
Novel Cryptojacking Campaign is Targeting Docker APIs Across the Internet

 

Cado Security researchers recently identified a sophisticated cryptojacking campaign that exploits Docker API endpoints exposed to the internet.

The campaign, dubbed “Commando Cat”, has been active since early 2024, the researchers noted, making it the second such effort identified in only two months. The initial container, created with the Commando open-source tool, looks harmless, but it allows the attackers to escape to the Docker host and launch several payloads there.

The payloads delivered depend on the campaign's short-term goals, which include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and running cryptocurrency miners, according to the researchers. The miner used in this campaign is the well-known XMRig, a popular cryptojacking tool that mines Monero (XMR), a privacy-oriented currency that is nearly impossible to track.

Cado Security's researchers added that Commando Cat temporarily stores stolen files in a separate folder, which they interpret as an evasion tactic; it does complicate forensic analysis.

At press time, the researchers had not attributed Commando Cat to a known threat actor, although they did note overlaps in shell scripts and C2 IP addresses with another cryptojacking outfit dubbed TeamTNT. Cado, however, does not believe TeamTNT is behind this particular effort and instead suspects a copycat group.

The researchers advised that users should upgrade their Docker instances and install necessary security measures to safeguard themselves from such attacks. 

Last month, the same cybersecurity team uncovered a similar campaign that used insecure Docker hosts to install both XMRig and the 9Hits Viewer software. 9Hits is an online traffic exchange platform whose members drive traffic to each other's websites.

When a user installs 9Hits, their device visits the websites of other members using a headless Chrome instance. In exchange, the user earns credits, which can later be spent to attract traffic to their own websites. Installing 9Hits on compromised Docker instances generates more credits, which the attackers can then use to buy more traffic.
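The Commando Cat chain above begins with a Docker API reachable over the network and a container that is allowed to reach the host. As an added example (not Cado's code or anything taken from the campaign), the following Python audits `docker inspect` output for the settings that make such an escape possible and checks a daemon.json for an API listener on plain TCP; the sample JSON and the image name are constructed.

```python
import json

# Constructed sample in the shape of `docker inspect` output (subset of fields);
# "example/commando-image" is a placeholder, not a real image from the campaign.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25"}, "HostConfig": {
        "Privileged": False, "PidMode": "", "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/cmd", "Config": {"Image": "example/commando-image"}, "HostConfig": {
        "Privileged": True, "PidMode": "host", "Binds": ["/:/hostfs"]}},
    {"Name": "/agent", "Config": {"Image": "monitor:latest"}, "HostConfig": {
        "Privileged": False, "PidMode": "", "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])
# Constructed /etc/docker/daemon.json that publishes the API on plain TCP.
SAMPLE_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Host paths that hand a container control of the host when bind-mounted.
SENSITIVE = ("/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")

def risky_mount(src):
    # src is the host side of a bind; flag it if it is, or lies beneath, a sensitive path
    return src == "/" or any(src == s or src.startswith(s + "/") for s in SENSITIVE if s != "/")

def audit_container(container):
    # Collect the settings a container needs in order to escape to the Docker host
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("host pid namespace")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]          # 'src:dst[:opts]' -> host path
        if risky_mount(src):
            findings.append("host mount " + src)
    return findings

def audit(inspect_json):
    # Map container name -> findings, leaving out clean containers
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report

def api_exposed(daemon_json):
    # True if the daemon listens on TCP without TLS client verification:
    # this is the exposure the campaign needs to create containers remotely
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp) and not cfg.get("tlsverify", False)
```

Run `audit(SAMPLE_INSPECT)` and `api_exposed(SAMPLE_DAEMON)` against the sample; on a real host, feed in `docker inspect $(docker ps -q)` output instead.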

Imperva Reports Previously Undocumented 8220 Gang Activities


The Imperva Threat Research team has recently discovered previously unreported activity from the 8220 gang, which is known for mass-deploying a constantly evolving set of TTPs to distribute malware at scale. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers described the findings in a blog post covering the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Imperva customers are protected against the group's known activity; all organisations are nonetheless required to keep their security controls and patching up to date.

History of the Threat Actor

The 8220 gang, believed to be a China-based group, was first identified in 2017 by Cisco Talos. Its targets included Apache Struts2, Hadoop YARN, and Drupal systems, to which the threat actors delivered cryptojacking malware. Since then, a number of other researchers have published updates on the group's evolving tactics, techniques, and procedures (TTPs), which include exploiting vulnerabilities in Log4j and Confluence. Most recently, Trend Micro showed the group using the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems.

Evolving TTPs

Imperva Threat Research disclosed the group's exploitation of CVE-2021-44228 and CVE-2017-3506. The researchers also revealed that the group exploited CVE-2020-14883, a remote code execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently chained with CVE-2020-14882 (an authentication bypass that also affects Oracle WebLogic Server) or used with compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. Exploitation of these vulnerabilities is extensively documented, which makes the technique easy to adapt for malware distribution.

The 8220 gang employs two distinct gadget chains: one loads an XML file, and that file in turn invokes a second gadget chain that executes commands on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF already mitigate the flaws the 8220 gang used in its malicious activity. Some of these vulnerabilities are listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  
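The WebLogic gadget-chain requests described above leave a recognisable shape in web server access logs. The following Python is an added example, not code from Imperva's report: it flags the double-encoded traversal used for the CVE-2020-14882 console bypass and a `handle=` parameter that names a gadget class (the ShellSession and XmlApplicationContext class names are the publicly documented gadgets and are not listed in the post); the log lines are constructed and the command argument is redacted.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined-log shape; the second line mirrors the
# publicly documented CVE-2020-14882/14883 request shape with the command argument
# replaced by REDACTED. None of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [12/Dec/2023:10:01:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22REDACTED%22) HTTP/1.1" 302 0
203.0.113.9 - - [12/Dec/2023:10:01:06 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 302 0
198.51.100.4 - - [12/Dec/2023:10:02:00 +0000] "GET /console/images/logo.png HTTP/1.1" 200 3311
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def analyze_request(url):
    """Return findings for one request URL (empty list if nothing suspicious)."""
    findings = []
    parts = urlsplit(url)
    # Undo double encoding: %252e -> %2e -> '.', which is how the console
    # path restriction is bypassed (CVE-2020-14882)
    path = unquote(unquote(parts.path))
    if "console.portal" in path and "/.." in path:
        findings.append("CVE-2020-14882 console auth bypass (double-encoded traversal)")
    # CVE-2020-14883: the 'handle' parameter names a class whose constructor is run
    handle = parse_qs(parts.query).get("handle", [""])[0]
    if re.match(r"^[\w.]+\(", handle):
        cls = handle.split("(", 1)[0]
        if cls.endswith("ShellSession"):
            findings.append("CVE-2020-14883 gadget: OS command execution via " + cls)
        elif cls.endswith("XmlApplicationContext"):
            findings.append("CVE-2020-14883 gadget: remote XML load via " + cls)
        else:
            findings.append("suspicious handle class " + cls)
    return findings

def scan_log(text):
    """Return (source ip, finding) pairs for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.extend((m["ip"], f) for f in analyze_request(m["url"]))
    return hits
```

A hit on the bypass alone is worth triaging even when no gadget class appears, since the second request of a real chain may be a POST whose body the access log does not record.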

From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet

 

A group of cybersecurity researchers has recently unearthed previously unreported payloads linked to a Romanian threat actor named Diicot. The discovery sheds light on the threat actor's capability to carry out distributed denial-of-service (DDoS) attacks. In July 2021, the cybersecurity firm Bitdefender first documented the activity of this threat actor, then known as Mexals.

That investigation revealed that Diicot used a tool called Diicot Brute, a Go-based SSH brute-forcer, to compromise Linux hosts as part of its cryptojacking campaign. Akamai later reported a renewed surge in the Diicot operations first identified in 2021. This latest wave of attacks, believed to have started around October 2022, allowed the threat actor to accumulate illicit profits of approximately $10,000.

A recent analysis conducted by Cado Security has uncovered that the Diicot group has expanded its tactics by utilizing a ready-made botnet agent called Cayosin. This particular malware, which exhibits similarities to Qbot and Mirai, signifies a significant development for the threat actor as it demonstrates their newfound capability to launch distributed denial-of-service (DDoS) attacks. 

Additionally, the group has engaged in doxxing, the practice of publishing private information about rival hacking groups. Diicot also relies on the popular communication platform Discord for controlling its operations and exfiltrating stolen data.

The threat actor, Diicot, employs several distinct tools in their operations: 

Chrome:  This tool is an internet scanner based on Zmap. It gathers information during operations and saves the results to a text file named "bios.txt".

Update:  This executable is responsible for fetching and executing the SSH brute-forcer and Chrome tools if they are not already present on the compromised system. 

History:  Designed as a shell script, History facilitates the execution of the Update tool. 

The Relation Between DDoS Attacks and Cryptojacking

Cybercriminals are combining DDoS attacks with cryptojacking. The connection lies in using DDoS attacks to distract from and mask cryptojacking activity, for instance by launching a DDoS attack on a cryptocurrency exchange to divert attention.

It can also include using DDoS attacks to test a victim's defenses and exploit vulnerabilities for cryptojacking. The consequences of this combination include increased energy consumption, hardware damage, and the potential theft of sensitive information. 

The SSH brute-forcer, referred to as "aliases", uses the information in Chrome's text-file output and attempts to log in to each identified IP address. If the brute-forcing attempt succeeds, it establishes a remote connection to that address.

To determine if your computer is part of a botnet, watch out for the following signs: 

  • Unexplained activity: Excessive processor, hard drive, or fan activity without a clear cause.
  • Slow Internet: Unusually slow internet speeds, despite no active downloads, uploads, or software updates. 
  • Slow reboots and shutdowns: Sluggish shutdowns or restarts, potentially caused by malicious software.
  • Application crashes: Previously stable programs now frequently crashing or behaving erratically. 
  • High RAM usage: Check if an unknown application is consuming a significant portion of your computer's memory. 
  • Mysterious emails: Recipients reporting spam or malicious emails sent from your account. 
  • Unsafe habits: Neglecting important security updates, visiting unsafe websites, downloading unsafe software, or clicking on malicious links. 

To protect against these attacks, organizations are advised to implement measures such as SSH hardening and firewall rules. By implementing SSH hardening practices, organizations can strengthen the security of their SSH configurations. 

Additionally, setting up firewall rules helps limit SSH access to specific IP addresses, reducing the potential for unauthorized access attempts. These proactive measures can significantly enhance the security posture of organizations against SSH-related threats.

Cryptojacking Costs Hacked Device Owners $53 for Every $1 of Cryptocurrency Mined

 


A team of security researchers evaluated the financial impact of crypto miners on cloud servers. They concluded that cryptojacking costs cloud server victims about $53 for every $1 of cryptocurrency mined by the threat actors.

Cryptojacking refers to the unauthorized use of devices, including computers, smartphones, tablets, and even servers, to mine cryptocurrency for profit. It is designed to stay hidden from the victims. The malicious actors generate income by hijacking hardware, since the mining programs use the CPUs of the hijacked devices.

Mining cryptocurrency on hijacked devices has primarily been the work of financially motivated hacking groups, especially TeamTNT, which was responsible for most of the large-scale attacks against vulnerable Docker Hub, AWS, Redis, and Kubernetes deployments.

The attackers updated the OS image by distributing the network traffic across servers that contained XMRig, a CPU miner for a privacy-oriented, hard-to-trace cryptocurrency that has recently been considered the most profitable for CPU mining.

Unlike ransomware, which blocks access to systems until a payment is made and attracts aggressive law enforcement attention, rogue crypto mining is less risky for the attackers.

The Sysdig researchers used "Chimaera", a large TeamTNT campaign, to estimate the financial damage caused by crypto miners. The research revealed that over 10,000 endpoints were exposed to unauthorized access.

To hide the wallet address from the hijacked machines and make tracking even harder, the attackers used XMRig-Proxy, but the analysts were still able to identify 10 wallet IDs used in the campaign.

The researchers later disclosed that the 10 wallets held a total of 39 XMR, worth $8,120. However, they also estimated the cost to victims of mining those 39 XMR at $429,000, or $11,000 per XMR.

Moreover, they explained that this estimate does not include amounts stored in unknown older wallets, the damage suffered by server owners from hardware wear, the potential interruption of online services caused by hogging processing power, or the strategic changes firms had to make to absorb the resulting excessive cloud bills.

Romanian Cryptojacking Gang Targets Linux-based Machines to Install Cryptominer Malware

 

Romanian threat actors are employing a new brute-forcer, “Diicot brute”, to crack the passwords of Linux-based machines and install cryptominer malware.

According to Bitdefender researchers, the cryptojacking gang employs a unique SSH brute-forcer dubbed Diicot to crack weak passwords on Linux machines and install XMRig, a legitimate open-source miner that has been adapted for cryptojacking by numerous attackers.

The researchers said they connected the cryptojacking gang to at least two DDoS botnets: a variant of the Linux-based DemonBot DDoS botnet called “Chernobyl” and a Perl IRC bot. The main aim of the campaign is to deploy Monero mining malware, but the toolset can also be used to steal sensitive information from users and perform other nefarious actions.

Cryptojacking is a slow and tedious way to generate illicit income, which is why the actor uses a botnet to infect as many devices as possible. “Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead,” according to the report published by Bitdefender researchers.

The threat actors target users with weak and default passwords that are easily broken by brute force. “People are the simple reason why brute-forcing SSH credentials still work,” the researchers wrote.

“Hackers going after weak SSH credentials is not uncommon. The tricky part is not necessarily brute-forcing passwords but rather doing it in such a manner that attackers can’t go undetected,” Bitdefender says. Another feature of the Diicot brute-forcer, according to the threat actors’ own claims, is the ability to filter out honeypots.

The attackers started the campaign in January and have not yet moved to the worm phase, according to Bitdefender. The cybersecurity analysts first tracked the Romanian cryptojacking gang back in May, when they discovered a cryptojacking campaign based on the “.93joshua” loader. Surprisingly, it was easy to trace the malware to “http://45[.]32[.]112[.]68/.sherifu/.93joshua” in an open directory.

“It turns out that the server hosted other files. Although the group hid many of the files, their inclusion in other scripts revealed their presence. They found that the associated domain, mexalz.us, has hosted malware at least since February,” the analysts noted.

TeamTNT Targeting Organizations Via Cryptojacking Malware

 

A cybercriminal gang known as TeamTNT has been ramping up its cloud-focused cryptojacking operations for some time. TeamTNT has targeted Kubernetes clusters because of their wide usage; running primarily in cloud environments with access to nearly unlimited resources, they are an attractive target for threat actors.

The attackers have also built new malware called Black-T that combines open-source cloud-native tools to support their cryptojacking operations. Once it gains a foothold in a Kubernetes cluster, the malware attempts to spread to as many containers as possible before carrying out its malicious activity.

Palo Alto’s Unit 42 researchers identified and confirmed close to 50,000 IPs compromised by this TeamTNT campaign across multiple clusters. Several IPs were exploited repeatedly during the period of the campaign, between March and May. Most of the compromised nodes were in China and the US, as identified from the ISP (Internet Service Provider) list, in which Chinese and US-based providers, including some CSPs (cloud service providers), had the highest counts.

TeamTNT has gathered 6.52012192 Monero coins via this cryptojacking campaign, equal to USD 1,788. The mining operation was found to run at an average speed of 77.7 KH/s across eight mining workers. Operations using this Monero wallet address have continued for 114 days and are still ongoing.

The researchers said TeamTNT’s new campaign is the most sophisticated malware Unit 42 has seen from this gang. In this round, they said, the threat actor developed more sophisticated tactics for initial access, execution, defense evasion, and command and control. Although the malware is still under development and the campaign has not spread widely, Unit 42 believes the attacker will soon improve the tools and begin a large-scale deployment.

TeamTNT has stolen the credentials of 16 applications, including AWS and Google Cloud credentials, which may be present on a compromised cloud instance if they were downloaded there. The targeting of Google Cloud credentials for collection represents the first known instance of an attacker group going after IAM credentials on compromised cloud instances outside of AWS.

Researchers believe that Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud IAM credentials could be targeted using similar methods. Unit 42 researchers are yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.