Researchers Track Linux Intrusions to Cryptojacking Gang

Bitdefender security researchers have uncovered a Romania-based threat group, active since at least last year, that targets Linux machines with weak Secure Shell (SSH) credentials.

The researchers discovered the group was deploying Monero mining malware used to steal cryptocurrency. That malware also allows other kinds of attacks, according to Christoph Hebeisen, director of security intelligence research at Lookout, an endpoint-to-cloud security company, who is not associated with the Bitdefender report.

“That additional functionality can open the door for malicious activity such as stealing information, lateral movement, or botnets,” he told LinuxInsider.

The Linux connection places this group among the latest incidents tied to vulnerabilities associated with Linux. The operating system itself is, from the top down, a rigorous and secure computing platform; breaches of Linux systems are usually traced to misconfigurations and operators’ inattention to security issues.

“The state of Linux security today has evolved in a positive way with more visibility and security features built-in. However, like many operating systems, you must install, configure, and manage it with security in mind as that is how cybercriminals take advantage through the human touch,” Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a provider of cloud identity security solutions who also is not associated with the Bitdefender report, told LinuxInsider.

Old Tricks With New Tools

Attacks on computers with weak SSH credentials are not uncommon, according to a Bitdefender blog post published July 15. They are made easier because operators often leave default usernames and passwords in place or choose weak SSH credentials.

Hackers can overcome those common weaknesses easily with brute force. The trick is doing so in a way that goes undetected, according to Bitdefender.

A brute-force attack involves an attacker submitting many passwords or passphrases in the hope of eventually guessing one correctly. Researchers can identify hacker groups by the tools and methods they use.
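The weak credentials described above only matter if sshd is willing to accept password guesses in the first place. The following audit script is an added example, not code from the article or from Bitdefender: it parses an sshd_config the way sshd does (comments stripped, keywords case-insensitive, first occurrence of a keyword wins, everything after a Match line conditional and therefore outside the global audit) and reports the settings that make brute forcing viable. The defaults are those documented in sshd_config(5) for OpenSSH 8.x; the MaxAuthTries ceiling and both sample configs are this example’s own assumptions.

```python
"""Audit an sshd_config for the settings that make SSH password guessing viable.

Parsing rules that matter, from sshd_config(5): '#' starts a comment, keywords
are case-insensitive, the FIRST occurrence of a keyword wins, and everything
after a 'Match' line is conditional, so the global audit stops there.
"""
import re
from typing import Dict, List, Tuple

# Global defaults from sshd_config(5) for OpenSSH 8.x, used when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# This ceiling is the audit's own policy choice (assumption), not an sshd rule.
MAX_TRIES_ALLOWED = 4

# sshd accepts "Keyword value" and "Keyword=value"; keywords are alphanumeric.
_KEYVAL = re.compile(r"^([A-Za-z0-9]+)[\s=]+(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of each audited keyword."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                             # conditional section: out of scope
        if key not in seen:                   # sshd keeps the first value it sees
            seen.add(key)
            effective[key] = value
    return effective


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, why it matters) for each weak setting."""
    cfg = parse_sshd_config(text)
    findings: List[Tuple[str, str, str]] = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", cfg["passwordauthentication"],
                         "passwords can be guessed over the network; require keys"))
    # 'without-password' is the older alias of 'prohibit-password'.
    if cfg["permitrootlogin"].lower() not in ("no", "prohibit-password", "without-password"):
        findings.append(("PermitRootLogin", cfg["permitrootlogin"],
                         "root is reachable with a password"))
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append(("PermitEmptyPasswords", cfg["permitemptypasswords"],
                         "accounts with empty passwords can log in"))
    try:
        tries = int(cfg["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > MAX_TRIES_ALLOWED:
        findings.append(("MaxAuthTries", cfg["maxauthtries"],
                         f"more than {MAX_TRIES_ALLOWED} guesses per connection"))
    return findings


# Constructed sample configs for this example, not taken from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
# Exceptions below apply only to the matched user; the global audit ignores them.
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

Because sshd honours the first value it reads, a hardening line appended to the end of a file that already sets PasswordAuthentication yes changes nothing; the parser above reproduces that, so the audit reports what sshd will actually enforce. Settings inside Match blocks are deliberately left alone here and deserve a separate review.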

The number of original tools in this campaign and their complexity indicates that an individual or group with significant skills created this toolkit, suggested Lookout’s Hebeisen.

“The actors behind cryptojacking campaigns aim to use third-party computing resources to mine cryptocurrency for their financial gain. Cryptomining is very computationally intensive and as such, having cloud instances taken over by cryptojacking can drive up cloud costs for the victim,” said Hebeisen about the need for hackers to compromise large numbers of personal and enterprise computers.

Charting the Attack Discovery

The threat actor group Bitdefender tracked uses traditional hacking tools. Among the hackers’ toolkit, researchers found a previously unreported SSH brute-forcer written in the open-source programming language Go (Golang), according to Bitdefender.

Researchers believe this tool is distributed under a service model, since it uses a centralized application programming interface (API) server; threat actors in the group supply their own API key in their scripts.

“Like most other tools in this kit, the brute-force tool has its interface in a mix of Romanian and English. This leads us to believe that its author is part of the same Romanian group,” noted Bitdefender’s cybersecurity blog.

Researchers started investigating this group in May because of a cryptojacking campaign that used the same software loader. They then traced the malware to a file server with an open directory that also hosted other files and had been known to host other malware since February.

The security researchers connected the original tools in this hackers’ software kit to attacks seen in the wild. Most hackers have their favorite methods and techniques. When used often enough, these create a common fingerprint that can be used to track them digitally, according to Thycotic’s Carson.

“The ones that are tough to track are the ones who hide behind stolen code or never reuse the same methods and techniques again. For each new campaign, they do something completely different,” he said.

However, attackers who tend to take this path are typically well funded and resourced. Most cybercriminals will take the easy road and reuse as many existing tools and techniques as possible.

“It will really depend on whether the attacker cares about being discovered or not. The more steps an attacker takes to stay hidden tends to mean they operate within a country in which they could be prosecuted if discovered,” he added.

Hacker Tactics Risky

Most cryptojacking campaigns are all about stealing compute resources and energy. That motivates threat actors to limit the impact so they can stay hidden for as long as possible, according to Carson.

The impact to an organization is that it could affect business operations performance and result in a hefty energy bill that, over time, could run into thousands of dollars. Another risk is that the cryptojacking could leave backdoors, allowing other cybercriminals to gain access and cause further damage, such as ransomware.

“The techniques being used have been shared too often on the darknet, making it easy for anyone with a computer and an internet connection to start a cryptojacking campaign. The end goal is mining cryptocurrency to make a profit at the expense of others,” Carson said.

The hackers’ success or failure in the malware distribution campaign depends on individuals actually running the malware (cryptojacking or otherwise), noted Karl Steinkamp, director of PCI product and quality assurance at Coalfire, who is not associated with the Bitdefender report. How hard it is to track down the people behind the activities will vary, he observed.

“Some of these bad actors use bulletproof hosting, while others use hosting in locations where law enforcement has trouble engaging. There are also the bad actors that run operations directly from their primary location, and for these select few, it is quite often trivial to track and arrest these individuals,” Steinkamp told LinuxInsider.

Victims Aplenty, Once Found

Attackers hold the upper hand in getting successful attack results. In part, that is because there is no shortage of Linux machines with weak SSH credentials to compromise, noted Bitdefender.

The challenge is finding them.

Attackers hunt for victims by scanning for servers with weak SSH credentials. That process occurs in three stages, explained the Bitdefender blog.

Attackers host several archives on the server. These contain toolchains for cracking servers with weak SSH credentials. Depending on the stage, the attackers use different tools.

  • Stage one is reconnaissance. The hackers’ toolkit identifies SSH servers via port scanning and banner grabbing. The tools in play here are ps and masscan.
  • Stage two is credential access. The hackers identify valid credentials via brute force.
  • Stage three is initial access. The hackers connect via SSH and execute the infection payload.

For the last two stages, the group uses 99x and haiduc (both Outlaw malware) and ‘brute’.
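On the defender’s side, stages two and three leave a recognisable trail in sshd’s log: a burst of failed logins from one source, then an accepted login from that same source. The detector below is an added example, not code from the article or from Bitdefender. It parses syslog-style sshd lines, keeps a sliding window of failures per source IP, raises a brute-force alert when the window fills, and raises a second alert when an accepted login follows a run of failures. The log lines are constructed for this example, and the year is assumed because syslog timestamps omit it; thresholds are illustrative.

```python
"""Detect SSH password brute-forcing, and the login that follows it, from sshd log lines.

Stage two of the campaign is many guesses per source; stage three is the first
successful login from a source that was guessing. A sliding window of failures
per source IP catches the former; an 'Accepted' preceded by enough recent
failures from the same IP catches the latter.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Syslog timestamps carry no year; 2021 is assumed for the constructed sample below.
LOG_YEAR = 2021

_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)

Event = Tuple[datetime, str, str, str, str]   # (time, result, method, user, ip)


def parse_line(line: str) -> Optional[Event]:
    """Parse one sshd auth line; return None for lines that are not auth outcomes."""
    m = _LINE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse the padding in 'Jul  5'
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect(lines: Iterable[str], fail_threshold: int = 5, window_s: int = 60,
           accept_after: int = 3) -> List[Tuple[str, str, object]]:
    """Return alerts as (kind, source_ip, detail) tuples, in log order."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()                            # one brute-force alert per source
    alerts: List[Tuple[str, str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, _method, user, ip = ev
        q = recent_failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif result == "Accepted" and len(q) >= accept_after:
            # A success right after a burst of failures: the guessing worked.
            alerts.append(("success_after_failures", ip, user))
    return alerts


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 15 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 15 10:00:02 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jul 15 10:00:02 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jul 15 10:00:03 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51150 ssh2
Jul 15 10:00:04 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51160 ssh2
Jul 15 10:00:05 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Jul 15 10:03:10 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jul 15 10:03:40 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert is the one worth paging on: a brute-force burst that ends in an accepted login is the start of stage three, and the user and source in that tuple say which account to lock and which session to hunt for. Because the brute-forcer described above runs as a service behind a central API, guesses against one host may arrive from many sources; a complementary counter keyed on the target account rather than the source IP catches that distributed case.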

Four Keys To Stay Safe

Cryptojacking may allow the bad actors to perform all the traditional aspects of malware, with the added benefit of mining some form of crypto asset. Depending on how the malware is distributed and packaged and on the technical abilities of the bad actor, these crypto miners will often target Monero, Ethereum, or Bitcoin, explained Steinkamp.

Many of these cryptojacking malware packages are sold on underground sites to allow novice-to-expert bad actors to similarly participate. Gaining administrative access to one or more Linux hosts through SSH, system, or application vulnerabilities will allow them a foothold to attempt to compromise the host and then spread out laterally and vertically within the organization, he said.

“Organizations that have strong configuration management, alerting, log management, file integrity, and incident response will generally fare better to respond to a malware infection such as cryptojacking,” offered Steinkamp when asked about protection efforts to thwart such attacks.

If cryptojacking malware belongs to a known family or reuses code from other malware, antimalware rules and heuristics will likely pick up newer variants, he continued.

Cryptojacking malware that tries to hide by being compiled with a shell script compiler is readily reversible using freeware tools found on GitHub, allowing security teams to decompile samples built for x86, x64, MIPS, and ARM.

Bad actors using a different command and control (C2) mechanism for information reporting is a new occurrence but not unexpected, according to Steinkamp. Cryptojacking malware has used and continues to use IRC and HTTP for communications, and now Discord is appearing as well.

“Each of these, by default, transmits key information from the compromised host in cleartext, allowing the victim to log and readily see the communications. Both, however, also may be configured to use SSL, making tracking more difficult,” he noted.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
