Trend Micro and Aqua Security experts have recorded new attacks on Linux servers with the aim of secretly mining cryptocurrency. Kinsing bot drivers are looking for unpatched Oracle WebLogic Server software, and someone who looks like the vanished TeamTNT is looking for errors in the Docker daemon settings.
During attacks on WebLogic, Kinsing botnet operators scan for vulnerabilities, both recent and older. Of the latter, attackers most frequently look for the two-year-old RCE CVE-2020-14882 .
If the exploit is successfully processed, a shell script is installed on the server, which works as an intermediate loader. This stager first prepares the ground for cryptojacking: it raises the resource consumption limit (using the ulimit command), deletes the /var/log/syslog log, disables protections like SELinux and Alibaba and Tencent cloud service agents, kills third-party miner processes.
After all these uninvited actions, the Kinsing malware is loaded onto the machine (from a remote server). To make sure it is always present, the shell script creates a new cron job.
The attacks recorded on the Aqua Security traps are different, but in style and tools used they resemble TeamTNT sorties. (Last November, this criminal group wound up its operations.)
Analysts were especially interested in the attack, apparently aimed at using someone else’s power to crack the elliptic curve algorithm (ECDLP secp256k1); success, in this case, will allow you to get the keys to any crypto wallet. Hackers are looking for poorly configured Docker daemons to deploy alpine, a standard container image that is then used to upload a shell script to C2 in command line mode.
The objectives of other attacks are more prosaic. In one case, the attackers are looking for vulnerable Redis servers in order to install the miner, in the other, they are looking for Docker APIs suitable for injecting the Tsunami backdoor
Catch up on more articles here
Follow us on Twitter here