WatchDog botnet targets Windows and Linux servers in cryptomining campaign

PaloAlto Network warns of the WatchDog botnet that uses exploits to take over Windows and Linux servers and mine cryptocurrency.

Security researchers at Palo Alto Networks uncovered a cryptojacking botnet, tracked as WatchDog, that is targeting Windows and Linux systems.

WatchDog is one of the largest and longest-lasting Monero cryptojacking operations uncovered by security experts, its name comes from the name of a Linux daemon called watchdogd. The WatchDog botnet has been active at least since Jan. 27, 2019 and already mined at least 209 Monero (XMR), valued to be around $32,056 USD.

Palo Alto experts determined that at least 476 systems were compromised by the botnet, mainly Windows and NIX cloud instances, which were involved in mining operations.

The botnet is written in the Go programming language, it is the work of skilled coders.

The bot targets outdated enterprise apps using 33 different exploits to exploit 32 vulnerabilities. Below the list of exploits used by the bot:

CCTV exploit
- It is currently unknown if the target is a CCTV appliance or if there is another moniker “cctv” could stand for.
Drupal
- Versions 7 and 8.
Elasticsearch
- CVE-2015-1427 (Elasticsearch sandbox evasion – version before 1.3.8 and 1.4.x before 1.4.3)
- CVE-2014-3120 (Elasticsearch before 1.2)
Apache Hadoop
PowerShell
- Encoded command-line operations.
Redis
Spring Data Commons
- CVE-2018-1273, versions prior to 1.13-1.13.10, 2.0-2.0.5
SQL Server
ThinkPHP
- Versions 5.x, 5.10, 5.0.23
Oracle WebLogic Server
- CVE-2017-10271 – versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0)

The analysis of the config.json files allowed the experts to identify three XMR wallet addresses:

43zqYTWj1JG1H1idZFQWwJZLTos3hbJ5iR3tJpEtwEi43UBbzPeaQxCRysdjYTtdc8aHao7csiWa5BTP9PfNYzyfSbbrwoR
82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4
87q6aU1M9xmQ5p3wh8Jzst5mcFfDzKEuuDjV6u7Q7UDnAXJR7FLeQH2UYFzhQatde2WHuZ9LbxRsf3PGA8gpnGXL3G7iWMv

The above XMR wallets addresses are used with at least three public mining pools and one private mining pool to process mining operations.

Maltego chart of the WatchDog miner operation (Palo Alto Networks)

“It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations. While there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform IAM credentials, access ID, or keys), there could be potential for further cloud account compromise. It is highly likely these actors could find IAM-related information on the cloud systems they have already compromised, due to the root and administrative access acquired during the implantation of their cryptojacking software.” concludes Palo Alto.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.