Security researchers have found a new hacking campaign that uses NSA-attributed exploits to install cryptocurrency miners on victims' systems and networks.
They describe the campaign as a sophisticated multi-stage attack that breaks in through web application flaws and then spreads across internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits.
According to a blog post by F5 Networks, the campaign, called "Zealot", targets both Windows and Linux systems. It got its name from a zip file containing the Python scripts that carry the NSA-attributed exploits.
For initial access it exploits two web application vulnerabilities: CVE-2017-5638, a remote code execution flaw in the Jakarta Multipart parser of Apache Struts 2, and CVE-2017-9822, a deserialisation flaw in the DotNetNuke (DNN) content management system. Once inside, it uses the EternalBlue and EternalSynergy SMB exploits for lateral movement across the network.
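Both initial-access flaws leave a recognisable mark in the HTTP request itself, so a reverse proxy or WAF that logs request headers can flag attempts before any miner is dropped. The following is an added example written for this article, not code from F5's write-up or from the campaign: CVE-2017-5638 is triggered by an OGNL expression inside the Content-Type header, and CVE-2017-9822 by attacker-supplied serialised XML in the DNNPersonalization cookie. The sample requests are constructed, and the gadget-type names used as DNN indicators are illustrative assumptions rather than a complete list.

```python
"""Flag HTTP requests that look like Zealot-style initial-access attempts.

Added example for this article; not code from F5 or from the campaign.
Input is the raw request head as a proxy or WAF would capture it.
"""
import re
from typing import Dict, List, Optional

# CVE-2017-5638: the Struts 2 Jakarta Multipart parser evaluates OGNL found in a
# malformed Content-Type header. A legitimate Content-Type never contains
# "%{" or "${", so either marker in that header is a strong signal.
OGNL_MARKER = re.compile(r"[%$]\{")

# CVE-2017-9822: DNN deserialises the DNNPersonalization cookie. A benign value
# is short; an exploit supplies serialised XML naming a gadget type.
# The gadget names here are illustrative (assumption, not an exhaustive list).
DNN_COOKIE = "DNNPersonalization"
DNN_GADGETS = ("ObjectDataProvider", "System.Diagnostics.Process")


def parse_request(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP request head into a lower-cased header-name -> value map.

    The request line is kept under "_request_line"; any body is ignored.
    """
    lines = raw.strip().splitlines()
    headers = {"_request_line": lines[0]}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cookie_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the value of one cookie from the Cookie header, or None if absent."""
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def classify(raw: str) -> List[str]:
    """Return the indicators matched by one request (empty list means clean)."""
    headers = parse_request(raw)
    hits: List[str] = []

    if OGNL_MARKER.search(headers.get("content-type", "")):
        hits.append("CVE-2017-5638: OGNL expression in Content-Type")

    cookie = cookie_value(headers, DNN_COOKIE)
    if cookie and (cookie.lstrip().startswith("<")
                   or any(gadget in cookie for gadget in DNN_GADGETS)):
        hits.append("CVE-2017-9822: serialised XML in DNNPersonalization cookie")

    return hits


# Constructed sample requests (not captured traffic). The Struts sample carries a
# non-functional OGNL fragment, enough to show the marker, nothing more.
SAMPLES = {
    "struts_exploit": (
        "POST /struts2-showcase/index.action HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Content-Type: %{(#_='multipart/form-data').(#test='x')}\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "dnn_exploit": (
        "GET /Default.aspx HTTP/1.1\r\n"
        "Host: cms.example\r\n"
        "Cookie: DNNPersonalization=<profile><item key=\"x\" "
        "type=\"System.Windows.Data.ObjectDataProvider\"/></profile>\r\n\r\n"
    ),
    "benign_upload": (
        "POST /upload HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Content-Type: multipart/form-data; boundary=----abc123\r\n"
        "Cookie: DNNPersonalization=; session=abc\r\n\r\n"
    ),
}


def scan(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Classify every sample and return name -> matched indicators."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name}: {hits or 'clean'}")
```

The Content-Type check is deliberately blunt: nothing legitimate puts an expression delimiter in that header, so a match is worth an alert on its own, whereas the DNN cookie check depends on the gadget list and should be treated as a starting point to extend from your own traffic.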
Security researchers Maxim Zavodchik and Liron Segal said that once the attackers gain access to a Windows system, they use PowerShell to download and install a malicious program that mines Monero. On Linux, they use Python scripts that appear to have been taken from EmpireProject, and then install the Monero miner in the same way. EmpireProject is a post-exploitation framework with PowerShell and Python agents.
The hackers appear to have made around £7,197 through mining. The total could be higher, however, as the researchers said the hackers may be using other cryptocurrency wallets. The hackers also appear to be fans of the video game StarCraft: file names used in the malware, such as Zealot, Observer, Overlord and Raven, are taken from the title.
“The Zealot campaign, however, seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” said the researchers.
Graeme Park, senior consultant at Mason Advisory, told SC Media UK that as the value of bitcoin and alt-coins continues to rise at exponential rates "there will continue to be new and innovative approaches (some less than scrupulous) to mining".
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that companies should maintain a comprehensive and up-to-date inventory of their IT systems. "It is enough to forget about one tiny web application to get attackers on board. Some people may argue that it's a very challenging and time consuming task, but it's much easier than most people think," he said.
Josh Mayfield, director at FireMon, told SC Media UK that organisations looking to mitigate the Zealot threat (among others) are shifting to a Zero-Trust network model. “In this model, you have a perimeter built around every asset in the network: applications, machines, even users. In a zero-trust model, you can quarantine an infected server or stop its communication across the network (east-west traffic) to prevent a system-wide spread.”
“If you haven’t prevented the infection, then you can at least stop it once detected. The Python and PowerShell commands mirror the behaviour of an application. Most network monitoring systems will discover these processes and will show a spike in computing within that server. This irregularity serves as an early sign of compromise,” he added.
Derek Weeks, VP and DevOps Advocate, Sonatype, emailed SC Media UK to comment: “The launch of the aggressive and successful Zealot malware campaign is yet another example of open source Struts2-based application attacks and the adverse ramifications they can have for businesses. In fact, application-based attacks are now the leading exploit path for hackers. Malicious actors are making massive investments to enable them to penetrate known vulnerable applications at the heart of operations. Yet despite this, most CIOs focus their attention and investments on perimeter defences, which aren’t enough to protect them; if thieves are crawling through your windows and back door, building a bigger fence around your perimeter is not going to protect your home (or your data). To thwart future attacks, executives must shift investments to where their adversaries are focused.”