
A hacker group has made nearly $75,000 by installing a Monero miner on Linux servers after exploiting a five-year-old vulnerability in the Cacti "Network Weathermap" plugin.

Experts from US security firm Trend Micro said they found evidence connecting these attacks to past attacks on Jenkins servers, during which a hacker group made around $3 million installing a Monero miner on Jenkins installations by exploiting the CVE-2017-1000353 vulnerability.

This time around, attackers leveraged CVE-2013-2618, a vulnerability in Cacti, a PHP-based open-source network monitoring and graphing tool, and more specifically in its Network Weathermap plugin, responsible for visualizing network activity.

Just like in the previous attacks, hackers exploited the flaw to gain code execution on the underlying servers, where they downloaded and installed a customized version of XMRig, a legitimate Monero mining software.

Attackers also modified the local cron jobs to trigger a "watchd0g" Bash script every three minutes, a script that checked to see if the Monero miner was still active and restarted XMRig's process whenever it was down.
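The cron-based persistence described above suggests a simple triage check for server admins: flag crontab entries that fire every few minutes or run commands out of temporary directories. The following is an added example written for this article, not code from the report or from Trend Micro; the crontab lines and the `/tmp/.x/` path are constructed samples.

```python
import re

# Constructed sample crontab (not taken from the report). The third entry
# mirrors the persistence pattern described: a watchdog run every 3 minutes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/3 * * * * /tmp/.x/watchd0g.sh >/dev/null 2>&1
30 * * * * /usr/bin/php /var/www/cacti/poller.php
"""

# Directories that are commonly world-writable and a frequent home for
# dropped scripts; treat any command referencing them as worth a look.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def minute_interval(minute_field):
    """Return the shortest interval in minutes implied by a cron minute field,
    or None when it is not a step/wildcard (e.g. a fixed minute like '30')."""
    intervals = []
    for part in minute_field.split(","):
        m = re.fullmatch(r"(\*|\d+-\d+)/(\d+)", part)  # '*/3' or '0-59/10'
        if m:
            intervals.append(int(m.group(2)))
        elif part == "*":  # bare '*' means every minute
            intervals.append(1)
    return min(intervals) if intervals else None

def flag_cron_lines(crontab_text, max_interval=5):
    """Return (line, reasons) for entries that look like miner-style persistence:
    very frequent execution and/or a command living in a temp directory."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # m h dom mon dow, then the command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        reasons = []
        interval = minute_interval(minute)
        if interval is not None and interval <= max_interval:
            reasons.append(f"runs every {interval} min")
        if any(d in command for d in SUSPICIOUS_DIRS):
            reasons.append("command in world-writable directory")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Feed it the output of `crontab -l` for each user plus the files under `/etc/cron.d` to cover the places such jobs are usually planted.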

Attackers made approximately 320 XMR ($75,000) using this simple mode of operation. All infected servers were running Linux, and most of the victims were located in Japan (12%), China (10%), Taiwan (10%), and the US (9%).

Since Cacti systems are usually designed to run on and keep an eye on internal networks, such instances shouldn't be accessible online to begin with. Running unpatched systems for almost five years is also a big security slip-up on the part of the owners. Get patchin', server admins!

IOCs and file hashes are available here.