After Oracle WebLogic attacks, Monero mining malware hits Kaseya enterprise users

Just weeks after cybercriminals targeted Oracle WebLogic users to install a cryptocurrency miner on enterprise servers, customers of enterprise software firm Kaseya have been hit by a similar attack. 

Kaseya, a vendor that offers remote server monitoring services to managed service providers and IT departments, has released new patches after discovering some of its partners’ PCs were infected with a variant of the xmrig software for mining the Bitcoin alternative Monero. 

Security firm eSentire reported Monday that its customers were targeted with the Monero miner between 19 and 24 January and said it had “high confidence” the attack used a flaw in Kaseya’s Virtual Systems Administrator (VSA) “to gain unauthorized access to multiple customer assets.”

"eSentire has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers. We assess with high confidence that the threat leveraged Kaseya Ltd’s Virtual Systems Administrator (VSA) agent to gain unauthorized access to multiple customer assets since January 19, 2018," the security firm said.

Security researcher Kevin Beaumont urged any admins using Kaseya VSA to patch and remediate systems immediately.  

The attacks echo one discovered by Morphus Labs chief research officer Renato Marinho earlier this month. He found cybercriminals using a flaw in Oracle’s WebLogic software to install xmrig. 

Oracle released a patch in October, but the exploit targeted systems that hadn’t been updated, allowing the attackers to quickly amass Monero by using the CPUs of compromised systems.

As with the attack on WebLogic systems -- which are often connected to high value Oracle PeopleSoft servers -- the attackers could have stolen information from vulnerable Kaseya users, but instead only installed the Monero mining rig in the hope of raising revenue by using someone else’s hardware. 

According to Kaseya, the attackers have not used the flaw to do anything beyond installing the Monero miner.  

“We have seen no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information. However, we are aware of a small subset of our partners where Monero cryptocurrency mining software was deployed to endpoints. Our initial estimates indicate that less than 0.1% of our customers have been affected by this issue,” Kaseya said in a support note.

Monero is worth substantially less than its better-known cryptocurrency cousin, Bitcoin. However, the mining difficulty of Monero is much lower than that of Bitcoin, which requires specialized hardware known as ASICs to mine. Monero can be mined successfully with standard CPUs and GPUs.

Tags: Oracle, WebLogic, PeopleSoft, Kaseya 7.0, Monero