Cryptojacking has become the favorite tool for cybercriminals to mine cryptocurrencies on the systems and/or computing resources hosted over IaaS infrastructures like Amazon AWS, Microsoft Azure, and Google Cloud. Netskope threat research labs has discovered attack patterns where Internet-facing infrastructures hosted on the cloud, have been targeted by cybercriminals to look for security holes that can be exploited to gain access to the services. Once they gain control over the computer resources, they can then be utilized for illegal mining of cryptocurrencies. In our previous few blogs about cryptocurrency mining, we detailed about how cryptojackers are targeting enterprises and consumers to infect their machines and capitalize its resources for mining. In this post, we want to shed some light on how cloud-based infrastructures are also on the radar of cybercriminals for illegal mining. The advantage that these cloud infrastructures provide is the high availability and powerful computing resources that can enable miners to quickly solve the compute-intensive mining problem.
Attack methodology
Netskope Threat Research Labs has noticed attackers attempting to scan for cloud provider IP ranges to map out reachable services like ssh logins to servers in public cloud, kubernetes clusters and other orchestron services hosting cloud applications. This gives them a list of machines to target at. We noticed multiple login brute-forcing attempts on the open ports/services, specifically on ports running logon instances like SSH as shown in figure 1 below.
Figure 1: Login attempts made by the attacker IP
Another instance of attack captured in a Netskope monitored cloud environment was exploitation attempts against the hosted Drupal service, attempting to execute known vulnerabilities in the web application, as shown in figure 2 below.
Figure 2: Attacks on cloud service hosting web application server
Above figure shows some of the exploitation attempts made on the web application server. The first highlighted arrow shows an attempt to exploit CVE-2018-7600, which was a recently disclosed zero-day vulnerability in Drupal CMS.
Upon gaining access to the resource, the next wave of attack comprises of dropping the mining payloads and make the resource ready for mining. Figure 3 below shows one such event where the attacker begins to download a bash script by using the curl command. This bash script serves as the first stage payload which makes the resource ready for mining and reporting back to the mining pool.
Figure 3: Download of mining script
The attackers were seen rotating through multiple websites to download the shell script(md5: bacec449c5dad3d0dd8927544658437b). This was possibly done to ensure resilience to website take-downs. Closer analysis of the shell script showed that it sets up the environment for monero mining onto the compromised system. The command line argument passed in the above image is the unique mining ID which associates the activity with the owner in the mining pool. The mining operation uses the integrated public address which is a combination of standard monero mining address with some additional information like payment ID and checksum. This increases the total length of the address between 95 and 106 alphanumeric characters.
Figure 4: bash script looking for monero pool wallet ID and validating its length.
In a nutshell, the shell script performs following operations onto the infected machine(also depicted in Figure 5 below):
- Download the required dependencies like lscpu, curl etc.
- Validates the presence of existing mining process running onto the system and disable it.
- Download, extract and install the latest version of xmrig monero miner.
- Begins the mining operation in the background and reports back to the mining pool of the operation.