Researchers at Bitdefender recently discovered a Romania-based threat group hacking Linux machines and targeting systems with weak Secure Shell (SSH) credentials. The group was deploying Monero mining software, targeting cryptocurrency wallets, and exploiting misconfigurations to cause data breaches.
By Mukesh Makwana, Lead Blockchain Consultant at MindDeft Technologies
Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, said that Linux security has evolved over the years: platforms now offer far greater visibility and richer features than before. Securing Linux platforms means bringing the human element back into system reconfiguration and change management.
Computer users often use weak credentials, and attackers go undetected when launching brute-force attacks. The attackers obfuscate Bash scripts with a shell script compiler and report data back through Discord. In addition to traditional toolkits, they also use masscan and zmap alongside brute-force tools.
It’s not uncommon to find Linux users with weak SSH credentials and old usernames and passwords, and third-party resources make it easier for attackers to take advantage of system vulnerabilities.
Christoph Hebeisen said cryptojacking is “cloud intensive” and racks up high costs for victims whose risk factors are left unattended. Researchers believe cryptojacking attacks will rise, with threat actors building their APIs into scripts. Bitdefender researchers who investigated cryptojacking campaigns stated that most attackers are hard to trace, but despite the odds, their digital footprints can often be followed when they use these tools.
The challenge is cracking down on attackers who hide behind stolen code and never use the same tools twice when loading malware. Investigators believe that the methods and techniques adversaries employ all boil down to whether or not they want to be discovered. Those afraid of prosecution under their country’s laws and regulations usually keep their tracks hidden and take extra steps to protect themselves.
How Does This Romanian Cryptojacking Gang Operate?
The Romanian cryptojacking gang uses a ‘Dicot brute force’ technique to spearhead its massive malware campaigns. According to researchers, this is how they operate:
- They use a unique scanning method to identify and target Linux servers.
- Archives such as tar, Juanito, scn, and skamelot are hosted by them on these servers.
- The attackers use toolchains and these archives to find and crack weak SSH credentials.
- They record the cracked credentials, connect over SSH, and deploy payloads.
- A Go-based Dicot Brute, which uses a centralized API server, is then deployed as a service.
- Attackers use a shell script compiler and Bash scripts for obfuscation.
- They use Discord and webhooks to cover their tracks and wipe out traces. The goal of these methods is to steal credentials without getting detected.
Drive-by cryptomining is a scheme in which cybercriminals ask for access permissions to users’ cryptocurrency wallets in exchange for free content. Malicious programs can keep mining cryptocurrency in the background even after users leave the websites, and there are Trojans that infect Android phones and drive up processing-power consumption.
Why Do Brute Force Attacks Work?
The main reason brute-force attacks work is the user base they target and how those users set weak credentials. Easy-to-guess, simple passwords are the top reason accounts get hijacked through brute-force techniques.
The Dicot Brute tool filters out honeypots, and researchers discovered that the cryptojacking campaigns are launched using a “.93joshua” loader.
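A defender sees the brute-force phase described above as a burst of failed SSH logins from one source, often across many usernames, followed by one success. The following detection logic is an added example written for this article, not code from Bitdefender or the gang’s toolkit; the sshd log lines, addresses and the 60-second/5-failure thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (made up for this example; not from the article or the report).
SAMPLE_AUTH_LOG = """\
Jul 14 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jul 14 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jul 14 10:00:05 host sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Jul 14 10:00:06 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2
Jul 14 10:00:08 host sshd[2005]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jul 14 10:00:09 host sshd[2006]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Jul 14 10:05:30 host sshd[2011]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2021):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_brute_force(log_text, window_seconds=60, threshold=5):
    """Flag source IPs with >= threshold failures inside window_seconds, listing the
    usernames tried and whether a later login from that IP succeeded."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[ip].append((ts, result, user))
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, r, u in evs if r == "Failed"]
        for i in range(len(fails)):
            j = i  # grow the window forward from failure i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                users = sorted({u for _, u in fails[i:j]})
                success = any(r == "Accepted" and ts >= fails[i][0] for ts, r, _ in evs)
                findings[ip] = {"failures": j - i, "users": users, "followed_by_success": success}
                break
    return findings
```

A burst whose `followed_by_success` is true is the case to triage first: that is the session in which a payload such as the miner would have been dropped.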
What is Discord?
Discord is a VoIP and instant messaging app designed for building communities, group chats, and private media sharing. It is a free service available on both mobile and desktop, launched so users could communicate easily while gaming or live streaming.
Cybercriminals are using Discord to launch DDoS (Distributed Denial of Service) attacks, since the app unwittingly supports malware distribution through C2 servers and webhooks. Discord first launched in 2015 and can be linked to Xbox accounts, YouTube, and other social media platforms.
What is Cryptojacking?
Cryptojacking refers to hacking into personal and business computer systems to run cryptomining on them. The idea behind cryptojacking is to take advantage of enterprise computing power and resources to siphon cryptocurrency from company wallets and process unauthorized digital transactions without being detected.
The malicious code deployed on these systems runs in the background, which makes it difficult to detect, and cybercriminals use the hijacked computers to do their cryptocurrency mining work automatically.
How Cryptojacking Spreads – 3 Main Methods
There are three main ways cryptojacking scripts spread:
1. File-based Cryptojacking
This is when a malicious program is executed on the IT infrastructure, corrupting and hijacking systems. File-based cryptojacking is done primarily through emails that lure users into clicking malicious links. When a user opens an attachment in one of these emails, the malicious code downloads and executes itself. The script works in the background and steals information without the user’s knowledge.
2. Browser-based Cryptojacking
3. Cloud Cryptojacking
Attackers search for API keys within the organization to access and exploit cloud services. When they succeed in acquiring them, they can use unlimited computing resources to mine cryptocurrency and illicitly harvest sensitive data while erasing their digital footprints.
Cryptojacking Prevention Tips
Cryptojacking is unlike traditional malware attacks, where computers are hijacked and attacked directly to acquire information assets. In cryptojacking, attackers do not attack computers for their data but exploit them for their CPU processing power. Companies like Coinhive author crypto-mining scripts and sell them online, which attackers buy and make use of.
A cryptojacking incident uses significant energy and computing resources, which makes it a massive drain on an enterprise’s technological bandwidth. An organization that fails to address cryptojacking incidents risks losing money and time and faces reputational hazards. Here are some tips on how users can avoid falling victim to cryptojacking attacks:
- Use browser extensions like MinerBlock or NoCoin to block mining activity online.
- Patch systems frequently and keep malware intrusion detection software updated.
- Implement a BYOD (Bring Your Own Device) policy at your company and make security awareness training mandatory for all employees.
- Use DNS filters and firewalls, and install the best web filtering tools.
- Install antivirus software and block pages that serve cryptojacking mining scripts.
- Continuously monitor your enterprise’s computing resources, check CPU energy consumption, and ensure no cloud misconfigurations exist.
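The last tip, together with the weak-SSH-credential entry point described earlier, comes down to checking the server configuration the brute-forcer depends on. The audit below is an added example written for this article (not a tool from Bitdefender, Thycotic or the author); the sshd_config fragment is constructed, the OpenSSH defaults are those documented for the directives, and the hardening baseline (key-only logins, no root password logins, at most three tries) is this example’s assumption.

```python
import re

# Constructed sshd_config fragment carrying the settings a password brute-forcer needs.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# OpenSSH's own defaults when a directive is absent (so a missing line is not "safe").
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "maxauthtries": "6"}
# This example's hardening baseline (an assumption, not the article's): keys only, few tries.
WANTED = {"permitrootlogin": ("no", "prohibit-password"), "passwordauthentication": ("no",),
          "pubkeyauthentication": ("yes",), "maxauthtries": ("1", "2", "3")}
FIXES = {"permitrootlogin": "PermitRootLogin no", "passwordauthentication": "PasswordAuthentication no",
         "pubkeyauthentication": "PubkeyAuthentication yes", "maxauthtries": "MaxAuthTries 3"}

def _directive(raw):
    """Split one sshd_config line into (key, value); comments and blanks give (None, None)."""
    parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
    return (parts[0].lower(), parts[1].strip()) if len(parts) == 2 else (None, None)

def parse_sshd_config(text):
    """Map directive -> value; the first occurrence wins, as in sshd itself."""
    settings = {}
    for raw in text.splitlines():
        key, value = _directive(raw)
        if key:
            settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return [(directive, effective value, 'explicit'|'default')] for every weak setting."""
    settings = parse_sshd_config(text)
    return [(k, settings.get(k, DEFAULTS[k]), "explicit" if k in settings else "default")
            for k in WANTED if settings.get(k, DEFAULTS[k]).lower() not in WANTED[k]]

def harden_sshd_config(text):
    """Rewrite weak directives in place and append baseline lines for ones only defaulted."""
    weak = {k for k, _, _ in audit_sshd_config(text)}
    explicit = parse_sshd_config(text)
    out = []
    for raw in text.splitlines():
        key, _ = _directive(raw)
        out.append(FIXES[key] if key in weak else raw)
    out.extend(FIXES[k] for k in sorted(weak) if k not in explicit)
    return "\n".join(out) + "\n"
```

Note that a config with no `PasswordAuthentication` line at all is still flagged, because OpenSSH enables password logins by default.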
Cryptojacking Consequences Organizations Cannot Ignore
Here is a list of the top reasons organizations shouldn’t ignore the consequences of cryptojacking, and what those consequences can lead to when left unchecked:
Network and Device Performance Issues
Cryptojacking incidents have been seen to cause a massive power drain on network machines. The more machines an organization has, the more dramatically its electricity costs go up after an incident.
Misconfigurations in Cloud
Cybercriminals can exploit vulnerabilities in cloud platforms and use public cloud environments to mine cryptocurrency 24×7. Misconfigurations in containerization technology and unrestricted cloud access can spell disaster for employees when cryptojackers take full advantage of these resources.
Cryptojackers can also cause brands to fail legal and regulatory compliance requirements by exploiting vulnerabilities and exposing them to the public. Businesses can end up losing clients through reputational damage, and there is no way of recovering from that.
What to Do After a Cryptojacking Incident
Experts advise enterprises to be on the lookout for unexpected network spikes, increased processing-power consumption, and intensive resource utilization when scanning for cryptojacking threats. If you have already been affected, the next best step is to run a cyber forensics analysis to assess the extent of the damage.
Set up real-time malware monitoring solutions and block websites or URLs that embed cryptojacking scripts and communicate with corporate servers. Testing systems for unpatched vulnerabilities, doing vulnerability assessments, and switching to hardware/software vendors that aren’t vulnerable to cryptojacking code are also recommended. Backup and recovery should be the primary focus after an incident, and organizations should do their best to secure endpoint devices so that they don’t get compromised again.
What’s the Cryptojacking Scene?
China banned cryptocurrency trading exchanges back in 2017, and financial companies were advised by official authorities not to transact digital coins in yuan. U.S. President Biden stated that China had a hand in the Microsoft Exchange email hacks earlier this year, and that hackers working for the PRC Ministry of State Security (MSS) were involved in recent ransomware, cryptojacking, and extortion schemes across the world.
The U.S. Government declared that a ransomware task force was already underway and that authorities were working to crack down on cybercriminals by tracing crypto payments linked to these attacks. Researchers said that the recent Linux system breaches come down to user inattentiveness and server misconfigurations. Several tools are now available to hackers who offer malware programs under a distributed-as-a-service model. In May, researchers began investigating the cryptojacking group and found that the criminals left backdoors that let other adversaries gain access and cause further damage, such as ransomware attacks.
Cybercriminals used the Prometei botnet to exploit Microsoft Exchange vulnerabilities in early 2021 and harvested malware to launch state-sponsored attacks. According to a cryptocurrency mining threat report, illicit cryptomining was being carried out by a threat group dubbed PowerGhost, which stole Windows credentials by spear-phishing organizations worldwide.
Carson said that most cryptojacking techniques are shared openly on the dark web; anyone with an Internet connection and crypto-mining software could start a cryptojacking campaign. A major risk of cryptojacking is the enormous energy consumption it imposes on organizations’ computers; companies could end up paying thousands of dollars in utility bills if they leave threats unchecked.
About the Author
Mukesh Makwana is an experienced lead with over 5 years of experience. He is a skilled professional in Blockchain, Python, ReactJS and Java. He is currently working as a Fullstack Blockchain developer; in the past he has also worked as a React developer, Python developer and Java Liferay developer. He works on technologies such as Ethereum, Python and Java, among others, to provide the best solutions for the client. Mukesh graduated from Silver Oak University with a Bachelor of Engineering (BE) in computer engineering.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.