\t\t\tGNU/Linux 2.6.32 BuildID[sha1]=7b9059fbf5f223af2bf1d83251d640e0f60bbe00 stripped,\n\t\t,\n\t\t,\n\t\t\t,d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (GNU/Linux) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for,\n\t\t\tGNU/Linux 2.6.32 BuildID[sha1]=5722b052bfd047b57ec3710dd948bfc9ee7d7316 stripped,\n\t\t,\n\t\t,\n\t\t\t,7f30ea52b09d6d9298f4f30b8045b77c2e422aeeb84541bb583118be2425d335,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (GNU/Linux) dynamically linked interpreter/lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.32 BuildID[sha1]=9bc00ee0d5261d8bb29b753b8436a1c54bd19c94 stripped,\n\t\t,\n\t\t,\n\t\t\t,690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped,\n\t\t,\n\t\t,\n\t\t\t,1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped,\n\t\t,\n\t\t,\n\t\t\t,2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped,\n\t\t,\n\t\t,\n\t\t\t,48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04,\n\t\t\t,ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped,\n\t\t,\n\t,\n,\n\n,IPs / URLs,\n\n,\n\t,222.184.79.11, ,\n\t,bbc.servehalflife.com,\n\t,190.60.206.11,\n\t,182.18.8.69,\n\t,jbos.7766.org,\n\t,115.231.218.38,\n,\n\n,CVE,\n\n,\n\t,CVE-2013-2618,\n,\n\n,References,\n\n,\n\t,https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/,\n\t,https://exchange.xforce.ibmcloud.com/vulnerabilities/83187,\n\t,https://exchange.xforce.ibmcloud.com/signature/Cross_Site_Scripting,\n\t,https://nvd.nist.gov/vuln/detail/CVE-2013-2618,\n\t,https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tesla-and-jenkins-servers-fall-victim-to-cryptominers,\n,\n", | |
| "can_read": true, | |
| "can_write": false, | |
| "media_types": [ | |
| "application/vnd.oasis.stix+json; version=2.0" | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment