HolesWarm Cryptomining Malware Found in Windows Vulnerabilities Since June

Security researchers have warned that organizations across enterprise and government are at risk from the HolesWarm cryptominer malware. The warning follows the successful exploitation of more than 20 vulnerabilities in Windows and Linux server software, which has led to over 1,000 cloud hosts being compromised since June.

A security team at Tencent points out the HolesWarm cryptominer botnet is dangerous because it is adept at targeting numerous vulnerabilities in a single attack. In fact, the company is calling the malware the “King of Vulnerability Exploitation” since discovering it.

“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise,” Tencent confirmed this week.


HolesWarm does more than cryptomining: it can also hand threat actors the password details of compromised servers. The malware has been exploiting high-risk flaws in widely deployed server components, including Jenkins, Spring Boot, UFIDA, Apache Tomcat, Shiro, WebLogic, Struts2, Zhiyuan, and XXL-JOB.

“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of cloud hosts is still on the rise,” the report adds. “Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.”

Monero Mining

Despite being able to fulfil other attack goals, HolesWarm focuses on mining the Monero cryptocurrency. It infects a system, takes control of it, and puts the hardware to work mining Monero. The more successful infections the botnet accumulates, the more computing resources it has for mining.

Tencent says attackers are adapting to security tools to remain successful:

“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” says the company. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”
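The quoted update mechanism is easy to model and gives defenders one on-disk trace to look for. The following is an added example written for this page, not code from Tencent's report or from the malware: it assumes, for illustration only, that each module is stored beside a same-name text file (`<module>.txt`) holding nothing but a version string, and shows both the "replace only when the cloud copy is newer" decision and a hunting helper that lists such module/version-file pairs in a directory. The sample directory it scans is constructed inside the script.

```python
"""Model of the version-gated module update Tencent describes for HolesWarm,
plus a simple hunting check for the trace it leaves on disk.

Added example; not code from the report or the malware. The layout assumed
here (module file next to '<same name>.txt' holding a version string) is an
assumption made for illustration.
"""
import re
import tempfile
from pathlib import Path

# Accepts "1.2", "v1.2.3", with surrounding whitespace; nothing else.
VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if the
    text is not a bare version (tuples compare correctly: (1, 10) > (1, 9))."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def should_update(local_text, cloud_text):
    """Decide whether the described updater would kill and replace a module.

    It only acts when the cloud-side version is strictly newer than the
    version recorded locally. No local record (first install) means update;
    an unparsable cloud version means there is nothing sane to compare, so
    leave the module alone.
    """
    cloud = parse_version(cloud_text)
    if cloud is None:
        return False
    local = parse_version(local_text) if local_text is not None else None
    if local is None:
        return True
    return cloud > local


def find_versioned_module_pairs(directory):
    """Hunting helper: list (module name, version) for every non-.txt file
    that has a sibling '<same name>.txt' containing only a version string."""
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix == ".txt":
            continue
        sidecar = path.with_name(path.name + ".txt")
        if sidecar.is_file():
            version = parse_version(sidecar.read_text(errors="replace"))
            if version is not None:
                hits.append((path.name, version))
    return hits


def demo():
    """Build a constructed directory and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins: the content of the binaries is irrelevant.
        (root / "miner").write_bytes(b"\x7fELF constructed stand-in")
        (root / "miner.txt").write_text("1.2.0\n")          # version record
        (root / "scanner").write_bytes(b"\x7fELF constructed stand-in")
        (root / "scanner.txt").write_text("not a version\n")  # ignored
        (root / "notes.txt").write_text("3.0\n")             # no module beside it
        pairs = find_versioned_module_pairs(root)
    newer = should_update("1.2.0", "1.3")      # cloud newer -> replace
    same = should_update("1.2.0", "1.2.0")     # equal -> leave running
    return pairs, newer, same


if __name__ == "__main__":
    print(demo())   # ([('miner', (1, 2, 0))], True, False)
```

The hunting helper is deliberately narrow: a version-only text file sitting next to an executable of the same name is unusual on a production host, so the hit list stays short enough to review by hand, but it is only a starting point for triage, not a signature.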

While this is dangerous malware, its use so far appears to be the work of a relatively new group. Tencent says the malware was relatively easy to locate, and organizations should update and patch the affected components where necessary to avoid attacks.
