HolesWarm Cryptominer Botnet Targets Unpatched Windows, Linux Servers


Researchers at Tencent have issued a warning about a HolesWarm cryptominer campaign that exploits more than 20 known vulnerabilities in Linux and Windows servers. The botnet has rotated through so many different known vulnerabilities between attacks that Tencent's researchers have dubbed the malware the "King of Vulnerability Exploitation."

HolesWarm has compromised more than 1,000 cloud hosts since June alone. Tencent warned that both government and enterprise operators should patch the known flaws now to avoid becoming the next HolesWarm victim. Beyond mining, the botnet hands its operators harvested password information and full control of the infected server.

"As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise. Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers," Tencent researchers said in their Tuesday report.

HolesWarm targeting known security flaws 

Security analysts at Tencent observed HolesWarm exploiting high-risk flaws in several widely deployed server components, including Apache Tomcat, Jenkins, Apache Shiro, Spring Boot, Struts2, UFIDA, WebLogic, XXL-JOB, and Zhiyuan.
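The first thing a defender wants from that list is an inventory: which of those components are actually exposed, and at what version, so they can be matched against the patch backlog. The script below is an added example written for this article, not code from Tencent or from the article's authors. It tags HTTP responses with the component they appear to come from using common, non-exhaustive fingerprint heuristics (header names, cookies, page-body strings); the sample responses and hosts are constructed, and the rules for Struts2, UFIDA, XXL-JOB and Zhiyuan are deliberately left out rather than guessed at.

```python
"""
Offline fingerprinting of several of the server components HolesWarm targets.

Added example for this article, not code from Tencent or the article's
authors.  The rules are common, non-exhaustive heuristics (response headers,
cookies and page-body strings) and every sample response below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    host: str
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; '' when absent."""
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


# (component, predicate).  Rule order determines output order.
RULES = [
    ("Jenkins", lambda r: bool(r.header("X-Jenkins"))),
    ("Apache Shiro", lambda r: "rememberme=deleteme" in r.header("Set-Cookie").lower()),
    ("Apache Tomcat", lambda r: ("apache-coyote" in r.header("Server").lower()
                                 or "Apache Tomcat/" in r.body)),
    ("Spring Boot", lambda r: ("Whitelabel Error Page" in r.body
                               or ('"_links"' in r.body and "/actuator" in r.body))),
    ("WebLogic", lambda r: ("WebLogic Server" in r.header("Server")
                            or "WebLogic Server Administration Console" in r.body)),
]


def _tomcat_version(r: HttpResponse) -> str:
    """Tomcat error pages carry 'Apache Tomcat/x.y.z' in the body."""
    m = re.search(r"Apache Tomcat/([\d.]+)", r.body)
    return m.group(1) if m else ""


# Where a version string is cheap to pull out, record it for the patch backlog.
VERSION_HINTS = {
    "Jenkins": lambda r: r.header("X-Jenkins"),
    "Apache Tomcat": _tomcat_version,
}


def fingerprint(resp: HttpResponse) -> list[tuple[str, str]]:
    """Return [(component, version-or-''), ...] for one response."""
    found = []
    for name, matches in RULES:
        if matches(resp):
            hint = VERSION_HINTS.get(name)
            found.append((name, hint(resp) if hint else ""))
    return found


def inventory(responses: list[HttpResponse]) -> dict[str, list[tuple[str, str]]]:
    """host -> fingerprints, only for hosts where something matched."""
    out = {}
    for r in responses:
        hits = fingerprint(r)
        if hits:
            out[r.host] = hits
    return out


# Constructed sample responses; the addresses are not real hosts.
SAMPLES = [
    HttpResponse("10.0.0.11", 200,
                 {"X-Jenkins": "2.289.1", "Server": "Jetty(9.4.39.v20210325)"},
                 "<title>Dashboard [Jenkins]</title>"),
    HttpResponse("10.0.0.12", 200,
                 {"Server": "Apache-Coyote/1.1",
                  "Set-Cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"},
                 "<html>login</html>"),
    HttpResponse("10.0.0.13", 404, {"Server": "Apache-Coyote/1.1"},
                 "<h3>Apache Tomcat/8.5.41</h3>"),
    HttpResponse("10.0.0.14", 500, {"Content-Type": "text/html"},
                 "<h1>Whitelabel Error Page</h1>"),
    HttpResponse("10.0.0.15", 200, {"Server": "nginx/1.18.0"}, "<html>ok</html>"),
]

if __name__ == "__main__":
    for host, hits in inventory(SAMPLES).items():
        print(host, ", ".join(f"{c} {v}".strip() for c, v in hits))
```

In practice the `HttpResponse` objects would come from a crawler or from stored proxy logs; a host that matches nothing here is not cleared, only unfingerprinted by these particular rules.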

The malware puts compromised systems to work mining Monero. Mining is only profitable at scale, so each infected host matters for the CPU time it adds to a pool of many others: cryptominer malware takes full control of the victim's system and folds it into a much larger, and very common, criminal effort to mine Monero using other people's hardware and electricity. According to Tencent researchers, the attackers are constantly updating their tooling.

“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”
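The mechanism Tencent describes above is a version-gated self-update loop, and its side effects are what a responder would see on a host: a sidecar text file holding a version string next to each module, and a kill of the running module followed by a restart whenever the pulled configuration is newer. The model below is an added illustration for this article, not HolesWarm's code or anything from Tencent's report; the cloud config format, the file layout, the module names and the version strings are all assumptions.

```python
"""
Model of the version-gated module update loop Tencent describes.

Added illustration for this article, not HolesWarm's code or Tencent's: the
cloud config format, the file layout, the module names and the version
strings are assumptions.  A module's installed version is kept in a text file
with the same name as the module; when the pulled config carries a newer
version, the running module is stopped and replaced.
"""
from __future__ import annotations

import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed stand-in for the configuration the bot pulls from its operators.
CLOUD_CONFIG = json.dumps({"modules": {
    "miner":   {"version": "2.1.0"},
    "scanner": {"version": "1.4.2"},
    "spread":  {"version": "1.0.0"},
}})


def parse_version(v: str) -> tuple[int, ...]:
    """'2.1.0' -> (2, 1, 0); anything unparseable ranks below every real version."""
    try:
        return tuple(int(p) for p in v.strip().split("."))
    except ValueError:
        return (0,)


@dataclass
class ModuleHost:
    """Simulated victim: a module directory plus a table of running 'processes'."""
    root: Path
    running: dict[str, str] = field(default_factory=dict)   # module -> running version
    log: list[str] = field(default_factory=list)            # what an EDR would record

    def installed_version(self, name: str) -> str:
        f = self.root / f"{name}.txt"                        # same-name version record
        return f.read_text() if f.exists() else ""

    def stop(self, name: str) -> None:
        if name in self.running:
            self.log.append(f"kill {name} {self.running.pop(name)}")

    def install(self, name: str, version: str) -> None:
        (self.root / name).write_bytes(b"<module payload>")  # stand-in for the binary
        (self.root / f"{name}.txt").write_text(version)
        self.running[name] = version
        self.log.append(f"start {name} {version}")

    def sync(self, cloud_config_json: str) -> list[str]:
        """Newer cloud version => stop, reinstall, restart.  Returns the updated names."""
        updated = []
        for name, spec in json.loads(cloud_config_json)["modules"].items():
            local = self.installed_version(name)
            if parse_version(spec["version"]) > parse_version(local):
                self.stop(name)
                self.install(name, spec["version"])
                updated.append(name)
            elif name not in self.running:                   # current on disk, not running
                self.running[name] = local
                self.log.append(f"start {name} {local}")
        return updated


def demo(root: str | None = None) -> ModuleHost:
    """Stale miner plus current scanner, then one sync against CLOUD_CONFIG."""
    host = ModuleHost(Path(root or tempfile.mkdtemp()))
    host.install("miner", "2.0.0")
    host.install("scanner", "1.4.2")
    host.sync(CLOUD_CONFIG)
    return host


if __name__ == "__main__":
    print("\n".join(demo().log))
```

The log the model produces (a kill of a module immediately followed by a start of a same-named module, plus a fresh write to a same-named `.txt`) is the kind of process and file activity worth hunting for when a cryptominer is suspected, whatever the real module names turn out to be.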

Dirk Schrader of New Net Technologies said the rapid evolution of the cryptominer suggests the group behind it is just getting started.

“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader explained.