Cryptominer malware and Tomcat

4 messages

Cryptominer malware and Tomcat

Pete Helgren
I have a situation where I have had "Kinsing" crypto-mining software get
installed twice on a VM that runs Liferay and Tomcat.  Based on what I
have read about this crypto-miner, it seems to target Linux VMs running
Docker images and/or an open Redis port.  I have none of that on this VM.

The VM is running CentOS 8.  The Tomcat version I am running is 8.0.32,
with openjdk version "1.8.0_252" (OpenJDK Runtime Environment build
1.8.0_252-b09, OpenJDK 64-Bit Server VM build 25.252-b09, mixed mode).
It is hosting Liferay 7.0.4 GA5.

The VM running Tomcat/Liferay is served through a reverse proxy listening
on port 443 that passes traffic back to the Tomcat instance listening on
7080.  The VM has ONLY ports 7080, 7009, and 7005 open (firewalld).  I am
trying to sort out how the crypto miner has installed itself.
Originally, I had a CentOS 7 VM, but after the first episode I started
from scratch, locked down the VM and re-installed the Liferay bundle
with Tomcat 8.0.32.  After about 2 weeks, the miner was back.  I can't
figure out how it is installing itself.  I read through the CVEs on
this version of Tomcat and nothing jumped out at me.  We don't use JMX
or AJP.  It's just Tomcat with Liferay.

I am starting here since it's only the TC port that is open and yes,
it's possible that Liferay may have a vulnerability.  I just need ideas
on where to start looking.  I am going to try to jump to the latest
Liferay/Tomcat bundle but it isn't an easy upgrade and may take a bit....

--
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek  IBM_i_Geek


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Cryptominer malware and Tomcat

Pete Helgren
I am going to guess that it is one of these two known vulnerabilities:

CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981)
The JSONDeserializer of Flexjson allows the instantiation of arbitrary
classes and the invocation of arbitrary setter methods.

CST-7205: Unauthenticated Remote code execution via JSONWS
(LPS-97029/CVE-2020-7961)
The JSONWebServiceActionParametersMap of Liferay Portal allows the
instantiation of arbitrary classes and invocation of arbitrary setter
methods.

Found the signature in the logs and it's pretty clear that that is what
we are up against.  However, if something else comes to mind, feel free
to post back.  I did come across a couple of other posts where the OP
said there was nothing but Tomcat and they also ended up with the miner.

I have some updating to do....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek  IBM_i_Geek

On 6/17/2020 2:21 PM, Pete Helgren wrote:

> I have a situation where I have had "Kinsing" crypto-mining software
> get installed twice on a VM that runs Liferay and Tomcat.  Based on
> what I have read about this cryto-miner, it seems to target Linux VM's
> running Docker images and/or an open redis port.  I have none of that
> on this VM.
>
> The VM is running CentOS 8.   The tomcat version I am running is
> 8.0.32, java openjdk version "1.8.0_252" OpenJDK Runtime Environment
> (build 1.8.0_252-b09) OpenJDK 64-Bit Server VM (build 25.252-b09,
> mixed mode).  It is hosting  Liferay 7.0.4 GA5.
>
> The VM running Tomcat/Liferay is served through reverse proxy
> listening on port 443 and passes traffic back to the Tomcat instance
> listening on 7080.  The VM has ONLY ports 7080, 7009, and 7005 open
> (firewalld)  I am trying to sort out how the crypto miner has
> installed itself.  Originally, I had a CentOS 7 VM but after the
> first episode, I started from scratch, locked down the VM and
> re-installed the Liferay bundle with Tomcat 8.0.32.  After about 2
> weeks, the miner was back.  I can't figure out how it is installing
> itself.  I read through the CVE's on this version of Tomcat and
> nothing jumped out at me.  We don't use JMX or AJP. It's just Tomcat
> with Liferay.
>
> I am starting here since it's only the TC port that is open and yes,
> it's possible that Liferay may have a vulnerability.  I just need
> ideas on where to start looking.  I am going to try to jump to the
> latest Liferay/Tomcat bundle but it isn't an easy upgrade and may take
> a bit....
>

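Both advisories Pete lists come down to the same lever: Liferay's JSON web service layer lets a request name the class to instantiate for a parameter (a parameter whose name is prefixed with `+`), and CVE-2020-7961 is that behaviour reachable without authentication. As an added example, not code from this thread, from Liferay or from Tomcat, here is a Python scan over a constructed Tomcat access-log excerpt (AccessLogValve "common" pattern) that flags `/api/jsonws/` requests carrying a typed parameter, a class prefix that public write-ups of CVE-2020-7961 associate with the exploit traffic, or a POST whose body Tomcat would not have logged at all. The sample log lines, the service path, the client addresses and the class prefixes are assumptions modelled on public descriptions; they are not the signature Pete found.

```python
"""Scan a Tomcat access log (AccessLogValve "common" pattern) for JSONWS
requests shaped like CVE-2020-7961 abuse. Added example; sample log is constructed."""
import re
from urllib.parse import urlsplit, unquote

# AccessLogValve pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)

JSONWS_PREFIX = "/api/jsonws/"

# Assumption: class prefixes reported in public write-ups of CVE-2020-7961
# exploit traffic. The typed-parameter check below does not depend on them.
SUSPECT_CLASSES = ("com.mchange.v2.c3p0.", "org.apache.commons.collections")

# Constructed sample, modelled on public descriptions; not from the thread.
SAMPLE_LOG = """\
198.51.100.23 - - [16/Jun/2020:03:12:44 +0000] "GET /web/guest/home HTTP/1.1" 200 18221
198.51.100.23 - - [16/Jun/2020:03:12:51 +0000] "POST /api/jsonws/expandocolumn/update-column?%2BdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource HTTP/1.1" 200 57
198.51.100.23 - - [16/Jun/2020:03:12:52 +0000] "GET /api/jsonws/invoke HTTP/1.1" 403 -
10.0.0.5 - - [16/Jun/2020:03:13:00 +0000] "GET /o/theme/images/logo.png HTTP/1.1" 200 4412
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def jsonws_reasons(rec):
    """Reasons a parsed request looks like JSONWS abuse (empty list if none)."""
    parts = urlsplit(rec["target"])
    if not parts.path.startswith(JSONWS_PREFIX):
        return []
    reasons = []
    # unquote (not unquote_plus) so %2B becomes '+' and a literal '+' survives
    query = unquote(parts.query)
    for kv in query.split("&"):
        name = kv.split("=", 1)[0]
        if name.startswith("+"):
            reasons.append(f"typed parameter {name!r} sent to {parts.path}")
    decoded = unquote(rec["target"])
    for cls in SUSPECT_CLASSES:
        if cls in decoded:
            reasons.append(f"gadget class prefix {cls!r} in request line")
    if rec["method"] == "POST":
        # AccessLogValve records the request line only; a payload carried in
        # the POST body is invisible here, so every POST to JSONWS deserves a
        # look in the reverse proxy's logs as well.
        reasons.append(f"POST to {parts.path} (body not in Tomcat access log)")
    return reasons


def scan(log_text):
    """Return (host, method, status, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = jsonws_reasons(rec)
        if reasons:
            hits.append((rec["host"], rec["method"], rec["status"], reasons))
    return hits


if __name__ == "__main__":
    for host, method, status, reasons in scan(SAMPLE_LOG):
        print(f"{host} {method} {status}")
        for r in reasons:
            print("   ", r)
```

On the sample the scan reports the single POST to `/api/jsonws/expandocolumn/update-column` with three reasons and ignores the 403 on `/api/jsonws/invoke`. A 200 on such a request is the part to act on: it means the service answered, and the host should be treated as compromised rather than merely probed, which matches what Pete saw twice on a rebuilt VM.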


Re: Cryptominer malware and Tomcat

Olaf Kock
Hi Pete,

On 17.06.20 23:44, Pete Helgren wrote:

> I am going to guess that it is one of these two known vulnerabilities:
>
> CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981)
> The JSONDeserializer of Flexjson allows the instantiation of arbitrary
> classes and the invocation of arbitrary setter methods.
>
> CST-7205: Unauthenticated Remote code execution via JSONWS
> (LPS-97029/CVE-2020-7961)
> The JSONWebServiceActionParametersMap of Liferay Portal allows the
> instantiation of arbitrary classes and invocation of arbitrary setter
> methods.
>
> Found the signature in the logs and it's pretty clear that that is
> what we are up against.  However, if something else comes to mind,
> feel free to post back.  I  did come across a couple of other posts
> where the OP said there was nothing but Tomcat and they also ended up
> with the miner.
>
> I have some updating to do....
>
Correct analysis.

What you need is this update
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1

And while you're at it: There has been another patch published this
month
https://liferay.dev/blogs/-/blogs/june-2020-security-patches-for-liferay-portal-7-1-and-7-2

Best,

Olaf




Re: Cryptominer malware and Tomcat

Christopher Schultz-2

Pete,

On 6/17/20 17:44, Pete Helgren wrote:

> I am going to guess that it is one of these two known
> vulnerabilities:
>
> CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981) The
> JSONDeserializer of Flexjson allows the instantiation of arbitrary
> classes and the invocation of arbitrary setter methods.
>
> CST-7205: Unauthenticated Remote code execution via JSONWS
> (LPS-97029/CVE-2020-7961) The JSONWebServiceActionParametersMap of
> Liferay Portal allows the instantiation of arbitrary classes and
> invocation of arbitrary setter methods.
>
> Found the signature in the logs and it's pretty clear that that is
> what we are up against.  However, if something else comes to mind,
> feel free to post back.  I  did come across a couple of other posts
> where the OP said there was nothing but Tomcat and they also ended
> up with the miner.
>
> I have some updating to do....

Definitely update Liferay if these are known vulns.

You ought to upgrade Tomcat as well, since 8.0 is no longer supported.
8.0.32 is more than 4 years out of date. Latest 8.0.x release was
8.0.53 before support was dropped in favor of Tomcat 8.5.

> The VM running Tomcat/Liferay is served through reverse proxy
> listening on port 443 and passes traffic back to the Tomcat
> instance listening on 7080.  The VM has ONLY ports 7080, 7009, and
> 7005 open (firewalld)

What is the proxy protocol in use? Are those ports on the Tomcat end
only allowing connections from the reverse proxy? What are ports 7009
and 7005 open for? How do you make remote connections to the server?

- -chris

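Chris's questions about which hosts can reach 7080, 7009 and 7005 are answered by Tomcat's server.xml as much as by firewalld. As an added example, not taken from this thread or from the Liferay bundle, here is a Python check over two constructed server.xml fragments: one that leaves the HTTP connector listening on every interface and keeps an AJP connector nobody uses, and one with the listeners pinned to the proxy (HTTP bound to one interface, a RemoteAddrValve that admits only the proxy, AJP removed, shutdown listener on loopback). The port roles (7005 as the shutdown port, 7009 as AJP), the interface address 10.0.0.10 and the proxy address 10.0.0.5 are assumptions; the thread does not say what 7009 and 7005 are for.

```python
"""Audit a Tomcat server.xml for listeners that an internet-facing reverse
proxy setup should not expose. Added example; both configs are constructed."""
import xml.etree.ElementTree as ET

# Assumption: 7005 is the shutdown port and 7009 an AJP connector; the thread
# only says ports 7080, 7009 and 7005 are open on the VM.
WEAK_SERVER_XML = """\
<Server port="7005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="7009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Same layout with the listeners constrained. 10.0.0.10 (the interface the
# proxy reaches) and 10.0.0.5 (the proxy itself) are placeholders.
HARDENED_SERVER_XML = """\
<Server port="7005" shutdown="SHUTDOWN" address="127.0.0.1">
  <Service name="Catalina">
    <Connector port="7080" protocol="HTTP/1.1" connectionTimeout="20000"
               address="10.0.0.10"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="10\\.0\\.0\\.5"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# A missing address attribute on a Connector means "all interfaces".
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def audit_server_xml(xml_text, ajp_expected=False):
    """Return a list of findings (strings) for the given server.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    # Tomcat's documented default for the shutdown listener address is localhost.
    if root.get("address", "localhost") not in LOOPBACK:
        findings.append(f"shutdown listener on port {root.get('port')} "
                        f"bound to {root.get('address')}; keep it on loopback")
    valve_classes = [v.get("className", "") for v in root.iter("Valve")]
    has_addr_filter = any(c.endswith(("RemoteAddrValve", "RemoteCIDRValve"))
                          for c in valve_classes)
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        port = conn.get("port")
        if proto.startswith("AJP") and not ajp_expected:
            findings.append(f"unused AJP connector listening on port {port}; remove it")
            continue
        if conn.get("address") in ALL_INTERFACES and not has_addr_filter:
            findings.append(f"{proto} connector on port {port} binds all interfaces "
                            "with no RemoteAddrValve; only the reverse proxy should reach it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(cfg) or "no findings")
```

Two caveats worth keeping in mind. RemoteAddrValve compares the TCP peer address, so if you also run RemoteIpValve to recover client IPs from X-Forwarded-For, put RemoteAddrValve ahead of it in the pipeline; otherwise it sees the forwarded client address instead of the proxy's. And none of this replaces the firewalld rules Pete already has; binding the connector and filtering in Tomcat are defence in depth for the case where the firewall is misconfigured, and they do nothing about the Liferay bug itself, which still needs Olaf's patches.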