Windows servers running IIS 6.0 targeted by crypto-mining hackers
Attackers are using unpatched servers to mine Electroneum
HACKERS ARE EXPLOITING a previously discovered - and patched - IIS 6.0 vulnerability to take control of Windows servers and mine the Electroneum cryptocurrency.
First identified by two researchers in China in March 2017, the CVE-2017-7269 vulnerability allows hackers to install a malware strain on the IIS 6.0 service.
When they made the discovery, the exploit had been in circulation for around nine months. Crooks began tapping into the vulnerability in June 2016.
The researchers alerted Microsoft about the flaw, but the firm was initially hesitant to release a patch because IIS 6.0 had already been discontinued.
However, after the Shadow Brokers hacking group - believed to be a front for Russian intelligence - found similarities between the IIS 6.0 vulnerability and the 'ExplodingCan' NSA exploit, Microsoft finally published a fix.
"Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (CVE-2017-7269) due to an improper validation of an 'IF' header in a PROPFIND request," said security firm Trend Micro at the time.
"A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method.
"Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application."
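As an added example, not code from the article, F5 or Trend Micro, the Python below flags the request shape described above: a WebDAV PROPFIND whose If header is far longer than any legitimate client would send, run over constructed sample requests. The 1024-byte threshold and the sample traffic are assumptions made for the illustration.

```python
"""Flag WebDAV PROPFIND requests whose If header is suspiciously long.
CVE-2017-7269 is a buffer overflow in how IIS 6.0 parses the 'If' header
of a PROPFIND request. A legitimate If header carries short lock tokens or
ETags, so an oversized one on a PROPFIND is a cheap, high-signal detection.
"""
from typing import Dict, List, Optional, Tuple

# Assumed threshold (not from the article): real If headers are far shorter.
MAX_IF_HEADER_LEN = 1024


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, lowercase headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:  # malformed request line: nothing to classify
        return "", "", {}
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def check_propfind(raw: bytes) -> Optional[str]:
    """Return an alert if the request matches the CVE-2017-7269 pattern
    (PROPFIND with an oversized If header); otherwise None."""
    method, target, headers = parse_request(raw)
    if method.upper() != "PROPFIND" or "if" not in headers:
        return None
    length = len(headers["if"])
    if length > MAX_IF_HEADER_LEN:
        return f"PROPFIND {target}: If header of {length} bytes exceeds {MAX_IF_HEADER_LEN}"
    return None


def scan(requests: List[bytes]) -> List[str]:
    """Run the check over a batch of raw requests and collect the alerts."""
    return [alert for alert in map(check_propfind, requests) if alert]


# Constructed sample traffic for a dry run; not captured from the campaign.
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example.test\r\n"
          b"If: (<opaquelocktoken:constructed-token-1234>)\r\nDepth: 0\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: files.example.test\r\n"
             b"If: <" + b"A" * 3000 + b">\r\n\r\n")
```

IIS W3C logs do not record the If header, so a check like this has to sit where the raw request is visible, such as a reverse proxy or IDS in front of the server; the durable fix remains the patch mentioned above, or disabling the WebDAV component on IIS 6.0 where it is not needed.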
Initially, hackers used the flaw to turn Windows servers running on IIS 6.0 into Monero miners. But now, F5 Labs believes that crooks are also using it to mine Electroneum.
They are targeting vulnerable servers with an ASCII shellcode built using a Return-Oriented Programming (ROP) technique.
Once the shellcode runs, the hackers are able to install mining software on the infected hardware.
Although this exploit is clearly lucrative for hackers, researchers explained that the server they investigated only contained $99 of the digital currency.
"F5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE-2017-7269) in order to mine Electroneum crypto-currency," said the researchers.
"The ROP exploitation technique composes shellcode from instructions already loaded into memory, called 'gadgets', instead of writing and executing additional external code into memory. This allows attackers to bypass security mechanisms such as executable space protection and code signing."