
2019 - Cloud Wars EPV - The Cryptojacker Strikes back - James Condon

BSides Denver · 26:32 · Published 2019-09
About this talk
James Condon talks about cloud visibility into cryptocurrency-mining attacks, with case studies of how competing cryptojacking campaigns try to kill each other off on a compromised host.
Transcript [en]

I was told that they saved the best for last. [Music] This ties in really well with what he was talking about and what Greg was talking about; specifically, this is an interesting phenomenon that was touched on in both of those presentations. What it is: different attacker groups compromise a resource and then start battling each other for control of that resource. We see this happen quite a bit at Lacework; we've seen a big uptick of this over the last year. Generally this is happening with cryptocurrency mining, so you find a way into a server in the cloud, and then you try to figure out who else is there and get rid of all of them that you can, and then

start mining from there. All right, a quick background on myself: my name is James Condon, I'm Director of Research at a company called Lacework. Lacework is a startup out of Mountain View, California, and we do cloud security, so we do everything from configuration and compliance auditing for AWS, GCP and Azure, all the way down to Linux, container and Kubernetes runtime security, so we cover quite a wide area there. How I got into InfoSec: I started out in government working for the Air Force doing computer crime investigations, following that up at Mandiant for a few years as a network traffic analyst, doing incident response and threat intelligence, and then I worked for a company out here,

ProtectWise, and built out their research team that's hunting threats with a focus on the network. So primarily I've been doing network forensics, incident response, threat intelligence and most recently cloud security. So if you're interested in these security topics, please be sure to follow me on Twitter, and you can also check out our blog. So one of the things I wanted to do here, since we have a small enough group, is we're going to run through various case studies of different malware families and the tactics they're using to get rid of other pieces of malware on a given host, so I want to encourage discussion around these, so

I'll probably throw up a few questions so we can drive this conversation based on some feedback from the audience. So how I got into this originally: like I was saying before, I worked in traditional enterprise security doing a lot of APT-type research, so about a year ago I started shifting my focus into the cloud security area. As I started getting an idea of what was going on in the cloud, doing some research on what type of threat actors are operating, one of the big things that sticks out, as has also been reported, is that a few years ago ransomware was a really large issue when it came to

cloud workloads, but then we see this shift most recently, and it has shifted to cryptocurrency mining, specifically Monero. And what I did as my first step getting into this was: let's deploy some honeypots and see what's going on. So I'm pretty used to seeing that with any open application exposed to the internet you're going to get all kinds of different exploits thrown at it, nothing new there, but the thing that surprised me a little bit is that once you start getting these honeypots compromised, we start seeing installers scanning for other processes, looking for IP addresses to sinkhole, and taking out other people that might have taken over one of these servers. So in

particular, one of the first honeypots I set up shifted hands about four times, every four hours, and a lot of this was automated by bots that are shaking each other out and starting over, and that really sparked my curiosity, and you start to really dive into some of those and get some pieces. So a good place to start, if you want to get something compromised as quickly as possible, is Redis; it's a great place to go and it's really easy to set up a Redis honeypot. So we intentionally picked something pretty old: we just used Ubuntu 14.04 and used apt-get to install a

server, and this actually installs a really old version, Redis 2.8.4, which is vulnerable to CVEs from 2015, some nasty remote code execution vulnerabilities. And then what you want to do is give external access to this host, so open up port 6379. So if you haven't seen what network traffic for Redis looks like: backing up just one step, Redis out of the box isn't going to have default authentication and authorization, it's also not going to have default encryption, it's not going to be using TLS, and it's not going to be using encryption at rest. So out of the box it's pretty easy to use for a honeypot,

but you can get into really sticky situations if you're using it for other reasons. So what we have here is just a Wireshark screenshot, and the protocol that it uses is called the REdis Serialization Protocol. As you can see, this is easy to digest; it's just a clear-text protocol where you're feeding commands, and there are some numbers that come through with the length of the command and the command arguments and things like that. So one of the things that we see first and foremost is people interrogating the server, getting some more information about what it is. One of the common attacks that we would see is setting key-value pairs; in this case, the values

being set are cron job entries, and so this is a common mode of persistence with a lot of these cloud attacks: setting a cron job to continually pull down a bash script and execute it. Sometimes that's once, sometimes it's from other places, but a lot of times those scripts will get continually updated so they can give new commands to the bot and things like that. In this particular case, just based on how we set the honeypot up, these end up failing; they're trying to eventually save these keys to the cron job files. Another attack that's pretty common that I saw is trying to get SSH access, so in this screenshot here they're trying to take an

SSH key and ultimately get that put in root's .ssh directory; again, in this case it didn't work. So then next we end up seeing some successful exploit activity. So this is a Lua vulnerability, this is actually CVE-2015-4335, and like what Q was saying, there are a lot of outdated applications. So this occurred within one of the first days, so you know that people are out there running really old versions of Redis that are vulnerable to this. And what winds up happening after the exploit is we just have a command to download a bash script and execute it, so it's a curl command, and here they're using the service called ngrok, the same one

as before. Yeah, so ngrok is a simple service that you can use to basically take your laptop, put a web server on it, and if you're behind a NAT you can expose that and have it internet-accessible from a hostname of your choice. So in this case we saw a second group using ngrok to serve up this first bash script, and this installation script has a number of different steps. It's not super long, but most of the steps include downloading a different downloader, downloading different pieces of malware, maybe trying to put in an SSH key for persistence, maybe setting up a service, things like that. This was last year, about October, and I

came across this section of code which I found pretty interesting. What we have here is we're looking for process listings associated with certain keywords, and then we want to kill those processes. And if we take an even closer look at it, it's really interesting: you'll see different attacker groups take different approaches for how they format some of these different queries, but essentially what we're doing is we're setting this PID variable, then we're going through the process list, we're grepping out the grep process, we're looking for xmr-stak, and then we're getting the process ID using awk, making sure that we've got a process ID, and then killing it. So this will run through, and

if there's a cron job that is going on, every time the script gets downloaded this will get rerun, so if any processes pop back up, those might get taken care of. So real quick, has anyone seen this type of activity before, maybe in data centers that you're protecting? Okay, we know for sure. Anyone want to tell us about an instance where they've seen this, in an application? Nice. I'll give extra credit: do you know any of the answers? Okay, let's take a look at how this process is killed. Can anyone think of the advantages and disadvantages of this tactic, the tactic being scanning active process listings and killing them? Say you're a bad guy and you want to make sure

other crypto miners aren't running on the system: is this an effective tactic? Yeah.

Yeah, yeah, definitely, so we find this to be really effective. Can anyone think of maybe an issue with just killing the process? Just call it out. Yeah, yeah, so depending on the user that you're running as, your visibility into what processes are running, you might have some reduced visibility there if you're doing it from user land; maybe there are rootkits involved and you can't see what processes are running. Another thing is, you know, basic persistence: so if you're not continually scanning and killing these processes, you might run into some issues with them popping back up. But this is one of the most common methods that we see. So fast forward to March of this year, there was a nasty CVE that

came out for Confluence. This was CVE-2019-3396, so this was a remote code execution, and this is done pre-authentication. So we expect Confluence servers to possibly be internet-facing; it's not best practice, but right after this came out, people went on Shodan and they're like, yeah, there are at least 20,000 different Confluence servers facing the internet. You can't necessarily see which versions they are, but it's a big footprint. This RCE occurs before any authentication is necessary; there's also a directory traversal that can occur as well. And the thing that we found interesting with this is you just exploit it with a well-crafted POST request, and the first public PoC came out about April 4th, and this just

appeared on GitHub. There wasn't much news about it, but what we ended up seeing in our dataset is that around April 8th the PoC was being actively used in some different activities. Then on April 10th there was a detailed write-up of this particular PoC, and that kind of opened the floodgates, and then there was a massive amount of attacks going on. So here's just what this looks like from a network point of view: we have a POST request going to our Confluence server, and in this payload the actual exploit ends up occurring in this Velocity template, so you have to serve it from somewhere else. There are a number of different PoCs out there; some of

them get the HTTP version to work, some of them need FTP, but one of the things that was really interesting in this, and in this particular one that we caught, is we actually see them using the exploit to run a command to look for this dblaunchs process to kill. Now this is a common malware name that we've seen with some of the crypto-mining activity, so in this case, in this particular instance, we see the attackers just doing mass scanning, trying to kill from outside the box. And so this is one of the install scripts that would get pulled down, and as you can see, these are getting pretty big. I'm just going to show you real quick

what this one looks like. So we have a bash script, and the vast majority of this bash script is devoted to killing different processes going on, and some of it is kind of funny, and it really makes you wonder who's behind this, with the inconsistencies that occur as we go. So we first start off with this for loop that's just iterating around and making sure that kill is not running and that sleep is not running, and I don't know, maybe they weren't confident that it was just going to work all the time, so maybe that's why it's iterating. And shortly later, right following it, sleep is targeted again, so we see this occur multiple times.

There's the Kerberods downloader that was talked about with Rocke, and what we end up getting is we start getting some interesting intel, like, as an analyst: okay, who are these guys targeting, what processes are they going after? And as we go through it, we've talked about process scanning to kill; what we end up seeing a little bit later is a new and simple technique, a little bit different, which is actually looking for certain files to remove. And then, let me see, after this

is we actually have a netstat table. So what netstat is doing here is it's looking for any established connections to the following IP addresses; if they're established, get a process ID and go ahead and kill that. This only works on, I'm not sure what all Linux systems this will work on; using netstat to get that process ID I think doesn't always work, so that one is kind of interesting to me. But if we take a closer look at what some of these IP addresses are, we see that these 37.59 ones, both of those actually resolve to a very popular XMR mining pool, and that's pool.minexmr.com. So that makes

sense. This next one, 192.99, that's a custom Monero mining pool that's been reported as used by the 8220 gang before. Next up, this one, 58.69, another private pool used in association with the 8220 gang, and then this kind of goes on and on. The 190.2.99.142 one, that was seen in attacks that were specifically targeting open Docker APIs and pushing malicious containers, and then also this 202 one, we saw this as a custom one that was seen in some Kubernetes attacks that we've reported on and talked about, and then, you know, a year or so prior, it was seen in the Hadoop YARN attacks. So these actors know

different pools that are being used by different groups; they know popular mining pools and they're using those to try and sinkhole that activity. Another tactic that we see in this case: the attacker is listing our process listings, ignoring the ones that they're interested in, and then they're looking for any CPU that's running over 30%, and if we see CPU that's running over 30%, we're going to go ahead and kill that. So my first impression when I first saw this was that Confluence was the big one this year, because we could see at least two or three different groups within three or four days of the public PoC being used, and they're just doing anything that they can. If you look

at these machines, the CPU is going out of control, some of them are just shutting down; these guys can't really get the money because everyone's going after it. So what I wanted to ask is: when we look at that laundry list of processes to kill and these IP addresses, as a blue team person, does that remind you of anything in the way we do stuff? Because to me it reminds me of how we try to keep the bad guys out ourselves: we're looking for file names, we're looking for certain process names, we're looking for IP addresses. So these guys are really doing the

same, but it's more like an illegal capture-the-flag type situation. What do you think about using netstat to kill processes as opposed to process names? Any thoughts on that, how that might be better or worse? Yeah, process names are easy to change. Another thing that we've noticed is the C2 infrastructure and the mining pools that these guys use don't change too often, so sometimes those IP addresses end up working out pretty well. Another thing I noted is, as for the popular mining pools, a lot of cyber criminals aren't using minexmr.com. What do you think about killing processes based on how much resources they're using? Is it an

effective tactic to take out other competing processes? Can you think of anything that might go wrong there? What's that? Yeah, maybe crash the system, take out something that you need to keep the system running; there are definitely some things that could end up happening. Okay, so this is the third case study. This one is really interesting; this is a great blog post put out by Intezer, they talked earlier today, and the author is doing some ELF analysis on a piece of malware used by the Pacha group, and one of the big things you notice is there are several protections and mechanisms in it targeting Rocke. So this time, one of the big things that we see is that instead

of using a bash script to do the removal of files and things like that, the actual piece of malware is looking for the files itself and doing its own process blacklisting. Here we see Kerberods again, so it's pretty infamous at this point, and they're looking for it in multiple different places; we've seen it stored at /tmp, we've seen it at /usr/bin, it kind of pops up in different places here and there. But this is a pretty interesting tactic, and I hadn't seen this one before, so this is kind of like our netstat tactic, only I think it's a little bit more effective, and what they end up doing is they have a list of

blacklisted IP addresses, and they decode those IP addresses out, and then they add them to the system's routing table using the ioctl, and they scope it to the localhost, so if any connection is attempted to any of these IPs, that's just going to end up redirecting back to the localhost, effectively sinkholing it. So outside of this, has anyone here run into that at all, using iptables, or this decision to sinkhole IPs, has anybody seen them do it that way? Because I've only really seen this specific technique used in that malware. All right, we'll move on to our last case study here, and what this is is

CryptoSink. Anyone heard of this before? CryptoSink was reported by F5 earlier in March, and CryptoSink is pretty interesting because it carries a number of different functionalities that we didn't see with other malware families. We do see that the entry point here and payload is to use a bash script to start the initial install. One of the things that's kind of cool about this one, if you're a reverser, is a lot of symbols are left in the binary, so specifically we have this function call that's "search and kill", we also see "search and kill miners", and then we have "stop communication of other miners". It's pretty verbose here; they give away how they're going to do it. So

this ends up being pretty interesting. This has multiple persistence mechanisms: adding an SSH key, adding a service, adding cron jobs, the install script, and then a unique one that I'll show here. What they end up doing is they take a list of these popular mining sites and then they redirect them to localhost using the /etc/hosts file. One of the disadvantages to this is a lot of the different campaigns that we see are using custom pools, like custom IP address mining pools, and so we don't actually see them using a lot of these popular ones, so I don't know how effective that will be. But this is kind of cool: what they ended up doing is they

got rid of the rm binary on Linux and replaced it with their own, and so it eventually calls rm, which has been renamed, but what it does is it checks to make sure that it's persistent whenever it's run. So if we rewind back to that one script that we saw, we have a bash script and it's using rm to delete files, so if it were to delete the files associated with this guy, it checks that the persistence mechanisms are in place and effectively makes sure that it still stays installed. Okay, does anyone have any other ideas on that, any tactics that the attackers haven't presented here that you might do as

an attacker? One of the big ones that sticks out at the top of my mind that I've never seen, and let me know if you have, but I've never seen an attempt to patch an application that was exploited to keep others out. You know, there are going to be some pros and cons to that: you might have more of a footprint, it might cause much more noise, but you're already pretty noisy anyway. I think that would probably be an interesting one to see, so if you ever see anything like that, be sure to let me know. So some of the common tactics that I've seen used: scanning process listings for keywords, scanning process listings for CPU usage,

searching for dropped files, established connections, sinkholing IPs, and sinkholing DNS. So what this all ends up wrapping back into is these are all tactics that we can use when looking to gather intel, and you can easily go on VirusTotal to find these installers and monitor for those, and look for maybe new file names, new things, to keep on top of it, since a lot of this activity is automated. So what I'll do is, on our blog, I'll post these slides so you can have them, and this has a number of different resources that go deeper into it, but you can go ahead and contact me via these

methods. Be sure to check out our blog, and then any last questions before we wrap up? Nope? All right, cool, thanks everyone. [Applause]
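The talk closes on the point that the kill lists in these install scripts (process keywords, CPU thresholds, netstat-matched pool IPs, /etc/hosts and routing-table sinkholes, rm'd file paths) are intel a blue team can reuse. The following is an added worked example of that idea; it is not the speaker's code and not Lacework's. SAMPLE_SCRIPT and SAMPLE_PS are constructed inputs that mirror the tactics described in the talk: the process names and paths are illustrative, the IP addresses are RFC 5737 documentation addresses rather than indicators from any real campaign, and pool.minexmr.com is the pool the talk names. It parses the indicators out of the script and then applies them to a process listing.

```python
"""Pull defender intel out of a cryptojacker's "kill the competition" script.

Added example, not code from the talk or from Lacework. SAMPLE_SCRIPT and
SAMPLE_PS are constructed inputs that mirror the tactics the talk describes;
the IPs are RFC 5737 documentation addresses and the names are illustrative.
"""
import re
import shlex

SAMPLE_SCRIPT = r"""#!/bin/bash
# constructed sample: each line mirrors a tactic discussed in the talk
pkill -f xmr-stak
pkill -9 -f kdevtmpfsi
ps aux | grep -v grep | grep -E "xmrig|minerd|ddgs" | awk '{print $2}' | xargs kill -9
netstat -anp | grep ESTABLISHED | grep 198.51.100.23 | awk '{print $7}' | cut -d/ -f1 | xargs kill -9
netstat -anp | grep ESTABLISHED | grep 192.0.2.45 | awk '{print $7}' | cut -d/ -f1 | xargs kill -9
ps -eo pid,pcpu,comm | awk '$2 > 30.0 && $3 != "sshd" {print $1}' | xargs kill -9
echo "127.0.0.1 pool.minexmr.com" >> /etc/hosts
route add -host 203.0.113.9 reject
rm -rf /tmp/ddg.2020 /tmp/kdevtmpfsi /var/tmp/xmrig
"""

# constructed `ps -eo pid,pcpu,args` snapshot of a host to check against the intel
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.0 /sbin/init
  812  0.1 /usr/sbin/sshd -D
 2231 97.3 /tmp/kdevtmpfsi -o 198.51.100.23:3333 -u WALLET
 2240  0.0 -bash
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PKILL_RE = re.compile(r"^pkill\s+(?:-\S+\s+)*(\S+)\s*$")        # pkill [-opts] <pattern>
GREP_E_RE = re.compile(r'grep\s+-E\s+["\']([^"\']+)["\']')      # grep -E "a|b|c"
CPU_RE = re.compile(r"\$2\s*>\s*(\d+(?:\.\d+)?)")                # awk '$2 > 30.0 ...'
HOSTS_RE = re.compile(r'^echo\s+"?127\.0\.0\.1\s+([\w.-]+)"?\s*>>\s*/etc/hosts')
ROUTE_RE = re.compile(r"^route\s+add\s+-host\s+(\S+)\s+reject")


def extract_iocs(script):
    """Return the indicators a competitor-killing script reveals, as sorted lists."""
    iocs = {
        "process_keywords": set(),   # names matched by pkill -f or ps | grep | kill
        "pool_ips": set(),           # IPs whose established connections get killed
        "sinkholed_hosts": set(),    # domains pointed at 127.0.0.1 via /etc/hosts
        "sinkholed_ips": set(),      # IPs blackholed through the routing table
        "removed_paths": set(),      # files deleted, i.e. rivals' droppers and miners
        "cpu_kill_threshold": None,  # %CPU above which unrecognised processes die
    }
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := PKILL_RE.match(line):
            iocs["process_keywords"].add(m.group(1))
        elif line.startswith("netstat") and "kill" in line:
            iocs["pool_ips"].update(ip for ip in IP_RE.findall(line) if ip != "127.0.0.1")
        elif line.startswith("ps") and "kill" in line:
            if m := GREP_E_RE.search(line):
                iocs["process_keywords"].update(m.group(1).split("|"))
            if m := CPU_RE.search(line):
                iocs["cpu_kill_threshold"] = float(m.group(1))
        elif m := HOSTS_RE.match(line):
            iocs["sinkholed_hosts"].add(m.group(1))
        elif m := ROUTE_RE.match(line):
            iocs["sinkholed_ips"].add(m.group(1))
        elif line.startswith("rm "):
            iocs["removed_paths"].update(a for a in shlex.split(line)[1:] if not a.startswith("-"))
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in iocs.items()}


def flag_processes(ps_output, iocs):
    """Apply the extracted intel to a `ps -eo pid,pcpu,args` listing.

    Returns {pid: [reasons]} for processes whose command line contains a rival
    miner keyword, a pool or sinkholed address, or a path the script deletes.
    """
    hits = {}
    for line in ps_output.splitlines()[1:]:          # skip the header row
        pid, _cpu, cmd = line.split(None, 2)
        reasons = [f"keyword:{k}" for k in iocs["process_keywords"] if k in cmd]
        reasons += [f"pool_ip:{ip}" for ip in iocs["pool_ips"] + iocs["sinkholed_ips"] if ip in cmd]
        reasons += [f"dropper_path:{p}" for p in iocs["removed_paths"] if p in cmd]
        if reasons:
            hits[int(pid)] = reasons
    return hits


if __name__ == "__main__":
    intel = extract_iocs(SAMPLE_SCRIPT)
    for key, value in intel.items():
        print(f"{key}: {value}")
    print("flagged:", flag_processes(SAMPLE_PS, intel))
```

The parser deliberately keys on the shapes these scripts actually take (pkill by pattern, a ps/grep/kill pipeline, a netstat/grep/kill pipeline, an awk CPU threshold) rather than on any one sample, so pointing it at a new installer from VirusTotal yields the same structured output. The CPU threshold is worth keeping as intel too: it tells you the attacker will kill any legitimate workload above that figure, which is the "take out something you need to keep the system running" failure mode raised in the discussion.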