GhostMiner Cryptocurrency Miner

A new crypto-currency miner named GhostMiner has been observed exploiting a vulnerability in Oracle’s Weblogic Server. GhostMiner uses fileless execution to remain undetected by antivirus software.

Threat ID:: CC-2191
Category:
Threat Severity:: Low
Threat Vector:
Published:: 28 March 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A new crypto-currency miner named GhostMiner has been observed exploiting a vulnerability in Oracle’s Weblogic Server. GhostMiner uses fileless execution to remain undetected by antivirus software.

Threat details

GhostMiner uses the known vulnerability CVE-2017-10271. This is a component of the Oracle WebLogic Server which allows an unauthenticated threat actor to compromise and take over the server. GhostMiner uses this vulnerability to establish itself on the targeted server and will begin its fileless operations to download a coin mining module.

Remediation steps

Type	Step
	User and administrators are encouraged to review Oracle’s Critical Patch Updates, Security Alerts and Bulletins webpage and apply the necessary updates at the earliest opportunity.

CVE Vulnerabilities

Status

CVE-2017-10271

Last edited: 17 February 2020 12:43 pm