HolesWarm Botnet in Action

#BotNet #HolesWarm #Linux #Apache #Oracle #Windows #crypto #mining


A new botnet named HolesWarm has been slowly growing in the shadows, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware.

While attacks have primarily been spotted across China, the botnet is expected to expand its reach and target systems across the globe as its infrastructure and attack capabilities grow in the coming months.

Primarily operated from a command and control server located at m[.]windowsupdatesupport[.]org, the botnet has been seen exploiting vulnerabilities in software such as:

  • Docker
  • Jenkins
  • Apache Tomcat
  • Apache Struts (multiple bugs)
  • Apache Shiro
  • Apache Hadoop Yarn
  • Oracle WebLogic (CVE-2020-14882)
  • Spring Boot
  • Zhiyuan OA (multiple bugs)
  • Panwei OA
  • Yonyou GRP-U8

While the entry vector may vary per victim, once the malware gets a foothold on an infected system, HolesWarm dumps local passwords, spreads across the local network, and then deploys an XMRig-based cryptocurrency mining tool.
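The command and control domain named above is the one indicator on this page a defender can act on directly. The following is an added example, not code from the original post or from any of the cited vendors: it refangs the defanged indicator, then scans DNS resolver log lines for lookups of that registered domain or any host beneath it. The log format (dnsmasq-style `query[TYPE] name from client`), the sample lines and the client addresses are constructed for the example; matching is done on the registered domain from the post, so it catches any C2 hostname under it without depending on which specific subdomain the operators use.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator from the post, kept defanged so it is never accidentally resolved.
C2_INDICATOR_DEFANGED = "windowsupdatesupport[.]org"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(query: str, indicator: str) -> bool:
    """True if query equals the indicator or is one of its subdomains.

    The match is anchored on a label boundary, so 'notwindowsupdatesupport.org'
    and 'windowsupdatesupport.org.example.net' do not produce false positives.
    """
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


# Constructed sample resolver log (dnsmasq-style); hosts and clients are made up.
SAMPLE_DNS_LOG = """\
Aug 20 10:01:02 gw dnsmasq[812]: query[A] m.windowsupdatesupport.org from 10.0.3.17
Aug 20 10:01:05 gw dnsmasq[812]: query[A] update.microsoft.com from 10.0.3.17
Aug 20 10:02:11 gw dnsmasq[812]: query[AAAA] notwindowsupdatesupport.org from 10.0.3.9
Aug 20 10:03:40 gw dnsmasq[812]: query[A] WindowsUpdateSupport.ORG. from 10.0.3.22
Aug 20 10:04:01 gw dnsmasq[812]: query[A] windowsupdatesupport.org.example.net from 10.0.3.9
"""

LINE_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str  # internal host that asked for the name
    name: str    # normalised queried name
    qtype: str   # record type requested


def find_c2_lookups(log_text: str, indicators: list[str]) -> list[Hit]:
    """Return every DNS query in log_text that resolves a known C2 domain or a host under it."""
    targets = [refang(i) for i in indicators]
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m["name"]
        if any(domain_matches(name, t) for t in targets):
            hits.append(Hit(m["client"], name.rstrip(".").lower(), m["qtype"]))
    return hits


if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG, [C2_INDICATOR_DEFANGED]):
        print(f"possible HolesWarm C2 lookup: {hit.client} -> {hit.name} ({hit.qtype})")
```

Run against the constructed log, this flags the two internal clients that resolved the C2 domain (one via a subdomain, one via the bare domain with mixed case and a trailing dot) and ignores the look-alike names. The same `domain_matches` rule can be reused against proxy or Zeek `dns.log` output once the line parser is swapped for that format.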

Other botnet operators…
