2,000 Windows servers compromised for crypto-mining purposes

Jul 8, 2021 08:55 GMT  ·  By

Liad Mordekovitz and Ophir Harpaz uncovered a cyberattack that targeted several organizations and compromised their servers to mine cryptocurrency or steal data, says Israel Hayom

Approximately 2,000 companies were attacked and had their servers used as a launching pad for attacks on further organizations. Because the attacks were decentralized, they were harder to trace. The primary targets were largely commercial and institutional servers in the media, tourism, health, and education sectors in India, Vietnam, and the United States.

What is the end goal of these cyberattacks on Windows Servers?

Bad actors took control of servers with the goal of mining cryptocurrency, infecting them with malware or Trojans, and stealing the sensitive information stored on them. What's interesting is that the hackers removed malware left behind by other malicious actors and employed more sophisticated techniques to ensure exclusive access to the machines. Moreover, as a precaution, they were careful to erase their own Trojans and malware after using them.

The servers were compromised by attacking the SMB protocol developed by Microsoft. The intrusions allowed cybercriminals to repeatedly access the networks and subsequently sell the stolen credentials on the dark web. Each compromised Windows server is estimated to be worth approximately $300, so multiplied across 2,000 organizations the haul comes to roughly $600,000, a sizable reward overall.
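The article does not say which SMB weakness was exploited, so a defender's first step is simply to audit the SMB configuration of exposed Windows servers. The following PowerShell script is an added example written for this page; it is not the article's content and not Guardicore's tool. It assumes an elevated PowerShell 5.1 or later session on the server being checked and uses only the built-in SmbShare and NetTCPIP cmdlets; the severity labels and remediation strings are the editor's own choices.

```powershell
# Added example (not from the article or from Guardicore): audit common SMB
# hardening points on a Windows Server and return a list of findings.
# Assumes an elevated PowerShell session on the host being checked.

function Get-SmbHardeningFindings {
    [CmdletBinding()]
    param()

    $findings = @()
    $cfg = Get-SmbServerConfiguration

    # SMBv1 is the legacy dialect; leaving it enabled widens the attack surface.
    if ($cfg.EnableSMB1Protocol) {
        $findings += [pscustomobject]@{
            Check    = 'SMBv1 server protocol enabled'
            Severity = 'High'
            Fix      = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        }
    }

    # Required signing stops on-path tampering and relay of SMB sessions.
    if (-not $cfg.RequireSecuritySignature) {
        $findings += [pscustomobject]@{
            Check    = 'SMB signing not required'
            Severity = 'Medium'
            Fix      = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
        }
    }

    # A listener on TCP/445 is normal for a file server; the finding is a prompt
    # to confirm the port is firewalled from untrusted networks and the internet.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        $addrs = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
        $findings += [pscustomobject]@{
            Check    = "TCP/445 listening on $addrs"
            Severity = 'Info'
            Fix      = 'Restrict inbound 445 to the subnets that actually need it'
        }
    }

    # Non-administrative shares that grant Everyone access are a common way
    # credentials and data leak once an attacker is on the network.
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $share = $_
        $open = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($open) {
            $findings += [pscustomobject]@{
                Check    = "Share '$($share.Name)' grants Everyone: $($open.AccessRight -join ', ')"
                Severity = 'Medium'
                Fix      = "Revoke-SmbShareAccess -Name '$($share.Name)' -AccountName Everyone -Force"
            }
        }
    }

    return $findings
}

# Usage: print the findings as a table; an empty result means no issues found.
Get-SmbHardeningFindings | Format-Table -AutoSize
```

Run it across a fleet with `Invoke-Command -ComputerName` and collect the objects centrally; the `Fix` column is a starting point, not a change to apply blindly, since disabling SMBv1 or requiring signing can break legacy clients that still depend on them.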

Researchers from Guardicore published a tool that lets security leaders determine whether their organization's systems are vulnerable to this kind of attack and what actions they should take to protect them from similar ones.

The Guardicore cybersecurity solution is a software-based system that operates outside of a physical network. The security tool can break the ransomware chain and stop lateral movement on a network, as well as stop the rapid and wide spread of malware after ransomware attacks.