The Cryptojacking botnet named Kingminer is trying to keep exclusive access to computers they’ve broken into by applying hotfixes from Microsoft in infected systems to lock out other attackers. Kingminer has been around for about two years and uses brute force attacks to access SQL servers to install the XMRig cryptocurrency miner. In recent campaigns, the operators starting using the EternalBlue exploit to break into unpatched systems and then applied the patch to shut the door on remote access to their compromised system. Other recent attacks have started by brute-forcing an exposed Microsoft SQL Server until they guess the system administrator’s SQL Server account password. Once that is complete, scripts are downloaded to the server which allows the attacker full control over the server by using the “xp_cmdshell” SQL command to run arbitrary commands through SQL queries. Yet another technique used by the attackers is to compromise unpatched Remote Desktop Protocol (RDP) servers that are vulnerable to the BlueKeep exploit and then either apply the patch to mitigate BlueKeep or disable the Remote Desktop Protocol (RDP) if the patch cannot be applied, to shut off systems from other crypto mining botnets.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.