In February 2018, several Russian nuclear scientists were arrested for allegedly mining cryptocurrencies using computing resources located at a Russian nuclear warhead facility. Globally, cryptominers are rapidly increasing and spreading for an obvious reason: it’s lucrative. Threat actors are also surfing this wave by using different kind of attacks to compromise not only personal computer but also servers. They are looking for powerful CPU resources to mine cryptocurrencies, such as Monero (XMR), among others, as fast as they can. The more infected machines they can get mining for them, the more money they can make.
Over the last few months we have begun to see a switch away from traditional ransomware, most probably because fewer and fewer victims are paying the ransom. Experts are suggesting that victims not pay ransoms, as there is no guarantee that the cybercriminals will actually return access to their encrypted data. Moreover, as has been described a few times on this blog, most of the time getting back access to the original data is simply not technically possible.
However, last year, we not only witnessed IoT malware embedding exploits to recruit more bots in their army, but also campaigns using exploits to deploy cryptocurrency miners onto those devices. That trend is even more popular today, with cybercriminals exploiting new critical vulnerabilities within days of the public release of patches. For example, the vulnerability disclosed on Drupal CMS in March was exploited just a few days after the patch was released. Drupal is an open-source content management system (CMS) that is powering millions of web sites around the world.
The vulnerability, dubbed “Drupalgeddon 2.0” (CVE-2018-7600), was rapidly turned to advantage with a cryptomining exploit by unknown actor(s), as detailed by Volexity in “Drupalgeddon 2: Profiting from Mass Exploitation.” The interesting thing is that the tactics, techniques, and procedures (TTPs) used to exploit this vulnerability were exactly the same as those we identified previously for other exploits. One wonders if the threat actors behind a few of these identified campaigns are not in fact the same actor, who simply jumps from one hot vulnerability to another?
In particular, the Monero wallet address used in this exploit is one of the constant data elements that tie these different attacks together.
Other evidence linking this attack to others has also been found in attacks back in December 2017 that targeted the Oracle WebLogic Server (CVE-2017-10271) vulnerability. Attackers exploited that remote code execution vulnerability within days of the patch being released by forcing public facing servers to download and execute a malicious cryptomining payload.
Even before December 2017 we documented Docker images hosted on the Docker Hub registry that were seen to embed malicious malware. This was particularly the case for the Docker account docker123321, which was created in May 2017 (see Figure 1), and which currently provides 19 images under popular project names like Cron, Tomcat, and Mysql.
When we inspect one of these images using the CLI, we see the following:
“Cmd” contains the command line run while starting the container, as can be seen above.
It adds a command line to the Cron Linux job scheduler, the purpose of which is to automatically download a test44.sh file from a remote server.
Here’s the content of that shell script.
It appears to run five instances of the crypto mining official image bitnn/alpine-xmrig, under the names “sosmseww”, “sosmsea2”, “sosmsen2”, “sosmsek2“, and “sosmset2“. That image is auto pulled if it does not exist locally. All five of these containers connect to the crypto-pool.fr pool.
A more recent case is the image dubbed docker123321/cron, which was pushed onto the public registry the first week of January.
That logo1.jpg file is a shell script file that downloads and locally executes a crypto currency miner, as defined below:
The script runs some background tests before downloading a ‘rig’ file from a remote server and checking the hardware. That ‘rig’ file is a compiled version of the popular Monero (XMR) miner XMRig as seen from the binary:
The cryptominer configuration config.json downloaded from hxxp://220.127.116.11:8220/1.json is then passed as the command line argument.
Within that configuration file we can see that it refers to the Monero wallet that FortiGuard Labs is tracking, but that time it was linked to the monerohash.com pool.
The docker123321/kk attack described above has been pulled more than 100K times, while docker123321/cron has been pulled more than 1M times. All of the images stored by that user are of the same magnitude.
Of course, we can safely assume that these had not been deployed manually. In fact, the attack seems to be fully automated. Attackers have most probably developed a script to find misconfigured Docker and Kubernetes installations. Docker works as a client/server architecture, meaning the service can be fully managed remotely via the REST API.
By default, the service is available on TCP/2375 and TCP/2376. If these ports are exposed to the Internet without a proper authentication scheme, it can pose a major threat to your environment. The same happen for Kubernetes, which is listening on port 8080.
Aqua Security demonstrated some of these attacks at BlackHat US 2017 under the “Well that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers” presentation.
As discussed above, FortiGuard Labs found some evidence that the same Monero wallet is being used; however, the mining pool has been switched between campaigns/attack vectors. It has been seen on the following mining pools:
As a side note, minexmr.com and monero.crypto-pool.fr have already suspended that address and now mark it as detected botnet activity. Sharing such information between pools would make sense, that’s obviously not the case for now. The actor has been able to mine about 630 XMR to date, which at the current USD rate is more than $172,000 for just a little more than one year of activity. Even though this current hashing power is generating about $12k/month, there is no way we can trace back the transactions to the threat actor since Monero promises transaction anonymity by design.
Reporting malicious activity to registrars or ISPs is a common practice in the security industry. With regards to cryptocurrencies, I would personally suggest that you always report the misuse of services directly to the pool owners so the wallets can be disabled globally.
Will the cryptominer threat overtake ransomware, or is it already the case? That’s a hard question to answer. FortiGuard Labs will keep continue to monitor such kind of activity and report any malicious events.
The following AV signatures have been created to detect riskware files related to these attacks:
Linux/CoinMiner.AE!tr and Riskware/MoneroMiner.
IPS signatures that cover the vulnerabilities described in the article:
*CVE-2018-7600 is covered by Drupal.Core.Form.Rendering.Component.Remote.Code.Execution
*CVE-2017-10271 is covered by Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection
FortiGuard Web Filtering Service is currently blocking the malicious download URLs and C2s.
-= FortiGuard Lion Team =-
Check out our latest Quarterly Threat Landscape Report for more details about recent threats.
Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.
*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: http://feedproxy.google.com/~r/fortinet/blogs/~3/p_9xxoofQYY/yet-another-crypto-mining-botnet.html