Nagios XI is a popular enterprise server and network monitoring solution. Its “Configuration Wizard: Windows Management Instrumentation (WMI)” feature contains a command injection flaw that is being actively exploited.
On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI to exploit CVE-2021-25296, a remote command injection vulnerability affecting Nagios XI version 5.7.5, in order to carry out a cryptojacking attack and deploy the XMRig coin miner on victims’ devices.
XMRig is an open-source, cross-platform cryptocurrency miner. If the attack succeeds, XMRig is installed on the compromised device. The vulnerability is fixed by updating Nagios XI to the latest release; there is no workaround short of patching.
To determine whether a device has been compromised and is running the XMRig miner, users can do either of the following:
1. Run ps -ef | grep -E 'systemd-py-run.sh|systemd-run.py|systemd-udevd-run.sh|systemd-udevd.sh|workrun.sh|systemd-dev' and inspect the result (the -E flag is required: without it, grep treats | as a literal character and the alternation never matches). If any of these scripts are running, the device is probably compromised.
2. Check the directories /usr/lib/dev and /tmp/usr/lib for the scripts named above. If they exist, the device is probably compromised. If a system is found to be infected, killing the running processes and deleting the scripts removes the XMRig instance used in this attack; also confirm that no cron job or service was added to restart them, and patch Nagios XI, otherwise the host can simply be exploited again.
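The two checks above, combined into one small POSIX sh script. This is an added example and not code from Unit 42 or the original article: the script names and the two directories are the indicators listed above; the function names, the optional root-prefix argument to scan_files (so the check can be run against a mounted disk image or, in a test, a scratch directory) and the NAGIOS_IOC_LIB variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Unit 42 report or the article): checker for the
# XMRig dropper indicators named in the text. Function names, the root prefix
# argument and NAGIOS_IOC_LIB are this example's own assumptions.

# Script names the dropper is reported to run (from the article).
IOC_NAMES='systemd-py-run.sh
systemd-run.py
systemd-udevd-run.sh
systemd-udevd.sh
workrun.sh
systemd-dev'

# Directories the article says the scripts are written to.
IOC_DIRS='/usr/lib/dev /tmp/usr/lib'

# Build an ERE alternation from IOC_NAMES with the dots escaped, so that
# "systemd-run.py" does not also match e.g. "systemd-runXpy".
ioc_pattern() {
    pat=''
    for name in $IOC_NAMES; do
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')
        pat="${pat}${pat:+|}${esc}"
    done
    printf '%s' "$pat"
}

# Read a `ps -ef` listing on stdin and print the lines naming an indicator.
# The second grep drops the checker's own grep process when run live.
# Exit status 0 when at least one line matched, 1 otherwise.
scan_processes() {
    grep -E "$(ioc_pattern)" | grep -v 'grep'
}

# Look for the indicator files under each IOC directory. The optional first
# argument is a root prefix (a mounted image, or a scratch dir for testing).
# Prints each path found; exit status 0 if anything was found, 1 otherwise.
scan_files() {
    root="${1:-}"
    hits=0
    for dir in $IOC_DIRS; do
        for name in $IOC_NAMES; do
            if [ -e "$root$dir/$name" ]; then
                printf '%s\n' "$root$dir/$name"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Live check of the current host. Set NAGIOS_IOC_LIB=1 before sourcing this
# file to load only the functions.
if [ -z "${NAGIOS_IOC_LIB:-}" ]; then
    status=clean
    echo '== matching processes =='
    ps -ef 2>/dev/null | scan_processes && status=suspect
    echo '== indicator files =='
    scan_files && status=suspect
    echo "verdict: $status"
fi
```

A "suspect" verdict is a prompt for manual review rather than proof: a name like systemd-dev is generic enough that an unrelated process could match, so read the full command line and the file contents before acting. Run the live check as root so that ps -ef shows every user's processes.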
The attack attempts to execute a malicious bash script fetched from the attacker’s server at 118[.]107[.]43[.]174. That script downloads the XMRig miner from the same server and writes a series of helper scripts that run the miner in the background. Once the attack succeeds, the device is used for cryptojacking.
In short, the attack targets Nagios XI 5.7.5, exploits CVE-2021-25296 and drops a cryptocurrency miner, putting any system running an out-of-date Nagios XI installation at risk.
Devices infected with cryptojacking malware suffer performance degradation. Worse, because the dropped scripts fetch their payload from the attacker’s server, the attacker can change the hosted script at any time and have the new version automatically downloaded and executed on already-compromised hosts, opening the door to further attacks.
Palo Alto Networks Next-Generation Firewall customers are protected from this vulnerability by the following security subscriptions:
1. Threat Prevention blocks exploitation attempts with signature 90873 when Best Practices are applied.
2. WildFire detects the dropped malware with static signatures.
3. URL Filtering blocks the malicious domains.