Researchers from F5 Networks Inc. have found that hackers are targeting a flaw in the popular rTorrent application to install crypto-mining software on computers running Unix-like operating systems. They have so far generated over $3,900.
This campaign exploits a previously undisclosed misconfiguration vulnerability and deploys a Monero (XMR) crypto-miner operation.
The attacks exploit XML-RPC, an rTorrent interface that uses XML and HTTP to access remote computers, and for which rTorrent doesn’t require any authentication. Shell commands can be executed directly on the OS rTorrent runs on.
The hackers identify the computers running RPC-enabled rTorrent apps on the internet and target them to install Monero, the digital coin mining software.
The malware downloaded doesn’t just run mining software but also scans for rival miners and removes them.
The vulnerabilities being exploited are in some respects similar to those reported through the Google Zero project in the BitTorrent client uTorrent. The difference lies in that the rTorrent flaw can be exploited without any user interaction rather than only by sites visited by the user.
The XML-RPC interface isn’t enabled by default and rTorrent recommends not using RPC over TCP sockets.
Below is an email rTorrent developer Jari Sundell wrote regarding the flaw:
Currently, the hackers generate about $43 per day using this exploit and have already generated $3,900 combined.
This campaign exploits a previously undisclosed misconfiguration vulnerability and deploys a Monero (XMR) crypto-miner operation.
The attacks exploit XML-RPC, an rTorrent interface that uses XML and HTTP to access remote computers, and for which rTorrent doesn’t require any authentication. Shell commands can be executed directly on the OS rTorrent runs on.
The hackers identify the computers running RPC-enabled rTorrent apps on the internet and target them to install Monero, the digital coin mining software.
The malware downloaded doesn’t just run mining software but also scans for rival miners and removes them.
The vulnerabilities being exploited are in some respects similar to those reported through the Google Zero project in the BitTorrent client uTorrent. The difference lies in that the rTorrent flaw can be exploited without any user interaction rather than only by sites visited by the user.
The XML-RPC interface isn’t enabled by default and rTorrent recommends not using RPC over TCP sockets.
Below is an email rTorrent developer Jari Sundell wrote regarding the flaw:
There is no patch as the vulnerability is due to a lack of knowledge about what is exposed when enabling RPC functionality, rather than a fixable flaw in the code. It was always assumed, from my perspective, that the user would ensure they properly handled access restriction. No 'default behavior' for rpc is enabled by rtorrent, and using unix sockets for RPC is what I'm recommending. The failure in this case is perhaps that I've created a piece of software that is very flexible, yet not well enough documented that regular users understand all the pitfalls.
Currently, the hackers generate about $43 per day using this exploit and have already generated $3,900 combined.