Security Weekly 30: Attackers Turn Linux and Windows Servers into Crypto-Mining Mules; Scientists at the University of California Decide to Benefit Society by Creating the Tripwire Utility.
On the web, a gold-mining epidemic is raging: unknown attackers are using compromised Linux and Windows servers to farm mules (more precisely, to run the Mule crypto miner) that dig out Monero. The campaign is thought out to the last detail and aggressive, like a zerg rush, and has been named Zealot after one of the malicious files it downloads (other telling names also appear in the code and file names: how do you like Observer or Overlord?). Little is known about the organizers: firstly, they are obviously StarCraft fans, and secondly, they are also clearly professionals at their trade.
- The campaign is complex, multi-stage and multi-component: first, the attackers scan the Internet for servers with an unpatched vulnerability in Apache Struts or in the DotNetNuke (DNN) web content management system.
Having penetrated a server through one of these holes, the malware spreads through the local network using the exploits leaked by the Shadow Brokers in the spring: the notorious EternalBlue and its little-known younger brother EternalSynergy are both in use. On Windows, a PowerShell script is then downloaded, which in turn downloads the Monero miner. On Linux, Python scripts do the same job.
- So far, only one wallet has been tracked; at the time it held bitcoins worth about $8,500. The amount is rather modest, but the hackers' real revenue is probably much larger. Besides, it is not over yet.
Characteristically, all the exploited vulnerabilities and exploits have long been public and patched. So, just in case, a reminder: an old rake hits you just as hard as a new one, and updates are a useful and charitable thing.
Scientists at the University of California Decided to Benefit Society By Creating a Utility Tripwire
Scientists from the University of California decided to benefit society with a utility that tests how responsibly sites approach the protection of their users. They called it Tripwire.
- The utility's mechanism is simple but elegant: you register a new mailbox, and then an account on some site, using the same password as for the mailbox. Tripwire then monitors the mailbox. If someone logs into it, there has been a data leak at the site where the matching account was registered. Roughly speaking, the breach detector is built on a typical user blunder: password reuse.
Tripwire can also expose sites that use weak hashing or even have the bad habit of storing passwords in plain text. To do this, several accounts are created on the resource: half with a weak password, half with a strong one. If only the weak passwords leak, the protection is reasonably reliable, and the attackers had to brute-force them. But if both the weak and the strong ones leak, things on the site are completely bad.
- The researchers themselves put a number of sites to the "tripwire" test, and for the purity of the experiment decided to rule out a compromise of the mail server itself. To this end, they created several hundred control addresses that were not tied to anything. Since no stranger touched those, it was the sites under test that were to blame.
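The verdict step of the methodology described above, written as an added illustration (this is not the researchers' Tripwire code): honey mailboxes with weak and strong passwords per site, plus untouched control mailboxes; all mailbox names and the observed logins are constructed.

```python
"""Tripwire-style verdict logic, added as an illustration (not the University
of California researchers' code). Every mailbox name is constructed; a real
deployment would feed in the mail provider's login records as ACCESSED."""
from dataclasses import dataclass

@dataclass
class SiteProbe:
    site: str
    weak: set    # honey mailboxes whose site account used a weak password
    strong: set  # honey mailboxes whose site account used a strong password

def classify(probe, accessed, controls):
    """Attribute unexpected mailbox logins for one site, or refuse to.

    controls: mailboxes registered nowhere. A login on one of them means the
    mail side (provider or monitoring) is compromised, so logins on the
    honey mailboxes cannot be blamed on the site.
    """
    if accessed & controls:
        return "inconclusive: control mailbox accessed"
    if accessed & probe.strong:
        # Strong passwords do not fall to brute force quickly: the site kept
        # them in plain text or in a reversible / weakly hashed form.
        return "breach: passwords stored recoverably"
    if accessed & probe.weak:
        # Only weak passwords leaked: hashes were stolen and cracked.
        return "breach: passwords hashed, weak ones cracked"
    return "no evidence of compromise"

# Constructed probes: half weak, half strong passwords per site.
PROBES = [
    SiteProbe("site-a.test", {"a-w1@mail.test", "a-w2@mail.test"},
              {"a-s1@mail.test", "a-s2@mail.test"}),
    SiteProbe("site-b.test", {"b-w1@mail.test", "b-w2@mail.test"},
              {"b-s1@mail.test", "b-s2@mail.test"}),
    SiteProbe("site-c.test", {"c-w1@mail.test"}, {"c-s1@mail.test"}),
]
CONTROLS = {"ctl-1@mail.test", "ctl-2@mail.test"}
# Constructed observation: mailboxes the provider saw strangers log into.
ACCESSED = {"a-w1@mail.test", "a-w2@mail.test", "b-w1@mail.test", "b-s2@mail.test"}

def run(probes=PROBES, accessed=ACCESSED, controls=CONTROLS):
    """Map each probed site to its verdict."""
    return {p.site: classify(p, accessed, controls) for p in probes}

if __name__ == "__main__":
    for site, verdict in run().items():
        print(f"{site}: {verdict}")
```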
The trial run gave almost too successful results: of 2,300 sites, leaks were detected at 19, and one of them has as many as 45 million accounts (about as many users as Odnoklassniki, and only slightly fewer than Reddit). Naturally, the Californian researchers wrote to all the owners of the leaky sites. Strangely enough, they got no answer.
Alas, the authors of the utility cannot disclose which sites proved unreliable: no one consented to participate in the experiment, and its results are fraught with lawsuits, not only for the sites but for the inspectors themselves. However, those who wish can read the research paper they have written, or download the code from the repository on GitHub.
Rescuing the drowning is not a job for the drowning themselves
Only last week we saw off The Janit0r, but his place has not stayed empty: another justice fighter has appeared in the news, though apparently less experienced and not operating on such a scale.
- We heard about him in connection with the "de-mining" of the WiFiFamily blog, a WordPress site promoting Netgear's products that has been running since 2015. For some reason, access to its HTML resources was open to all comers, although by default these settings in WordPress are disabled. As a result, almost from the moment of its creation, attackers used the site for their own purposes: redirecting visitors to porn sites, phishing sites, fake technical support sites and other bad places. In addition, spam posts appeared on the blog under the names of the administrator and registered users.
A security researcher going by the name Derek came across this hornet's nest by accident, was outraged that a technology company could leave such a blatant hole unpatched for two years, and reported it on his blog. Almost immediately afterwards, an unknown vigilante contacted him and said that he had found a PHP shell, guessed its simple password (root) and deleted the entire uploads folder, including the malicious files. The threat disappeared for a while, and with it all the evidence against the intruders.
The researcher reminded the unknown enthusiast that, from the point of view of the law, he had done more harm than the unknown hackers: at least they had not broken anything or deleted any content, they had only uploaded new files. In the current reality, the only legitimate way to deal with malicious resources is to write to their owners and hope that they will fix something. Preferably sooner than in two years.
By the way, Netgear replied that the site does not belong to them: they only sponsored it, and development and support are handled by completely different people. Nevertheless, the resource was promptly taken down, and no claims were made against the hacker; we might say that this time everyone got lucky.