[TheRecord] New HolesWarm botnet targets Windows and Linux servers

A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware.

While attacks have primarily been spotted across China, with reports from security firm Tencent and various IT bloggers, the botnet is expected to expand its reach, and target systems across the globe as its infrastructure and attack capabilities expand in the coming months.

Primarily operated from a command and control server located at m[.]windowsupdatesupport[.]org, the botnet has been seen exploiting vulnerabilities in software such as:

Docker
Jenkins
Apache Tomcat
Apache Struts (multiple bugs)
Apache Shiro
Apache Hadoop Yarn
Oracle WebLogic (CVE-2020-14882)
Spring Boot
Zhiyuan OA (multiple bugs)
UFIDA
Panwei OA
Yonyou GRP-U8

While the entry vectors may vary per victim, Tencent Security says that once the malware gets a foothold on an infected system, HolesWarm dumps local passwords, expands to the local network, and then deploys an XMRig-based cryptocurrency mining tool.

While other botnet operators try to hide their presence on infected systems by throttling the crypto-mining process, HolesWarm doesn’t appear to employ this safety mechanism, and per several reports, the botnet often maxes out server CPUs, leading to its discovery.

Image: enp4s0

Right now, the botnet is just the latest in a long line of crypto-mining botnets that are popping up online on a regular basis. Nothing in its make-up screams technical sophistication, and the HolesWarm operators are just the latest malware coders taking advantage of the large number of servers running out-of-date software.

IOCs are available in the reports linked above, and in the Twitter thread below, from security firm Intezer Labs, which also saw some of the botnet’s earlier attacks.

[1/5] 🆕 XMRig miner dropper, written in Golang, targets both Windows and Linux. The Linux dropper has no detections in VirusTotal https://t.co/CiZEG2vUXk

Upon execution, the dropper creates persistence and queries the C&C for extra payload over windowsupdatev1.json
->> pic.twitter.com/wV0BhJA5tw

— Intezer (@IntezerLabs) June 8, 2021
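The two network indicators the article gives, the command and control domain m[.]windowsupdatesupport[.]org and the windowsupdatev1.json payload request the Intezer thread mentions, are enough to write a simple retrospective check over web-proxy logs. The script below is an added example for that purpose; it is not code from The Record, Tencent or Intezer. The log layout ("timestamp source-IP method URL") and the sample records are constructed assumptions, and the only indicators it matches are the two taken from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators named in the article. The domain appears there in defanged form;
# it is refanged below so it can be compared against real proxy records.
C2_DOMAIN_DEFANGED = "m[.]windowsupdatesupport[.]org"
PAYLOAD_PATH = "windowsupdatev1.json"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a matchable hostname."""
    return indicator.replace("[.]", ".")


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)

# Constructed sample records in an assumed "<timestamp> <src_ip> <method> <url>"
# layout. This is not real traffic; adapt LOG_RE to the local proxy format.
SAMPLE_LOG = """\
2021-06-08T10:01:02Z 10.0.0.5 GET http://example.org/index.html
2021-06-08T10:01:05Z 10.0.0.7 GET http://m.windowsupdatesupport.org/windowsupdatev1.json
2021-06-08T10:01:09Z 10.0.0.7 POST http://m.windowsupdatesupport.org/report
this line is malformed and must be skipped
2021-06-08T10:02:11Z 10.0.0.9 GET http://cdn.example.net/windowsupdatev1.json
2021-06-08T10:02:30Z 10.0.0.5 GET http://www.example.com/login
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def parse_line(line: str):
    """Return the record fields as a dict, or None for lines that do not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_reasons(url: str) -> list:
    """List which article indicators a single URL matches (empty list means none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # Exact host or any subdomain of the C2 domain is a strong match.
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        reasons.append("c2-domain")
    # The payload file name alone is weaker: it could appear on unrelated hosts.
    if parts.path.rsplit("/", 1)[-1] == PAYLOAD_PATH:
        reasons.append("payload-path")
    return reasons


def scan_proxy_log(text: str) -> dict:
    """Group matching requests by source IP so each internal host can be triaged."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_reasons(rec["url"])
        if reasons:
            hits[rec["src"]].append({"ts": rec["ts"], "url": rec["url"], "reasons": reasons})
    return dict(hits)


def severity(records: list) -> str:
    """A host that talked to the C2 domain is 'high'; a file-name-only match is 'low'."""
    if any("c2-domain" in r["reasons"] for r in records):
        return "high"
    return "low"


if __name__ == "__main__":
    for src, records in scan_proxy_log(SAMPLE_LOG).items():
        print(src, severity(records))
        for r in records:
            print("   ", r["ts"], r["url"], ",".join(r["reasons"]))
```

Run against the embedded sample, 10.0.0.7 is reported as high (it fetched windowsupdatev1.json from the C2 domain and then posted back to it), while 10.0.0.9 is only low because the same file name on an unrelated host is not evidence on its own. The split into match_reasons and severity keeps the indicator list easy to extend as the linked reports publish further IOCs.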

The post New HolesWarm botnet targets Windows and Linux servers appeared first on The Record by Recorded Future.

