Cloud Security , Security Operations
Chinese Group Targeting Vulnerable Cloud Providers, Apps
Cryptomining Campaign Targets Public Cloud Environments, Increases Security RisksCybersecurity researchers say a Chinese for-profit threat group tracked as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
The group employs a variety of tactics and techniques to hide its activities and evade detection, including the use of a blocklist to avoid tripping over honeypots. "Yet, the group is not perfect and was caught attempting to infect one of Radware's Redis honeypots at the beginning of this year," according to cybersecurity firm Radware.
The threat groups specializes in cryptomining campaigns that target public cloud environments for several reasons, including because they offer potential targets with sufficient or elastic computing resources, researchers say.
"Many organizations have limited visibility, making it more difficult for security and network operations to detect and respond to security threats, and the public cloud providers also offer limited security controls, making it easier for threat actors to find and exploit vulnerabilities," researchers say.
Attack Methods
The attackers used a custom crypto miner, "PwnRig," that slows down systems using CPU and GPU resources. This also causes devices to become unresponsive, which causes elastic compute nodes to expand their resources and ultimately results in "a huge, unexpected invoice for the victim at the end of the billing cycle."
Daniel Smith, head of research for Radware's Threat Intelligence division, tells Information Security Media Group that the main concern with cryptomining malware is that it can significantly affect a system's performance and can also expose systems to additional security risks.
"Once infected, threat actors, can use the same access to install other types of malware, such as keyloggers or remote access tools, which can subsequently be leveraged to steal sensitive information, gain unauthorized access to sensitive data or deploy ransomware and wipers," Smith says.
The threat group was also found infecting devices using the Tsunami IRC bot - aka kaiten, which it uses as a backdoor. Tsunami is one of the earliest IoT botnets. It dates back to 2001 and uses the IRC protocol for command and control.
An IRC bot is a set of scripts or an independent program that connects to internet relay chat as a client. The bot allows the threat actors to remotely control systems and launch distributed denial-of-service attacks.
"The Tsunami IRC bot supports four different types of denial-of-service attacks, including SYN and UDP floods. DDoS attacks from the Tsunami bot can significantly impact targeted websites or networks by degrading services or making them unavailable for legitimate users, resulting in financial losses for the victim," according to Radware researchers.
Technical Details
The source IP address for the attack was a compromised Apache server hosted on a major cloud provider, researchers say. This IP address sent a series of scripted commands to Radware's Redis honeypot using /api/login
and port 8443.
"These commands were cron jobs intended to download, install and execute a shell script named xms?redis
, a Python script named d.py
, a crypto miner called PwnRig, and the Tsunami IRC bot on the system where Redis is running.
Once these payloads are downloaded and executed, the shell script runs a series of commands designed to modify the system's configurations and settings. The commands from xms?redis
create two new directories and give anyone permission to read, write and execute files in these directories.
"The commands also disable SELinux, set a limit on the number of processes a user can have running at one time, disable the firewall management tool, ufw, and removes attributes from the /etc/ls.so.preload
file on targeted systems," researchers say.
The commands also executes a function to remove the security tools from several cloud providers, and it checks if outbound communications are "blocked by security components on targeted devices and deletes log files that may contain suspicious activity."
The 8220 Gang uses multiple scan functions to discover new potential targets, brute-force ssh services and collect ssh keys.
"The threat to cloud environments and insecure applications continues to pose risks to organizations around the world, especially those that use weak credentials or do not patch vulnerabilities immediately. Because of poor security hygiene, low-skilled groups like the 8220 Gang are able to cause a significant impact on targeted systems," Smith says.
Radware researchers recommend that organizations adopt a comprehensive security strategy that includes security controls, monitoring, and incident response capabilities to protect their cloud environments and applications from cryptomining campaigns.
It also advises organizations to ensure their security controls provide visibility into their hybrid and multi-cloud environment to detect and respond to new security threats.