Vulnerabilities abound: hackers attack misconfigured servers to mine cryptocurrency

admin | 7 March 2024, 15:47:11 | 14 views | 4,612 characters | about 15 min read


Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

"The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts," Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.

"For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," Muir explained.

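The Docker foothold described above comes down to an exposed daemon accepting a container-create request that hands the container its host. The Python below is an added example, not code from Cado's report: it audits a raw POST /containers/create body for the generic, well-documented escape enablers (privileged mode, host PID or network namespace, bind mounts of sensitive host paths, added capabilities, disabled confinement). The page does not say which of these the campaign used, so the sensitive-path and capability lists and the two sample requests are assumptions.

```python
"""Audit a Docker Engine container-create request for host-escape enablers.

Added example; not code from the Cado report. The sample requests below are
constructed, and the path/capability lists are assumptions to tune locally.
"""
import json
import os

# Host paths whose bind-mount hands the container the host (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev", "/var/run/docker.sock")
# Capabilities that let a container reach host kernel or host processes (assumed list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}


def touches_sensitive_path(src: str) -> bool:
    """True if src is, is under, or is an ancestor of a sensitive host path."""
    src = os.path.normpath(src)
    if src == "/":
        return True
    for path in SENSITIVE_HOST_PATHS:
        if path == "/":
            continue
        if src == path or src.startswith(path + "/") or path.startswith(src + "/"):
            return True
    return False


def audit_container_spec(spec: dict) -> list[str]:
    """Return one finding per escape enabler present in a container-create body."""
    findings = []
    hc = spec.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("Privileged=true: all devices, all capabilities, no seccomp/LSM confinement")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host: host processes visible and ptrace-able")
    if hc.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: container shares the host network stack")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]  # "Binds" entries look like "/host/path:/ctr/path[:opts]"
        if touches_sensitive_path(src):
            findings.append(f"bind mount of sensitive host path {src}")
    for mount in hc.get("Mounts") or []:
        if mount.get("Type") == "bind" and touches_sensitive_path(mount.get("Source", "")):
            findings.append(f"bind mount of sensitive host path {mount['Source']}")
    caps = {c.upper().removeprefix("CAP_") for c in hc.get("CapAdd") or []}
    if caps & DANGEROUS_CAPS:
        findings.append("added capabilities: " + ", ".join(sorted(caps & DANGEROUS_CAPS)))
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("apparmor=unconfined", "seccomp=unconfined"):
            findings.append(f"confinement disabled: {opt}")
    return findings


def audit_request_body(body: str) -> list[str]:
    """Wrapper for a raw POST /containers/create JSON body as seen on the wire."""
    return audit_container_spec(json.loads(body))


# Constructed sample: the shape of an escape-oriented create request.
ESCAPE_REQUEST = json.dumps({
    "Image": "alpine",
    "HostConfig": {"Privileged": True, "PidMode": "host",
                   "Binds": ["/:/host"], "CapAdd": ["SYS_ADMIN"]},
})
# Constructed sample: an ordinary service container with a read-only data volume.
BENIGN_REQUEST = json.dumps({
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["/srv/app-data:/data:ro"],
                   "PortBindings": {"80/tcp": [{"HostPort": "8080"}]}},
})

if __name__ == "__main__":
    for name, body in (("escape", ESCAPE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, audit_request_body(body) or ["no findings"])
```

The same checks apply to a daemon's audit log or to a reverse proxy in front of the Docker API; the root fix remains not exposing the API socket on the network without TLS client authentication.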
The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

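libprocesshider and Diamorphine both work by filtering directory listings: the former is loaded through /etc/ld.so.preload and filters readdir() in user space, the latter filters getdents() in the kernel. In their commonly published forms neither blocks a direct stat() of /proc/<pid>, so a PID that exists but is missing from the listing is a strong indicator (the technique unhide relies on). The Python below is an added example, not code from Cado's report: it parses /etc/ld.so.preload and cross-checks the /proc listing against a per-PID probe. The trusted-prefix list and the sample data are constructed assumptions; the live scan needs Linux.

```python
"""Find processes hidden from readdir()/getdents() and check /etc/ld.so.preload.

Added example; not from the Cado report. Sample data is constructed and the
trusted-prefix list is an assumption to adjust for the distribution in use.
"""
import os
import re

# Directories a legitimate preload library would normally live in (assumption).
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_preload(text: str) -> list[str]:
    """Entries of /etc/ld.so.preload: whitespace- or colon-separated, '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def suspicious_preload_entries(entries: list[str]) -> list[str]:
    """Flag preload libraries outside trusted prefixes or with hider-like names."""
    return [e for e in entries
            if not e.startswith(TRUSTED_LIB_PREFIXES)
            or re.search(r"hide|hider|diamorphine", os.path.basename(e), re.I)]


def hidden_pids(listed, probed) -> list[int]:
    """PIDs that answered the probe but were absent from the directory listing."""
    return sorted(set(probed) - set(listed))


def list_proc_pids(proc="/proc") -> set[int]:
    """PIDs as returned by readdir(), the call both rootkits tamper with."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probe_proc_pids(proc="/proc") -> set[int]:
    """PIDs for which stat(/proc/<pid>) succeeds, tried one by one up to pid_max."""
    with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
        pid_max = int(fh.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
            found.add(pid)
        except FileNotFoundError:
            pass
    return found


def scan_proc(proc="/proc") -> list[int]:
    """Live check; re-verify candidates so processes that exited or started mid-scan drop out."""
    candidates = hidden_pids(list_proc_pids(proc), probe_proc_pids(proc))
    still_listed = list_proc_pids(proc)
    return [pid for pid in candidates
            if pid not in still_listed and os.path.isdir(os.path.join(proc, str(pid)))]


# Constructed sample data: a preload file pointing at a process hider, and a
# listing/probe pair in which one PID is missing from the listing.
SAMPLE_PRELOAD = "# added by installer\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_LISTED = [1, 2, 412, 900]
SAMPLE_PROBED = [1, 2, 412, 900, 1337]

if __name__ == "__main__":
    print("suspicious preload:", suspicious_preload_entries(parse_ld_preload(SAMPLE_PRELOAD)))
    print("hidden in sample:", hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED))
    if os.path.isdir("/proc"):
        if os.path.exists("/etc/ld.so.preload"):
            with open("/etc/ld.so.preload") as fh:
                print("live preload:", suspicious_preload_entries(parse_ld_preload(fh.read())))
        print("hidden on this host:", scan_proc())
```

The probe walks every PID up to pid_max (often 32768, but up to 4194304 on some hosts), so the live scan can take a while; it needs no root, because stat() on /proc/<pid> is allowed for any user. A hit should be followed by pulling /proc/<pid>/exe, cmdline and maps directly by number, since tools that list processes through readdir() will not show it.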
"It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments," the company said.

The development comes as Uptycs revealed 8220 Gang's exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.

"By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access," security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

"Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected."

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.

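The evasion steps the Uptycs researchers describe (disabling security enforcement, changing firewall rules, removing cloud security services) show up in process-execution telemetry as a handful of recognisable commands. The Python below is an added example, not code from Uptycs or Cado: it parses auditd EXECVE records, including the hex-encoded arguments auditd emits for values containing spaces, unwraps sh -c wrappers, and applies one rule per behaviour. The rules encode common concrete forms of those behaviours rather than anything the page attributes to 8220 Gang; the service-name list and the sample records are constructed assumptions.

```python
"""Flag defence-evasion commands in auditd EXECVE records.

Added example; not from the Uptycs or Cado reports. The service list is an
assumption to extend with your cloud provider's agent unit names, and the
sample records are constructed.
"""
import re
import shlex
from os.path import basename

# a0="literal" for plain args; a1=6869... (hex) when the arg contains spaces etc.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
# Simple command separators inside an "sh -c" string.
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
# Assumed list of units whose stop/disable/mask is suspicious.
SECURITY_SERVICES = ("apparmor", "auditd", "firewalld", "falco")


def parse_execve(record: str):
    """argv from a type=EXECVE record, decoding hex-encoded arguments; None otherwise."""
    if "type=EXECVE" not in record:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(record):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def expand_shell_c(argv):
    """Yield argv itself and, for sh -c 'cmd1; cmd2', each inner command's argv."""
    yield argv
    if len(argv) >= 3 and basename(argv[0]) in ("sh", "bash", "dash") and argv[1] == "-c":
        for piece in SPLIT_RE.split(argv[2]):
            try:
                inner = shlex.split(piece)
            except ValueError:  # unbalanced quotes: leave that piece alone
                continue
            if inner:
                yield inner


def _selinux_disabled(argv):
    return (basename(argv[0]) == "setenforce" and len(argv) > 1
            and argv[1].lower() in ("0", "permissive"))


def _firewall_flushed(argv):
    cmd = basename(argv[0])
    if cmd in ("iptables", "ip6tables"):
        return "-F" in argv[1:] or "--flush" in argv[1:]
    if cmd == "ufw":
        return "disable" in argv[1:]
    if cmd == "nft":
        return argv[1:3] == ["flush", "ruleset"]
    return False


def _security_service_stopped(argv):
    if basename(argv[0]) != "systemctl" or len(argv) < 3:
        return False
    return argv[1] in ("stop", "disable", "mask") and any(
        unit.startswith(SECURITY_SERVICES) for unit in argv[2:])


RULES = {
    "selinux_disabled": _selinux_disabled,
    "firewall_flushed": _firewall_flushed,
    "security_service_stopped": _security_service_stopped,
}


def detect(records):
    """Return (rule_name, argv) for every command in records that matches a rule."""
    hits = []
    for rec in records:
        argv = parse_execve(rec)
        if not argv:
            continue
        for cmd in expand_shell_c(argv):
            for name, rule in RULES.items():
                if rule(cmd):
                    hits.append((name, cmd))
    return hits


# Constructed sample records; a2 in the third one is "systemctl stop apparmor" hex-encoded.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1709800000.101:301): argc=2 a0="setenforce" a1="0"',
    'type=EXECVE msg=audit(1709800000.102:302): argc=2 a0="iptables" a1="-F"',
    'type=EXECVE msg=audit(1709800000.103:303): argc=3 a0="sh" a1="-c" '
    'a2=73797374656D63746C2073746F702061707061726D6F72',
    'type=EXECVE msg=audit(1709800000.104:304): argc=2 a0="ls" a1="-la"',
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_RECORDS):
        print(f"{name}: {' '.join(cmd)}")
```

Feeding this from ausearch output or an auditd forwarder works unchanged; the one thing worth keeping is the sh -c unwrapping, since miner droppers usually run their cleanup as a single shell string rather than as separate execs.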
It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

"With both mining and AI requiring access to large amounts of GPU processing power, there's a certain degree of transferability to their base hardware environments," HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

"With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems," it said. "Cloud and Linux infrastructure is now subject to a broader variety of attacks."

Originally published on the WeChat public account 知机安全 as "Vulnerabilities abound: hackers attack misconfigured servers to mine cryptocurrency".

Reposted by CN-SEC (中文网), which asks that the link be kept: http://cn-sec.com/archives/2554942.html