Threat Watch

KingMiner Locks Out Competition

The Cryptojacking botnet named Kingminer is trying to keep exclusive access to computers they’ve broken into by applying hotfixes from Microsoft in infected systems to lock out other attackers. Kingminer has been around for about two years and uses brute force attacks to access SQL servers to install the XMRig cryptocurrency miner. In recent campaigns, the operators starting using the EternalBlue exploit to break into unpatched systems and then applied the patch to shut the door on remote access to their compromised system. Other recent attacks have started by brute-forcing an exposed Microsoft SQL Server until they guess the system administrator’s SQL Server account password. Once that is complete, scripts are downloaded to the server which allows the attacker full control over the server by using the “xp_cmdshell” SQL command to run arbitrary commands through SQL queries. Yet another technique used by the attackers is to compromise unpatched Remote Desktop Protocol (RDP) servers that are vulnerable to the BlueKeep exploit and then either apply the patch to mitigate BlueKeep or disable the Remote Desktop Protocol (RDP) if the patch cannot be applied, to shut off systems from other crypto mining botnets. 

ANALYST NOTES

As the attackers behind Kingminer have demonstrated, it is extremely important to apply security patches and OS upgrades to servers, especially if the servers are directly connected to the Internet. Patches for both EternalBlue and BlueKeep have been available for a long time and are widely recognized as critical to apply. The attackers know that if they don’t apply these patches or shut off RDP, other attackers will also easily find the servers through scanning and will break in right behind them. Although Internet-facing servers are most at risk, servers on internal networks are also vulnerable, because all an attacker has to do is convince one employee to open a malicious document on a workstation in order to use that workstation to scan and attack unpatched servers inside the network. There are several methods to defend from brute-force style attacks. One example would be to lock accounts after a set number of failed logins. Another method would be to block an IP address after a number of failed attempts. These methods do have some issues, it can make DDoS attacks easier for attackers that want to shut down a company’s servers. It is also advisable to monitor for attacks 24 hours a day and respond quickly when attacks are detected, or to employ a managed security service, such as the Binary Defense Security Operations Center, staffed by skilled security analysts who can detect and defend from attacks like these.

Original Article: https://www.bleepingcomputer.com/news/security/kingminer-patches-vulnerable-servers-to-lock-out-competitors/

Tips on preventing brute-force attacks: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks