New HolesWarm Botnet Exploiting 20 Known Vulnerabilities To Attack Windows & Linux Servers

The cybersecurity researchers at Tencent Cloud Firewall have recently detected a new highly volatile botnet which is dubbed as HolesWarm. 

They reported that this new botnet exploiting more than 20 known vulnerabilities to hack Windows and Linux servers so that the operator of this botnet can install malware into those hacked servers for cryptocurrency mining.

Due to its high volatility, the security analysts at Tencent Cloud Firewall have attributed this “HolesWarm” botnet as the “King of Vulnerability Exploitation.”

That’s why to stay safe and stop getting a victim of this HolesWarm botnet the researchers at Tencent have strongly recommended both government and private organizations take all the necessary security measures immediately to mitigate all the known vulnerabilities.

While apart from the crypto mining feature, this highly volatile botnet also gives access to sensitive information like server credentials and even the admin rights as well to its operators.

HolesWarm exploits Known security flaws

According to the report, a command and control server that is located at m[.]windowsupdatesupport[.]org has been primarily operating this HolesWarm botnet.

And here, the experts have identified and tracked that this botnet has been exploiting all the known security flaws in the following software:-

  • Docker
  • Jenkins
  • Apache Tomcat
  • Apache Struts (multiple bugs)
  • Apache Shiro
  • Apache Hadoop Yarn
  • Oracle WebLogic (CVE-2020-14882)
  • Spring Boot
  • Zhiyuan OA (multiple bugs)
  • Panwei OA
  • Yonyou GRP-U8

Not only that even they have also asserted that all these attacks were mainly tracked throughout China, and it clearly indicates that very soon the threat actors will begin their cyberattacks around the world to hack into the affected systems.

Moreover, the attackers are frequently renewing their attack methods, since the researchers were identified that the module configuration data has changed rapidly.

For this type of advancements and modifications, since June HolesWarm has been able to crack into more than 1,000 cloud hosts.

HolesWarm resets local passwords, spreads to the local network, and then settles the XMRig crypto miner, once into the infected system the malware gets attached. But, here the attack vectors may differ a lot since it actually depends on the victim.

In a long line of crypto-mining botnets that are becoming the headlines nowadays, the HolesWarm botnet is just the latest one. 

Here, the operators of this latest botnet are targeting the servers that are running out-of-date software, since they were the latest malware coders, and that’s why they are taking easy advantage of this.

In general, the operators of other botnets try to hide their presence on the infected systems, but, in this case, the HolesWarm operators don’t seem to resort to such methods.

What they do here is usually it overloads the server processors, simply to show its presence in the infected systems to get detected.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.