A cryptocurrency miner has been distributed via a PHP tool exploiting a vulnerability in the Weathermap network monitoring tool, targeting web servers running both Linux and Windows with the Cacti plugin architecture installed.
The threat actors have been exploiting CVE-2013-2618, a cross-site scripting vulnerability.
The primary target is Linux servers, but Windows servers with the plugin can also be affected. This plugin allows administrators to conveniently monitor their environments, however if compromised it allows the same access for threat actors. A patch has been available for nearly five years, however some systems have not been updated and the attack takes advantage of this patch lag that occurs in some organisations.
On Linux, the malware writes code in /etc/rc.local, meaning that watchd0g.sh is executed each time the system is restarted. It also modifies /etc/crontab, which results in _watchd0g.sh _being run every three minutes. It then modifies and manipulates Linux kernel parameters.
Affected Platforms / Versions
Network Weathermap plugin for Cacti – Version prior to 0.97a
Later versions of the plugin are not vulnerable. Users should update immediately.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.