A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Intelligence Bulletin – When Cryptomining Attacks Breadcrumb Home Insights Blog Intelligence Bulletin – When Cryptomining Attacks February 07, 2018 Intelligence Bulletin – When Cryptomining Attacks Optiv has seen a continuation of attacks based off the usage of CryptoNight miner, in this case likely mining Monero cryptocurrency for the attackers. The attacks are focusing on Linux hosts that are running unpatched versions of Apache, JBoss and WebLogic. Attackers are exploiting Remote Code Execution exploits specific to the services in order to infect hosts with the mining malware. Infected hosts are configured to add a cronjob for download of the minerd ELF 64-bit executable and various configuration files for mining to the attacker’s wallet. Using this technique, the attacker can dynamically change the address and executables to avoid detection, or to migrate an attack upon detection. Once downloaded, hosts are queried for available resources and workers are started based off CPU cores available. Recently, we have noticed that care has been taken to limit the resources used on the infected host in order to avoid detection. In a recent case, threads were only started on half of the available cores in order to not signal unusually high utilization on the machines. Also of note, the bash scripts utilized by the attackers are being disguised as typically non-executable files in order to avoid network detection when downloaded. In order limit exposure to these threats we recommend that systems utilizing vulnerable services are patched in order to avoid the initial foothold. Additionally, file integrity monitoring and or HIDS should be reporting on crontab entries and modifications. Optiv’s gTIC assesses with HIGH confidence that malicious actors will continue to utilize cryptomining malware in order to financially benefit. Additionally, we assess with HIGH confidence that malicious actors that are financially motivated will focus on targets of opportunity and are potentially utilizing tools such as Shodan to uncover vulnerable systems. Intelligence Gaps: How will financially motivated actors continue to change TTPs for continued use of cryptomining malware? Is this an organized campaign to utilize cryptomining malware? How are malicious actors determining their targets? A list of network IOCs for the miner binaries can be found below. Hashes 7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c 9359f7e7b1dd0f4ce4a2c52fe611c981a3dd7a17f935862e3ce9acb5f2df8ced f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911 d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d bcf306bf3c905567ac1a5012be94fe642cac6116192cea6486730341b32b38a4 0c5e960ca2a37cf383a7457bcc82e66d5b94164b12dfca1f21501211d9aca3c9 b3aba7582de82a0229b4d4caf73bc50cc18eb98109a0e251447dfb47afabc597 0dc34402be603f563bfb25e7c476a0b4 6455ffef458df6d24dd4df37f3d6df73 9eadc40299864089e8a0959d04b02b39 e1df71c38cea61397e713d6e580e9051 deeb65dbf4ac5d1d0db6ac4467282f62049a3620 777af085e72a4a19b6971f24c1167989335af508 4f41da624726daf16e1c0034e8a6a99c790be61e 9be68990dd7b071b192b89b0e384f290cce2b2db 0b2bd245ce62787101bc56b1eeda9f74e0f87b72781c8f50a1eff185a2a98391 