Source |
RiskIQ |
Identifier |
8589816 |
Publication date |
2024-10-01 16:15:17 (viewed: 2024-10-01 17:18:27) |
Title |
Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal |
Text |
## Snapshot
Sekoia's Threat Detection & Research (TDR) team identified a notable infection chain targeting both Windows and Linux systems through vulnerabilities in Oracle WebLogic Server. The attacker exploited [CVE-2017-10271](https://security.microsoft.com/intel-explorer/cves/CVE-2017-10271/) and [CVE-2020-14883](https://security.microsoft.com/intel-explorer/cves/CVE-2020-14883/) to deploy Python and Bash scripts, which executed the Go-based K4Spreader malware; K4Spreader in turn delivered the Tsunami backdoor and the PwnRig cryptominer.
## Description
CVE-2017-10271 is a remote code execution flaw in WebLogic's XMLDecoder, while CVE-2020-14883 allows unauthorized access to WebLogic servers, enabling attackers to potentially take control of vulnerable systems. K4Spreader is a malware variant designed to distribute additional malicious payloads; the Tsunami backdoor it delivers then enables attackers to maintain persistent access to and control over compromised systems. On Windows systems, the attacker attempted to execute a PowerShell script designed to install a cryptominer via a .NET-based loader called "CCleaner." Additionally, the campaign employs PwnRig, a cryptominer that consumes system resources to mine Monero.
Researchers identified a possible connection between K4Spreader and the Hadooken malware. Hadooken is a malware variant known for exploiting the same WebLogic vulnerabilities, [reported by AquaSec](https://security.microsoft.com/intel-explorer/articles/0d8ef9ca). The similarities include overlapping code and tactics used in their operations. Sekoia's analysis of K4Spreader and Hadooken, including the shared Monero wallet, points to the 8220 Gang intrusion set as the likely perpetrator of these attacks. The 8220 Gang, [also known as Water Sigbin](https://security.microsoft.com/intel-explorer/articles/d4ad1229), is allegedly based in China and primarily exploits vulnerable cloud environments to deploy cryptomining malware. Its objective is to hijack system resources to mine Monero cryptocurrency (XMR). The intrusion set commonly targets cloud hosting services and has a victim count that fluctuates between 200 and 250 machines.
## Recommendations
Microsoft recommends the following to help identify and mitigate cryptojacking attacks, alongside specific product detections. These recommendations are based on observations from responding to multiple resource abuse engagements.
- **Separation of privileged roles** – Keep administrator and normal user accounts separate. Non-administrator users who require privileged roles in the environment for specific functions should use [Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure?ocid=magicti_ta_learndoc) to access the roles on an as-needed basis in a way that can be audited and tracked, or have separate accounts created for that purpose. In most resource abuse cases Microsoft Incident Response has investigated, the initially compromised user is over-privileged in some way. It is therefore good practice to limit the number of accounts that hold the [virtual machine contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role. In addition, accounts with this role should be protected by MFA and [Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview) where possible. Also, since a global admin must enable the [elevate access](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) option to obtain permissions over all Azure resources, enabling it should be treated as a highly sensitive activity that is monitored and reviewed.
- **Multifactor authentication** – Tenant administrators should ensure that [MFA](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa) is in use comprehensively across all accounts. This is especially important if the account has vi |
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Vulnerability
Threat
Cloud
|