Crypto-Mining Campaign Targeting Apache Struts and DotNetNuke Vulnerabilities

Researchers at Trend Micro have reported a significant increase in attempts to exploit CVE-2017-5638 in Apache Struts – the vulnerability exploited in the 2017 Equifax breach – and CVE-2017-9822 in DotNetNuke. While patches are already available, these vulnerabilities are often present in web applications that are used to create websites and, as a result, it is likely that many servers are vulnerable. Trend Micro believes the threat actor behind this particular campaign is targeting vulnerable web servers to redirect visitors to a domain that downloads a Monero cryptocurrency miner. The miner is linked to only one Monero wallet address, which already has generated a balance of 30 Monero – equivalent to approximately $12,000. Exploitation of the Apache Struts vulnerability began around mid-December 2017, peaked in mid-to-late December, and is still ongoing. Both Windows and Linux systems are targeted in this campaign. The NJCCIC recommends administrators of Apache Struts and DotNetNuke review the Trend Micro report, patch the vulnerabilities exploited in this campaign as soon as possible, and keep all hardware and software up-to-date. Additionally, monitor system CPU usage for spikes in activity that may indicate the presence of a cryptocurrency miner.