Nagios XI is a popular enterprise server and network monitoring solution. The feature “Configuration Wizard: Windows Management Instrumentation (WMI)” is the component being exploited in Nagios XI.
On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coin miner on victims’ devices.
The XMRig coin miner is an open-source, cross-platform cryptocurrency miner. If the attack is successful, the XMRig coin miner is installed on the compromised device. The vulnerability is mitigated by updating Nagios XI to the latest release.
To determine whether a device is compromised and running the XMRig miner, users can either:
1. Run the command ps -ef | grep -E 'systemd-py-run.sh|systemd-run.py|systemd-udevd-run.sh|systemd-udevd.sh|workrun.sh|systemd-dev' and check the result (the -E flag is required so that | is treated as alternation). If processes of any of the listed scripts are running, the device might be compromised.
2. Check the folders /usr/lib/dev and /tmp/usr/lib for the listed scripts. If they exist, the device might be compromised. If the system is found to be compromised, terminating those processes and deleting the scripts removes the XMRig miner used in this attack.
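The two checks above combined into one POSIX shell script, as an added example that is not part of the advisory or Unit 42's own tooling; the script names and the two directories are those listed above, while the function names and the report format are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: report the process and file indicators
# listed in the advisory. The indicator names and directories come from the
# advisory; function names and output format are this example's assumptions.

# Dropped-script names from the advisory (the duplicated entry removed).
INDICATOR_NAMES='systemd-py-run.sh|systemd-run.py|systemd-udevd-run.sh|systemd-udevd.sh|workrun.sh|systemd-dev'
# Directories the advisory says the scripts are written to.
INDICATOR_DIRS='/usr/lib/dev /tmp/usr/lib'

# Read `ps -ef` style output on stdin and print lines that reference an
# indicator script. Exit 0 if at least one line matched, 1 otherwise.
find_indicator_processes() {
    grep -E "$INDICATOR_NAMES" | grep -v 'grep -E'
}

# Print every indicator file present directly inside directory $1.
# Exit 0 if at least one exists, 1 if none exist or the directory is absent.
find_indicator_files() {
    dir=$1
    found=1
    [ -d "$dir" ] || return 1
    for name in $(printf '%s' "$INDICATOR_NAMES" | tr '|' ' '); do
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            found=0
        fi
    done
    return $found
}

# Run both checks against the live host. Exit 1 if anything was found, so the
# script can be wired into a cron job or a monitoring check.
scan_host() {
    hit=0
    echo "[*] processes matching indicator script names:"
    ps -ef | find_indicator_processes && hit=1
    for d in $INDICATOR_DIRS; do
        echo "[*] indicator files in $d:"
        find_indicator_files "$d" && hit=1
    done
    [ "$hit" -eq 0 ] && echo "[+] no indicators found"
    return $hit
}

# Usage: sh check_xmrig.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```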
The attack attempts to execute a malicious bash script fetched from the malicious server 118[.]107[.]43[.]174. The bash script dropped by the attacker downloads the XMRig miner from the same server that hosts the script and releases a series of scripts to run the XMRig miner in the background. Once the attack succeeds, ..