As cryptocurrencies like Bitcoin exploded in popularity, a huge increase in coinminer malware attacks followed. In 2019, over US$4.5 billion worth of cryptocurrency “went missing” due to theft and fraud. Avira Protection Labs observed a 53% increase in coinmining attacks from the third to fourth quarter of 2020.
Cybercriminals use executable files, browser-based cryptocurrency miners, and advanced fileless miners and malware to exploit common, but critical, vulnerabilities in frameworks and platforms such as Jenkins, Apache Struts, Drupal, and misconfigured Docker APIs, or exploiting common cloud misconfigurations. Threat actors also leverage the anonymity-centric features of the Monero (XMR) cryptocurrency to target cloud resources with mining botnets.
In this blog, we demonstrate how Trend Micro Vision One™ and Trend Micro Cloud One™ can safeguard against cryptomining exploit attempts where we observed:
- Exploitation of critical vulnerabilities (Apache Struts2 Remote Code Execution CVE-2017-5638 and CVE-2018-11776, Drupal Remote Code Execution CVE-2018-7600)
- Use of JSP Web-shells for Persistence.
- Noisy bruteforce attempts on exposed secure shell (SSH) service.
- Download and execution of foreign executable and linkable format (ELF) binaries and bash scripts (network scanners, trojanized XMRig)
- Enumeration and exploitation of Amazon Web Services (AWS) like Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), and Instance Metadata Service (IMDS).
Attack Description:
In this attack, there are two Amazon EC2 Instances involved:
Instance Name | Vulnerable Framework | Vulnerable to | Publicly Exposed Ports |
Apache EC2 | Apache Struts 2.3.12 Showcase | CVE-2017-5638, CVE-2018-11776 | 22 and 8080 |
Drupal EC2 | Drupal 8.4.2 | CVE-2018-7600 | 22 and 80 |
Let’s go through how the attack unfolded.
Initially, the attacker tries to brute force the SSH service on the Amazon EC2 instances exposed to the public (which has password-based authentication enabled). They unsuccessfully attempt to exploit CVE-2018-11776 (Apache Struts OGNL Expression Remote Command Execution Vulnerability).
Later, they gain an initial foothold into the Apache Amazon EC2 instance by exploiting a well-known vulnerability in the Apache Struts Framework (CVE-2017-5638) using a public proof of concept (POC), which enables them to execute commands on the compromised host remotely. They attempt to enumerate the running processes and current user, obtain the current working directory and view the /etc/passwd file. Then, they proceed to deploy a JSP webshell, for later persistence.
Through the deployed webshell, the attacker can:
- View environment variables
- Browse through the directories using a file manager
- Search for files on the compromised host
- Execute commands and get the output
- Connect to MySQL database (if there is any) on the compromised host or any other host
- Capture the desktop graphical user interface (GUI), if there is one.
To start, they list out the details of the instances in that region by performing the DescribeInstances API call using the AWS Command Line Interface (CLI). Later, they download a pre-compiled ELF file, and we see it scanning the subnet for the default ports for Apache Tomcat Manager, Redis, Apache CouchDB™, and Docker Engine API (a RESTful API). They discover another Drupal Amazon EC2 instance with port 80 open for public access.
Equipped with the relevant information, the attackers fetch the AWS Identity and Access Management (IAM) role credentials associated with the Apache Amazon EC2 instance by querying the AWS IMDS and try enumerating the permissions in a very intrusive and noisy manner, which we confirmed from the unusual AWS CloudTrail logs.
On the compromised instance itself, they immediately enumerate and download the contents of the Amazon S3 buckets.
On the newly discovered host, they execute a brute force attack on the SSH and later, they identify that this instance is running Drupal CMS 8.4.2 in the default configuration on the HTTP port 80. They successfully exploit CVE-2018-7600 and launch a remote code execution attack using a public POC. Next, the attackers upload a hypertext preprocessor (PHP) backdoor into the web root.
Using this backdoor, the attackers download the Apache Struts™ Exploit into the world-writable directory (/tmp) and attempt reading the Unix shadow file by exploiting the Struts vulnerability (CVE-2017-5638) on the same machine they gained initial access from. Upon the unsuccessful attempt, they move to deploying the XMRig coinminer on both the machines.
Lastly, to cover their tracks, the attacker shuts down the Amazon EC2 instances.
Trend Micro Cloud One Correlations
Trend Micro Cloud One is a platform comprised of 7 security solutions purpose-built for cloud builders. For the first set of detections, we used Trend Micro Cloud One™ – Workload Security, which provides automated security via powerful APIs. Workload Security uses advanced security controls such as intrusion prevention system (IPS), deep packet inspection (DPI), and integrity monitoring to protect against coinminer attacks. The following detection rules safeguard the vulnerable instances against the reported CVEs:
Workload Security
IPS detections:
- 1005934 - Identified Suspicious Command Injection Attack
- 1006823 - Identified Suspicious Command Injection Attack – 1
- 1005604 - Apache Struts Multiple Remote Command Execution Vulnerability
- 1008207 - Apache Struts2 Remote Code Execution Vulnerability (CVE-2017-5638)
- 1009265 - Apache Struts OGNL Expression Remote Command Execution Vulnerability (CVE-2018-11776)
- 1008970 - Drupal Core Remote Code Execution Vulnerability (CVE-2018-7600)
Integrity monitoring detections:
- Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)
Log inspection detections:
- 1002828 - Application - Secure Shell Daemon (SSHD)
- 1002792 - Default Rules Configuration
Trend Micro Cloud One™ – Network Security
The following set of detections were found with Network Security. This solution provides defense in depth by inspecting ingress and egress traffic and providing virtual patching as well as post-compromise detection and disruption.
