Vulnerabilities in Apache, Oracle and Redis servers exploited for Monero mining

The Rocke hacker group attacked a number of unpatched cloud servers using the new Pro-Ocean malware for covert cryptocurrency mining, Palo Alto Networks researchers report.

The malware exploits known vulnerabilities to take control of the Apache ActiveMQ message broker (CVE-2016-3088), the Oracle WebLogic application server (CVE-2017-10271), and the Redis database management system.

Before installation, Pro-Ocean attempts to remove other malware and miners from the victim’s device, including Luoxk, BillGates, XMRig and Hashfish. It then disables all CPU-intensive applications, diverting the freed power to Monero mining.

It is also able to remove monitoring agents that could detect anomalous activity.

“Pro-Ocean is equipped with enhanced rootkit and worm features that allow it to hide activity and spread across the attacked subnet,” researchers noted.

According to Aqua Security, 95% of attacks on compromised cloud servers are aimed at covert cryptocurrency mining.

Back in October 2020, a new version of the Black-T malware for covert Monero mining was able to steal passwords and stop competing programs.
