Attackers are increasingly targeting vulnerable cloud infrastructure to exploit it for covert cryptojacking or to deliver ransomware, Securonix researchers warn.
Some attacks are fairly trivial, but others are multi-vector/multi-platform threats that combine multiple functionalities in the same threat (e.g., XBash, which combines cryptomining, ransomware and botnet/worm activity).
The way in
The attacks are automated and probe the infrastructure and cloud services for vulnerabilities and/or weak or default login credentials.
Among the known exploits leveraged are those for:
- An unauthenticated command execution vulnerability in Apache Hadoop through the ResourceManager REST API
- A Redis remote command execution bug
- CVE-2016-3088, an ActiveMQ arbitrary file execution flaw.
“In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access. In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads,” the researchers explained.
The attackers achieve the persistence of their malicious implants through cronjob entries on Linux and malicious startup items on Windows systems. They continually change the C&C servers that deliver additional malware, username/password lists, etc.
“XBash is a good example of a more advanced threat actor leveraging many of these common behaviors,” the researchers noted.
The malware infects Linux and Windows systems, installs cryptojacking scripts and spreads through the network by brute-forcing the weak passwords configured on the various services.
Once it successfully logs into the database services, it deletes the existing databases and creates a new one with a ransom note specifying the amount and the bitcoin wallet. Unfortunately, those who pay the ransom won’t get anything in return, as the malware did not make backups of the deleted databases.
Keeping the attackers out
Securonix has included indicators of compromise (malicious file hashes, C&C IP addresses) and defensive rules for administrators to use, and has pointed them towards specific logs that may show evidence of compromise.
The company is also advising them to continuously review their cloud infrastructure services’ exposure to the internet and restrict access whenever possible; think about deploying a centralized patch management system; consider implementing Redis in protected mode and implementing strong password policies for all services.
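The Redis part of that advice can be checked mechanically. The following Python is an added example, not code from Securonix or the original article: it audits redis.conf text for the bind, protected-mode and requirepass directives. The 32-character minimum password length and both sample configurations are assumptions constructed for illustration.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_PASSWORD_LEN = 32  # assumed policy value, not taken from the article

# Constructed sample configurations (not from any real host).
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = ("bind 127.0.0.1 -::1\nprotected-mode yes\n"
            'requirepass "constructed-example-passphrase-0123456789"\n')

def parse_redis_conf(text):
    """Return {directive: [args]}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        parts = shlex.split(line)  # honours quoted arguments
        conf[parts[0].lower()] = parts[1:]
    return conf

def audit(text):
    """List the hardening gaps found in one redis.conf."""
    conf = parse_redis_conf(text)
    findings = []
    # Redis marks optional bind addresses with a leading "-"; drop it.
    binds = [a.lstrip("-") for a in conf.get("bind", [])]
    # With no bind directive Redis listens on every interface.
    exposed = not binds or any(a not in LOOPBACK for a in binds)
    # protected-mode defaults to "yes" when the directive is absent.
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    password = (conf.get("requirepass") or [""])[0]
    if exposed:
        findings.append("bind: listens on non-loopback interfaces")
    if not protected:
        findings.append("protected-mode: disabled")
    if not password:
        findings.append("requirepass: no password set")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("requirepass: password shorter than policy minimum")
    if exposed and not protected and not password:
        findings.append("CRITICAL: unauthenticated access from the network")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```

A configuration with no bind line and no password is still reported, because protected mode is then the only control keeping remote clients out.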