Attack Observation Report: Hello, SpaceX

Executive Summary

The following report provides an in-depth analysis of malicious activity conducted by IP 145.224.101.116, which belongs to SpaceX's Starlink autonomous system (AS). This IP was selected for further investigation because of its association with the SpaceX ASN, an unusual and interesting origin for malicious activity. While there is no direct evidence that [1]CVE-2024-6387 was exploited in the observed activities, this IP has been flagged by multiple threat intelligence sources, including [2]GreyNoise and [3]CrowdSec, for engaging in opportunistic attacks such as SSH brute-forcing and scanning for alternative SSH ports. The attacker targeted vulnerable systems to establish persistent SSH access through brute-force methods followed by SSH key injection. This report also includes a statistical analysis of the attack patterns over a seven-day period.

Statistical Overview and Timeline Analysis

1. Total Number of Attacks

  • Overall Attacks Observed: 383 distinct attack sessions were recorded over seven days.
  • Attacks from IP 145.224.101.116: Out of the total, 127 attacks were directly traced back to IP 145.224.101.116.

2. Command Patterns and Payloads

  • Most Common Command Sequence: Most attack sessions involved a command sequence of 20 to 22 commands, with the 22-command sequence being the most frequent (249 instances). These commands typically modify SSH configurations to inject malicious SSH keys and ensure persistence.
  • Common Payloads:
    • Trojan.shell/malkey: Found in 379 sessions, including those initiated from IP 145.224.101.116, indicating widespread use in this campaign.
      • SHA-256 Hash: [4]a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
      • File Location: /root/.ssh/authorized_keys and /home/<username>/.ssh/authorized_keys
      • VT Malicious Hits: 25 detections
    • Trojan.ircbot/shell: Detected in a smaller number of sessions, highlighting variations in the tools used by the attacker.
      • SHA-256 Hash: [5]09a90e0a579cc4158383bab20885e409069be7104706a0635875fc6f7936e5d7
      • File Location: Typically located in /tmp/ before execution
      • VT Malicious Hits: 37 detections
    • Hosts File Manipulation: This technique was observed in several sessions. It was used to modify access control, potentially disrupting legitimate connections or blocking defensive measures.
      • SHA-256 Hash: [6]01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
      • File Location: /etc/hosts.deny
      • VT Malicious Hits: 0 detections

3. Geolocation and Origin Analysis

  • IP Origin (145.224.101.116): This IP is associated with SpaceX's Starlink AS in Greece, with an additional session linked to the US.
  • Target Geolocations: The attacks targeted systems globally, with a notable focus on cloud infrastructure in Europe and North America. The attack origins spanned various countries, indicating a widespread attack vector.
  • Correlation with Local Time: When mapped to local times at the target locations, the attack times often fell during early morning hours, a common tactic to exploit off-peak monitoring times.

Detailed Analysis of CVE-2024-6387 Exploitation

1. Vulnerability Description

  • CVE-2024-6387: This vulnerability allows remote code execution via misconfigured services, which can be exploited by sending crafted requests that enable arbitrary command execution.
  • Known Exploitation: Although IP 145.224.101.116 has been associated with campaigns exploiting CVE-2024-6387, no direct evidence was found in the observed activities to confirm its exploitation during this campaign.

2. Tactics, Techniques, and Procedures (TTPs)

  • Initial Access (T1078.003): The attacker utilized brute-force techniques to obtain valid credentials.
  • Persistence (T1098.004): After successful login, the attacker injected SSH keys into .ssh/authorized_keys files, ensuring future access without re-authentication.
  • Defense Evasion (T1222): Commands like chattr -ia .ssh were used to modify file attributes, circumventing security measures designed to protect these directories. This technique, coupled with the careful timing of commands to avoid detection, demonstrates a sophisticated understanding of the target environments.

3. Impact Assessment

  • Resource Hijacking: The primary impact could include resource hijacking (e.g., crypto mining), though no such activity was confirmed in this session. However, the persistent access established by the attacker indicates the potential for long-term exploitation of compromised systems.
  • Data Exfiltration Potential: With the level of access achieved, the attacker could easily exfiltrate sensitive data or deploy additional payloads to compromise the system more broadly. The consistency of the attacks, especially those targeting root accounts, suggests a high potential for data exfiltration or further network penetration.

Additional Insights from GreyNoise

  • Opportunistic and Malicious Behavior: According to GreyNoise, IP 145.224.101.116 has been flagged for engaging in opportunistic attacks, specifically SSH brute-force attempts and scanning for non-standard SSH ports. The IP is categorized as Malicious and associated with worm-like behavior, suggesting a non-targeted, widespread attack strategy.
  • Scanning and Fingerprinting: The IP was observed scanning ports 22 and 2222, among other ports commonly associated with SSH services, reinforcing its classification as an SSH brute forcer and alternative-port crawler. This behavior aligns with the observed attack patterns, in which the same SSH vulnerabilities were exploited across different sessions.

Recommendations

  • Patching: Immediate patching of CVE-2024-6387 is critical to prevent further exploitation, even though no direct evidence of exploitation was observed in this campaign. Given the IP’s history, proactive measures are essential.
  • SSH Hardening: Enforce strong, unique passwords and disable password-based authentication where possible. Implement multi-factor authentication (MFA) to add layers of security. Consider restricting SSH access to trusted IP addresses and using non-standard SSH ports to reduce the attack surface.
  • Monitoring and Detection: Deploy and enhance monitoring of SSH activity, particularly for unauthorized changes to .ssh/authorized_keys and the use of commands like chattr. Implement alerting for unusual login times or unexpected geolocations, which could indicate an active attack or reconnaissance attempt.
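As an added example (not part of the original report), the following Python script implements the monitoring recommendation above and covers the TTP chain described earlier: it walks constructed honeypot log lines in a Cowrie-style JSON-lines shape (the field names session, src_ip, eventid and input are assumed) and flags sessions that strip attributes from .ssh, append to authorized_keys, or tamper with /etc/hosts.deny.

```python
import json
import re
from collections import defaultdict

# Indicators taken from the report's TTP section: stripping the immutable/
# append-only attributes from .ssh, appending a key to authorized_keys, and
# tampering with /etc/hosts.deny. Each regex is run against one shell command.
INDICATORS = {
    "chattr_unlock": re.compile(r"\bchattr\s+-[ia]{1,2}\b.*\.ssh"),
    "authorized_keys_write": re.compile(r"(>>?|\btee\b)\s*\S*\.ssh/authorized_keys"),
    "hosts_deny_tamper": re.compile(r"(>>?|\btee\b|\brm\b|\bsed\s+-i).*?/etc/hosts\.deny"),
}

# Constructed sample log in a Cowrie-like JSON-lines shape (assumed field
# names: session, src_ip, eventid, input); not taken from the report.
SAMPLE_LOG = """\
{"session":"a1","src_ip":"203.0.113.7","eventid":"cowrie.login.success","username":"root"}
{"session":"a1","src_ip":"203.0.113.7","eventid":"cowrie.command.input","input":"cd ~ && chattr -ia .ssh"}
{"session":"a1","src_ip":"203.0.113.7","eventid":"cowrie.command.input","input":"echo 'ssh-rsa CONSTRUCTED_KEY attacker' >> .ssh/authorized_keys"}
{"session":"a1","src_ip":"203.0.113.7","eventid":"cowrie.command.input","input":"rm -f /etc/hosts.deny; touch /etc/hosts.deny"}
{"session":"b2","src_ip":"198.51.100.9","eventid":"cowrie.command.input","input":"cat ~/.ssh/authorized_keys"}
{"session":"b2","src_ip":"198.51.100.9","eventid":"cowrie.command.input","input":"uname -a"}
"""

def analyze_sessions(log_text):
    """Group command events by session and record which indicators each one hit."""
    sessions = defaultdict(lambda: {"src_ip": None, "hits": set(), "commands": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rec = sessions[event["session"]]
        rec["src_ip"] = event.get("src_ip")
        if event.get("eventid") != "cowrie.command.input":
            continue  # login/logout events carry no command to inspect
        rec["commands"] += 1
        for name, pattern in INDICATORS.items():
            if pattern.search(event.get("input", "")):
                rec["hits"].add(name)
    return dict(sessions)

def flag_persistence(log_text, min_hits=2):
    """Return session ids whose indicator count suggests the key-injection chain."""
    return sorted(s for s, r in analyze_sessions(log_text).items() if len(r["hits"]) >= min_hits)

if __name__ == "__main__":
    for sid, rec in analyze_sessions(SAMPLE_LOG).items():
        print(sid, rec["src_ip"], sorted(rec["hits"]))
    print("flagged:", flag_persistence(SAMPLE_LOG))
```

A read-only `cat ~/.ssh/authorized_keys` in session b2 is deliberately left unflagged; only write or attribute-changing verbs count, which keeps routine administration out of the alert stream.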

References

[1] CVE-2024-6387

[2] GreyNoise

[3] CrowdSec

[4] Trojan.shell/malkey

[5] Trojan.ircbot/shell

[6] Hosts.deny