Jupyter Notebooks targeted by cryptojackers

Cryptojackers are targeting exposed Jupyter Notebooks to install cryptominers and steal credential files for popular cloud services, researchers have uncovered.

What are Jupyter Notebooks?

“Jupyter is a service that allows you to host individual snippets of code and lets others execute this code in an isolated environment. A Jupyter Notebook refers to an instance of the Jupyter web application (i.e., where you would define the code to be run and how it’s presented),” Matt Muir, Threat Research Lead at Cado Security, told Help Net Security.

Jupyter Notebooks can be deployed by organizations on-premises or remote servers, but are also commonly deployed in cloud environments (e.g., Google Cloud, AWS) as managed services. Unfortunately, Notebooks to which access hasn’t been restricted (e.g., by requiring prior authentication) can often be found and accessed by anyone on the public internet.

The attack

According to the researchers, after accessing an exposed Notebook, the attacker opens a Bash instance using Jupyter’s built-in terminal feature to do quick reconnaissance and to, finally, retrieve the attack mi.sh shell script.

Once executed, the script:

• Retrieves and executes a XMRig miner and makes sure it and the miner will be executed after a reboot/on a daily basis
• Attempts to terminate competing mining operations (if present)
• Adds the attacker’s SSH key (to create a persistent backdoor to the compromised host)
• Installs a rootkit to hide malicious processes
• Exfiltrates cloud service provider credentials
• Attempts to deliver the mi.sh shell script to related hosts via SSH

The researchers have observed the malware exfiltrating credentials by using the Telegram Bot API, and soon after they noticed the attacker trying to use the said credentials to access the cloud service.

The attacker is hosting malware payloads on the Codeberg code hosting platform, and using Discord as command and control (C2) to send out commands and track the progress of the campaign.

“Using Discord as a C2 isn’t uncommon, large amounts of malware will abuse developer-friendly features such as webhooks and bots. This is due to the ease of access and use of these features (taking seconds to spin up a fresh account and making a bot) as well as familiarity with the platforms themselves. Using SaaS platforms like Discord also make C2 traffic harder to identify in networks, as traffic to SaaS platforms is usually ubiquitous and may pose challenges to sort through,” Muir explained.

Protecting Jupyter Notebooks

The researchers shared YARA rules and indicators of compromise (IoCs), and advised users with Jupyter Notebook deployments to review the security of the Jupyter servers themselves, and to pay particular attention to firewall and security group configurations.

“Contemporary versions of Jupyter include token-based authentication which is enabled by default. You can also opt to secure the server with a password. We’d recommend taking a defense-in-depth approach and adding additional networking security measures, such as firewalling and building an IP allowlist,” says Muir.

“If an attack succeeded in compromising the underlying infrastructure upon which the Jupyter Notebook is running, the cloud provider would need to remediate that (in the case of a managed service).”