Threat actors are compromising cloud accounts to create distributed workloads for cryptomining, taking over misconfigured and vulnerable cloud instances to launch distributed denial-of-service (DDoS) attacks, and abusing trial accounts from DevOps service providers.
A Romanian group, dubbed Outlaw, compromises Internet of Things (IoT) devices, Linux servers, and containers by exploiting known vulnerabilities in rudimentary ways and using stolen or default credentials, then mines the Monero digital currency or launches DDoS attacks. A more sophisticated group, TeamTNT, targets vulnerable software services; it ramped up attacks starting last November even while claiming it would halt operations. And the Kinsing group maintains an impressive number of cloud exploits and rapidly pivoted to an exploit for the Log4j vulnerability in December, according to a report released by Trend Micro on March 29.
The attacks should be a warning sign to companies that their security controls are not working well in the cloud, says Stephen Hilt, a senior threat researcher with Trend Micro.
“The amount of poorly configured cloud instances is high, and these groups are taking advantage of it,” he says. “The systems are unchanged from the attackers, so this doesn’t set off any red flags for things like changing passwords, adding their mining software and scripts, and leaving everything else untouched. If you aren’t paying for the on-demand pricing, it is likely a long time before you notice their activities, specifically the groups that set limits on resources the miners can use.”
Other attackers have found ways to exploit the free tier of continuous integration, continuous deployment (CI/CD) pipeline services — such as Azure DevOps, BitBucket, CircleCI, GitHub, GitLab, and TravisCI — and string together the transient workloads into a cryptomining cloud service, according to cloud security firm Aqua Security. In one case, an attacker used multiple six-hour build steps to add processor cycles to a pooled mining service, according to a blog post published by the company last week.
The attacks are simple to detect on paper but hit at the heart of the cloud model, where offering developers trial accounts or a free tier spurs usage and subscriptions and is an essential business practice. Adding barriers could hamper future growth of cloud services or make developers less likely to try out new services, says Mor Weinberger, a software engineer with Aqua Security’s Argon team.
“Even when barriers are implemented, advanced actors are still able to bypass them,” he says. “Going forward, I believe platforms will substantially strengthen their defenses against cryptomining attacks and threat actors will seek more profitable and less resistant targets.”
The research underscores that attackers are finding ways to compromise and monetize cloud offerings that differ from tactics used to compromise and monetize devices, desktops, and servers. Access-as-a-service groups, for example, will often use compromised cloud accounts to run cryptominers or generate DDoS attacks as a way to generate extra income.
Cybercriminal “Capture the Flag”
Different groups are also competing for cloud resources. TeamTNT, for example, appears to have targeted systems compromised by a rival cryptocurrency mining group known as Kinsing, according to Trend Micro’s report. Meanwhile, Outlaw recently created a tool to find and remove the utilities and settings used by other mining gangs to compromise cloud services, the report states.
“They are fighting for the sake of which group owns the box — [they] want all the resources for mining to go to [them], not the other groups,” says Trend Micro’s Hilt. “This leads to them kicking each other out, cleaning up the other’s malware and scripts, and trying to maintain the box themselves. Effectively, the attackers are playing a criminal game of capturing the flag in your infrastructure.”
Many companies might consider the attacks less serious, since they may not affect operations or customer privacy, but having visibility into cloud instances to detect such attacks is critical, Hilt says.
In addition, cloud services may find that their resources are quickly overrun if attackers can automate cryptomining as part of a CI/CD pipeline, says Aqua Security’s Weinberger. Because the throughput of the attack varies based on the number of accounts managed by the attackers, the threat actors will often create multiple accounts and pipelines across different platforms, he says.
“This also helps them avoid being fully blocked in case the platforms detect some of their accounts,” Weinberger adds.
Companies and cloud services should focus on visibility as the first step to prevention, using the maturity of the accounts to allow more utilization and detecting indications of mining-based processes and network telemetries, he says.
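The “visibility first” advice above comes down to correlating process and network telemetry for mining indicators. The script below is an added example, not tooling from Trend Micro or Aqua Security: it scans a constructed process list and socket table for stratum pool URLs, known miner binary names, CPU-throttling flags of the kind the quoted groups use to stay under alerting thresholds, and outbound connections to common pool ports. The indicator sets and sample records are assumptions a defender would tune to their own estate.

```python
"""Hunt for cryptomining indicators in process and socket telemetry.

Added example (not Trend Micro's or Aqua Security's tooling). The process
list and connection table below are constructed; the indicator sets are
assumptions a defender would tune to their own estate.
"""
import re
from dataclasses import dataclass

# Assumed indicators: stratum mining-protocol URLs, common miner binary
# names, and TCP ports that public Monero pools commonly listen on.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.-]+):(\d+)", re.I)
MINER_NAMES = {"xmrig", "kdevtmpfsi", "minerd"}
POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}
# Flags that cap CPU use; groups that throttle their miners to stay under
# alerting thresholds leave these in the command line.
THROTTLE_RE = re.compile(r"--(?:max-cpu-usage|cpu-max-threads-hint)[= ]\d+")


@dataclass
class Proc:
    pid: int
    user: str
    cmdline: str


@dataclass
class Conn:
    pid: int
    raddr: str
    rport: int


def scan_processes(procs):
    """Return {pid: [reasons]} for processes that look like miners."""
    findings = {}
    for p in procs:
        reasons = []
        argv = p.cmdline.split()
        exe = argv[0].rsplit("/", 1)[-1].lower() if argv else ""
        if exe in MINER_NAMES:
            reasons.append(f"known miner binary {exe}")
        m = STRATUM_RE.search(p.cmdline)
        if m:
            reasons.append(f"stratum pool {m.group(1)}:{m.group(2)}")
        # A throttle flag alone is weak evidence (build tools take similar
        # flags), so it only strengthens an existing finding.
        if reasons and THROTTLE_RE.search(p.cmdline):
            reasons.append("CPU throttling flag (stealth mining)")
        if reasons:
            findings[p.pid] = reasons
    return findings


def scan_connections(conns):
    """Return (pid, 'ip:port') for sockets talking to known pool ports."""
    return [(c.pid, f"{c.raddr}:{c.rport}") for c in conns if c.rport in POOL_PORTS]


def scan(procs, conns):
    """Correlate both scans by PID so a renamed miner is still caught via its socket."""
    findings = scan_processes(procs)
    for pid, peer in scan_connections(conns):
        findings.setdefault(pid, []).append(f"connection to pool port {peer}")
    return findings


# Constructed sample telemetry (not from a real incident).
SAMPLE_PROCS = [
    Proc(1, "root", "/usr/sbin/sshd -D"),
    Proc(2017, "www-data", "/tmp/.x/xmrig -o stratum+tcp://pool.example.net:14444 "
                           "-u WALLET --max-cpu-usage 50"),
    Proc(3001, "app", "/tmp/kdevtmpfsi"),
    Proc(4100, "deploy", "node server.js --max-cpu-usage 50"),
]
SAMPLE_CONNS = [
    Conn(1, "198.51.100.9", 51002),
    Conn(2017, "203.0.113.5", 14444),
    Conn(3001, "203.0.113.7", 4444),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(pid, "; ".join(reasons))
```

The throttle flag is deliberately treated as supporting evidence only: on its own it would flag ordinary build and runtime tools, and the groups described above rely on exactly that kind of false-positive fatigue. Correlating by PID with the socket table also catches a miner that has been renamed to something innocuous but still talks to a pool.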
A day after Viasat offered an explanation for a cyberattack causing widespread outages of its equipment at the start of the invasion of Ukraine — just as the Ukrainian military would be leaning on the satellite internet service the most — researchers at SentinelOne offered a contradictory explanation involving wiper malware with significant code overlaps with VPNFilter, malware linked to Russia.
Viasat’s KA-SAT network saw significant outages starting on Feb. 24 when operators noticed their satellite modems had been rendered inoperable. It was the most significant apparent cyberattack believed to correspond with the Russian war effort, though six additional sets of wiper attacks, most notably WhisperGate and HermeticWiper, have also been seen in Ukraine since the build-up to the war.
On Wednesday, Viasat wrote in a blog post that it had found “no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference” in the attack. Instead, it said, an attacker had used internal “network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
In an exhaustive blog post, SentinelOne said it had found malware likely designed to wipe modems — contradicting the legitimate commands explanation from Viasat.
Juan Andres Guerrero-Saade, one of the researchers behind the SentinelOne report, said that even before identifying the likely malware culprit, the Viasat explanation did not make logical sense. He called for Viasat to release more details if it stood by its original explanation.
“I doubt there’s any legitimate commands that would overwrite the flash memory of the routers unless you’re pushing an update or a binary, which is what they say did not happen. And if that’s being done from the management section, that is a supply chain attack, which they also said did not happen,” he told SC Media.
Instead, said Guerrero-Saade, a more likely explanation was that the modems were wiped using malware SentinelOne discovered on VirusTotal.
The wiper, which SentinelOne is dubbing “AcidRain,” is a 32-bit big-endian (MSB) MIPS ELF executable that was uploaded to VirusTotal under the name Ukrops. SentinelOne found the binary while looking into the Viasat claims, because MIPS ELF binaries are a rare find on VirusTotal.
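The classification above (32-bit, MSB, MIPS) is read straight from the first 20 bytes of an ELF file, which is what makes such samples easy to pick out of a large corpus even before any analysis. The script below is an added example, not SentinelOne's tooling: it parses the ELF identification fields and machine type in the file's own byte order and flags samples in that class. The sample headers are constructed byte strings and none is taken from the real binary.

```python
"""Triage ELF headers for the class AcidRain belongs to: 32-bit, big-endian (MSB), MIPS.

Added example, not SentinelOne's tooling. The sample headers are constructed
byte strings; none is taken from the real sample.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5           # offsets of the class and data-encoding bytes in e_ident
CLASSES = {1: "ELF32", 2: "ELF64"}
ENDIANS = {1: "LSB", 2: "MSB"}
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ET_EXEC, ET_DYN = 2, 3


def parse_elf_header(data: bytes):
    """Return the identity fields of an ELF header, or None if the bytes are not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    cls, endian = CLASSES.get(data[EI_CLASS]), ENDIANS.get(data[EI_DATA])
    if cls is None or endian is None:
        return None
    # e_type and e_machine follow the 16-byte e_ident and are stored in the
    # file's own byte order, so the endianness byte must be honoured first.
    fmt = (">" if endian == "MSB" else "<") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {"class": cls, "data": endian, "type": e_type,
            "machine": MACHINES.get(e_machine, f"unknown({e_machine})")}


def is_mips32_msb_exec(data: bytes) -> bool:
    """True for ET_EXEC executables matching AcidRain's header class."""
    h = parse_elf_header(data)
    return bool(h and h["class"] == "ELF32" and h["data"] == "MSB"
                and h["machine"] == "MIPS" and h["type"] == ET_EXEC)


def triage(samples):
    """Return the names of samples worth a closer look."""
    return [name for name, data in samples.items() if is_mips32_msb_exec(data)]


def make_header(ei_class, ei_data, e_type, e_machine) -> bytes:
    """Build a minimal 52-byte ELF32-sized header (constructed test input only)."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    fmt = (">" if ei_data == 2 else "<") + "HHI"
    return ident + struct.pack(fmt, e_type, e_machine, 1) + b"\x00" * 28


# Constructed samples; the byte strings are synthetic, not real malware.
SAMPLES = {
    "mips_msb_exec": make_header(1, 2, ET_EXEC, 8),
    "mips_lsb_exec": make_header(1, 1, ET_EXEC, 8),
    "arm_lsb_exec": make_header(1, 1, ET_EXEC, 40),
    "x86_64_dyn": make_header(2, 1, ET_DYN, 62),
    "pe_file": b"MZ" + b"\x00" * 50,
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Reading e_type and e_machine with the wrong byte order is the common mistake here: a big-endian MIPS file read as little-endian reports machine 0x0800 rather than 8, so a naive filter silently misses exactly the class of sample the researchers were looking for.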
Researchers have documented the state Viasat modems’ storage was left in after the cyberattack. AcidRain would leave those modems in an identical state. The wiper overwrites seven sections of storage relevant to IoT devices with decremented data. It is written generally enough that the wiper could be reused in other circumstances after this use.
AcidRain shows overlaps with VPNFilter, malware the FBI linked to the Russian Sandworm APT. There have not been any formal public attributions connecting any of the cyberattacks in Ukraine to Russia, and Guerrero-Saade cautions that code overlap is not a strong enough connection to make a formal attribution in this case. But it is one of the more substantial connections found so far between the invading nation and the attacks.
“The connections are not trivial. They are significant,” said Guerrero-Saade.
The Viasat attack saw some of the most widespread spillover of any cyberattack during the war, affecting modems throughout Europe, including nearly 6,000 wind turbines in Germany. While cyberattacks have been muted in comparison to what Russia has unleashed against Ukraine in the past, potential attacks that may eventually be attributed to Russia are non-negligible.
The Ukrop name seen on the binary could refer to a number of things, according to SentinelOne. It could simply be a shortening of “Ukrainian Operation,” a reference to the Ukrainian Association of Patriots, or an anglicization of the Russian ethnic slur against Ukrainians, Укроп. “I hope it’s Ukrainian operation,” said Guerrero-Saade.
AcidRain would be the seventh wiper associated with the invasion of Ukraine.
Anonymous has taken Operation OpRussia a step further by targeting MashOil and RostProekt, both major players in their respective industries.
The online hacktivist group Anonymous has claimed responsibility for targeting two Russian companies, stealing a trove of their data, and leaking it online for the public to download.
MashOil Data Breach
MashOil is a Moscow based company known for designing, manufacturing, and maintaining equipment used in the drilling, mining, and fracking industries. According to the company’s website, “MashOil LLC is the official representative of the FID Group in the Russian Federation.”
FID Group, for its part, is a group of Belarusian and Russian enterprises specializing in manufacturing equipment for the oil and gas industry in both countries. Anonymous has claimed responsibility for breaching MashOil and stealing 110 GB worth of its data.
The data includes over 140,000 emails which can be downloaded via torrent and is available on the official website of Distributed Denial of Secrets (aka DDoSecrets), a non-profit whistleblower organization.
On Twitter, @YourAnonNews, one of the largest social media representatives of the Anonymous movement, also confirmed the hack.
RostProekt is a Russian construction company based in the city of Ivanovo. Anonymous claimed to target the company over the weekend and leaked 2.4GB worth of files containing email data. The files can be downloaded via torrent from the official website of DDoSecrets.
As seen by Hackread.com, according to the information posted on the website, RostProekt operates in the “construction, foundation, structure, investments, and building exterior contractors” industry.
Message From Anonymous
The RostProekt data breach was originally announced by @DepaixPorteur, an Anonymous affiliate who also played a vital role in hacking unsecured printers in Russia and sending anti-war and anti-censorship printouts across the country. Addressing the RostProekt breach, @DepaixPorteur said:
We are Anonymous. We have created a new site to host our upcoming leaks + future Anonymous leaks. We also hacked Rostproekt emails as a treat to celebrate the new site & to hold you over while waiting for the upcoming dump(s).
It is worth noting that Anonymous has launched two new websites where the group has been publishing download links and details of previous and future data dumps under Operation OpRussia to mark a protest against the Russian invasion of Ukraine.
Anonymous vows 1.22 TB of Russian Leak
In an exclusive conversation with Hackread.com, @DepaixPorteur revealed that their group is currently working on a large-scale data leak belonging to sensitive Russian institutions. Anonymous said that they plan to leak 1.22TB worth of data in the next couple of weeks to mark a protest against the Russian invasion of Ukraine.
Anonymous Cyberwar Against Russia
It is no secret that Anonymous is standing strong with Ukraine over the ongoing conflict between the two countries. The group has so far targeted both the government and the private sector to spread its message.
On March 26th, 2022, Anonymous not only confirmed breaching the Central Bank of Russia but also leaked 28GB worth of banking data via DDoSecrets. The list and timeline of some of the cyberattacks reported by Hackread.com on the ongoing conflict between Russia and Ukraine are as follows:
Distributed denial-of-service (DDoS) attacks decreased slightly in number in 2021 but are becoming larger and more complex, an analysis from F5 has found.
Data showed a 3% year-on-year decline in the overall volume of attacks recorded in 2021. However, while volume may have declined, the severity of attacks ramped up markedly over the course of the year.
By Q4 2021, the mean attack size recorded was above 21 Gbps, more than four times the level from the beginning of 2020. Last year also saw the record for the largest-ever attack broken on multiple occasions.
“The volume of DDoS attacks has fluctuated by quarter, but the unmistakable trend is that these attacks are getting larger,” said David Warburton, Director of F5 Labs. “While the peak size of attack remained steady throughout 2020, last year we saw it climb consistently.”
Attacks are getting larger
While most attacks recorded in 2021 were under 100 Mbps, there were some notable exceptions.
After the largest attack of 2020 topped out at 253 Gbps, one that struck in February 2021 measured 500 Gbps. The record was shattered again in November with an attack weighing in at 1.4 Tbps, more than five times larger than the previous year’s record.
Targeting an ISP/hosting customer, the attack reached maximum bandwidth in just 1.5 minutes and lasted only four minutes in total, harnessing a combination of volumetric (DNS reflection) and application-layer (HTTPS GET flood) methods.
Attacks are becoming complex
Volumetric attacks, which use publicly available tools and services to flood a target’s network with more bandwidth than it can handle, continued to be the most common form of DDoS in 2021, comprising 59% of all recorded attacks. This represented a slight decline from 66% in the previous year, as the prevalence of protocol and application-type DDoS attacks ticked up, the latter increasing by almost 5% year-on-year.
This slight shift was underlined by changes in protocol usage: 27% of attacks in 2021 harnessed TCP, up from 17% the previous year, reflecting the requirements of more complex application- and protocol-based attacks.
In terms of specific attack methods, there were some notable changes in prevalence: DNS query attacks became more common, up 3.5% year-on-year, while the use of UDP fragmentation declined 6.5%. LDAP reflection also diminished by 4.6% and DNS reflection by 3.3%.
“Alongside changes in attack type, we continued to observe strong prevalence of multivectored attacks, including the 1.4 Tbps incident that utilised a combination of DNS reflection and HTTPS GETs,” said Warburton.
“This was particularly true at the start of the year, when multivectored attacks significantly outnumbered single-vector assaults. It illustrates the increasingly challenging landscape for threat protection, with defenders needing to employ more techniques in parallel to mitigate these more sophisticated attacks and prevent a denial of service.”
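Detecting a multivector attack of the kind described above means judging each vector by the right metric: a reflection flood is measured in bits per second, while an HTTPS GET flood shows up as a request or flow rate long before it moves the bandwidth graph. The script below is an added example, not F5's analysis: it classifies flow records by vector, aggregates them per second, and reports peak bandwidth, time to peak, duration and the vectors active at the peak. The telemetry is synthesised to resemble the incident described above (a DNS-reflection ramp peaking after 90 seconds alongside an HTTPS GET flood); the thresholds are assumptions.

```python
"""Classify DDoS flow telemetry by vector and spot multivector attacks.

Added example (not F5's analysis). The flow records are synthesised by
synth_attack() to resemble the incident described above; the thresholds
are assumptions a defender would calibrate to their own baseline.
"""
from collections import defaultdict

# Assumed activity thresholds: volumetric vectors are judged in bits/s,
# application-layer vectors in new flows/s (their packets are small).
BPS_THRESHOLD = 500e6
FPS_THRESHOLD = 1000
APP_VECTORS = {"https_get_flood"}


def vector_of(proto, sport, dport):
    """Map a flow's transport fields to the attack vector it most likely belongs to."""
    if proto == "udp" and sport == 53:
        return "dns_reflection"      # amplified responses from open resolvers
    if proto == "udp" and sport == 389:
        return "ldap_reflection"
    if proto == "tcp" and dport == 443:
        return "https_get_flood"
    return "other"


def per_second(flows):
    """Aggregate (t, proto, sport, dport, nbytes) records into per-second bps and flows/s."""
    bps = defaultdict(lambda: defaultdict(float))
    fps = defaultdict(lambda: defaultdict(int))
    for t, proto, sport, dport, nbytes in flows:
        v = vector_of(proto, sport, dport)
        bps[t][v] += nbytes * 8
        fps[t][v] += 1
    return bps, fps


def active_vectors(bps_t, fps_t):
    """Vectors over their threshold in one second, each judged by its own metric."""
    out = []
    for v in set(bps_t) | set(fps_t):
        if v == "other":
            continue
        if v in APP_VECTORS:
            rate, limit = fps_t.get(v, 0), FPS_THRESHOLD
        else:
            rate, limit = bps_t.get(v, 0.0), BPS_THRESHOLD
        if rate >= limit:
            out.append(v)
    return sorted(out)


def analyse(flows):
    """Summarise an attack: peak Gbps, ramp time, duration and vectors at the peak."""
    bps, fps = per_second(flows)
    attack_secs = sorted(t for t in bps if active_vectors(bps[t], fps[t]))
    if not attack_secs:
        return {"attack": False}
    peak_t = max(attack_secs, key=lambda t: sum(bps[t].values()))
    vectors = active_vectors(bps[peak_t], fps[peak_t])
    return {"attack": True,
            "peak_gbps": round(sum(bps[peak_t].values()) / 1e9, 2),
            "time_to_peak_s": peak_t - attack_secs[0],
            "duration_s": attack_secs[-1] - attack_secs[0] + 1,
            "vectors": vectors,
            "multivector": len(vectors) >= 2}


def synth_attack(seconds=240, ramp=90, dns_gbps=1.2, https_fps=1500):
    """Constructed telemetry: one aggregated DNS record per second ramping to
    dns_gbps, individual HTTPS flows every second, and background traffic."""
    flows = []
    for t in range(seconds):
        flows.append((t, "tcp", 40000, 22, 1_000_000))            # ~8 Mbps background
        dns_bytes = int(dns_gbps * 1e9 / 8 * min(t / ramp, 1.0))
        flows.append((t, "udp", 53, 33434, dns_bytes))
        flows.extend((t, "tcp", 50000 + i, 443, 500) for i in range(https_fps))
    return flows


if __name__ == "__main__":
    print(analyse(synth_attack()))
```

Note that the HTTPS vector is reported as active from the first second even though it adds only a few megabits per second to the total: a bandwidth-only detector would see a single-vector DNS flood starting some 40 seconds later and miss the application-layer component entirely, which is the mitigation gap the report's point about parallel techniques refers to.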
Financial services in the crosshairs
Banking, financial services and insurance (BFSI) was the industry most targeted by DDoS attacks in 2021, subjected to more than a quarter of the total volume. That continued a trend which has seen attacks against BFSI steadily rising since the beginning of 2020.
By contrast, technology, the most targeted sector of 2020, fell into fourth place behind telecommunications and education. Between them, these four industries accounted for 75% of all recorded attacks, with a long tail of others including energy, retail, healthcare, transportation and legal that saw hardly any adverse activity.
“Even though the number of attacks tapered off slightly in 2021, the DDoS problem is by no means abating,” said Warburton. “Both the size and complexity of these attacks are increasing, demanding a more agile and multi-faceted response from defenders.
“Although it is reasonable to question the efficacy of attacks that may only last for a few minutes, threat actors know that even a short interruption to a service can have significant consequences and adversely impact brand and reputation.
“As the sophistication and variety of DDoS attacks increases, organizations will find themselves using a wide variety of measures to protect against them, including upstream controls to inspect and limit the traffic reaching endpoints, and managed service providers who can work alongside internal security teams both to prevent attacks and move quickly to mitigate those in progress.”