The HolesWarm malware is a cross-platform crypto-miner threat that has managed to compromise over a thousand cloud hosts in just a couple of months. The threat's high infection rate stems from its ability to switch attack methods rapidly. So far, researchers have observed HolesWarm leveraging over 20 different vulnerabilities found in numerous office server components such as Apache Tomcat, Spring Boot, Jenkins, Shiro, UFIDA, WebLogic, Struts2, XXL-JOB and Zhiyuan.
Once established on the targeted system, HolesWarm will hijack the available resources and use them to mine Monero coins. In addition, the attackers can establish control over the compromised server and collect password information.
The ability to modify the threat's behavior and cycle through so many different attack methods rapidly shows that the threat actor has sufficient know-how and software skills. At the same time, the lack of established TTPs (Tactics, Techniques, and Procedures) indicates that the group may have been formed recently. The ease with which the threat was detected also supports this conclusion.
To reduce the chance of a breach, organizations should install the necessary updates on their servers. Leaving known vulnerabilities unpatched can have devastating consequences and lead to serious operational disruptions.