Cryptojacking is the illegal mining of cryptocurrency on third-party IT assets that have been infected with malware. Attacks of this kind have become commonplace, and recent incidents show that the intrusion methods behind them are growing more sophisticated. The activity itself also leaves few traces: the malware's sole purpose is to burn CPU cycles on the hijacked machine, so it can run unnoticed on neglected IT equipment, which makes such equipment ideal prey for cryptojackers. Among the devices targeted in this way, one stood out because it was a government-owned IT asset.

It was recently discovered that a South Korean government server had been infected with malware and used for cryptomining. The real problem is that the infection went undetected for years. The compromised equipment had been installed to measure, in real time, gas emission rates from livestock on nearby farms. Outlaw, a group known for its cryptomining campaigns, was identified as responsible for compromising this government IT asset; they infected the system's server with malicious code in 2017.

The CIP (Criminal IP) team collected and analyzed the activity history of the malicious IP address used to infect this livestock monitoring system, using OSINT techniques and Criminal IP's own tools.

Source: SBS “No one even suspected…government-owned system cryptojacked”

South Korean local news report detailing the cryptojacking incident of government-owned servers

This case study is based on media reports of the cryptojacked government IT assets and on data tracked down with OSINT tools and CTI systems.

Timeline of Events as Reported by the Media

  • 2017.10.05 12:03:48 ~ 2017.10.30 16:13:14

Logs show an external user accessing the server for about 25 days, presumably over SSH (elaborated below in this article).

  • 2020.12.30 22:34:06

Three years later, traffic to 45.9.148.99 suspected of being cryptomining traffic was found. Unfortunately, earlier logs had not been retained and could not be verified.

The surviving logs show that the attacker had access to this government server from October 2017, and traces of the activity were still present at the end of 2020. It is therefore highly likely that cryptomining ran on the server for about three years.

Tracking Malicious IPs and Codes

The IP address responsible for this breach was 45.9.148.99, and further evidence corroborates that mining likely continued into 2020. According to the media, the incident analysis report flagged a file named dota3.tar.gz, among the files found on the server, as highly likely to contain malicious code. The CIP team followed these two leads. The first point to note is that the IP address is presumed to be hosted in the Netherlands.

2020.06.11 Outlaw's Monero Mining Malware

An article posted on oguzhantopgul.com around the time the cryptojacking traffic was identified (https://www.oguzhantopgul.com/2020/06/outlaw-botnet-xmrig-miner-and-shellbot.html) describes Outlaw's technique for deploying its Monero mining malware: initial access by SSH brute force, followed by an IRC bot (ShellBot) for command and control and an XMRig miner. The article also names the IP address used by the attacker (45.9.148.99) and the package suspected of carrying the malware (dota3.tar.gz). All of this matches the traces left on the breached livestock monitoring system.

We can therefore suspect that the livestock monitoring system was breached by this miner via SSH brute force.
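The 25-day external access noted in the timeline is exactly the kind of evidence an SSH authentication log would have shown at the time. As an added example (not code from Criminal IP, Outlaw, or any of the cited analyses), the following Python script runs a simple detection over OpenSSH auth log lines: it flags a burst of failed logins from one address and, more importantly, an accepted login from an address that had just been failing, which is what a successful brute force looks like. The log lines are constructed for illustration; the hostname "lsmon", the usernames, the ports and the timestamps are assumptions, and only the attacker address 45.9.148.99 comes from the incident as reported.

```python
"""SSH brute-force detection over OpenSSH auth log lines.

Added example for this write-up, not code from Criminal IP, Outlaw, or the
cited analyses. The log lines below are constructed for illustration: the
hostname "lsmon", the usernames, ports and timestamps are assumptions; only
the attacker address 45.9.148.99 comes from the incident as reported.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH syslog lines carry no year, so the caller supplies one.
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from " + _IP + r" port \d+"
)
ACCEPTED_RE = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from " + _IP + r" port \d+"
)

# Constructed sample: a password-guessing burst from 45.9.148.99 that ends in a
# successful root login, plus ordinary traffic from internal hosts.
SAMPLE_LOG = """\
Oct  5 12:03:41 lsmon sshd[2201]: Failed password for invalid user admin from 45.9.148.99 port 40110 ssh2
Oct  5 12:03:42 lsmon sshd[2203]: Failed password for invalid user test from 45.9.148.99 port 40118 ssh2
Oct  5 12:03:43 lsmon sshd[2205]: Failed password for root from 45.9.148.99 port 40122 ssh2
Oct  5 12:03:44 lsmon sshd[2207]: Failed password for root from 45.9.148.99 port 40130 ssh2
Oct  5 12:03:46 lsmon sshd[2209]: Failed password for root from 45.9.148.99 port 40134 ssh2
Oct  5 12:03:48 lsmon sshd[2211]: Accepted password for root from 45.9.148.99 port 40140 ssh2
Oct  5 12:10:02 lsmon sshd[2250]: Accepted publickey for operator from 10.20.0.5 port 51002 ssh2
Oct  5 12:15:31 lsmon sshd[2260]: Failed password for operator from 10.20.0.9 port 51100 ssh2
"""


def parse_ts(ts, year):
    """Parse a syslog timestamp such as 'Oct  5 12:03:41' with an explicit year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(log_text, year=2017, threshold=5, window_seconds=60):
    """Return alerts, in log order, for
    (a) at least `threshold` failed logins from one IP inside the window, and
    (b) an accepted login from an IP that failed inside the window, i.e. a
        brute force that succeeded (raised even if (a) never fired)."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts = []

    def prune(ip, now):
        recent_failures[ip] = [t for t in recent_failures[ip]
                               if (now - t).total_seconds() <= window_seconds]
        return recent_failures[ip]

    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            now = parse_ts(m["ts"], year)
            recent_failures[m["ip"]].append(now)
            # Fire once when the threshold is crossed, not on every later failure.
            if len(prune(m["ip"], now)) == threshold:
                alerts.append({"type": "bruteforce", "ip": m["ip"], "at": now,
                               "failures": threshold})
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            now = parse_ts(m["ts"], year)
            failures = prune(m["ip"], now)
            if failures:
                alerts.append({"type": "bruteforce_success", "ip": m["ip"], "at": now,
                               "user": m["user"], "method": m["method"],
                               "failures_before": len(failures)})
                recent_failures[m["ip"]].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On a real host the same function can be fed `/var/log/auth.log` or `journalctl -u ssh -o short` output; the window and threshold are deliberately loose, since a distributed brute force spreads its attempts over many minutes and many source addresses, and the "accepted after failures" rule is the one that would have caught the 2017 login regardless of how slow the guessing was.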

File system architecture of dota3.tar.gz (Source: https://www.oguzhantopgul.com/2020/06/outlaw-botnet-xmrig-miner-and-shellbot.html)

2019.06.13 Trend Micro Report on Outlaw

While searching for further evidence on dota3.tar.gz, our team found a 2019 Trend Micro report on the same malware. According to the report (https://www.trendmicro.com/en_dk/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html), the malicious code was captured in one of Trend Micro's honeypots. The only difference from the process observed here was the IP address used (not 45.9.148.99). The report also discusses the damage this campaign could inflict, estimating that more than 200,000 servers could be infected by this method and code. Lastly, it argued for a reliable Attack Surface Management system that monitors the ports of corporate IT assets regularly.

Malicious Code payload (Source: Trend Micro)

2020.05.30 Malware source code exposed on GitHub

Dan Goldin, the operator of TripleLift, posted a dump on his personal GitHub account (https://github.com/dangoldin/crypto-miner-hack) after his system was hacked. The contents of the dump closely resemble the dota3.tar.gz package developed by Outlaw, and the IP address used against the livestock monitoring system, 45.9.148.99, appears in the dump as well. The dump was posted in 2020, which fits the period in which cryptomining traffic was observed on the livestock monitoring system. We can presume that cryptomining attacks of this variety were quite common, and that many of them came through this particular IP address.

Source code dump by Dan Goldin on his Github page

2020.06.18 SSH brute force attack posted on Reddit

In June 2020 a Reddit user posted that they were being hit by an SSH brute force attack (https://www.reddit.com/r/linux4noobs/). As in the previous case, the attacking IP address was 45.9.148.99, and the attack vector was identical to the one used against the livestock monitoring system. Taken together, this evidence supports the conclusion that Outlaw was the group behind this particular attack.

Reddit post showing SSH brute force attack
45.9.148.99 found to be the IP responsible for attacking the system

All of the examples above were tracked down with OSINT methods, which yielded plenty of data: the specific IP address, the hacking methods, and so on.

2020.08.03 Attack vector records found with Criminal IP

Criminal IP's Abuse Record feature shows traces of malicious activity from this IP address in the attack logs recorded by C-TAS, the threat-sharing system operated by KISA (Korea Internet & Security Agency).

https://www.criminalip.io/asset/report/45.9.148.99

Criminal IP Asset Search results shown for 45.9.148.99


Government systems were affected. Is this an APT attack?

The comprehensive timeline is as follows:

  • 2019.06.13 Trend Micro's analysis report released; its findings include Outlaw's trademark SSH attack + Monero mining malware
  • 2020.05.30 TripleLift attacked with the same methods used in the livestock monitor hack (first mention of 45.9.148.99)
  • 2020.06.11 oguzhantopgul.com releases a write-up on Outlaw's hacking methods (Outlaw's signature SSH attack + Monero mining malware, carried out from 45.9.148.99)
  • 2020.06.18 Reddit post by a user being attacked with the same SSH technique (45.9.148.99, same IP address)
  • 2020.08.03 Attack log for 45.9.148.99 found on Criminal IP
  • 2020.12.30 Hacking records found in the government-owned livestock monitoring system, confirming cryptojacked government IT assets (45.9.148.99, same IP address)

According to this timeline, this IP address was used to spread malicious code for more than six months, and other sources reported the same activity throughout that period. This is unusual for an APT attack: targeted actors tend not to leave traces of their activity before the hack, and they take great care to erase their presence afterwards, including any record of their IP address.

It is unlikely that the attacker set out to cryptojack government IT assets in particular. More likely, the attacker used 45.9.148.99 to push malicious code at every vulnerable target it could reach, and the government's livestock monitoring system simply fit the criteria to fall prey to a widespread attack. Outlaw therefore probably did not run a customized APT attack against the livestock monitoring system. This was a preventable hack in the first place (Trend Micro's report noted that roughly 200,000 systems were at risk of infection): prevention was possible with the right use of OSINT precautions, sufficient IP intelligence, and next-generation firewalls with cryptomining detection features.
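Since the initial access in this campaign was SSH password guessing, the most direct prevention on the server itself is an sshd configuration that does not accept passwords. The page does not describe the server's configuration; the following Python audit is an added example (not code from Criminal IP or any cited report) that reads an sshd_config text and reports the settings that leave password brute force open, using two constructed configs, a weak one typical of unattended field equipment and a hardened one. It implements the parsing rules from sshd_config(5) that are easy to get wrong by eye: keywords are case-insensitive, the first value given for a keyword wins, a keyword that never appears takes the OpenSSH default, and directives after a Match line are conditional rather than global.

```python
"""Audit an OpenSSH sshd_config for settings that leave SSH password brute
force open. Added example for this write-up, not code from Criminal IP or the
cited reports; both configuration texts are constructed for illustration."""
import re

# Defaults as documented in sshd_config(5) for current OpenSSH releases.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed: the weak config. Note the second PermitRootLogin line, which
# sshd ignores because the first occurrence of a keyword is the one used.
WEAK_CONFIG = """\
# sshd_config as often found on unattended field equipment (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 20
PermitRootLogin no   # ignored by sshd: the first PermitRootLogin above wins
"""

# Constructed: the hardened config. Password login is re-enabled only inside a
# Match block for the management network; the global setting stays "no".
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
Match Address 10.20.0.0/16
    PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Return the global settings (keyword -> value, keywords lower-cased),
    applying first-occurrence-wins and falling back to DEFAULTS. Parsing stops
    at the first Match line because everything after it is conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts "Keyword value" or "Keyword=value" (one optional '=').
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return {**DEFAULTS, **settings}


def audit(config_text):
    """Return a list of human-readable findings; an empty list means the
    global configuration does not expose password brute force."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed over SSH; "
                        "set it to no and use key-based authentication")
    if s["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly; "
                        "set it to no or prohibit-password")
    if s["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    try:
        if int(s["maxauthtries"]) > 6:
            findings.append(f"MaxAuthTries {s['maxauthtries']}: more guesses per "
                            "connection than the default of 6; lower it")
    except ValueError:
        findings.append(f"MaxAuthTries {s['maxauthtries']!r}: not a number")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]", audit(cfg) or "no findings")
```

Run it against the live file with `audit(open("/etc/ssh/sshd_config").read())`; on distributions that ship an `Include /etc/ssh/sshd_config.d/*.conf` line, the included files are read first and their values win, so those need to be concatenated in front of the main file before auditing. Because an absent keyword falls back to the default, the audit also flags an empty configuration, which is exactly the state of a default install that was never hardened.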

Implement Attack Surface Management for your systems today!

As information and communication technology has advanced in leaps and bounds, governments have strived to keep their administrative systems up to date. This rapid adoption, however, leaves many government services with exposed attack surfaces. The livestock monitoring system hack is a good example: it showed how an exposed, neglected system is exploited by malicious hackers. The incident was a product of a lack of management and neglect, and despite its severity, many government IT assets remain neglected and vulnerable.

Furthermore, since government IT assets host sensitive information such as personal data and national secrets, investing in Attack Surface Management is a must to keep that data secure. We recommend that readers supplement their understanding of the severity of this issue by reading Criminal IP's comprehensive post on cryptojacking.

Source : Criminal IP (https://www.criminalip.io)
