This year we have seen a huge uptick in cryptomining malware against Linux servers. The usual attack vector is the following:

- A brute force attack against SSH accounts.
- Automated install of a pre-compiled binary once access is obtained.
- Modifying the system to ensure malware persistence.
- Start mining cryptocurrencies on the victim’s CPU or GPU.

The mechanisms have also been adapted to brute force exposed SQL services, web servers, etc. Yet, the end result is the same: a process that is using the victim’s resources to mine cryptocurrency for the attacker. While most of the time this attack is not destructive, it does tie up the system resources. Also, because you can never be sure what else was modified during the attack, you will need to reload the affected system completely from known good backups, which wastes your time. Finally, there is also the possibility that other credentials on the host were compromised and the attackers could spread further.

Most of the cryptomining attacks we see have been the result of lapses in basic security. The attacks are almost always automated and are searching for low hanging fruit for an easy hit. To protect against these attacks we recommend you take the following action:

- Disable all default system login accounts.
- Disable SSH password logins and require SSH private key authentication.
- Enable two-factor authentication for SSH as well if you are able.
- Block access to all network services that do not need to be exposed to the Internet (e.g. databases, control panels, and SSH ports).
- Monitor systems for unusual CPU, memory, disk, and network activity.
- Use host-based intrusion detection to spot any problems that might have slipped through (yeah, we’re biased but you’ll see below why it’s

Doing the above will knock out most of the cryptomining hacks we have seen.

## Forensic Analysis of a Linux Cryptominer

A customer had a cryptominer infiltrate a legacy server on their network. The attack came in over a compromised SSH account for the “oracle” user. There was a weak password which allowed a basic brute force attack to gain access. This particular piece of malware was not identified by sites like using the file hash. If you are relying on a signature-based file scanner to find this kind of activity, you will be disappointed. Sandfly does not use signatures to search for malware; rather, we focus on how attacks work to provide generic detection even against unknown threats. Once Sandfly was run against the affected host it was obvious something very bad was afoot.

This customer has given us permission to use their forensic evidence from Sandfly for this post. Let’s go over how the cryptomining happened and how Sandfly can help spot this and other malicious activity on Linux. To recap, Sandfly is an agentless intrusion detection and forensic investigator for Linux. Sandfly patrols Linux systems for suspicious activity and pulls over forensic evidence of anything it finds out of sorts. In this case, Sandfly was run against the affected host and it immediately spotted two problems:
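The SSH brute force that opened the door in this case (a run of failed passwords for one account from one source, followed by an accepted password login) leaves a recognizable trail in the sshd log. The following is an added example, not the customer’s evidence or Sandfly’s code: it scans constructed `auth.log`-style lines (hostname, PIDs and documentation-range IP addresses are made up) and flags password logins that were preceded by a burst of failures from the same source, and separately lists every account still authenticating by password, which is the set you would have to migrate to keys before turning password logins off.

```python
import re
from collections import defaultdict

# Constructed sample in the style of /var/log/auth.log (not real evidence).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 legacy01 sshd[2201]: Failed password for oracle from 203.0.113.7 port 51012 ssh2
Jan 10 03:14:03 legacy01 sshd[2203]: Failed password for oracle from 203.0.113.7 port 51014 ssh2
Jan 10 03:14:05 legacy01 sshd[2205]: Failed password for oracle from 203.0.113.7 port 51016 ssh2
Jan 10 03:14:07 legacy01 sshd[2207]: Failed password for oracle from 203.0.113.7 port 51018 ssh2
Jan 10 03:14:09 legacy01 sshd[2209]: Failed password for oracle from 203.0.113.7 port 51020 ssh2
Jan 10 03:14:11 legacy01 sshd[2211]: Accepted password for oracle from 203.0.113.7 port 51022 ssh2
Jan 10 03:20:40 legacy01 sshd[2290]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Jan 10 03:21:02 legacy01 sshd[2299]: Accepted publickey for alice from 192.0.2.5 port 60100 ssh2
"""

# "invalid user" appears when the account does not exist; the username still follows it.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_brute_force_logins(log_text, threshold=5):
    """Return (user, ip, failures) for each password login that was preceded
    by at least `threshold` failed password attempts from the same source."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            count = failures.get((user, ip), 0)
            if method == "password" and count >= threshold:
                hits.append((user, ip, count))
    return hits


def password_logins(log_text):
    """Return the sorted set of (user, ip) that authenticated with a password;
    these are the logins that stop working once PasswordAuthentication is off."""
    found = set()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password":
            found.add((m.group(2), m.group(3)))
    return sorted(found)


if __name__ == "__main__":
    for user, ip, n in find_brute_force_logins(SAMPLE_AUTH_LOG):
        print(f"brute-forced login: user={user} from={ip} after {n} failures")
    print("password-based logins:", password_logins(SAMPLE_AUTH_LOG))
```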