A new Linux cryptojacking trojan has been documented by the Russian antivirus company Doctor Web (Dr.Web), which catalogues it as “Linux.BtcMine.174.” The name is somewhat misleading: “BtcMine” is Dr.Web’s generic family label for cryptocurrency miners, and this sample mines monero (XMR) rather than bitcoin (BTC). Cryptojacking is the covert use of a victim’s computing power to mine cryptocurrency for the attacker.
To gain full control of the host, the malware relies on one of two Linux kernel privilege-escalation vulnerabilities: CVE-2016-5195 (the “Dirty COW” copy-on-write race) or CVE-2013-2094 (the perf_event_open bug). According to the CVE list maintained at cve.mitre.org, CVE-2013-2094 (as the “2013” in the name suggests) affects kernels before 3.8.9, while CVE-2016-5195 affects kernels before 4.8.3. (At the time of writing the current mainline kernel is 4.19.2.) One caveat a practitioner should keep in mind: distribution kernels routinely backport security fixes without changing the upstream version number, so an old-looking version string from “uname -r” does not by itself prove the hole is open; the vendor’s advisory for that kernel package is the authoritative source.
If either exploit succeeds, Linux.BtcMine.174 runs as “root,” which means it has unrestricted access to the entire file system and every process on the machine. On most consumer computing devices this level of access is either gated behind a password (sudo or su on Linux) or sealed off entirely, even from the device’s legal owner, as is the case with both iPhone and Android smartphones.
According to Dr.Web, the malware then downloads several additional utilities that kill competing cryptojacking software and antivirus processes, and it sets itself up so that the XMR mining script keeps running indefinitely.
Update your software
As noted above, the privilege-escalation step of this malware only works against kernels that predate the fixes for CVE-2013-2094 and CVE-2016-5195, so a host running a current, fully patched kernel does not expose either hole (with the backport caveat above: judge by your distribution’s advisory, not by the version number alone). This conclusion is consonant with a story CryptoGlobe reported just days ago, another case of cryptojacking that resulted from leaving unpatched software exposed to known exploits.
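The following POSIX shell script is an added example, not code from the CryptoGlobe article or from Dr.Web’s report. It turns the two fixed-version thresholds cited above (3.8.9 for CVE-2013-2094, 4.8.3 for CVE-2016-5195) into a first-pass triage check for a kernel version string such as the output of “uname -r”. The comparison is numeric rather than lexical (so 4.10 correctly ranks above 4.9), and it deliberately ignores distribution suffixes such as “-131-generic”. Because distributions backport fixes, a “vulnerable” verdict here means “check the vendor advisory”, not a confirmed hole; the function names and sample version strings are this example’s own.

```shell
#!/bin/sh
# Added example: triage a kernel version against the two CVE fix thresholds
# the article cites. Upstream version numbers only; no backport awareness.

# Keep the leading dotted-numeric prefix: "4.15.0-20-generic" -> "4.15.0"
numeric_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# Exit 0 (true) if version $1 is strictly lower than $2, comparing
# major.minor.patch as integers. ".0.0" is appended so every field exists.
version_lt() {
    set -- "$(numeric_version "$1").0.0" "$(numeric_version "$2").0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Print the CVEs (from the article) whose fix predates kernel version $1,
# space-separated, or "none". Thresholds are upstream fixed versions.
cve_exposure() {
    out=""
    if version_lt "$1" 3.8.9; then
        out="CVE-2013-2094"
    fi
    if version_lt "$1" 4.8.3; then
        out="${out:+$out }CVE-2016-5195"
    fi
    printf '%s\n' "${out:-none}"
}

# Stand-alone usage: check the running kernel.
running=$(uname -r)
printf 'kernel %s: version-based exposure = %s\n' "$running" "$(cve_exposure "$running")"
printf 'reminder: distro kernels backport fixes; confirm against the vendor advisory\n'
```

If the script reports a CVE, the next step is to look up the installed kernel package in the distribution’s security tracker rather than to assume the exploit works; if it reports “none”, the privilege-escalation paths described in the article are closed, but that does not mean the host was never compromised, so a full patch cycle and a reboot into the new kernel are still the right response.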
Monero is the cryptocurrency of choice for cryptojacking because its privacy features (ring signatures, stealth addresses and confidential transaction amounts) largely hide the sender, the recipient and the amounts involved, making the proceeds hard to trace, and because its proof-of-work is designed to remain mineable on ordinary CPUs, so hijacked commodity servers are actually worth something to the attacker.
Incidence of cryptojacking is on the wane overall, while data theft and ransomware targeting businesses are on the rise. Cryptojacking skyrocketed in late 2017 and early 2018, presumably driven by the exploding prices of cryptoassets at that time. Even amid today’s collapsing market, however, this case shows the threat is still real.