Rise in Attacks by Crystalray, the New OSS-Based Threat Actor
July 11, 2024
Crystalray, a newly discovered cyber threat actor, is leveraging a range of open source software (OSS) tools to scale operations focused on credential theft and cryptomining. The group was first observed in February deploying the penetration testing tool 'SSH-Snake' after exploiting known vulnerabilities in Atlassian's Confluence platform.
Since then, experts from Sysdig have witnessed Crystalray integrating several other OSS tools to aid every stage of its attack chain. This strategy has led to a significant increase in the group's activity, impacting over 1,800 unique IP addresses across the globe, with the US and China being the most targeted regions.
Crystalray uses the ASN command line tool for initial reconnaissance, which queries Shodan for open ports, known vulnerabilities, and other useful information about potential targets. The group then uses 'zmap' to scan the internet for specific ports running vulnerable services, followed by the HTTP toolkit 'httpx' to verify if the potential target domain is active.
Once a target is identified, Crystalray employs the vulnerability scanner 'nuclei' to check for known vulnerabilities. Vulnerabilities targeted include CVE-2019-18394 in Ignite Realtime Openfire, CVE-2021-3129 in Ignition for Laravel, and CVE-2022-44877 in the CentOS Control Web Panel.
Crystalray does not develop its own exploit scripts but uses publicly available proof-of-concept exploits to deliver its payloads. These payloads may include Sliver, a cross-platform red team framework used for command-and-control, or Platypus, a Go-based tool for managing multiple reverse shells.
'Some of these are not legitimate open source tools,' Michael Clark, director of threat research at Sysdig, pointed out. He noted that while some tools like nuclei are intended for defenders, others like Platypus are designed for malicious purposes.
Crystalray also uses SSH-Snake, a worm that enables lateral movement across a network by progressively collecting and logging SSH keys found on each compromised host. Additionally, it uses all-bash-history and Linux-smart-enumeration to discover sensitive credentials in bash command history files. These credentials, especially those for cloud platforms and SaaS email platforms, are then sold on black markets.
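On the host, the SSH-key and bash-history harvesting described above shows up as a single process opening private keys and history files across many home directories in quick succession. The detector below is an added example, not code from the Sysdig report or from any of the tools named; it runs over constructed file-open events whose JSON shape (ts, pid, comm, path) is an assumption, and flags any process that touches that material for several accounts within a short window.

```python
"""Flag a process that reads SSH private keys or shell history from several
home directories within a short window: the host-side footprint of a
key-accumulating worm or a bash-history harvester. Event format and
sample lines are constructed for this example, not real telemetry."""
import json
import re
from collections import defaultdict

# "home" captures the account whose key material or history is being read.
PRIVATE_KEY_RE = re.compile(r"^(?P<home>/root|/home/[^/]+)/\.ssh/id_[^/]+$")
HISTORY_RE = re.compile(r"^(?P<home>/root|/home/[^/]+)/\.bash_history$")

# Constructed file-open events, one JSON object per line (hypothetical schema).
SAMPLE_EVENTS = """
{"ts": 100, "pid": 4242, "comm": "bash", "path": "/home/alice/.ssh/id_rsa"}
{"ts": 101, "pid": 4242, "comm": "bash", "path": "/home/alice/.bash_history"}
{"ts": 102, "pid": 4242, "comm": "bash", "path": "/home/bob/.ssh/id_ed25519"}
{"ts": 103, "pid": 4242, "comm": "bash", "path": "/home/bob/.bash_history"}
{"ts": 104, "pid": 4242, "comm": "bash", "path": "/root/.ssh/id_rsa"}
{"ts": 105, "pid": 4242, "comm": "bash", "path": "/root/.bash_history"}
{"ts": 106, "pid": 5150, "comm": "ssh", "path": "/home/carol/.ssh/id_ed25519"}
{"ts": 107, "pid": 5151, "comm": "bash", "path": "/home/carol/.bash_history"}
{"ts": 108, "pid": 5152, "comm": "ssh", "path": "/home/carol/.ssh/id_ed25519.pub"}
"""

def classify(path):
    """Return ("key", home), ("history", home), or None for an uninteresting path."""
    m = PRIVATE_KEY_RE.match(path)
    if m and not path.endswith(".pub"):   # public keys are not secrets
        return "key", m.group("home")
    m = HISTORY_RE.match(path)
    return ("history", m.group("home")) if m else None

def detect_harvesting(lines, min_homes=2, window=300):
    """Return {pid: {"comm", "homes", "keys", "histories"}} for every pid that
    read keys/history from at least min_homes homes within `window` seconds."""
    per_pid = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        hit = classify(ev["path"])
        if hit:
            per_pid[ev["pid"]].append((ev["ts"], ev["comm"], *hit))
    findings = {}
    for pid, evs in per_pid.items():
        evs.sort()                      # by timestamp
        for i, (t0, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]  # sliding window
            homes = sorted({e[3] for e in burst})
            if len(homes) >= min_homes:
                findings[pid] = {"comm": burst[0][1], "homes": homes,
                                 "keys": sum(e[2] == "key" for e in burst),
                                 "histories": sum(e[2] == "history" for e in burst)}
                break
    return findings
```

A normal interactive `ssh` login reads one user's key, so it stays below the threshold, while the harvesting process (pid 4242) is flagged with three homes, three keys and three history files.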
Crystalray also profits from two cryptominers which, based on the attacker's crypto wallet, generate around $200 per month. Clark commented on the unusual use of legitimate OSS tools for malicious purposes, noting that while they save the attacker time and effort, they also allow defenders to reproduce the attacks and understand how they would play out in their own environment.
He added that despite having access to these tools, detection can be challenging due to their advanced nature and the effort put into making them highly effective, even when used for defensive purposes.