Nagios XI is a popular enterprise server and network monitoring solutions. The feature “Configuration Wizard: Windows Management Instrumentation (WMI)” is being exploited in Nagios XI.

Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coin miner on victims’ devices.

The XMRig coin miner is an open-source cross-platform cryptocurrency miner. If the attack is successful, the XMRig coin miner will be installed on the compromised devices.

The attacks try to execute a malicious bash script fetched from the malicious server. The bash script dropped by the attacker downloads the XMRig miner from the same server where the script is hosted and releases a series of scripts to run the XMRig miner in the background. Once the attack succeeds, the devices will be compromised for cryptojacking.

The attack targeting Nagios XI 5.7.5, exploits CVE-2021-25296 and drops a cryptocurrency miner, jeopardizing the security of systems running out-of-date Nagios XI applications.

Cryptojacking malware-infected devices can experience performance degradation. Furthermore, the attacker could modify the script online, causing the new script to be automatically downloaded and executed on the compromised computers, resulting in additional security risks.

Security subscriptions protect Palo Alto Networks Next-Generation Firewall customers from the vulnerability:

1.Threat Prevention can block attacks with Best Practices through Threat Prevention signature 90873.

2.Static signature detections in WildFire can avoid malware.

3.Malicious malware domains can be blocked using URL filtering.