182812097daabfc3fe52dd485bb0a0f566ddf47f23b9d9f72c2df01a1a4faf84 43f78c1c1b078f29fd5eb75759aa7b1459aa3f1679bbaabc1e67c362620650fb 370109b73fa9dceea9e2b34b466d0d2560025efcc78616387d84732cbe82b6bd 36524172afa85a131bf0075c7ff20dcbfb8a94c4e981300fb33ef56ed912678c 348c7dd59ea1b4e88585863dd788621f1101202d32df67eb0015761d25946420 198e090e86863fb5015e380dc159c5634cc2a598e93b20dd9695e1649bb062ad d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911 3b83c25a00b3820b28941d4be1583af8ed22ca20a8270c318d02e4918d7b3070 IPs 104[.]25[.]208[.]15 94[.]130[.]143[.]162 72[.]11[.]140[.]178 88[.]99[.]142[.]163 78[.]46[.]91[.]134 104[.]25[.]209[.]15 136[.]243[.]102[.]154 136[.]243[.]102[.]167 148[.]251[.]133[.]246 104[.]223[.]37[.]150 208[.]92[.]90[.]51 45[.]77[.]106[.]29 181[.]214[.]87[.]240 181[.]214[.]87[.]241 Domains hxxp://27[.]148[.]157[.]89:8899/1[.]exe hxxp://221[.]229[.]204[.]177:8888 hxxp://27[.]148[.]157[.]89:8899/xmrig hxxp://72[.]11[.]140[.]178/?info=l30 hxxp://72[.]11[.]140[.]178/files/ hxxp://72[.]11[.]140[.]178/?info=l69 hxxp://72[.]11[.]140[.]178/files/w/default hxxp://27[.]148[.]157[.]89:8899/xmr64[.]exe hxxp://72[.]11[.]140[.]178/?info=w0 hxxp://27[.]148[.]157[.]89:8899/1[.]sh hxxp://72[.]11[.]140[.]178/files/w/default/auto-upgrade[.]exe hxxp://72[.]11[.]140[.]178/files/w/default?info=w0 hxxp://www[.]luoxkexp[.]com:8520/php[.]exe hxxp://72[.]11[.]140[.]178/auto-upgrade hxxp://luoxkexp[.]com:8888/samba[.]exe hxxp://27[.]148[.]157[.]89:8899/xmr86[.]exe hxxp://27[.]148[.]157[.]89:8899/fuckpig[.]jar hxxp://www[.]luoxkexp[.]com:8520/ hxxp://72[.]11[.]140[.]178/?info=w9 hxxp://72[.]11[.]140[.]178/files/w/default?info=w9 hxxp://luoxkexp[.]com:8888/xmr64[.]exe hxxp://luoxkexp[.]com/xmr64[.]exe hxxp://27[.]148[.]157[.]89:8899/112[.]exe hxxp://72[.]11[.]140[.]178/files hxxp://27[.]148[.]157[.]89:8899/jiba hxxp://luoxkexp[.]com hxxp://72[.]11[.]140[.]178/files/w/others hxxp://72[.]11[.]140[.]178/setup-watch hxxp://72[.]11[.]140[.]178/wls-wsat/CoordinatorPortType hxxp://72[.]11[.]140[.]178/?info=l60 hxxp://72[.]11[.]140[.]178/files/l/default hxxp://luoxkexp[.]com:8888/xmr86[.]exe hxxp://luoxkexp[.]com:8899/xmr64[.]exe hxxp://72[.]11[.]140[.]178/files/l/others hxxp://luoxkexp[.]com:8899/1[.]exe hxxp://letoscribe[.]ru/includes/libraries/files[.]tar[.]gz hxxp://letoscribe[.]ru/includes/libraries/getsetup[.]php?p=wl hxxp://45[.]77[.]106[.]29/selectv2[.]sh hxxp://45[.]77[.]106[.]29/sourplum hxxp://45[.]77[.]106[.]29/lowerv2[.]sh hxxp://45[.]77[.]106[.]29/rootv2[.]sh hxxp://181[.]214[.]87[.]240/res/logo[.]jp hxxp://5[.]188[.]87[.]12/langs/kworker_na hxxp://181[.]214[.]87[.]240/res/kworker[.]conf hxxp://letoscribe[.]ru/includes/libraries/notify[.]php?p=wl hxxp://104[.]223[.]37[.]150:8090 hxxp://k[.]zsw8[.]cc:8080 hxxp://i[.]zsw8[.]cc:8080 hxxp://pastebin[.]com/raw/rWjyEGDq hxxp://208[.]92[.]90[.]51 hxxp://208[.]92[.]90[.]51:443 minergate[.]com minexmr[.]com letoscribe[.]ru pool-proxy[.]com fee[.]xmrig[.]com nicehash[.]com data[.]rel[.]ro dkuug[.]dk i[.]zsw8[.]cc k[.]zsw8[.]cc pool[.]supportxmr[.]com pool[.]cortins[.]tk Sources Attackers using remote coding execution vulnerabilities to install cryptocurrency miners in vulnerable hosts. AusCERT. 2018. By: gTIC Share: Cryptomining/Cryptojacking Threat