+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

OpenSSH Cryptomining Attacks on Linux and IoTs

Internet-facing Linux-based systems and Internet of Things (IoT) devices are being targeted in a recent attack that uses a patched version of OpenSSH to take over the devices and install cryptomining malware. 

 

Cryptomining involves the solving of complex mathematical problems to verify the payments carried out in cryptocurrency transactions, and creating new cryptocurrency tokens that are added to the blockchain. The process is competitive, as well as incredibly computing-power-intensive. Although cryptomining can be profitable, it does need a high investment first of both computing power, time and electricity. Because of this, cyber criminals find it more profitable to perform cryptojacking attacks, where cryptomining malware is installed on victim computers and cloud environments in order to hijack the system and use the processing power for cryptomining purposes. Cryptojacking has become a criminal industry recently, with attack tools, infrastructure, and other services being offered by cyber criminals for sale and as malware-as-a-service. A 2021 study by Google’s Cybersecurity Action Team found 86% of the compromised Cloud instances they detected were due to unauthorised cryptomining being performed. Researchers at Palo Alto Network’s Unit 42 have also found that cryptojacking is the most commonly seen attack against unsecured Kubernetes clusters.  

 

But cloud systems are not the only targets for cryptojackers, as Microsoft have recently discovered an attack that uses custom and open-source tools to target internet-facing Linux and IoT devices. This attack uses an OpenSSH trojan to install the cryptomining malware. This attack begins when the threat actors attempt to brute force credentials on internet-facing Linux devices that have not been correctly configured. This will lead to the threat actors successfully compromising a target, where they then disable shell history. A compromised OpenSSH archive named openssh-8.0p1.tgz is retrieved from a remote server, which contains OpenSSH source code as well as malicious files that are utilised in later stages of the attack including the shell script inst.sh, backdoor binaries for various architectures, and archive with the shell script vars.sh, which contains embedded files for the backdoor operation. Once this payload is installed, the shell script inst.sh runs a binary that matches the architecture of the device. This is an open-source backdoor which provides access for the attackers to deploy additional malware and tools onto the compromised device without needing to brute force credentials again. Two public keys are appended to the authorized_keys configuration files for all users to maintain this persistent SSH access.  

 

After the backdoor is running, the shell script tests the environment using access to /proc as evidence the device is not a honeypot. If the device is suspected to be a honeypot it exits, otherwise device information is gathered such as operating system, network configuration, and other accessible data including the contents of /etc/passwd and /etc/shadow. This information is then exfiltrated via email to a hardcoded email address included within the script. The backdoor then downloads, compiles, and installs two root kits called Diamorphine and Reptile. The Reptile rootkit is configured to communicate with a command and control (C2) server that the threat actors control, previously belonging to a Southeast Asian financial institution. This connection is established on port 4444. The child processes, files, and content are then hidden by this rootkit. The Diamorphine rootkit is also thought to be used to hide processes.  

 

As well as hiding processes, the backdoor performs further obfuscation by removing records from system logs, nginx, httpd, and Apache that contain incriminating information specified in the script, such as the IP or username. Another open-source tool is then used, called logtamper, to clear utmp and wtmp logs to remove further information about system events as well as user sign-in session data. Other competition for cryptomining is then cleared from the device by the backdoor, by adding iptables rules to stop and prevent communication with hosts and IPs and configuring /etc/hosts to resolve hosts to the localhost address. Cryptomining processes are identified by their names and then terminated, or have their access blocked, which is also true for any access established in authorized_keys through SHH configuration. This process to remove competition is important for the threat actors to monopolise the resources of the devices they compromise. 

 

A Linux functionality called patch is then exploited by the backdoor to apply the patch file ss.patch, one of the files embedded in vars.sh, to the OpenSSH source code. This alternate version of OpenSSH is then installed on the device, which allows for the threat actor to gain persistent access to the device and the SSH credentials handled by the device. In the applied patches are hooks which are installed to intercept passwords and keys for SSH connections, that are then stored in an encrypted file on the disk. The patches also enable a root login over SSH that can be used to further conceal the attack by suppressing the logging of specific SSH sessions performed by the threat actor, identified by a special password. Patches could also be used to provide access to other devices for threat actors to take over end compromise. The use of this alternate version of OpenSSH to apply these malicious patches can make detection harder, as it mimics the behaviour and appearance of a legitimate OpenSSH server. 

 

Another payload embedded in vars.sh is a modified version of ZiggyStarTux, an open-source internet relay chat (IRC) bot using Kaiten-based malware. The purpose of this payload is to establish a botnet of compromised devices that can be used to execute bash commands sent from the C2 server, and performing distributed denial of service (DDoS) capabilities. To establish ZiggyStarTux persistence, the backdoor first copies the ZiggyStarTux binary to multiple disk locations, then sets up cron jobs run at regular intervals to invoke it. The backdoor then runs a bash script that configures the service file etc/systemd/system/network-check.service and registers ZiggyStarTux as a systemd service.  

 

Researchers at Microsoft analysed ZiggyStarTux and found that logging-related strings had been stripped from the binary by the threat actors. An additional function was also found, which writes the process IDs for the bots to /var/run/sys_checker.pid. This allows the backdoor to read the /var/run/sys_checker.pid file and to hide the process IDs using the Diamorphine and Reptile rootkits. ZiggyStarTux bots communicate with the C2 via the IRC server, and they connect to this by joining a hidden password protected channel called ##..##. Bash commands are sent from this server that contain instructions for the bots to download and run two shell scripts, lscan and zaz. This first of these scripts, lscan, retrieves an archive of scripts called ssh.tgz which scans the IPs in the subnet for SSH access using a list of passwords. Each connection attempt is recorded by the script in a log file. Zaz then fetches the OpenSSH package with the backdoor from the server using the exfiltration email address for instillation. This script also retrieves the hive-start.tgz archive, containing the cryptomining malware designed for a Linux-based open source system Hiveon OS which is made for cryptomining. 

 

The best defence against these sorts of attacks is to protect and harden your internet-facing devices so that the threat actors are not able to obtain access in the first place. Keeping software up to date also helps with this, as well as setting up secure configurations for devices in the first place, including changing default usernames and passwords. Using least-privileged access for all accounts, restricting remote access, and using a secure VPN to connect to internet-facing and IoT devices can also improve the security of your network. Users who are unsure if they have been compromised can use the indicators of compromise found by Microsoft and included in their blog post to determine the security of their systems. 

 

Many users and administrators can forget the access that using IoT devices provides to your network, and the processing power they have themselves. This can cause IoT devices to remain unsecured and unpatched for a lot longer than any other devices on your network. However, these devices can be used by criminals to access other areas of your network, or to perform intensive processes on your dime. IoT devices should therefore be protected by antivirus, and other security detection and response systems, including integration into your SIEM systems, to help harden them against attacks and by installing them in isolated network segments without access to your core network.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top