
Cryptocurrency Miner Distributed via Weathermap Plugin

A cryptocurrency miner has been distributed via a PHP tool exploiting a vulnerability in the Weathermap network monitoring tool.

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk



Threat details

The miner targets web servers running either Linux or Windows with the Cacti plugin architecture installed.

The threat actors have been exploiting CVE-2013-2618, a cross-site scripting vulnerability in the Weathermap plugin.

The primary targets are Linux servers, but Windows servers with the plugin can also be affected. The plugin lets administrators monitor their environments conveniently; if it is compromised, it gives threat actors the same access. A patch has been available for nearly five years, but some systems have not been updated, and the attack takes advantage of the patch lag that occurs in some organisations.

On Linux, the malware writes code to /etc/rc.local, so that watchd0g.sh is executed each time the system restarts. It also modifies /etc/crontab so that watchd0g.sh runs every three minutes. It then manipulates Linux kernel parameters.
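The two persistence locations named above are the ones a responder would check first. The following shell script is an added example, not part of the NHS Digital alert: it scans copies of /etc/rc.local and /etc/crontab for the watchd0g.sh indicator and for any cron entry that fires every three minutes and calls a script from a world-writable directory. The sample files, the temporary directory and the /tmp path of the dropper are constructed for an offline run; on a real host, point the functions at the real files instead.

```shell
#!/bin/sh
# Added example (not from the NHS Digital alert): look for the persistence
# entries the alert describes in rc.local and crontab.

# Constructed sample files standing in for /etc/rc.local and /etc/crontab.
# The directory and the /tmp/watchd0g.sh path are assumptions for this demo.
SAMPLE_DIR="${TMPDIR:-/tmp}/weathermap_check.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/rc.local" <<'EOF'
#!/bin/sh -e
# rc.local sample (constructed)
/tmp/watchd0g.sh &
exit 0
EOF
cat > "$SAMPLE_DIR/crontab" <<'EOF'
# crontab sample (constructed)
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /tmp/watchd0g.sh
EOF

# check_persistence FILE: print suspicious lines with line numbers.
# Returns 0 if anything matched, 1 if the file is clean or unreadable.
check_persistence() {
    file="$1"
    [ -r "$file" ] || return 1
    # Match the script name from the alert, or a cron line whose minute
    # field is */3 (every three minutes) and whose command lives in
    # /tmp or /dev/shm, both commonly world-writable.
    grep -nE 'watchd0g\.sh|^\*/3[[:space:]].*(/tmp/|/dev/shm/)' "$file"
}

# count_hits FILE: number of suspicious lines found in FILE (0 if none).
count_hits() {
    check_persistence "$1" | wc -l | tr -d ' '
}

for f in "$SAMPLE_DIR/rc.local" "$SAMPLE_DIR/crontab"; do
    if check_persistence "$f" >/dev/null; then
        echo "SUSPICIOUS: $f"
        check_persistence "$f"
    else
        echo "clean: $f"
    fi
done
```

A hit in either file is a reason to preserve the file and the referenced script for analysis before cleaning up, since the cron entry will re-launch the miner within three minutes of it being killed. The sample directory is left in place so the output can be inspected; remove it when done.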


Remediation steps

  • Later versions of the plugin are not vulnerable. Users should update immediately.
  • Servers should be hardened and secured with appropriate countermeasures.
  • Data from Cacti should be kept internal to the environment.



Last edited: 19 January 2022 1:56 pm