
Hackers Concentrating on WebLogic Servers and Docker APIs for Mining Cryptocurrencies

Written by admin



Threat actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.

Cybersecurity company Trend Micro said it found the financially motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux (SELinux), and others.

The operators behind the Kinsing malware have a history of scanning for vulnerable servers to co-opt them into a botnet, including those running Redis and SaltStack, and those affected by Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).


The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.

The latest wave of attacks involves the actor weaponizing CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.

It's worth noting that the vulnerability has been exploited in the past by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems.

Successful exploitation of the flaw was followed by the deployment of a shell script that is responsible for a series of actions: removing the /var/log/syslog system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.

The shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of a cron job.

"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious actions on affected systems," Trend Micro said. "This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine."

TeamTNT actors make a comeback with new attacks

The development comes as researchers from Aqua Security identified three new attacks linked to another "vibrant" cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.

"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) from a C2 server," Aqua Security researcher Assaf Morag said.

What's notable about the attack chain is that it appears to be designed to break SECP256K1 encryption, which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. Put differently, the idea is to leverage the high but illegally obtained computational power of its targets to run the ECDLP solver and get the key.


Two other attacks mounted by the group entail the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.

TeamTNT's targeting of Docker REST APIs has been well documented over the past year. But in an operational security blunder spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts have been uncovered.

The accounts – alpineos and sandeep078 – are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.

"The account alpineos was used in exploitation attempts on our honeypots thrice, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany," Trend Micro's Nitesh Surana said.

"The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out." Alternatively, "the threat actors logged in to their DockerHub account using the credentials of alpineos."

Trend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding that it notified Docker about these accounts.

It is also recommending that organizations configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and helpers to hold user credentials rather than keeping them inline in the Docker client configuration.
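The two recommendations above can be checked mechanically. The following is an added example (not Trend Micro's or Docker's code) that audits a parsed `daemon.json` for a TCP listener without mutual TLS and a `~/.docker/config.json` for registry logins kept inline instead of in a credential store; the sample configs and the certificate paths in them are constructed for the example, while the key names (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `auths`, `credsStore`, `credHelpers`) are the real Docker configuration keys.

```python
import json

# Constructed sample configs (not from any real host). The weak daemon config
# exposes the API on plain TCP; the hardened one is the TLS setup the article
# recommends. Certificate paths are placeholders.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
# Client config: an inline base64 "user:password" (constructed value) versus a credential store.
WEAK_CLIENT_JSON = '{"auths": {"https://index.docker.io/v1/": {"auth": "ZXhhbXBsZTpodW50ZXIy"}}}'
HARDENED_CLIENT_JSON = '{"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"}'


def audit_daemon_config(text: str) -> list[str]:
    """Findings for a daemon.json: a TCP listener without client-certificate
    verification, or tlsverify enabled without the certificate material it needs."""
    daemon = json.loads(text)
    findings = []
    tcp_hosts = [h for h in daemon.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: the API is not reachable over the network
    if not daemon.get("tlsverify"):
        findings.append("tcp listener %s without tlsverify: anyone who can reach the "
                        "port can start containers on the host" % ", ".join(tcp_hosts))
        return findings
    for key in ("tlscacert", "tlscert", "tlskey"):
        if key not in daemon:
            findings.append(f"tlsverify enabled but {key} is not set")
    return findings


def audit_client_config(text: str) -> list[str]:
    """Findings for ~/.docker/config.json: registry logins stored inline as base64
    rather than delegated to a credential store or per-registry helper."""
    client = json.loads(text)
    inline = [reg for reg, entry in client.get("auths", {}).items() if entry.get("auth")]
    if inline and not (client.get("credsStore") or client.get("credHelpers")):
        return ["base64 registry credentials stored inline for: " + ", ".join(inline)]
    return []


if __name__ == "__main__":
    for label, text, check in [("weak daemon", WEAK_DAEMON_JSON, audit_daemon_config),
                               ("hardened daemon", HARDENED_DAEMON_JSON, audit_daemon_config),
                               ("weak client", WEAK_CLIENT_JSON, audit_client_config),
                               ("hardened client", HARDENED_CLIENT_JSON, audit_client_config)]:
        print(label, check(text) or ["ok"])
```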
