An Army of Thousands of Hacked Servers Found Mining Cryptocurrencies

A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master around $25,000 per month.

Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution.

Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced back the botnet malware developer, using online handle Bond007.01, to China.

According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies — primarily Monero, but also ByteCoin, RieCoin, and ZCash — but they warn that the hacker could easily take full control of compromised servers for malicious purposes, like mounting Mirai-style DDoS attacks.

BondNet Attacks only Windows Server Machines

Since mining cryptocurrencies require large amounts of CPU/GPU power, the botnet master goes after Windows Server machines; instead of consumer IoT devices.

However, in order to compromise Windows Server machines, the botnet master relies on different attack techniques. Researchers say the hacker uses a combination of old vulnerabilities and weak user/password combinations to attack mostly old and unsupported Windows Server machines.

The most common flaws exploited by the botnet operator include known phpMyAdmin configuration flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite, MSSQL servers, ElasticSearch, Apache Tomcat, Oracle Weblogic, and other services.

Once the hacker gain access to a Windows Server machine, he deploys Visual Basic files to gather information about the infected system and then install a Remote Access Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked servers.

Read more…