- In a possibly concerted string of attacks, malicious crypto miners target academic data centers across China, Europe, and North America, disrupting COVID-19 research.
- EGI Computer Security Incident Response Team believes that the attacker moves from one victim to another using compromised SSH credentials, with intentions to mine Monero.
- The targeted hosts are infected with malware and are altered to serve as:
- XMR mining hosts (by running a hidden XMR binary)
- XMR-proxy hosts; The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
- SOCKS proxy hosts (running a microSOCKS instance on a high port) ; The attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
- Tunnel hosts (SSH tunneling) ; The attacker connects via SSH (compromised account) and configure NAT PREROUTING (typically to access private IP spaces).