Unpatched Windows and Linux Servers Actively Attacked by HolesWarm Malware

Walden Systems Geeks Corner News

The HolesWarm cryptominer malware has broken into more than 1,000 cloud hosts since June by exploiting more than 20 known Windows and Linux vulnerabilities. Because the cryptominer botnet has been so successful, researchers at Tencent refer to it as the "King of Vulnerability Exploitation." The HolesWarm virus has changed more than 20 times in a short period of time, and the number of infected hosts is still on the rise. As icing on the cake, HolesWarm gives hackers password information and control of the victim's server.

HolesWarm exploits high-risk vulnerabilities in several server components, including Apache Tomcat, Jenkins, Shiro, Spring Boot, Struts2, UFIDA, WebLogic, XXL-JOB and Zhiyuan. The botnet uses infected systems to mine Monero. Cryptominers validate blocks of a blockchain in return for a reward in cryptocurrency. This is only profitable if many machines are doing the work. Cryptominer malware takes over a victim's system and makes it part of a criminal effort to mine Monero using someone else's resources.


HolesWarm updates itself module by module. When it installs a malicious module, it records the module's version information in a text configuration of the same name. When the cloud configuration is newer, it ends the corresponding module process and updates automatically. The module configuration data changes rapidly, indicating that the hackers behind it are frequently updating their attack methods.

HolesWarm wouldn't work without unpatched servers with known security holes. The virus couldn't spread without these unpatched servers. 76 percent of IT security executives said IT vulnerabilities have impacted their business in the last year. Security experts recommend that organizations actively patch high-risk vulnerabilities in related network components to keep their servers from becoming "broilers" (compromised hosts) controlled by hackers.