Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Intelligence Bulletin – When Cryptomining Attacks
Optiv has seen a continuation of attacks based off the usage of CryptoNight miner, in this case likely mining Monero cryptocurrency for the attackers. The attacks are focusing on Linux hosts that are running unpatched versions of Apache, JBoss and WebLogic. Attackers are exploiting Remote Code Execution exploits specific to the services in order to infect hosts with the mining malware. Infected hosts are configured to add a cronjob for download of the minerd ELF 64-bit executable and various configuration files for mining to the attacker’s wallet. Using this technique, the attacker can dynamically change the address and executables to avoid detection, or to migrate an attack upon detection.
Once downloaded, hosts are queried for available resources and workers are started based off CPU cores available. Recently, we have noticed that care has been taken to limit the resources used on the infected host in order to avoid detection. In a recent case, threads were only started on half of the available cores in order to not signal unusually high utilization on the machines. Also of note, the bash scripts utilized by the attackers are being disguised as typically non-executable files in order to avoid network detection when downloaded.
In order limit exposure to these threats we recommend that systems utilizing vulnerable services are patched in order to avoid the initial foothold. Additionally, file integrity monitoring and or HIDS should be reporting on crontab entries and modifications.
Optiv’s gTIC assesses with HIGH confidence that malicious actors will continue to utilize cryptomining malware in order to financially benefit. Additionally, we assess with HIGH confidence that malicious actors that are financially motivated will focus on targets of opportunity and are potentially utilizing tools such as Shodan to uncover vulnerable systems.
A list of network IOCs for the miner binaries can be found below.
July 29, 2016
Learn how Optiv’s cyber threat intelligence solution helps clients improve their threat response approach.
Let us know what you need, and we will have an Optiv professional contact you shortly.