Crypto Mining Malware Targeting Linux Servers

It has been reported that a coin-mining malware infection previously only seen on Arm-powered IoT devices has made the jump to Intel systems. Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux. It is fine-tuned for intel processors by establishing a SSH (port 22) connection and deliver it as a gzip archive. It creates three different directories with different versions of the same files. Each directory contains a variation of the XMrig v2.14.1 cryptocurrency miner in either x86 32bit or 64bit format and some of the binaries are named after popular UNIX utilities such as ps to make it harder to detect.

 


EXPERTS COMMENTS
Gavin Millard , VP of intelligence ,  Tenable
September 03, 2019
It's often said that when it comes to basic cyber hygiene that you don't have to run as fast as a bear.
As with other similar attacks, this latest malware capitalises on the abundance of low hanging fruit of default credentials and user names with simple passwords. As we’ve learned over the last 15 to 20 years, there are far too many systems connected to the internet with this type of access which will be easily popped and CPU cycles monetised. Admins must know the exposure of every externally facing asset that’s attached to the network or associated to the organisation and set the minimum bar of attack higher than something most script kiddies can take advantage of in their sleep. To thwart this particular coin-mining malware from abusing Linux servers all inbound SSH access should be restricted, monitored for unusual activity and most importantly have robust credentials for access. It's often said that when it comes to basic cyber hygiene that you don't have to run as fast as a bear, just slightly quicker than the person next to you, but in the case of Crypto Mining the organisations getting hit by this aren't running, they're laying down covered in honey.

Join the Conversation

Join the Conversation


In this article