Microsoft researchers have identified a series of attacks that employ brute force techniques to gain unauthorized access to systems, enabling illicit cryptocurrency mining for profit.
This article delves into the intricate details of the attack, highlighting the deployment of backdoor tools, compromised credentials, and the evasive nature of the threat actors. We also explore the countermeasures recommended by Microsoft to safeguard your business from this malicious assault.
Infiltration and Persistence
Once the attackers breach their target system, they download a modified version of OpenSSH from a remote server. This rogue variant is carefully crafted to establish backdoor access to compromised systems and secretively acquire credentials, ensuring its longevity within the system.
The attack also involves the utilization of an open-source IRC bot with Distributed Denial of Service (DDoS) capabilities, contributing to the complexity and disruptive potential of the campaign.
The Arsenal of the Attackers
Employing an established criminal infrastructure, the threat actors employ a diverse range of tools and components, such as rootkits and an IRC bot, to steal device resources for mining operations. Additionally, the compromised devices are implanted with a patched version of OpenSSH, enabling the attackers to hijack SSH credentials, move laterally within networks, and conceal malicious SSH connections. The complexity and extensive scope of this attack exemplify the tremendous efforts invested by the attackers to elude detection.
Honeypot Detection
The system’s backdoor performs a critical check to differentiate between a genuine system and a honeypot—a simulated system designed to mislead attackers while logging their activities.
If the system is identified as a honeypot, the attackers abort their mission. However, if it proves to be a genuine target, they initiate a data exfiltration process, sending crucial information to a preselected email address. The extracted data typically includes the operating system version, network configuration, and the contents of /etc/passwd and /etc/shadow files.
Concealing Malicious Presence
Open source rootkits are deployed on systems that support them, facilitating the concealment of malicious files and processes. Activity logs are meticulously erased from various system locations to mask any traces of the attackers’ presence. Furthermore, additional tools are introduced to eliminate other logs that could potentially reveal evidence of unauthorized access.
Countermeasures
Microsoft provides specific recommendations to safeguard your business from this prevalent attack:
- Harden internet-facing devices against attacks.
- Ensure secure configurations for devices by changing default passwords to robust ones and blocking external access to SSH.
- Maintain device health by regularly updating firmware and applying the latest patches.
- Adopt the principle of least privilege access and use a secure virtual private network (VPN) service for remote access, restricting access to the device.
- Whenever possible, update OpenSSH to the most recent version.
By implementing these proactive measures, you can significantly mitigate the risk posed by cryptojacking campaigns targeting Linux and IoT devices.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
