Hackers Made $63,000 Mining Monero Exploiting Unpatched Windows Servers

As previously covered by Core Media, malicious actors are increasingly using cryptocurrency miners to make money from the computing resources of other people’s machines. This year, over 1.65 million computers were infected with crypto miners, while in 2013 the number of infections was 205,000.

Recently, according to a report published by Slovakian security software firm ESET, hackers were found to have infected hundreds of Windows servers with a cryptocurrency miner and managed to make over $63,000 in Monero over three months.

According to ESET, the infected machines were in Thailand, Germany, Taiwan, and Morocco, among other countries. These were running Windows Server 2003 and, as such, the hackers managed to exploit them using relatively unsophisticated attacks. In fact, the firm’s report points to widely available techniques and simple modifications made to open-source software.

To create a Monero mining botnet, the hackers exploited a vulnerability in Microsoft IIS 6.0, a type of web server software, that was discovered in March. Machines that were left unpatched never closed the loophole and, as such, remain vulnerable. ESET’s researchers wrote:

“This vulnerability is especially susceptible to exploitation since it’s located in a web server service, which in most cases is meant to be visible from the internet and therefore can be easily accessed and exploited by anyone”

Researchers said they first observed the Monero mining botnet on May 26, with several waves of attacks being conducted until September 1. The botnet, according to Quartz, is currently performing very little mining activity, which researchers say is typical behavior before more attacks are launched.

Using people’s CPUs to mine Monero

Earlier this month, Core Media covered the Pirate Bay’s Monero mining experiment, in which the piracy website ran a cryptocurrency miner that used visitors’ computer resources to mine Monero as a way to experiment with alternative revenue sources.

More recently, CBS-owned Showtime websites – Showtime.com and Showtimeanytime.com – were found running similar Monero mining code without telling their users about it. Who put the code on the websites isn’t clear, but someone made money off of it, and the companies involved refused to comment.

Hackers mine Monero because it allows them to get away with it: transactions are completely anonymous, and the cryptocurrency uses a proof-of-work algorithm called CryptoNight, which allows them to make a profit while mining the cryptocurrency using people’s CPUs.