In the past year or so, many cybercriminals have turned to cryptojacking as an easier and more low-key approach for “earning” money.
While the value of cryptocurrencies like Bitcoin and Monero has been declining for a while now and Coinhive, the most popular in-browser mining service, has shut down, cryptojacking is still a considerable threat. After all, attackers need to expend very little effort and are using someone else’s resources for free.
Cybercrooks going after cloud-based assets
Many a security company has noticed the drastic switch from ransomware to cryptojacking – whether performed by stealthily installed malware or in-browser, through scripts – and has warned end users and companies about it.
The latter are especially juicy targets, with a myriad of computing resources (on premises or in the cloud) available for cybercriminals to exploit.
The crooks are using a variety of methods:
- Getting end users to install malware on their machines (private or corporate) is an easy task, most often achieved by sending an email carrying or pointing to cryptomining malware disguised as something else, or a downloader Trojan that will install a cryptominer at a later date.
- Compromising websites to serve cryptomining scripts is usually achieved via phishing or brute-forcing of access credentials belonging to web administrators, or by exploiting known vulnerabilities in the underlying software (widely used content management systems such as WordPress or Drupal are the preferred targets). Vulnerable web hosting control panels can also be of use.
- Compromising container management platforms and cloud environments via misconfigured management interfaces and exposed APIs, misconfigured Kubernetes consoles, or malicious Docker images served via well-established online registries.
- Compromising servers by exploiting vulnerable PHP frameworks and web server software, or by brute-forcing the credentials that protect them.
Latest target: Elasticsearch servers
Threat researchers from F5 Networks have also recently spotted attackers going after Elasticsearch systems.
“The campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems running on both Windows and Linux platforms to mine XMR cryptocurrency,” they shared.
The attackers leverage a new method for killing other competing crypto-miners that may already be present on the machines: they redirect their outgoing pool traffic to localhost (“127.0.0.1”).
“In doing so, the competitors’ miners are not able to connect to those cryptocurrency pools and fail to start the mining process, which frees up system resources on the infected machine,” they explained.
The attackers are backdooring the servers to make sure they can access them whenever they want, and are also making sure they will survive a malware cleanup by renaming the original Linux rm (“remove”) binary and replacing it with a malicious file named rmm that is downloaded from the attackers’ C&C server.
“The irony is that even if the infected server’s administrator were to detect the other malicious files and try to remove them, she would probably use the rm command which, in turn, would reinstall the malware. Randomly executing the malicious code could make the administrator go crazy trying to understand how the machine continues to get re-infected,” they noted.
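The two tricks described above (pool traffic sent to 127.0.0.1, and rm swapped for a malicious rmm) both leave traces an administrator can check for without trusting the tools on the box. The script below is an added example written for this article; it is not code from F5 Networks or from the campaign itself. It assumes the pool redirection is done with /etc/hosts entries (the report only says traffic is redirected to localhost, so this is an assumption), and the list of pool name fragments is illustrative. Because rm itself may be the implant, the checks use od, grep and the package manager rather than rm.

```shell
#!/bin/sh
# Added example for the Elasticsearch cryptojacking campaign described above.
# Not the campaign's or F5's code. Assumes a Linux host with coreutils and a
# POSIX shell. The /etc/hosts mechanism and the pool name list are assumptions.

# Name fragments that commonly appear in XMR mining pool hostnames (assumed list).
POOL_PATTERNS='pool|xmr|monero|minexmr|nanopool|supportxmr|hashvault'

# check_pool_redirects [HOSTSFILE]
# Prints every hosts-file line that maps a pool-looking hostname to loopback.
# Returns 0 if at least one such line exists (suspicious), 1 if none.
check_pool_redirects() {
    hostsfile="${1:-/etc/hosts}"
    grep -E '^[[:space:]]*(127\.[0-9.]+|::1|0\.0\.0\.0)[[:space:]]+' "$hostsfile" 2>/dev/null \
        | grep -Ei "$POOL_PATTERNS"
}

# is_elf PATH
# True if the first four bytes are the ELF magic (0x7f 'E' 'L' 'F').
# A genuine coreutils rm is an ELF binary; a wrapper script that re-runs the
# malware is not. od is used instead of file(1) so only a dump tool is trusted.
is_elf() {
    [ "$(od -An -c -N 4 "$1" 2>/dev/null | tr -d ' ')" = '177ELF' ]
}

# check_rm [PATH_TO_RM]
# Returns 0 if rm looks untouched, 1 if it is not an ELF binary or if a file
# named rmm sits next to it (the name the report associates with this campaign).
check_rm() {
    rm_path="${1:-$(command -v rm)}"
    dir=$(dirname "$rm_path")
    status=0
    if ! is_elf "$rm_path"; then
        echo "SUSPICIOUS: $rm_path is not an ELF binary"
        status=1
    fi
    if [ -e "$dir/rmm" ]; then
        echo "SUSPICIOUS: found $dir/rmm next to $rm_path"
        status=1
    fi
    return $status
}

# verify_coreutils_package
# Asks the package manager to re-verify coreutils against its recorded hashes.
# Both commands print only the files that differ, so any output is a finding.
# Returns 0 if nothing differs, 1 if something does, 2 if no verifier is found.
verify_coreutils_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify coreutils 2>/dev/null | grep -q . && return 1
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V coreutils 2>/dev/null | grep -q . && return 1
        return 0
    fi
    return 2
}

# Usage on a live host:
#   . ./check_cryptojack.sh
#   check_pool_redirects; check_rm; verify_coreutils_package
```

A clean result from check_rm only says the binary in PATH is an ELF file; verify_coreutils_package is the check that compares it against the distribution's recorded hash, which is the one a malware cleanup should rely on before running rm at all. If either check flags the host, clean it from a rescue image rather than from the compromised shell.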