
Cybercriminals Exploit XWiki and DELMIA Vulnerabilities for Cryptocurrency Mining

1 week ago

Cybercriminals Exploit XWiki Vulnerabilities

A recent investigation has revealed that cybercriminals are exploiting vulnerabilities in XWiki, an online platform used for content management, to run unauthorized programs on other people's computers. The identified flaw resides in XWiki’s template configuration and lets these attackers illegally mine Monero (XMR), a cryptocurrency, on unsuspecting victims’ devices.

How the Malicious Process Works

The malicious process begins with hackers sending a request that installs a small program named x640 on the victim’s computer without the victim’s knowledge. A second request then runs x640, which downloads two additional scripts, x521 and x522. These scripts install and run a Monero miner known as tcrond and disable other mining software that may already be present on the compromised machine. The Monero mined this way is then transferred to c3pool.org.

Additional Vulnerabilities Identified

In addition to the threats targeting XWiki, a report from Hacker News, referencing insights from the Cybersecurity and Infrastructure Security Agency (CISA), highlighted similar vulnerabilities within DELMIA Apriso, which also allowed hackers to execute code remotely.

Recommendations for Victims

For those who suspect they may have become victims of these cryptojacking activities, it is advisable to:

  • Block relevant IP addresses
  • Monitor for connections linked to c3pool.org
  • Search for and eliminate any files associated with the unauthorized miner that may be found on their systems.
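
The last two checks can be scripted. The sketch below is an added example, not code from the investigation or the article: it flags log lines that reference c3pool.org (including subdomains) or a file whose name exactly matches x640, x521, x522 or tcrond. The key=value log format, the `query=` and `exe=` field names, the subdomain and the file paths are assumptions constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

# Indicators named in the article above; nothing else is assumed.
POOL_DOMAIN = "c3pool.org"
MINER_FILENAMES = {"x640", "x521", "x522", "tcrond"}

def is_pool_host(host: str) -> bool:
    """True for c3pool.org and its subdomains, not for look-alike names."""
    host = host.strip().rstrip(".").lower()
    return host == POOL_DOMAIN or host.endswith("." + POOL_DOMAIN)

def is_miner_path(path: str) -> bool:
    """Match the exact basename so the legitimate 'crond' is not flagged."""
    return PurePosixPath(path.strip()).name in MINER_FILENAMES

# Hypothetical field names for a key=value log format.
HOST_RE = re.compile(r"\bquery=(\S+)")
PATH_RE = re.compile(r"\bexe=(\S+)")

def scan(lines):
    """Return (line_number, reason) for every line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m and is_pool_host(m.group(1)):
            hits.append((n, f"pool connection: {m.group(1)}"))
        m = PATH_RE.search(line)
        if m and is_miner_path(m.group(1)):
            hits.append((n, f"miner file: {m.group(1)}"))
    return hits

# Constructed sample log lines; hosts, paths and subdomain are made up.
SAMPLE = [
    "ts=1 type=dns src=10.0.0.5 query=mine.c3pool.org",
    "ts=2 type=dns src=10.0.0.5 query=c3pool.org.example.com",
    "ts=3 type=proc host=wiki01 exe=/usr/sbin/crond",
    "ts=4 type=proc host=wiki01 exe=/tmp/tcrond",
    "ts=5 type=proc host=wiki01 exe=/tmp/x640",
    "ts=6 type=dns src=10.0.0.7 query=notc3pool.org",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE):
        print(f"line {n}: {reason}")
```

Matching the domain by suffix label and the file by exact basename keeps look-alike hostnames and the system's own `crond` out of the results.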