Redis – INDIA NEWS (http://www.indiavpn.org)

Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining
http://www.indiavpn.org/2024/03/06/hackers-exploit-misconfigured-yarn-docker-confluence-redis-servers-for-crypto-mining/

Mar 06, 2024 | Newsroom | Server Security / Cryptocurrency

Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

“The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.

“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir explained.

The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the company said.

The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.

“By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.”

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.

It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”

New Migo Malware Targeting Redis Servers for Cryptocurrency Mining
http://www.indiavpn.org/2024/02/20/new-migo-malware-targeting-redis-servers-for-cryptocurrency-mining/

Feb 20, 2024 | Newsroom | Server Security / Cryptojacking

A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts.

“This particular campaign involves the use of a number of novel system weakening techniques against the data store itself,” Cado security researcher Matt Muir said in a technical report.

The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines.

The cloud security company said it detected the campaign after it identified an “unusual series of commands” targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options –

It’s suspected that these options are turned off in order to send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention.

This step is then followed by threat actors setting up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh, a technique previously spotted in early 2023.

The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that’s, in turn, obtained using a curl or wget command.

The Go-based ELF binary, besides incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It’s also responsible for performing a series of steps to establish persistence, terminate competing miners, and launch the miner.

On top of that, Migo disables Security-Enhanced Linux (SELinux) and searches for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud. It further deploys a modified version (“libsystemd.so”) of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts.

It’s worth pointing out that these actions overlap with tactics adopted by known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.

“Interestingly, Migo appears to recursively iterate through files and directories under /etc,” Muir noted. “The malware will simply read files in these locations and not do anything with the contents.”

“One theory is this could be a (weak) attempt to confuse sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification.”

Another hypothesis is that the malware is looking for an artifact that’s specific to a target environment, although Cado said it found no evidence to support this line of reasoning.

“Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services,” Muir said.

“Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artifacts in addition to the malicious processes themselves.”

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining
http://www.indiavpn.org/2024/02/01/headcrab-2-0-goes-fileless-targeting-redis-servers-for-crypto-mining/

Feb 01, 2024 | Newsroom | Cryptocurrency / Botnet

Cybersecurity researchers have detailed an updated version of the malware HeadCrab, which has been known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that “the campaign has almost doubled the number of infected Redis servers,” with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.

HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a “mini blog” embedded into the malware that the mining activity is “legal in my country” and that they do it because “it almost doesn’t harm human life and feelings (if done right).”

The operator, however, acknowledges that it’s a “parasitic and inefficient way” of making money, adding their aim is to make $15,000 per year.

“An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques,” Aqua researchers Asaf Eitani and Nitzan Yaakov said. “In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker’s commitment to stealth and persistence.”

It’s worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware’s content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications for added covertness.

“By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests,” the researchers said.

“Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication.”

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

“This evolution underscores the necessity for continuous research and development in security tools and practices,” the researchers concluded. “The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering.”
