
Nagios XI Security Vulnerabilities Exploited to Run Cryptomining Malware


11 security vulnerabilities have been discovered in Nagios in the past 5 months, with an average CVE base score of 7.8, and threat actors have exploited the network monitoring software to run crypto-mining malware. While Nagios had 22 vulnerabilities in 2020, the average CVE base score has increased by 1.04 in 2021.

Threat actors have been actively targeting the Nagios XI application to exploit CVE-2021-25296, a remote command injection vulnerability affecting Nagios XI version 5.7.5. The end goal is a cryptojacking attack that deploys the XMRig coin miner on victims’ machines. Note that the attack is still ongoing in the wild.


Demystifying Nagios security vulnerability

Nagios XI is widely used software that provides comprehensive IT infrastructure monitoring of all mission-critical components, including servers, networks, operating systems, applications, network protocols, services, and system metrics. The vulnerability lies in the “Configuration Wizard: Windows Management Instrumentation (WMI)” feature of Nagios XI.

The XMRig miner is an open-source cross-platform cryptocurrency miner. Upon successfully exploiting the Nagios XI vulnerability, an XMRig coin miner will be deployed on the compromised devices.

Upgrading Nagios XI to the latest available version will mitigate this vulnerability. Users who cannot move to the latest version can instead update the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php to mitigate the command injection vulnerability.


How to find out whether you are compromised?

To find out if a device is compromised and running XMRig cryptocurrency miner, users can try either of the following:

  • Execute the command ps -ef | grep 'systemd-py-run.sh\|systemd-run.py\|systemd-udevd-run.sh\|systemd-udevd.sh\|workrun.sh\|systemd-dev' and analyze the output. If processes belonging to any of the mentioned scripts are running, the device may be compromised.
  • Check the folders /usr/lib/dev and /tmp/usr/lib to see whether any of the mentioned scripts exist. If they do, the device might be compromised.
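The two checks above can be combined into one read-only triage script. The following is an added example, not code from the original post or from Nagios: it takes the script names and directories from the post, matches on the exact basename so the legitimate systemd-udevd daemon is not flagged by a loose substring grep, and uses a constructed ps -ef excerpt (SAMPLE_PS) to show the matcher working offline. The function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: read-only triage for the script
# names and directories the post lists as indicators of the XMRig deployment.
# Names and paths are taken from the post; SAMPLE_PS is a constructed excerpt.

SUSPECT_SCRIPTS='systemd-py-run.sh systemd-run.py systemd-udevd-run.sh systemd-udevd.sh workrun.sh systemd-dev'
SUSPECT_DIRS='/usr/lib/dev /tmp/usr/lib'

# Constructed sample ps -ef output: two lines mimic the dropped scripts, the
# others are benign. The real /lib/systemd/systemd-udevd daemon is included
# deliberately, because a substring match on "systemd-udevd" would flag it.
SAMPLE_PS='UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 10:00 ?        00:00:01 /sbin/init
root         412       1  0 10:00 ?        00:00:00 /lib/systemd/systemd-udevd
nagios      2310       1  0 10:05 ?        00:00:00 /bin/bash /tmp/usr/lib/systemd-udevd.sh
nagios      2314    2310  0 10:05 ?        00:00:00 python /usr/lib/dev/systemd-run.py'

# Read ps -ef output on stdin and print each line whose command (field 8 onward
# in ps -ef layout) names one of the suspect scripts, matching the basename
# exactly rather than as a substring.
match_suspicious_procs() {
    awk -v names="$SUSPECT_SCRIPTS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            for (i = 8; i <= NF; i++) {
                f = $i
                sub(/.*\//, "", f)          # strip any directory prefix
                if (f in want) { print; next }
            }
        }'
}

# Print the full path of every suspect script present in the given directories
# (default: the two directories named in the post). Nothing is modified.
list_suspect_files() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="$SUSPECT_DIRS"
    for d in $dirs; do
        [ -d "$d" ] || continue
        for s in $SUSPECT_SCRIPTS; do
            [ -e "$d/$s" ] && printf '%s\n' "$d/$s"
        done
    done
    return 0
}

# Scan the live host when the script is executed directly.
if command -v ps >/dev/null 2>&1; then
    echo "== suspicious processes =="
    ps -ef | match_suspicious_procs
    echo "== suspect files in $SUSPECT_DIRS =="
    list_suspect_files
fi
```

Any line printed under either heading warrants the clean-up described below plus a look at the Nagios XI version and web server logs, since the same host may be re-infected by a refreshed run.sh.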

If the device is compromised, delete the scripts and kill the running processes to remove the deployed attack vector.


Overview of the Nagios attack

As the first step of the attack, threat actors attempt to execute a malicious shell script fetched from the server 118[.]107[.]43[.]174, which is under the attacker’s control. Next, the dropped bash script downloads the XMRig miner from the same server that hosted the script. It then drops a series of scripts that ultimately run the XMRig cryptocurrency miner as a background process. Finally, if the attack succeeds and the miner is deployed, the victim’s machine is used for cryptojacking.

CVE-2021-25296: OS command injection

A remote command injection vulnerability in Nagios XI allows attackers to append arbitrary commands to the original command, so that the injected commands execute along with it. For example, when the original command is ping $target_ip and the variable $target_ip is controlled by users, threat actors can set $target_ip to 127[.]0[.]0[.]1; sleep 5, which results in the following command being executed on the server side: ping 127[.]0[.]0[.]1; sleep 5.

As a result, the sleep command is executed along with the ping command. Because user input in the “Configuration Wizard: Windows WMI” component is not properly sanitized, Nagios XI version 5.7.5 is vulnerable to CVE-2021-25296, a command injection vulnerability. Any authenticated user can append their own commands to the configuration data, and when the actual command is processed on the backend server, the attack payload is executed.

Nagios XI provides an interface for users to set up devices, servers, applications and services. After selecting a wizard, users can set up the target for monitoring with a defined configuration. The vulnerability lies in the Windows WMI configuration wizard, which accepts a few user inputs to configure WMI monitoring.
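The fix for this class of bug is to stop treating the monitoring target as free text. The following is an added example, not Nagios XI code and not from the original post: it shows an allowlist check of the kind the vulnerable wizard lacked, applied to the page's own 127.0.0.1; sleep 5 payload. The target is accepted only if it looks like an IPv4 address or a DNS-style hostname, so ';', '|', quotes, whitespace and a leading hyphen are rejected before any command is built; the validated value is then passed to ping as a single quoted argument rather than interpolated into a shell string. Function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of Nagios XI or the original post: allowlist validation
# for a user-supplied monitoring target, the control that closes the injection
# described above. Function names are hypothetical.

# Return 0 if $1 is a dotted-quad IPv4 address or a DNS-style hostname, 1 otherwise.
validate_monitor_target() {
    target="$1"
    [ -n "$target" ] || return 1
    [ "${#target}" -le 253 ] || return 1          # RFC 1035 hostname length limit
    # Allowlist: letters, digits, dots and hyphens, starting with a letter or digit.
    # This rejects ';', '|', '&', '$', '`', quotes and whitespace outright, and a
    # leading '-' so the value cannot be parsed as a ping option either.
    printf '%s' "$target" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# Probe a target only after validation. The value is passed as one quoted argument,
# so even if validation were loosened later, the shell would not re-parse it.
monitor_target() {
    if ! validate_monitor_target "$1"; then
        echo "rejected target: $1" >&2
        return 1
    fi
    ping -c 1 "$1"
}

# Demonstration against benign inputs and the page's example payload.
for candidate in '127.0.0.1' 'host.example.com' '127.0.0.1; sleep 5'; do
    if validate_monitor_target "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

In the PHP wizard the same idea applies with a regular-expression allowlist before the value reaches the command string, combined with escapeshellarg() on the value that is actually emitted; an allowlist is preferable to blocklisting individual metacharacters, because the set of characters a shell treats specially is larger than most blocklists anticipate.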


Code analysis for Nagios vulnerability

Once the host is compromised, the threat actor downloads and executes a malicious bash script called run.sh, which does the following:

  1. Checks for current user privileges and creates a workspace folder.
  2. Downloads the archive file xmrig.tar.gz from the server 118[.]107[.]43[.]174 and extracts it to the workspace folder.
  3. Updates the config.json file of XMRig.
  4. Creates Bash and Python scripts to ensure that the XMRig miner process always runs in the background.

run.sh does not fill in a valid wallet address, which in turn will cause a bookkeeping failure. However, the attacker can update config.json on the malicious Command & Control server at any time to supply a valid address and put the compromised miners to work. The script also re-downloads the latest run.sh from the attacker’s server on every run, so the attacker can update it to execute any other scripts or commands.

Conclusion

The attack, which is ongoing in the wild and targets Nagios XI 5.7.5, exploits CVE-2021-25296 to drop a cryptocurrency miner and threatens systems running out-of-date Nagios XI deployments.

Devices compromised with cryptojacking malware will experience performance degradation. Moreover, the attacker may change the script on the C2 server; the new script will be downloaded automatically to the victims’ machines and, once executed, can lead to further security concerns.

Indicators of Compromise

URL

  • http://118.107.43.174/upload/files/xmrig.tar.gz
  • http://118.107.43.174/upload/files/xmrig
  • http://118.107.43.174/upload/files/run.sh
  • http://118.107.43.174/upload/files/config.json

IPv4

  • 118.107.43.174

SHA-1

  • 89c618b8231ff82c680367238d520995bb5e49bb
  • f69151c0327317bbb0ad084a9fab24b29bcb5658
  • 1b18a16b8e2950332b8f47f4af6de254fa2313aa

SHA-256

  • c711bb6cf918b1f140f4162daab37844656eba2e16c25c429606e4c69c990f99
  • 54b45e93cee8f08a97b86afa78a78bc070b6167dcc6cdc735bd167af076cb5b3
  • 4079b3b34caa86dce0edc923a3292f5814dd555f28e8e6ec4c879a2c50a80787
  • 2c923d8b553bde8ce3167fe83f35a40a712e2bed2b76ebaf5e3e63642d551389

MD5

  • db16ac0127852a9495ed88220d3bf530
  • 672700cc3665ce9cc0cd42d9aa61e6dd
  • 61def7b3b98458a40fffa42a19ddf258

CVE-2021-25296 References

  • https://unit42.paloaltonetworks.com/nagios-xi-vulnerability-cryptomining/
  • https://nvd.nist.gov/vuln/detail/CVE-2021-25296
  • https://portswigger.net/daily-swig/vulnerability-in-nagios-xi-exploited-by-cryptojacking-crooks-to-hijack-systems
  • https://otx.alienvault.com/pulse/6087286dff40660f7ee69ebc
Author
Monty Shyama
A Security Analyst at SISA.