Hackers behind a crypto mining campaign have managed to avoid detection since 2019. The attacks exploited misconfigured Docker APIs that allowed them to gain network entry & ultimately set up a ‘backdoor’ on compromised hosts to mine cryptocurrency, researchers have found.
The attack method is script-based & dubbed “Autom,” because it exploits the file “autom.sh.” Attackers have consistently abused the API misconfiguration during the campaign’s active period; however, the evasion tactics have differed – allowing adversaries to evade detection, wrote Aquasec’s research arm Team Nautilus in a report published recently.
Attackers hit ‘honeypots’ set up by Team Nautilus 84 times since 2019, with 22 attacks in 2019, 58 in 2020, & 4 in 2021 before researchers began writing up their report last Oct., researchers stated.
Researchers also report that attacks on their ‘honeypots’ decreased significantly this year, while overall targeting of poorly configured Docker APIs did not, according to a Shodan search.
“This decrease in attacks on our honeypots might imply that the attackers identified them & therefore reduced the volume of their attacks in 2021,” they observed.
Although attackers use the same entry point & tactics to achieve their ultimate goal of crypto-mining during the attack, what changed most about the attack over the years is how threat players constantly have evolved evasive manoeuvres to avoid detection, researchers stated.
“We saw the progression of the campaign in the tactics that the adversaries use to avoid detection,” they wrote in the report.
Attackers also have used 5 different servers to download the shell script that initiates the attack since they started, they explained. “It seems that the group behind the attack has developed their skills to expand the attack surface & spread their attack,” researchers commented.
Team Nautilus 1st observed the attack in 2019 when a malicious command was executed during the run of a vanilla image alpine:latest, which downloaded the autom.sh shell script, they detailed in the report.
Adversaries often use ‘vanilla’ images along with malicious commands to perform attacks because most organisations trust these images & allow their use, researchers explained.
Attackers consistently have used the same entry point for the attack, which is executed from a remote server that searches for vulnerable hosts to exploit misconfigured Docker APIs, they surmised.
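Because the entry point the researchers describe is a Docker API left reachable without authentication, the first thing a defender wants is a quick way to audit the daemon’s own configuration. The following checker is an added example, not code from the Aquasec report or from Docker: it reads a daemon.json document, flags any TCP listener that is not protected by `tlsverify` (the Docker setting that requires client certificates), and warns when a TLS-protected listener is bound to every interface. The two sample documents are constructed for the example.

```python
import json

# Constructed sample daemon.json documents (not taken from the report).
# WEAK exposes the API over plain TCP on 2375 with no client authentication,
# which is exactly the misconfiguration the Autom campaign looks for.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# HARDENED keeps the TCP listener but requires client certificates
# (tlsverify) signed by the CA named in tlscacert.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = {"0.0.0.0", "", "::", "[::]"}


def audit_daemon_config(raw_json: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a daemon.json document.

    CRITICAL: a tcp:// listener without tlsverify. Anyone who can reach the
              port can start containers, and a container can be given the
              host filesystem, so this is effectively root on the host.
    WARN:     a tlsverify-protected listener bound to all interfaces, which
              should still be fenced off with network controls.
    """
    cfg = json.loads(raw_json)
    findings: list[tuple[str, str]] = []

    # With no "hosts" key the daemon only listens on the local unix socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls_verify = bool(cfg.get("tlsverify", False))

    for host in hosts:
        if not host.startswith("tcp://"):
            continue
        bind_addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if not tls_verify:
            findings.append(("CRITICAL",
                             f"{host}: Docker API reachable over TCP without "
                             f"tlsverify (no client authentication)"))
        elif bind_addr in WILDCARD_BINDS:
            findings.append(("WARN",
                             f"{host}: TLS client auth enabled but listener is "
                             f"bound to all interfaces; restrict reachability"))

    # tlsverify without the certificate material is a broken, not a safe, setup.
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(("CRITICAL", f"tlsverify set but {key} is missing"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc))
```

One caveat worth knowing when applying the hardened form: on systemd-based hosts the docker.service unit already passes `-H fd://`, and a `hosts` key in daemon.json conflicts with it, so the listener is normally configured in a unit drop-in rather than in daemon.json. The audit logic is the same either way.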
Then they run the vanilla image & subsequent malicious shell, which creates a user named akay by 2 methods: adduser, which adds users by setting up the account’s home folder & other settings, & useradd, a low-level utility command for adding users.
Since the newly created user is not privileged, the threat players elevate privileges by using the “sudo” prefix & then turn the account into a root user by adding it to the sudoers file, which grants unlimited privileges to run any command.
The sudoers file controls how sudo works on a targeted machine, basically making the threat player a ‘superuser,’ researchers suggested.
Attackers then use the domain icanhazip[.]com to get the public IP address of the compromised host & use it to download a file from the remote server.
Through this series of steps, attackers install a backdoor that grants them persistence on the compromised host to stealthily mine cryptocurrency, researchers wrote.
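The account-creation and sudo steps above leave a recognisable trail in the host’s auth log, which is where a defender can catch this chain even if the Docker API itself is not monitored. The detector below is an added example (not from the report or from Aquasec’s tooling) that correlates two events: a `useradd` “new user” record, which on Debian-derived systems is also what `adduser` produces because it wraps `useradd`, followed within a short window by that same new account invoking `sudo`; it separately flags any sudo command that touches `/etc/sudoers`. The log lines are constructed for the example in standard syslog auth.log format; the account name akay is the one named in the report.

```python
import re
from datetime import datetime

# Constructed sample auth.log (not from the report). Lines 2-4 model the
# sequence described above: an account is created, then used almost
# immediately with sudo to get a root shell and to append to sudoers.
# The final line is a normal administrator action and must not be flagged.
SAMPLE_AUTH_LOG = """\
Dec  1 10:00:40 web1 sshd[900]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Dec  1 10:01:02 web1 useradd[1234]: new user: name=akay, UID=1001, GID=1001, home=/home/akay, shell=/bin/bash
Dec  1 10:01:05 web1 sudo:     akay : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash
Dec  1 10:01:09 web1 sudo:     akay : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee -a /etc/sudoers
Dec  1 12:30:00 web1 sudo:    deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# "Mon DD HH:MM:SS host message" as written by traditional syslog.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")
# useradd's syslog record for a newly created account.
NEW_USER_RE = re.compile(r"^useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
# sudo's standard log record: invoking user, target user and command.
SUDO_RE = re.compile(r"^sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def _parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; fine for same-day correlation.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_new_account_sudo(log_text: str, window_seconds: int = 300) -> list[tuple[str, str, str]]:
    """Return (rule, user, command) findings.

    new-account-sudo: an account used sudo within window_seconds of being
                      created. Legitimate provisioning rarely does this
                      unattended and never from TTY=unknown.
    sudoers-modified: any sudo command whose arguments name /etc/sudoers.
    """
    created: dict[str, datetime] = {}
    findings: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = _parse_ts(m.group("ts")), m.group("msg")

        new_user = NEW_USER_RE.match(msg)
        if new_user:
            created[new_user.group("name")] = ts
            continue

        sudo = SUDO_RE.match(msg)
        if not sudo:
            continue
        user, cmd = sudo.group("user"), sudo.group("cmd")
        if user in created and (ts - created[user]).total_seconds() <= window_seconds:
            findings.append(("new-account-sudo", user, cmd))
        if "/etc/sudoers" in cmd:
            findings.append(("sudoers-modified", user, cmd))
    return findings


if __name__ == "__main__":
    for finding in detect_new_account_sudo(SAMPLE_AUTH_LOG):
        print(*finding)
```

In production the same two rules map naturally onto auditd or an EDR’s process telemetry, which also sees the `adduser`/`useradd` invocation from inside the container’s host-mounted filesystem that syslog alone may not show.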
While attackers have barely changed how they gain entry & achieve persistence on victims’ machines since they started the Autom campaign, they have changed 2 things–the server from which the shell script autom.sh was downloaded &, more notably, specific evasion tactics, researchers outlined.
To the 2nd point, Team Nautilus has observed the campaign evolving from having no “special techniques” for hiding its illegal business in 2019 to adding more complex concealment tactics over the next 2 years, researchers said.
In 2020, they disabled a number of security mechanisms to stay hidden, including ufw (Uncomplicated Firewall), which enables users to allow or deny access to a service, & NMI (non-maskable interrupt), the highest-priority interrupt, which typically signals attention for non-recoverable hardware errors & is used to monitor system resets.
This year, attackers added a new technique to hide the crypto-mining activity by downloading a shell script from a remote server, researchers explained.
“They encoded the script in base64 5 times to prevent security tools from reading it & understanding the intentions behind it,” they wrote. “Decoding the script revealed the mining activity.”
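Stacked base64 is cheap for an attacker and cheap for an analyst to undo, provided the decoder keeps peeling until the result stops looking like base64. The routine below is an added example, not the researchers’ own tooling: it wraps a harmless placeholder script in five layers (standing in for the encoded miner launcher the report describes), then strips the layers one at a time, stopping when a layer fails strict base64 validation or does not decode to text. The number of layers removed is itself a useful detection signal, since legitimate scripts are rarely encoded more than once.

```python
import base64
import binascii

# Constructed stand-in for the encoded script: a harmless shell snippet.
INNER_SCRIPT = b"#!/bin/sh\necho 'placeholder for the downloaded launcher'\n"

B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def wrap_base64(data: bytes, layers: int) -> bytes:
    """Apply base64 encoding `layers` times (used only to build the sample)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


# Five layers, matching the count the researchers reported for Autom.
SAMPLE_BLOB = wrap_base64(INNER_SCRIPT, 5)


def looks_like_base64(data: bytes) -> bool:
    """Cheap structural check: non-empty, length a multiple of 4, alphabet only."""
    stripped = data.strip()
    return bool(stripped) and len(stripped) % 4 == 0 and all(c in B64_ALPHABET for c in stripped)


def peel_base64(data: bytes, max_layers: int = 16) -> tuple[bytes, int]:
    """Strip nested base64 layers; return (innermost data, layers removed).

    Stops when the data no longer validates as base64 or the decoded bytes
    are not UTF-8 text. The second test guards against short ASCII words
    such as b"test" that happen to satisfy the structural check but decode
    to garbage, so plain scripts are returned untouched with 0 layers.
    """
    layers = 0
    while layers < max_layers and looks_like_base64(data):
        try:
            decoded = base64.b64decode(data.strip(), validate=True)
            decoded.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        data = decoded
        layers += 1
    return data, layers


if __name__ == "__main__":
    plaintext, depth = peel_base64(SAMPLE_BLOB)
    print(f"removed {depth} layer(s)")
    print(plaintext.decode())
```

Run it on a captured blob by replacing SAMPLE_BLOB with the file contents; anything that needs more than one or two layers deserves a closer look regardless of what the decoded text says.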
Other concealment abilities added over the course of the campaign included downloading the log_rotate.bin script, which launches the crypto-mining activity by creating a new cron job that will initiate mining every 55 mins. on the compromised host, researchers added.
“The Autom campaign illustrates that attackers are becoming more sophisticated, continually improving their techniques & their ability to avoid detection by security solutions,” they concluded.