Cyber-security firm Trend Micro has discovered a widespread vulnerability affecting Linux-based servers that run a program called Cacti. It gives hackers a way in to inject malicious code that uses the server's computing resources to mine the privacy-focused cryptocurrency Monero.
A patch for the vulnerability, “CVE-2013-2618”, has been available for nearly five years, yet hackers are still able to find x86-64 Linux machines running an unpatched version of the Network Weathermap plugin for Cacti, an open-source graphing and network monitoring program. Through the exploit, hackers install a modified version of XMRig, an otherwise legitimate mining program, under the name “watchd0g.sh.”
The highly advanced malicious code is designed to stay under the radar: it runs only every three minutes each time the computer is turned on, so as to hide its strain on computer resources. If for some reason the code is deleted, it is designed to automatically re-install itself.
Trend Micro says that much of the globe has been affected by the cryptojacking campaign, with Japan, the United States, Taiwan, and China seeing the bulk of the compromised servers. The firm was able to track the software back to two Monero wallets which appear to show just under $75,000 in Monero being mined using this strategy.
Monero is often the cryptocurrency mined in cryptojacking campaigns, both because it is easier to mine than other cryptocurrencies and because its privacy features make it difficult to tie hacks or other criminal activity to the owners of the wallets or coins.
Cryptojacking is becoming more widespread, affecting both regular users, whose web browsers or computer resources are hijacked, and major businesses like Tesla, whose cloud infrastructure was hacked a few weeks earlier to mine Monero. Trend Micro and other cyber-security firms urge users to pay close attention to changes in computer resource usage, and to patch and update any software or programs as soon as the patches are released.
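The article describes two things a defender can look for on a Linux server: a miner that re-runs itself every few minutes and re-installs itself if removed, and the unusual resource consumption it causes. The script below is an added example, not code from the article or from Trend Micro, showing how an administrator might triage a host for both. It assumes the re-run schedule lives in a cron-style crontab (the article does not say how the scheduling is done) and that a miner dropped into a world-writable directory such as /tmp is suspicious; the crontab and process-list samples are constructed, with a placeholder pool address and wallet, and the only indicator taken from the article is the names XMRig and watchd0g.sh.

```python
"""Triage a Linux host for cryptojacking indicators (added example).

Two checks, run over text in the format of `crontab -l` and
`ps -eo pid,user,%cpu,args`:
  1. crontab entries that run every few minutes from a world-writable
     directory, or that invoke a known miner name
  2. processes that burn CPU from a world-writable directory, or whose
     executable matches a known miner name
"""
import re

# Indicator names taken from the article: the modified XMRig miner was
# deployed as "watchd0g.sh".
MINER_NAMES = ("xmrig", "watchd0g")
# Assumption: miners dropped by a web-app exploit tend to land in
# world-writable directories rather than in system paths.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_THRESHOLD = 80.0   # percent CPU considered "high"; tune per host

# Constructed sample input (not captured from any real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/3 * * * * /tmp/watchd0g.sh >/dev/null 2>&1
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /opt/cacti/poller.php
*/2 * * * * /dev/shm/.s/update
"""

SAMPLE_PS = """\
  PID USER     %CPU COMMAND
 1342 www-data 97.3 /tmp/.x/xmrig -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER
 2210 root      0.5 /usr/sbin/cron
 2301 www-data  1.2 /usr/sbin/apache2 -k start
 3333 www-data 91.0 /var/tmp/.cache/kworkerd
 4444 postgres 88.0 /usr/lib/postgresql/12/bin/postgres
"""


def suspicious_cron_entries(crontab_text, max_minutes=5):
    """Return the command part of each crontab entry worth a closer look.

    An entry is flagged if its command names a known miner, or if it runs
    at least every `max_minutes` minutes from a world-writable directory
    (the re-run-every-few-minutes pattern the article describes).
    """
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            schedule, command = parts
            frequent = False
        else:
            fields = line.split(None, 5)         # m h dom mon dow command
            if len(fields) < 6:
                continue
            schedule, command = fields[0], fields[5]
            step = re.fullmatch(r"\*/(\d+)", schedule)
            frequent = step is not None and int(step.group(1)) <= max_minutes
        name_hit = any(name in command.lower() for name in MINER_NAMES)
        dir_hit = command.startswith(SUSPICIOUS_DIRS)
        if name_hit or (frequent and dir_hit):
            findings.append(command)
    return findings


def suspicious_processes(ps_text, cpu_threshold=CPU_THRESHOLD):
    """Return (pid, user, %cpu, executable) for processes worth a look.

    A process is flagged if its executable names a known miner, or if it
    is above `cpu_threshold` percent CPU and runs from a world-writable
    directory. High CPU alone is not flagged (databases are busy too).
    """
    findings = []
    for raw in ps_text.splitlines()[1:]:         # skip the header row
        parts = raw.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, cpu, command = parts
        try:
            cpu = float(cpu)
        except ValueError:
            continue
        exe = command.split()[0]
        name_hit = any(name in exe.lower() for name in MINER_NAMES)
        dir_hit = exe.startswith(SUSPICIOUS_DIRS)
        if name_hit or (cpu >= cpu_threshold and dir_hit):
            findings.append((int(pid), user, cpu, exe))
    return findings


if __name__ == "__main__":
    for cmd in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", cmd)
    for pid, user, cpu, exe in suspicious_processes(SAMPLE_PS):
        print(f"proc: pid={pid} user={user} cpu={cpu} exe={exe}")
```

On a real host the two samples would be replaced with the output of `crontab -l` for each user and of `ps -eo pid,user,%cpu,args`. Name matching alone is weak, since a miner can be renamed, which is why the second rule keys on the combination of where the executable lives and how much CPU it uses; the postgres entry in the sample is deliberately busy but not flagged.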