Security News > 2021 > August > Splunk spots malware targeting Windows Server on AWS to mine Monero
Data analysis firm Splunk says it's found a resurgence of the Crypto botnet - malware that attacks virtual servers running Windows Server inside Amazon Web Services.
Splunk's Threat Research Team posted its analysis of the attack on Monday, suggesting it starts with a probe for Windows Server instances running on AWS, and seeks out those with remote desktop protocol enabled.
Once target VMs are identified, the attackers wheel out an old favourite: brute forcing passwords.
Splunk's security team noticed that one of the Monero wallets used in this campaign was also involved in a 2018 wave of attacks using the same Crypto botnet.
Splunk's advice for those hoping to avoid the attack is simple: stay up to date with patches, use strong passwords, and enable network-level authentication.
Windows admins will also know that RDP is not on by default, for good reasons - advice for those not wanting to avoid the attack is presumably to switch on RDP, use 'Admin/Passw0rd1234' as the login credentials and let 'er rip.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/10/crypto_botnet_targets_windows_on_aws/
Related news
- Microsoft confirms Windows Server 2025 blue screen, install issues (source)
- Windows Server 2025 released—here are the new features (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools (source)
- Microsoft fixes bugs causing Windows Server 2025 blue screens, install issues (source)
- New Windows Server 2012 zero-day gets free, unofficial patches (source)
- Windows, macOS users targeted with crypto-and-info-stealing malware (source)
- New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools (source)