Security researchers have spotted a new multi-stage attack campaign using NSA exploits to infect victim machines with Monero mining malware.
The attack begins by scanning for vulnerable servers: specifically ones that are still open to the Apache Struts flaw (CVE-2017-5638) which led to the infamous Equifax breach, and CVE-2017-9822, a DotNetNuke (DNN) content management system vulnerability.
If a Windows machine is detected, the attackers deploy two NSA-linked exploits leaked by alleged Russian state hackers the Shadow Brokers earlier this year.
EternalSynergy and EternalBlue help them to move laterally and spread across target networks.
A “highly obfuscated” PowerShell agent is then deployed to install the final Monero-mining payload.
For Linux/OS X machines, a Python agent based on the EmpireProject post-exploitation framework is used to install the crypto-currency miner.
“Zealot seems to be the first Struts campaign using the NSA exploits to propagate inside internal networks. There were other malware campaigns like NotPetya and WannaCry ransomware, and also Adylkuzz cryptominer launching attacks by directly scanning the internet for SMBs to exploit with the NSA tools the ShadowBrokers released,” explained F5 Networks’ Maxim Zavodchik and Liron Segal.
“The Zealot campaign, however, seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders.”
Rapid7’s chief data scientist, Bob Rudis, warned organizations “there is a 100% guarantee” that hackers will be looking to launch similar attacks in the future.
“To protect themselves, organizations should have a solid knowledge of the technologies they've deployed internally and externally and monitor for patches for their software and appliances,” he added.
“They should apply patches as quickly as possible or use network and system access controls to isolate systems that cannot be patched. In this case, organizations should scan for systems that are vulnerable to CVE-2017-5638 and CVE-2017-9822 and patch them immediately.”