Cryptojacking Takes a New Turn in CryptoSink Campaign

Researchers from F5 Labs reported on March 14 that they have discovered a new cryptojacking campaign that is abusing unpatched Elasticsearch servers. Unauthorized cryptocurrency mining, commonly referred to as "cryptojacking," is an attack trend that started in 2017 and hit a peak in mid-2018. With a cryptojacking attack, a hacker makes use of a system or server resources to help mine cryptocurrency. F5 Labs is dubbing the cryptojacking campaign it discovered "CryptoSink" as the attackers are identifying systems that have already been compromised by cryptojacking and are "sinkholing" or redirecting the competitive mining effort. When the competitive cryptojacking effort is sinkholed, it is effectively shut down in favor of the new CryptoSink effort. In the CryptoSink campaign, F5 Labs discovered that attackers are making use of a vulnerability in the open-source ElasticSearch application that is widely deployed on Linux servers. The ElasticSearch vulnerability is a 5-year-old issue identified by F5 Labs as CVE-2014-3120, which can enable an attacker to execute arbitrary code.