The Attack
- In a possibly concerted string of attacks, malicious crypto miners target academic data centers across China, Europe and North America, disrupting COVID-19 research.
- The EGI Computer Security Incident Response Team (EGI CSIRT) believes the attacker moves from one victim to the next using compromised SSH credentials, with the intention of mining Monero (XMR).
- The targeted hosts are infected with malware and altered to serve as one or more of:
- XMR mining hosts (running a hidden XMR mining binary).
- XMR-proxy hosts: the mining hosts connect to these, which in turn connect to other XMR-proxy hosts and eventually to the actual mining server.
- SOCKS proxy hosts (running a microSOCKS instance on a high port): the attacker connects to these via SSH, often from Tor, and also uses the microSOCKS service from Tor.
- Tunnel hosts (SSH tunnelling): the attacker connects via SSH with a compromised account and configures NAT PREROUTING rules, typically to reach private IP space behind the host.
The Tactics
- Tor or the compromised hosts are used to connect to the SOCKS proxy servers.
- Among various other techniques, the attacker also uses a malicious Linux kernel module (a rootkit) to hide their activity.
- SSH credentials are stolen to gain access to the hosts. Although it is not known how the attacker steals them, some victims have found compromised SSH binaries on their hosts.
- To avoid detection, the XMR miner is configured to run only at night.
File Details
- Run kill -63 <pid> followed by lsmod, then look for modules named diamorphine, scsi, iscsi or readaps. Signal 63 makes a Diamorphine-style rootkit toggle the visibility of its own module (the hooked kill() ignores the PID), so a module that only shows up in lsmod after the signal is the rootkit. On a clean kernel the signal is delivered normally and terminates the target process, so send it to a throwaway process (for example a backgrounded sleep) rather than to a random PID.
- Check the content of /etc/cron.hourly/0anacron, and verify it against the package that owns it (rpm -Vf or dpkg -V) rather than relying on reading it by eye.
- Other files:
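The checks above can be made repeatable. The script below is an added example and is not EGI CSIRT tooling: it wraps the indicators from this section (the module names, the signal-63 toggle, the 0anacron path, microSOCKS listeners and the NAT PREROUTING pivot) in small shell functions. The parsers read captured command output from stdin so they can be run against output collected during an incident; the --live mode and the heuristics for suspicious cron lines and listener names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not EGI CSIRT tooling): repeatable checks for the host
# indicators in the advisory. Parsers read captured command output from
# stdin; live_scan runs the real commands and is only used with --live.

# Module names from the advisory. The rootkit registers under a bare name,
# so match column 1 of lsmod exactly: scsi_mod or iscsi_tcp must not match.
hidden_module_names() {
    awk '$1 == "diamorphine" || $1 == "scsi" || $1 == "iscsi" || $1 == "readaps" { print $1 }'
}

# Diamorphine toggles its own visibility whenever any process is sent signal
# 63; its hooked kill() ignores the PID. On a clean kernel the signal is
# delivered normally and terminates the target, so aim it at a throwaway
# process instead of a random PID, and compare lsmod before and after.
toggle_and_diff_modules() {
    tmpd=$(mktemp -d)
    lsmod | awk 'NR > 1 { print $1 }' | sort > "$tmpd/before"
    sleep 60 &
    victim=$!
    kill -63 "$victim" 2>/dev/null || true
    lsmod | awk 'NR > 1 { print $1 }' | sort > "$tmpd/after"
    kill "$victim" 2>/dev/null || true
    diff "$tmpd/before" "$tmpd/after" || echo "module list changed across the signal-63 toggle"
    rm -rf "$tmpd"
}

# Heuristic (this example's own): non-comment lines in a cron file that run
# something from a scratch directory or hidden path, or download/decode data.
cron_suspicious_lines() {
    awk '!/^[[:space:]]*#/ && (/\/tmp\/|\/dev\/shm\// || /\/\.[A-Za-z0-9]/ || /curl|wget|base64|nohup/)'
}

anacron_check() {
    f=/etc/cron.hourly/0anacron
    [ -f "$f" ] || { echo "$f: absent"; return 0; }
    # Verify against the owning package before reading the file by eye.
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$f" || echo "$f: differs from package"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V anacron 2>/dev/null || echo "$f: differs from package"
    fi
    cron_suspicious_lines < "$f"
}

# stdin: output of `ss -ltnp`. Prints port and process name for listeners
# whose process name looks like a SOCKS proxy or miner, plus high ports with
# no visible owner (run as root to see owners). Name patterns are heuristic.
socks_listeners() {
    awk 'NR > 1 {
        port = $4; sub(/.*:/, "", port)
        name = ""
        if (match($0, /users:\(\("[^"]+"/)) name = substr($0, RSTART + 9, RLENGTH - 10)
        if (name ~ /socks|xmr|miner/ || (name == "" && port + 0 > 1024)) print port "\t" name
    }'
}

# stdin: output of `iptables-save`. Prints nat-table PREROUTING DNAT rules,
# the mechanism used on tunnel hosts to reach private IP space behind the victim.
prerouting_dnat_rules() {
    awk '/^\*/ { table = $1 } table == "*nat" && /^-A PREROUTING / && /-j DNAT/'
}

live_scan() {
    echo "== lsmod names matching the rootkit =="; lsmod | hidden_module_names
    echo "== lsmod diff across signal-63 toggle =="; toggle_and_diff_modules
    echo "== /etc/cron.hourly/0anacron =="; anacron_check
    echo "== suspicious listeners =="; ss -ltnp 2>/dev/null | socks_listeners
    echo "== nat PREROUTING DNAT rules =="; iptables-save 2>/dev/null | prerouting_dnat_rules
}

if [ "${1:-}" = "--live" ]; then live_scan; fi
```

Run it as root with --live on a suspect host, or source it and feed saved output into the individual parsers (for example `socks_listeners < ss-ltnp.txt`). An empty diff from the signal-63 toggle does not prove the absence of a rootkit; it only rules out one that hides itself the way Diamorphine does.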
Indicators of Compromise
Network Indicators
IP | Comment | Role in Attack
91.196.70.109 | XMR mining server | Coordinates the XMR activity
149.156.26.227 | Victim server andromeda.up.krakow.pl | Malicious IP used for SSH logins + running SOCKS proxy
149.156.26.56 | Victim server vega.up.krakow.pl | Malicious IP used for SSH logins + running SOCKS proxy |
142.150.255.49 | Victim desktop UTORONTO | Source for attack on .ca hosts |
159.226.234.29 | Victim server at CAS, China | Malicious IP used for SSH logins + running SOCKS proxy |
149.156.26.227 | andromeda.up.krakow.pl (host now cleaned) | Malicious IP used for SSH login
202.120.32.231 | Shanghai Jiaotong University | IP used for SSH logins |
202.120.58.243 | Shanghai Jiaotong University | IP used for SSH logins |
202.120.58.244 | Shanghai Jiaotong University | IP used for SSH logins |
IP | Comment | Role in Attack
2001:da8:8000:6300:199:433c:16c7:c668 | Shanghai Jiaotong University | IP used for SSH logins |
2001:da8:8000:6300:1c22:6545:295d:f55c | Shanghai Jiaotong University | IP used for SSH logins |
2001:da8:8000:6300:1cc4:148e:4368:1d2c | Shanghai Jiaotong University | IP used for SSH logins |
2001:da8:8000:6300:6c46:cb5b:f478:185e | Shanghai Jiaotong University | IP used for SSH logins |
2001:da8:8000:6300:7925:5377:34a8:e4b3 | Shanghai Jiaotong University | IP used for SSH logins |
2001:da8:8000:6300:8c84:868e:9c5d:3322 | Shanghai Jiaotong University | IP used for SSH logins |
2001:da8:8000:6300::/64 | Shanghai Jiaotong University | IP used for SSH logins |
159.226.161.107 | CSTNET, China | Malicious IP used for SSH login |
159.226.234.29 | CSTNET, China | Malicious IP used for SSH login |
List of Tor hosts (SOCKS proxy clients)
51.77.135.89 (also used for malicious SSH logins) |
51.15.177.65 |
51.75.52.118 |
51.75.144.43 |
51.79.53.139 |
51.79.86.181 |
212.83.166.62 |
List of suspected hosts
159.226.88.110 (CSTNET, China. TCP/44300 access from krakow.pl): Being investigated by CSTCERT
159.226.62.107 (CSTNET, China. HTTPS access from krakow.pl): Compromised (XMR mining) and reinstalled by the admin ~2020-05-08
159.226.170.127 (CSTNET, China. TCP/21 access from krakow.pl): Being investigated by CSTCERT
132.230.222.12 (Uni-Freiburg. SSH access from krakow.pl): Investigated (malicious SSH binaries found); not clear whether it is involved in this incident or only in 20200512
192.154.2.203 (UCLA, USA. SSH access from krakow.pl): Notified.
129.49.37.67 (SUNYSB, USA. Access from a SOCKS proxy): Notified.
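The indicator tables are only useful once they are run against logs. The script below is an added example, not EGI CSIRT tooling: it extracts the source address of every sshd authentication line from auth.log or journal output and flags the ones that match the addresses listed above, including the 2001:da8:8000:6300::/64 range. The range is matched as a textual prefix, which is exact for the canonical form sshd logs; normalise addresses first if the logs come from elsewhere. The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not EGI CSIRT tooling): hunt sshd logins from the IoC
# addresses in the advisory. Sample log lines below are constructed.

# Addresses from the IoC tables (victims used as SSH sources, Tor hosts,
# CSTNET hosts). The Tor host list is a snapshot and goes stale quickly.
IOC_ADDRS="91.196.70.109 149.156.26.227 149.156.26.56 142.150.255.49
159.226.234.29 159.226.161.107 202.120.32.231 202.120.58.243 202.120.58.244
51.77.135.89 51.15.177.65 51.75.52.118 51.75.144.43 51.79.53.139 51.79.86.181
212.83.166.62
2001:da8:8000:6300:199:433c:16c7:c668 2001:da8:8000:6300:1c22:6545:295d:f55c
2001:da8:8000:6300:1cc4:148e:4368:1d2c 2001:da8:8000:6300:6c46:cb5b:f478:185e
2001:da8:8000:6300:7925:5377:34a8:e4b3 2001:da8:8000:6300:8c84:868e:9c5d:3322"
# 2001:da8:8000:6300::/64: all four leading hextets are non-zero, so every
# canonical rendering of an address inside it starts with this string.
IOC_PREFIX="2001:da8:8000:6300:"

# stdin: auth.log or journal lines. Prints "ip<TAB>user<TAB>Accepted|Failed"
# for every sshd authentication line (Accepted publickey/password, Failed password).
ssh_login_sources() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted" || $i == "Failed") res = $i
            if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
        }
        print ip "\t" user "\t" res
    }'
}

# stdin: lines from ssh_login_sources. Keeps those whose source address is
# either an exact IoC or inside the IoC /64.
match_iocs() {
    awk -v list="$IOC_ADDRS" -v prefix="$IOC_PREFIX" '
        BEGIN { n = split(list, a); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($1 in bad) || index($1, prefix) == 1'
}

hunt_ssh_iocs() { ssh_login_sources | match_iocs; }

# Constructed sample: two clean logins, two from listed IPv4 addresses, one
# from inside the listed /64, one from an unrelated IPv6 address.
SAMPLE_AUTH_LOG='May 11 02:14:07 node07 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
May 11 02:16:40 node07 sshd[2290]: Accepted password for jdoe from 149.156.26.227 port 40112 ssh2
May 11 02:17:02 node07 sshd[2301]: Failed password for root from 51.77.135.89 port 53310 ssh2
May 11 02:19:55 node07 sshd[2340]: Accepted publickey for bob from 2001:da8:8000:6300::1a port 44220 ssh2
May 11 02:20:12 node07 sshd[2351]: Accepted publickey for carol from 2001:db8::1 port 44221 ssh2'

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_AUTH_LOG" | hunt_ssh_iocs ;;
    "") ;;                          # sourced or run without arguments: define functions only
    *) cat "$@" | hunt_ssh_iocs ;;  # one or more log files
esac
```

Run it as `sh hunt.sh /var/log/auth.log*` or pipe `journalctl -u ssh` into `hunt_ssh_iocs` after sourcing it; `--sample` shows the expected output on the constructed lines. A successful login from one of these addresses is a stronger signal than a failure, but failures still show which hosts the attacker is trying from.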