A botnet known as WatchDog has been operating for two years with the goal of crypto-mining in private servers all around the world.
With the rising prices of different cryptocurrencies that are being easily traded right now, crypto-mining has become a very attractive illegal activity for cybercriminals. This discovery, made by Unit 42, reinforces the fact that crypto-mining has brought a new era for cybercrime, where parasitic agents are successfully using victims’ hardware to mine cryptocurrency to obtain great profit.
And while we all knew about this threat, it was difficult to imagine that such an operation was being conducted successfully at this scale.
What We Know
Unit 42 is the threat intelligent division of Palo Alto Networks, which is a cybersecurity corporation that offers high-end security solutions to large industries. This division recently discovered and reported the ongoing operation being conducted by the WatchDog botnet.
This malware, written in Go language, has been targeting Windows and Linux servers all around the world, exploiting vulnerabilities created by outdated enterprise applications. Some of the exploited software is Drupal, Redis, SQL Server, ThinkPHP, among others.
Exact details are still unknown to researchers at Unit 42 but it’s believed that around 500 and 1,000 systems were infected by WatchDog and used by malware operators to illegally mine cryptocurrency. The profits made by the criminals are currently estimated at $32,000, based on the 209 Monero coins initially identified as the product of their activity.
Nevertheless, Unit 42 stated that the impact, reach, and profits may all be exponentially greater.
A Lesser Threat
Before, we have seen other crypto-mining botnets operating in very destructive ways, which is not exactly the case with WatchDog. While this botnet successfully infected a large mass of Windows and Linux servers and profits from it, the damage seems to stop there.
However, other botnets such as TeamTNT and Rocke have shown how dangerous they may be. These botnets have the capabilities to steal AWS and Docker credentials from the victims’ servers, something that WatchDog is not doing… yet.
And because WatchDog botnet runs on the victim’s server with full admin privileges, it would be very simple for operators to update WatchDog to have this kind of capability. In fact, experts at Unit 42 recommend being prepared for this scenario, being common sense for threat agents to make the most of every situation.
What Can We Do?
When it comes to this type of threat and many others, businesses have plenty to do.
The first thing is to keep enterprise applications up to date. As we saw before, WatchDog exploits this type of app and successfully uses it as a point of entry. Knowing this, updating applications on Windows and Linux servers is a top priority for every single business.
Then, we would recommend implementing a robust cybersecurity solution such as Julie Security. Threat detection is key to counter potential attacks, even when we are taking the right steps in terms of cyber-hygiene and good practices.