[TheRecord] Crypto-mining botnet modifies CPU configurations to increase its mining power

A crypto-mining botnet is modifying CPU configurations on hacked Linux servers in order to increase the performance and output of its cryptocurrency mining code.

The attacks, detected by cloud security firm Uptycs, represent the first instances where a threat actor writes to a processor's model-specific registers (MSRs) to disable a CPU feature called the hardware prefetcher.

Enabled by default on most CPUs, hardware prefetching lets a processor load data into its cache ahead of time, based on the memory accesses it predicts will be needed in the near future.

When the CPU deals with repetitive computations, hardware prefetching can help improve performance.

Model-specific registers (MSRs) are a set of control registers available on x86 CPUs that can be used to manage various features, including enabling and disabling hardware prefetching.

Someone read the documentation

In a report published last week, Uptycs researchers said they spotted a crypto-mining botnet in June 2021 that was breaching Linux servers, downloading the Linux MSR driver, and then disabling hardware prefetching before installing a version of XMRig, a common app used for cryptocurrency mining by both legitimate users and malware gangs.

Uptycs believes the attacker got the idea to disable hardware prefetching after reading the XMRig documentation, where it is claimed that XMRig can gain a 15% speed boost if the feature is disabled.
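As an added defender-side illustration (not code from The Record or Uptycs), the script below shows the two host-level artifacts a responder could look for after reading the above: the Linux `msr` driver being loaded, and the prefetcher-disable bits set in Intel's MSR_MISC_FEATURE_CONTROL (address 0x1A4, a documented Intel register whose bits 0 to 3 each disable one prefetcher when set; whether a given core implements it is model-specific and treated here as an assumption). The kernel-log pattern for writes to non-whitelisted MSRs, the sample `dmesg` and `lsmod` text, and the process name are all constructed for this example; the exact kernel wording is an assumption based on recent kernels.

```python
"""Defender-side checks for hardware-prefetcher tampering via the Linux msr driver.

Added example; nothing here is from the article or from Uptycs' report.
"""
import os
import re
import struct
from typing import Dict, List, Optional, Tuple

# Intel MSR_MISC_FEATURE_CONTROL (0x1A4). Each of bits 0-3 *disables* one
# prefetcher when set. Support is model-specific (assumption: applicable here).
MSR_MISC_FEATURE_CONTROL = 0x1A4
PREFETCHER_DISABLE_BITS = {
    0: "L2 hardware prefetcher",
    1: "L2 adjacent cache line prefetcher",
    2: "DCU (L1 data) prefetcher",
    3: "DCU IP prefetcher",
}

# Assumed shape of the kernel's warning for writes to MSRs outside its
# allow-list through the msr driver (constructed pattern, not taken from the page).
MSR_WRITE_RE = re.compile(
    r"msr: Write to unrecognized MSR 0x([0-9a-fA-F]+) by (\S+)"
)


def decode_prefetch_control(value: int) -> Dict[str, bool]:
    """Map a raw MSR 0x1A4 value to {prefetcher name: disabled?}."""
    return {name: bool((value >> bit) & 1) for bit, name in PREFETCHER_DISABLE_BITS.items()}


def read_msr(cpu: int, msr: int) -> Optional[int]:
    """Read a 64-bit MSR through /dev/cpu/<cpu>/msr (needs root and the msr module).

    Returns None when the device is absent or unreadable, so the rest of the
    script still works on hosts without the driver loaded.
    """
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        data = os.pread(fd, 8, msr)  # the MSR address is the file offset
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


def find_msr_writes(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (msr_address, process_name) for each MSR write warning in kernel log lines."""
    hits = []
    for line in log_lines:
        m = MSR_WRITE_RE.search(line)
        if m:
            hits.append((int(m.group(1), 16), m.group(2)))
    return hits


def msr_module_loaded(lsmod_output: str) -> bool:
    """True if the msr kernel module appears in the first column of `lsmod` output."""
    return any(line.split()[:1] == ["msr"] for line in lsmod_output.splitlines())


def assess(lsmod_output: str, log_lines: List[str], msr_value: Optional[int]) -> List[str]:
    """Combine the three signals into human-readable findings (empty list = nothing seen)."""
    findings = []
    if msr_module_loaded(lsmod_output):
        findings.append("msr kernel module is loaded (uncommon on servers; check who loaded it)")
    for addr, comm in find_msr_writes(log_lines):
        findings.append(f"kernel logged an MSR write to {addr:#x} by process '{comm}'")
    if msr_value is not None:
        disabled = [n for n, off in decode_prefetch_control(msr_value).items() if off]
        if disabled:
            findings.append("prefetchers disabled: " + ", ".join(disabled))
    return findings


# Constructed sample inputs (not real telemetry).
SAMPLE_LSMOD = (
    "Module                  Size  Used by\n"
    "msr                    16384  0\n"
    "xfs                  1712128  1\n"
)
SAMPLE_DMESG = [
    "[  812.104] xfs: mounted /dev/sda1",
    "[ 1203.551] msr: Write to unrecognized MSR 0x1a4 by xmrig (pid: 4242).",
]

if __name__ == "__main__":
    live = read_msr(0, MSR_MISC_FEATURE_CONTROL)  # None unless run as root with msr loaded
    for finding in assess(SAMPLE_LSMOD, SAMPLE_DMESG, live if live is not None else 0xF):
        print("FINDING:", finding)
```

Run it as root on a host with the `msr` module loaded to read the live register; otherwise it falls back to the constructed inputs and the all-bits-set value 0xF, which decodes as all four prefetchers disabled. A single MSR write warning naming a process you do not recognise, combined with the module being present on a server that has no reason to load it, is the combination worth escalating.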

Right now, the attacks are limited to Linux servers, Uptycs said.

Per the company’s report, the botnet has been seen using exploits for CVE-2020-14882 and CVE-2017-11610 to gain access to Linux systems running Oracle WebLogic or Supervisord before disabling hardware prefetching and installing XMRig.

Prior to the attacks spotted this summer, Uptycs said the same botnet had been active since at least December 2020 and had previously targeted servers running MySQL, Tomcat, Oracle WebLogic, and Jenkins, suggesting that the botnet could easily switch targets and target other web-based technologies if it needed to.

The post Crypto-mining botnet modifies CPU configurations to increase its mining power appeared first on The Record by Recorded Future.
