By now, the threat landscape of unauthorized cryptomining and cryptojacking has been researched and discussed in depth, not only by NTT Security but by the cybersecurity community in general. In 2017, as cryptocurrency values rose, cyber criminals jumped on board with custom and re-usable cryptominers. Other tactics, such as attacking vulnerable cryptocurrency wallets and smart contracts, also appeared. Unauthorized cryptomining has become the new mass, internet-wide cycle of reconnaissance, exploitation and installation, carried out with little regard for success rate or for maintaining a small footprint.
Mass-Sending Without Care
Although these attacks and campaigns followed detailed processes laid out by the threat actor(s), NTT Security researchers have recently noticed a more “spray and pray” approach, with little reconnaissance or planning taking place beforehand.
If you have ever played a video game, as a child or still today, you may know the term “spray and pray”: holding the trigger down without taking the time to aim. In cybersecurity and cryptocurrency, the same approach is being used when new vulnerabilities are disclosed for popular products in which successful remote code execution (RCE) could take place. Take, for example, CVE-2018-11776, a recent vulnerability in Apache Struts 2.
Disclosed on August 22, 2018, the vulnerability exists because of errors in namespace handling: when no namespace is given, user-supplied Object Graph Navigation Language (OGNL) expressions are evaluated, allowing RCE. In previous years, such a vulnerability would be mass-scanned across the internet, resulting in days, even weeks, of scanning and logging vulnerable addresses. During this phase, an actor may take some time to review the vulnerable addresses before weaponizing their payloads, installing them on vulnerable devices and continuing to work towards their objective.
NTT Security researchers have analyzed several campaigns over the years that follow a similar process in regard to the distribution of commodity malware or IoT botnets. However, recently it appears attackers are less concerned about the payload installation success rate and more concerned about seizing the opportunity across possibly thousands of vulnerable devices, without any concern for cloaking operations so that they are less identifiable or harder to analyze. At this rate, it is almost guaranteed that mass-scanning for such a vulnerability will not only report vulnerable addresses to a remote server, but also try to install a cryptominer, because “why not?”.
In addition, NTT Security has stated that most cryptominers used in unauthorized campaigns are re-used or modified versions of publicly available binaries, mostly found on GitHub, for example XMRig or CPUminer. With this in mind, attribution analysis becomes difficult because the tools, tactics, techniques and malware are not unique. Because of this, a threat actor may have fewer concerns, causing them to increase infection attempts without caring about reducing their footprint in the process.
CVE-2018-11776 Mining Campaigns
In April 2018, CVE-2018-11776 was reported as a remote code execution vulnerability in Apache Struts by Man Yue Mo. A detailed security bulletin (SB) was released by GTIC on August 23, 2018, titled GTIC-SB-201808-003. More details about the vulnerability can be found either in this SB or in the following resources: https://semmle.com/news/apache-struts-CVE-2018-11776 and https://lgtm.com/blog/apache_struts_CVE-2018-11776.
NTT Security has several detection services in place for detecting and thwarting exploitation attempts against this vulnerability. Immediately after the detections were put in place, exploit attempts were observed from several sources in China, the United States, the Philippines, Canada, Romania and India. The education, technology, healthcare, manufacturing, retail and finance industries appear to be the most targeted. As referenced in NTT Security’s Monthly Threat Report, education, healthcare and finance accounted for 88% of all unauthorized cryptomining activity detected in the month of August. The cryptomining campaign was detected the same day the detections were implemented; the campaign itself is straightforward.
The actors appear either to have used a tool written in Go or to have set the user-agent manually when sending the HTTP GET requests. The request targets the [SERVER]/struts3-showcase path, where the exploit uses the _memberAccess namespace and the /actionChain1.action action. This user-specified namespace causes Struts to evaluate it as an OGNL expression, thus allowing the code between the namespace and the action to be executed remotely. If exploitation succeeds, a shell script named 'upcheck.sh' and a 64-bit cnrig binary are downloaded. The shell script also downloads i386, ARM and MIPS versions of cnrig before execution. The miner is given the mining pool 'us-east[.]cryptonight-hub[.]miningpoolhub[.]com:20580' with username c.646.miner and password 'x'.
Figure 1: HTTP Request from CVE-2018-11776 Exploit Attempt
Technical indicators can be found below.
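As an added illustration (not code from the NTT Security article or from the campaign's tooling), the following Python detector walks web-server access-log lines and flags requests whose path carries an OGNL-style "${...}" or "%{...}" segment ahead of a ".action" target, which is the request shape described above; the log lines, IP addresses and the OGNL_EXPR placeholder are constructed, and the Go user-agent check is only a secondary indicator.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not captures from the
# campaign, and OGNL_EXPR is a placeholder standing in for an expression body.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Aug/2018:10:01:12 +0000] "GET /struts3-showcase/%24%7BOGNL_EXPR%7D/actionChain1.action HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
198.51.100.7 - - [23/Aug/2018:10:02:40 +0000] "GET /struts3-showcase/showcase.action HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Aug/2018:10:03:03 +0000] "GET /struts3-showcase/%25%7BOGNL_EXPR%7D/actionChain1.action HTTP/1.1" 500 0 "-" "curl/7.61.0"
"""

# Combined Log Format fields we need: client IP, request path, status and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# An OGNL-style "${...}" or "%{...}" path segment ahead of the ".action" target,
# the shape of the namespace abuse described for CVE-2018-11776.
OGNL_NS_RE = re.compile(r'[$%]\{[^/]*\}[^/]*/[^/]+\.action(?:$|\?)')

def decode_path(raw_path):
    """URL-decode repeatedly (at most 3 rounds) so double-encoded payloads surface."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def flag_struts_ognl(line):
    """Return a finding dict for a request carrying an OGNL namespace, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    if not OGNL_NS_RE.search(path):
        return None
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": int(m.group("status")),
        # Secondary indicator: the campaign's requests carried a Go HTTP client user-agent.
        "go_client": m.group("ua").startswith("Go-http-client"),
    }

def scan(log_text):
    """Run the detector over every line and return the list of findings."""
    return [f for f in map(flag_struts_ognl, log_text.splitlines()) if f]
```

A status of 200 on a flagged request is worth prioritising, since the article notes that a successful exploit is followed by the download of the upcheck.sh script and the cnrig binaries.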
It's Just a Cryptominer Though, Right?
As explained in GTIC’s Monthly Threat Report, although an actor's initial intention is to identify vulnerable systems and install miners, you could have bigger issues if they succeed. While a miner may only consume system resources, the fact is that the actor was able to exploit a public-facing system and install a payload. The process is cemented at this point, and a simple “rinse and repeat” is all that is necessary to install more multi-faceted malware. Since the attacks began with the “spray and pray” method, the other systems logged as vulnerable are just sitting ducks.
Conclusion and Recommendations
As always, NTT Security recommends that appropriate patch management be given the highest priority. Whether dealing with script kiddies or advanced persistent threats (APT), a public-facing system with outdated software is like an open door in the worst of neighborhoods: someone is bound to enter. Most cryptominers are identifiable by anti-virus (AV) engines, so maintaining up-to-date signatures is also vital to combat cryptominers. NTT Security’s services and products help identify and combat cryptominers.