- 29068: HTTP: Apache Struts 2 Struts 1 Plugin Remote Code Execution Vulnerability
- 27410: HTTP: Apache Struts Multipart Encoding Command Injection Vulnerability
- 32892: HTTP: OGNL Entity Usage in an HTTP URI
- 31031: HTTP: Drupal Core Multiple Subsystems Input Validation Vulnerability
Trend Micro Vision One Correlation:
Lastly, we used the Trend Micro Vision One for further insight. This cyber defense hub uses XDR capabilities to collect and correlate data across email, endpoints, servers, cloud workloads, and networks, for total visibility into your infrastructure. With the Trend Micro Vision One Workbench, we can easily see what threats were detected, attack techniques used, and a prioritized list of risky devices and users. Let’s take a deeper look:
Workbench Triggers with Root Cause Analysis (RCA):
Here we see that the attacker gained a foothold by exploiting a vulnerability in the Apache Struts Framework and tried to access the /etc/shadow file. In this case, the attacker’s machine IP address is 65.0.249.128. Under the highlights, you can see the command cat /etc/shadow executed. This attempt is unsuccessful since the command is run in the context of tomcat user.
The attacker initially fetches the IAM role credentials from the IMDS. They try listing out the Amazon S3 buckets by running aws s3 ls and successfully download the contents onto the compromised host itself.
The trigger showcases the commands run by the attacker once the Drupal Vulnerability was exploited. Here we can see the execution context is of the user apache. The attacker enumerates the instances in this region by performing the Describe-Instances API call and later proceeds to shut down one of the Amazon EC2 instances.
Next, we determine that a pre-complied nmap binary is run from the /tmp directory. The command line tells us that the internal subnet 10.10.10.0/24 was scanned for the ports 80 (Drupal) ,8080 (Tomcat), 6379 (Redis), 2375 (Docker API), and 5984 (CouchDB). The interesting part about this workbench trigger is that the bash script aws_creds.sh was downloaded and run to fetch the IAM role credentials assumed by the Amazon EC2 instance.
Root-Cause Analysis (RCA)
To summarize our findings, we conduct an RCA leveraging the MITRE ATT&CK V9 Matrix. This helps us assess how effective Trend Micro Cloud One and Trend Micro Vision One are in detecting and responding to coinminer attacks.
MITRE ATT&CK V9 Matrix –
Indicators of compromise (IoCs):
Below is a list of the IoCs
95d751d4b380d3ca39d4db3950092ff4ec79ee35 | HTML_JSPSHELL-B |
7e5a5c420e6409fc43b79ef6590bb86472c951cc | Trojan.SH.DLOADR.AM |
63cfb894e7b8bd87cba43ae275525e9592f55cb2 | Trojan.SH.SKIDMAP.UWEKA |
5988fd6085f998ab61b0324b17dacd655dd1c686 | Trojan.SH.SCANDLOD.A |
93b1b0fb372bf4997c5572d7a90ef5e4ad18c206 | Trojan.SH.MASSCANER.A |
e44fde3327f0cab59745cdc9e7fdda4f2c46cf13 | Coinminer.SH.XMRMINER.A |
1bf6b644228a468e6f90643d7a5efdd447dd169d | Coinminer.SH.XMRMINER.A |
b83f1addf59f0eeaa81602c0622fe4ffa5926c8a | Coinminer.SH.XMRMINER.A |
28e8e43bfedc80242c1998594e0fa341a4000f52 | Backdoor.Linux.DOKI.A |
a3cdc44add07da4b215ab8e53ec9f70faadf7a6f | Trojan.Linux.SKIDMAP.UWEKC |
621c222680c292bf14bc3add8adc7e7d22562fca | Coinminer.Linux.MALXMR.UWEKM |
6a1001a0c612c2fe1f663ffaa6397ab4a058e4ca | Coinminer.Linux.MALXMR.PUWELV |
115.62.242.91:8080 | Malware Accomplice |
185.36.81.52 | Malware Accomplice |
45.130.138.108 | Malware Accomplice |
205.185.125.54 | Malware Accomplice |
141.98.80.29 | Malware Accomplice |
167.172.182.188 | Malware Accomplice |
157.230.236.60 | Malware Accomplice |
161.35.217.30 | Malware Accomplice |
1.36.103.73 | Malware Accomplice |
74.70.121.142 | Malware Accomplice |
104.152.56.126 | Malware Accomplice |
209.141.55.46 | Malware Accomplice |
219.78.122.179 | Malware Accomplice |
141.98.80.71 | Malware Accomplice |
180.246.151.240 | Malware Accomplice |
85.105.230.22 | Malware Accomplice |
205.185.126.143 | Malware Accomplice |
209.141.43.49 | Malware Accomplice |
111.229.109.26 | Malware Accomplice |
117.217.122.71 | Malware Accomplice |
76.11.31.208 | Malware Accomplice |
Conclusions
There’s no such thing as being 100% secure, but the goal is to get as close to perfection as possible. Using solutions like Trend Micro Cloud One and Trend Micro Vision One that are easy to deploy and provide security from the moment code is committed to the repository, helps organizations shift security left. By moving security to the forefront of your build process, you avoid scrambling for patches after deployment and keep SecOps teams pleased, all without slowing you down.
Get started with a free 30-day trial for Trend Micro Cloud One.
*Coming soon* Trend Micro Vision One Test Drive.