By now, the threat landscape of unauthorized cryptomining and cryptojacking has been researched and discussed in depth, not only by NTT Security but by the cybersecurity community in general. In 2017, as cryptocurrency values rose, cyber criminals jumped on board with custom and re-usable cryptominers. Other tactics, such as attacks on vulnerable cryptocurrency wallets and smart contracts, appeared alongside them. Unauthorized cryptomining has since become a mass, internet-wide routine of reconnaissance, exploitation and installation, carried out with little regard for success rate or for keeping a small footprint.

Mass-Sending Without Care

Although earlier attacks and campaigns followed detailed processes laid out by the threat actor(s), NTT Security researchers have recently noticed a more “spray and pray” approach, with little reconnaissance or planning taking place beforehand.

If you have ever played a video game, as a child or still today, you may recognize the term “spray and pray”: holding the trigger down without taking the time to aim. In cybersecurity and cryptocurrency terms, the same approach is now used whenever a new vulnerability is disclosed in a popular product that allows remote code execution (RCE). Take, for example, CVE-2018-11776, a recent vulnerability in Apache Struts 2.

Disclosed on August 22, 2018, the vulnerability stems from how Struts handles namespaces: when an action is configured without a namespace, a user-supplied namespace taken from the request URL can be evaluated as an Object Graph Navigation Language (OGNL) expression, which leads to RCE. In previous years, a vulnerability like this would be mass-scanned across the internet, with days or even weeks spent scanning and logging vulnerable addresses. During that phase an actor might review the list of vulnerable addresses before weaponizing a payload, installing it on vulnerable devices and continuing to work towards their objective.
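The conditions under which a Struts deployment is exposed are spelled out in the Semmle/lgtm write-up linked later in this post: the struts.mapper.alwaysSelectFullNamespace constant is set to true, and at least one action is configured without a namespace (or with a wildcard namespace). The following script, added here as an example and not code from the original post or from the Apache Struts project, checks a struts.xml for exactly those two conditions. The struts.xml fragments it works on are constructed for the example; the action name actionChain1 is borrowed from the request described later in this post. It is a static approximation only: the constant may also be set in struts.properties, and whether a matching configuration is actually exploitable depends on the Struts version, so the fix remains upgrading Struts rather than editing the configuration.

```python
import xml.etree.ElementTree as ET

# Constructed struts.xml fragments for this example (not from the page or any real deployment).
VULNERABLE_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="actionChain1" class="com.example.ChainAction">
      <result name="success">/ok.jsp</result>
    </action>
  </package>
</struts>
"""

SAFE_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result name="success">/index.jsp</result>
    </action>
  </package>
</struts>
"""

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def always_select_full_namespace(root):
    """True if struts.xml sets alwaysSelectFullNamespace to true. Struts defaults it to false."""
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False


def namespaceless_actions(root):
    """(package, action) pairs whose package has no namespace, an empty one, or a wildcard."""
    hits = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns == "" or "*" in ns:
            for act in pkg.findall("action"):
                hits.append((pkg.get("name"), act.get("name")))
    return hits


def assess(xml_text):
    """Report whether the configuration matches both CVE-2018-11776 preconditions."""
    root = ET.fromstring(xml_text)
    full_ns = always_select_full_namespace(root)
    actions = namespaceless_actions(root)
    return {
        "alwaysSelectFullNamespace": full_ns,
        "namespaceless_actions": actions,
        "matches_vulnerable_conditions": full_ns and bool(actions),
    }


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_STRUTS_XML), ("safe", SAFE_STRUTS_XML)):
        print(label, assess(xml_text))
```

Run it against your own struts.xml by replacing the constructed fragments with the file contents; a result of matches_vulnerable_conditions = True on an unpatched instance is the configuration the exploit traffic described below is looking for.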

NTT Security researchers have analyzed several campaigns over the years that followed a similar process for distributing commodity malware or IoT botnets. Recently, however, attackers appear less concerned with the success rate of payload installation and more concerned with seizing the opportunity across possibly thousands of vulnerable devices, with no effort to cloak their operations so that they are harder to identify or analyze. At this rate, it is almost guaranteed that mass-scanning for such a vulnerability will not only report vulnerable addresses to a remote server but also try to install a cryptominer, because “why not?”.

In addition, NTT Security has previously stated that most cryptominers used in unauthorized campaigns are re-used or modified versions of publicly available binaries, mostly found on GitHub, such as XMRig or CPUminer. This makes attribution difficult, because the tools, tactics, techniques and malware are not unique to any one actor. For the same reason a threat actor has less to worry about, and so increases infection attempts without caring about the footprint left in the process.

CVE-2018-11776 Mining Campaigns

In April 2018, CVE-2018-11776 was reported as a remote code execution vulnerability in Apache Struts by Man Yue Mo. A detailed security bulletin (SB) was released by GTIC on August 23, 2018, titled GTIC-SB-201808-003. More details about the vulnerability can be found either in that SB or in the following resources: https://semmle.com/news/apache-struts-CVE-2018-11776 and https://lgtm.com/blog/apache_struts_CVE-2018-11776.

NTT Security has several detection services in place to detect and thwart exploitation attempts against this vulnerability. Immediately after the detections were put in place, exploit attempts were observed from several sources in China, the United States, the Philippines, Canada, Romania and India. The education, technology, healthcare, manufacturing, retail and finance industries appear to be the most targeted. As noted in NTT Security’s Monthly Threat Report, education, healthcare and finance accounted for 88% of all unauthorized cryptomining activity detected in August. The cryptomining campaign described below was detected on the same day the detections were implemented, and it is straightforward.

The actors appear either to have used a tool written in Go or to have set the User-Agent manually when sending the HTTP GET requests. The request targets the victim at the [SERVER]/struts3-showcase path, where the exploit supplies an OGNL expression referencing _memberAccess as the namespace and /actionChain1.action as the action. Because Struts evaluates this user-specified namespace as an OGNL expression, the code placed between the showcase path and the action name is executed remotely. If exploitation succeeds, a shell script named 'upcheck.sh' and a 64-bit cnrig binary are downloaded. The shell script also downloads i386, ARM and MIPS versions of cnrig before execution. The miner is configured with the mining pool 'us-east[.]cryptonight-hub[.]miningpoolhub[.]com:20580', username 'c.646.miner' and password 'x'.

Figure 1: HTTP Request from CVE-2018-11776 Exploit Attempt
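One way to hunt for this traffic in web server access logs, shown here as an added example rather than code from the original post or from NTT Security's detection services: parse each request line, URL-decode the path (twice, so double-encoded payloads are caught), and flag any request whose path segment before the final .action segment contains the start of an OGNL expression, since under CVE-2018-11776 that segment is the attacker-controlled namespace Struts evaluates. A reference to _memberAccess in the decoded path is recorded as a second indicator. The script assumes Apache combined log format, and assumes the Go tool's User-Agent is the Go standard library default, Go-http-client/1.1; whether that is what Figure 1 shows is an assumption, and the Go User-Agent is treated only as supporting context, never alerted on by itself. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines for this example. The IPs are
# documentation ranges and none of the lines are real captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2018:10:15:01 +0000] "GET /struts3-showcase/%24%7B%28%23_memberAccess%29%7D/actionChain1.action HTTP/1.1" 302 0 "-" "Go-http-client/1.1"
198.51.100.4 - - [23/Aug/2018:10:15:03 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Aug/2018:10:16:11 +0000] "GET /api/v1/status HTTP/1.1" 200 55 "-" "Go-http-client/1.1"
198.51.100.23 - - [23/Aug/2018:10:17:40 +0000] "GET /struts3-showcase/%2524%257B%2523_memberAccess%257D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(raw_path):
    """Drop the query string and URL-decode twice, so a double-encoded ${ (%2524%257B) is caught too."""
    return unquote(unquote(raw_path.split("?", 1)[0]))


def ognl_in_namespace(raw_path):
    """True if a path segment before the final .action segment contains the start of an
    OGNL expression (${ or %{). That segment is the namespace Struts evaluates."""
    segments = decode_path(raw_path).split("/")
    if len(segments) < 3 or not segments[-1].endswith(".action"):
        return False
    return any("${" in seg or "%{" in seg for seg in segments[:-1])


def scan_access_log(text):
    """One finding per request whose namespace looks like OGNL or mentions _memberAccess.
    The Go User-Agent is attached as supporting context only; alone it is far too common."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        indicators = []
        if ognl_in_namespace(rec["path"]):
            indicators.append("ognl_in_namespace")
        if "_memberAccess" in decode_path(rec["path"]):
            indicators.append("member_access")
        if rec["ua"].startswith("Go-http-client/"):  # assumed default Go User-Agent
            indicators.append("go_http_client_ua")
        if "ognl_in_namespace" in indicators or "member_access" in indicators:
            findings.append({"ip": rec["ip"], "timestamp": rec["ts"],
                             "path": rec["path"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["indicators"], f["path"])
```

On the constructed sample, the first and fourth lines are flagged (the fourth only after the second round of URL decoding), the benign showcase request is not, and the plain Go-http-client request to an unrelated API is left alone. Matching on the structure of the request rather than on a specific payload string is what keeps the check useful when the same actors swap in a different OGNL body.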

Technical indicators can be found below.

It's Just a Cryptominer Though, Right?

As explained in GTIC’s Monthly Threat Report, although an actor’s initial intention is to identify vulnerable systems and install miners, you may have bigger issues if they succeed. A miner may only consume system resources, but the fact remains that the actor was able to exploit a public-facing system and install a payload. The process is cemented at this point, and a simple “rinse and repeat” is all that is needed to install more capable, multi-faceted malware. Since the attacks began with the “spray and pray” method, the other systems logged as vulnerable are sitting ducks at this point.

Conclusion and Recommendations

As always, NTT Security recommends that appropriate patch management be the highest priority. Whether dealing with script kiddies or advanced persistent threats (APTs), a public-facing system with outdated software is like an open door in the worst of neighborhoods: someone is bound to enter. Most cryptominers are identifiable by anti-virus (AV) engines, so maintaining up-to-date signatures is also vital to combat cryptominers. NTT Security’s services and products help identify and combat cryptominers.

Technical Indicators

Hashes

File: 386

MD5: d50c119f236c5d64546df85a5b5340cc

SHA1: 3c06c52b1cb8185ced9b06d48b317f9445f39e87

SHA256: d892cc3da1a6066736b37acab211aef0af04c39d09aae758c973f4f35b6fa130

File: arm

MD5: 94ea165c7779c200e1826579f9b111e5

SHA1: e1f82e1b9a4c08239086625ed0f6e88de1e76f79

SHA256: f80dbca7d9f7d280ed1185d4f46f72f3b22ba9dd2791d657ab685700e9461ebc

File: cnrig-0.1.5-linux-x86_64

MD5: 8b1af0f1daa0008baf4675c700b51e3a

SHA1: 57639ce616055ffaa3b974ef721c5622d9fa05cf

SHA256: c890d18fe3753a9ea4d026fc713247a9b83070b6fe40539779327501916be031

File: mips

MD5: be8ac7ee3a5fef7640288bd6abf9be6d

SHA1: 3ff2b8487244012ac22e7723d486d69296238268

SHA256: 7fa546076799bc0cd575ecf58019dfcd92bbb2d802b72970cfff53584f3e2766

File: upcheck.sh

MD5: cae9cefb9e0dd6b2af7d448728999994

SHA1: 52cd4046afbf163d7b7a3fce6aec2c3cc3f42c01

SHA256: 234a8871bc9afdf63a63f48600a980151273b0701073cffcc3f9fae2a6da61d5

URLs

hxxps://bitbucket[.]org/c646/zz/downloads/386

hxxps://bitbucket[.]org/c646/zz/downloads/arm

hxxps://bitbucket[.]org/c646/zz/downloads/mips

References:

http://fortune.com/2018/02/14/bitcoin-cryptocurrency-blockchain-wallet-hack/

https://medium.com/solidified/the-biggest-smart-contract-hacks-in-history-or-how-to-endanger-up-to-us-2-2-billion-d5a72961d15d

https://www.nttsecurity.com/docs/librariesprovider3/resources/gtic-monthly-threat-report-august-2018

https://nvd.nist.gov/vuln/detail/CVE-2018-11776