Crypto Mining Malware Campaign Targets Misconfigured Servers

March 6, 2024

Threat actors are exploiting misconfigured servers running services such as Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis as part of a new malware campaign. The campaign is designed to deliver a cryptocurrency miner and establish a reverse shell for continuous remote access. The attackers take advantage of common misconfigurations and exploit an N-day vulnerability to conduct Remote Code Execution (RCE) attacks and infect new hosts, according to Matt Muir, a security researcher at Cado.

The campaign, named Spinning YARN by the cloud security company, shows similarities to cloud attacks linked to threat actors such as TeamTNT, WatchDog, and a group known as Kiss-a-dog. The attack process begins with four novel Golang payloads capable of identifying and exploiting susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The attackers use tools like masscan or pnscan to search for these services.

In the case of Docker compromise, the attackers create a container and escape from it onto the host, as explained by Muir. The initial access then sets the stage for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to hide malicious processes, deploy the Platypus open-source reverse shell utility, and eventually launch the XMRig miner.
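As an added example (not from Cado's report or this article), a small Python audit that checks three of the indicators above from the defender's side: entries in /etc/ld.so.preload (the mechanism libprocesshider relies on), kernel modules present under /sys/module but absent from /proc/modules (how an LKM rootkit such as diamorphine typically hides itself), and the campaign's targeted services listening on all interfaces. The sample inputs are constructed, and the default port numbers and the /sys/module behaviour are assumptions not stated in the article.

```python
import re

# Constructed sample inputs standing in for files and command output read on a Linux host.
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_PROC_MODULES = (
    "xt_conntrack 16384 1 - Live 0x0000000000000000\n"
    "overlay 151552 0 - Live 0x0000000000000000\n"
)
SAMPLE_SYS_MODULE = ["xt_conntrack", "overlay", "diamorphine"]  # os.listdir("/sys/module")
SAMPLE_SS_LTN = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    0.0.0.0:2375         0.0.0.0:*
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       4096    *:8088               *:*
"""

# Services abused by the campaign; the default ports are an assumption, not stated in the article.
RISKY_PORTS = {2375: "Docker API (plain TCP)", 6379: "Redis", 8088: "Hadoop YARN ResourceManager", 8090: "Confluence"}

def check_ld_preload(text):
    """Any entry in /etc/ld.so.preload deserves review; libprocesshider is loaded this way."""
    return [f"ld.so.preload entry: {line.strip()}" for line in text.splitlines() if line.strip()]

def check_hidden_modules(proc_modules, sys_module_names):
    """LKM rootkits like diamorphine unlink themselves from the module list (/proc/modules);
    their /sys/module directory typically remains (assumption), so compare the two views."""
    visible = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return [f"module in /sys/module but not /proc/modules: {n}" for n in sorted(set(sys_module_names) - visible)]

def check_exposed_ports(ss_output):
    """Parse `ss -ltn` output and flag campaign-targeted services bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines():
        m = re.search(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in RISKY_PORTS and addr in ("0.0.0.0", "*", "::", "[::]"):
            findings.append(f"{RISKY_PORTS[port]} listening on all interfaces ({addr}:{port})")
    return findings

def audit(ld_preload, proc_modules, sys_module_names, ss_output):
    """Run all three checks and return the combined list of findings."""
    return (check_ld_preload(ld_preload)
            + check_hidden_modules(proc_modules, sys_module_names)
            + check_exposed_ports(ss_output))

if __name__ == "__main__":
    for finding in audit(SAMPLE_LD_PRELOAD, SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, SAMPLE_SS_LTN):
        print(finding)
```

On a real host, replace the constructed samples with the contents of /etc/ld.so.preload, /proc/modules, a listing of /sys/module and the output of `ss -ltn`; Redis bound only to 127.0.0.1 in the sample is intentionally not flagged.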

It is evident that attackers are investing considerable time in understanding the types of web services deployed in cloud environments, keeping up with reported vulnerabilities in those services, and using this knowledge to infiltrate target environments. This trend follows the revelation by Uptycs of the 8220 Gang's exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a series of attacks targeting cloud infrastructure from May 2023 through February 2024.

Using internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access. Once inside, they employ a series of advanced evasion techniques, demonstrating a deep understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.

The attacks, which target both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion. It also follows the misuse of cloud services mainly intended for artificial intelligence (AI) solutions to deliver cryptocurrency miners as well as host malware. With both mining and AI requiring access to large amounts of GPU processing power, there's a certain degree of transferability to their base hardware environments, as noted by HiddenLayer last year.

According to Cado's H2 2023 Cloud Threat Findings Report, threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and cryptojacking is no longer the only motive. With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems. Cloud and Linux infrastructure is now subject to a broader variety of attacks.
