Mar 06, 2024NewsroomServer Security / Cryptocurrency

Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

“The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.

“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir explained.

The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the company said.

The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.

“By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.”

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.

It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”

Feb 01, 2024NewsroomCryptojacking / Linux Security

Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat.

“The campaign deploys a benign container generated using the Commando project,” Cado security researchers Nate Bill and Matt Muir said in a new report published today. “The attacker escapes this container and runs multiple payloads on the Docker host.”

The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software.

Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials, and launching the miner.

The foothold obtained by breaching susceptible Docker instances is subsequently abused to deploy a harmless container using the Commando open-source tool and execute a malicious command that allows it to escape the confines of the container via the chroot command.

It also runs a series of checks to determine if services named “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache” are active on the compromised system, and proceeds to the next stage only if this step passes.

“The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux,” the researchers said. “It is possible that the service is part of another campaign that the attacker does not want to compete with.”

The succeeding phase entails dropping additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that’s capable of adding an SSH key to the ~/.ssh/authorized_keys file and creating a rogue user named “games” with an attacker-known password and including it in the /etc/sudoers file.

Also delivered in a similar manner are three more shell scripts – tshd.sh, gsc.sh, aws.sh – which are designed to drop Tiny SHell and an improvised version of netcat called gs-netcat, and exfiltrate credentials

The threat actors “run a command on the cmd.cat/chattr container that retrieves the payload from their own C2 infrastructure,” Muir told The Hacker News, noting this is achieved by using curl or wget and piping the resulting payload directly into the bash command shell.

“Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead,” the researchers said. “It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp.”

“This also results in the artifacts not touching the disk, making forensics somewhat harder. This technique has been used before in BPFdoor – a high profile Linux campaign.”

The attack culminates in the deployment of another payload that’s delivered directly as a Base64-encoded script as opposed to being retrieved from the C2 server, which, in turn, drops the XMRig cryptocurrency miner but not before eliminating competing miner processes from the infected machine.

The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and the C2 IP address have been observed to overlap with those linked to cryptojacking groups like TeamTNT in the past, raising the possibility that it may be a copycat group.

“The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one,” the researchers said. “This makes it versatile and able to extract as much value from infected machines as possible.”

Jan 18, 2024NewsroomServer Security / Cryptocurrency

Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy.

“This is the first documented case of malware deploying the 9Hits application as a payload,” cloud security firm Cado said, adding the development is a sign that adversaries are always on the lookout for diversifying their strategies to make money off compromised hosts.

9Hits advertises itself as a “unique web traffic solution” and an “automatic traffic exchange” that allows members of the service to drive traffic to their sites in exchange for purchasing credits.

This is accomplished by means of a software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for generating traffic to their sites.

The exact method used to spread the malware to vulnerable Docker hosts is currently unclear, but it’s suspected to involve the use of search engines like Shodan to scan for prospective targets.

The servers are then breached to deploy two malicious containers via the Docker API and fetch off-the-shelf images from the Docker Hub library for the 9Hits and XMRig software.

“This is a common attack vector for campaigns targeting Docker, where instead of fetching a bespoke image for their purposes they pull a generic image off Dockerhub (which will almost always be accessible) and leverage it for their needs,” security researcher Nate Bill said.

The 9Hits container is then used to execute code to generate credits for the attacker by authenticating with 9Hits using their session token and extracting the list of sites to visit.

The threat actors have also configured the scheme to allow visiting adult sites or sites that show popups, but prevent it from visiting cryptocurrency-related sites.

The other container is used to run an XMRig miner that connects to a private mining pool, making it impossible to determine the campaign’s scale and profitability.

“The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left,” Bill said.

“The result of this is that legitimate workloads on infected servers will be unable to perform as expected. In addition, the campaign could be updated to leave a remote shell on the system, potentially causing a more serious breach.”