
Cryptomining Onslaught: Protecting Linux and IoT Devices

Rabah Moula


In the constantly evolving digital landscape, it's not surprising that threat actors continue to hone their malicious tactics to exploit every possible vulnerability. This time, they have set their crosshairs on Internet-facing Linux systems and Internet of Things (IoT) devices with a campaign designed to mine cryptocurrency surreptitiously.


In the latest turn of events, these cyber miscreants use a backdoor to deploy an assortment of tools like rootkits and an IRC bot, effectively co-opting device resources for mining operations. According to Microsoft's threat intelligence researcher, Rotem Sde-Or, this backdoor also installs a patched version of OpenSSH, thus enabling the attackers to hijack SSH credentials, move laterally within networks, and hide malicious SSH connections.


How It Works

The attack begins with the brute-forcing of misconfigured Linux hosts to gain initial access. Once inside, the threat actors disable shell history and fetch a trojanized version of OpenSSH from a remote server. This rogue OpenSSH package is then used to install and launch the backdoor, a shell script that allows the attackers to distribute additional payloads and carry out other post-exploitation activities.


On successful exploitation, the attackers exfiltrate information about the device, install open-source rootkits from GitHub named Diamorphine and Reptile, and take steps to conceal their activities by erasing logs that could raise alarms. They also ensure persistent SSH access by appending two public keys to the authorized_keys configuration files of all users on the system.
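The persistence step above (an attacker key appended to every account's authorized_keys) can be surfaced by fingerprinting each key and comparing it with a list of fingerprints the organisation actually issued. The following audit logic is an added example, not code from the article or from the campaign; the key lines and usernames are constructed sample data, and the tokenizer assumes key options without quoted spaces.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519@openssh.com")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_line(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line around a
    constructed 32-byte 'public key' (sample data only, not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(line):
    """OpenSSH-style 'SHA256:...' fingerprint of one authorized_keys line, or
    None for blank/comment lines. Leading options (from=, command=, ...) are skipped."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def find_unexpected_keys(keys_by_user, allowed):
    """Return (user, fingerprint) for every key not on the allow-list; the same
    unknown fingerprint recurring under many users is the pattern to look for."""
    return [(user, fp) for user, content in keys_by_user.items()
            for fp in map(fingerprint, content.splitlines())
            if fp is not None and fp not in allowed]


# Constructed sample data: one key the organisation issued, plus an unknown key
# that has been appended to every account's file.
KNOWN_ADMIN = constructed_ed25519_line(0x01, "admin@workstation")
UNKNOWN_KEY = constructed_ed25519_line(0x42, "unknown")
ALLOWED = {fingerprint(KNOWN_ADMIN)}
SAMPLE_FILES = {
    "root": KNOWN_ADMIN + "\n" + UNKNOWN_KEY + "\n",
    "alice": "# alice's keys\n" + 'from="10.0.0.5" ' + UNKNOWN_KEY + "\n",
}
```

On a live host, build `keys_by_user` by reading `~/.ssh/authorized_keys` for every entry in `pwd.getpwall()` and seed `allowed` from your key inventory.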


Malicious Scripts and The Unseen War



The backdoor seeks to dominate the infected system's resources by eliminating competing crypto mining processes before launching its miner. It runs a modified version of ZiggyStarTux, an IRC-based distributed denial-of-service (DDoS) client capable of executing bash commands issued from the command-and-control (C2) server. It's based on another botnet malware called Kaiten (aka Tsunami).


Furthermore, these attacks cunningly leverage a Southeast Asian financial institution's subdomain for C2 communications, camouflaging the malicious traffic. Unfortunately, this pattern of attack is not unique to this campaign. Similar attacks were recently reported by the AhnLab Security Emergency Response Center (ASEC), confirming that such offensive tactics have become an alarming trend.


The Bigger Picture: Mirai Botnet and IoT Device Vulnerabilities

Seen in a broader context, this development comes on the heels of reports from Akamai and Palo Alto Networks Unit 42 that multiple known security flaws in routers, digital video recorders, and other network software are being actively exploited by threat actors to deploy the infamous Mirai botnet malware. First discovered in 2016, Mirai continues to pose a threat today because of persistent security flaws in IoT devices.


The Cybersecurity Perspective

The implications of this new mining campaign are far-reaching, particularly for Cyber Security Operations Centers (CSOCs). Organizations need to maintain stringent cybersecurity measures, including keeping Linux systems updated, strengthening passwords to resist brute-force attacks, and having an effective Incident Response Plan (IRP) to counter such threats. Employing robust security tools to detect anomalous behavior and isolate affected systems promptly can also limit the damage.

Key Terms and Definitions


  • Internet of Things (IoT): A network of physical devices, vehicles, and other items embedded with software, sensors, and network connectivity, which enable them to collect and exchange data.

  • Cryptocurrency Mining: The process of verifying transactions for various forms of cryptocurrency and adding them to the blockchain digital ledger.

  • OpenSSH: A free implementation of the Secure Shell (SSH) protocol suite, used for encrypted remote login and file transfer.

  • Backdoor: A method of bypassing normal authentication or encryption in a computer system, a product, or an embedded device.

  • Rootkits: A collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed.

  • Botnet: A number of internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, and send spam, and they allow the attacker to access each device and its network connection.

  • Mirai Botnet: A botnet that targets poorly protected Internet of Things devices such as IP cameras and home routers.



Summary

Threat actors are now leveraging backdoors to exploit Linux systems and IoT devices for illicit cryptocurrency mining. These attacks install a rogue OpenSSH package to conceal malicious activities, eliminate competing mining processes, and ensure persistent access. Simultaneously, the increasing exploitation of IoT device vulnerabilities by the Mirai botnet underscores the urgent need for enhanced security measures in the digital world.


©CyberGuardianNews. 
