Recently, it was discovered that a South Korean government server was infected by malware in 2017 and used for cryptomining. However, the problem comes from the fact that this malware has been undiscovered for several years. The hacked equipment in question was installed to measure livestock gas emission rates from nearby farms in realtime. Outlaw, the group famous for their cryptomining hacks, were revealed to be responsible for cryptojacked government IT assets. They infected this system’s server with malicious code in 2017.

The Criminal IP team analyzed activity details of the malicious IP address used for this incident with the OSINT tool, Criminal IP.

Source: SBS “No one even suspected…government-owned system cryptojacked”

South Korean local news report detailing the cryptojacking incident of government-owned servers
South Korean local news report detailing the cryptojacking incident of government-owned servers

This case study analysis is based on information reported by the media regarding cryptojacked government IT assets and data tracked down by using OSINT tools and CTI systems.

Timeline of Events as Reported by the Media

  •  10.05.2017 12:03:48 ~ 10.30.2017 16:13:14

Logs accessed from outside for about 25 days were confirmed, and the access method was assumed to be SSH.

  • 12.30.2020 22:34:06

About three years later, traces of traffic suspected of cryptomining were found in 45.9.148.99. Unfortunately, previous logs were not saved and could not be verified.

Based on the existing logs, the hacker had access to this government server since October 2017. Therefore, it’s highly likely that mining has been going on for more than three years since traces of mining were discovered in 2020.

Tracking Malicious IPs and Codes

The IP address responsible for this breach was 45.9.148.99. Further evidence corroborates that cryptomining likely continued until 2020. Therefore, tracking the 2020 data for this IP address is necessary. Furthermore, according to the media, the infringement analysis report shows that among the files found, dota3.tar.gz was highly suspected of bearing malicious code. The CIP team further analyzed this incident based on these two leads. The first important information to note is that this IP address is presumed to be hosted in the Netherlands.

6.11.2020: Outlaw’s Monero Mining Malware

An interesting article was posted on ogushantopgul.com, coincidentally around the time when cryptojacking traffic was identified (https://www.oguzhantopgul.com/2020/06/outlaw-botnet-xmrig-miner-and-shellbot.html). This article mentioned certain details regarding Outlaw‘s techniques for infecting the Monero mining malware. Their methods were executed by using the IRC bot and the SSH bruteforcing techniques. Furthermore, the article elaborates on IP addresses used by the hacker (45.9.148.99) and the package suspected of harboring malware (dota3.tar.gz). All of this information coincided with the traces left behind on the breached livestock monitoring system.

Therefore, we can suspect that the livestock monitoring system breach was caused by a malicious miner using the SSH approach.

dota3.tar.gz의 아키텍처(출처: https://www.oguzhantopgul.com/2020/06/outlaw-botnet-xmrig-miner-and-shellbot.html)
File system architecture of dota3.tar.gz (Source: https://www.oguzhantopgul.com/2020/06/outlaw-botnet-xmrig-miner-and-shellbot.html)

6.13.2019: Trend Micro Report on Outlaw Hacking Group

Whilst searching for further evidence regarding dota.tar.gz, our team found a 2019 report from Trend Micro addressing this issue. According to Trend Micro’s report (https://www.trendmicro.com/en_dk/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html), this malicious code was found in one of its honeypots, and although the 45.9.148.99 IP address used to hack the livestock monitoring system was not used, the rest of the details were the same. Furthermore, Trend Micro mentioned that more than 200,000 servers could be infected by this method and code and suggested a reliable Attack Surface Management system that could periodically monitor ports of corporate IT assets.

악성코드의 페이로드(출처 : 트렌드마이크로)
Malicious Code payload (Source: Trend Micro)

5.30.2020: Malware Source Code Exposed on GitHub

Dan Goldin, who runs a company called TripleLift, posted the dump on his GitHub, claiming that his system had been hacked, and it was very similar to the dota.tar.gz package developed by Outlaw mentioned above. The IP address used to hack the livestock monitoring system, 45.9.148.99, was also found in this dump (https://github.com/dangoldin/crypto-miner-hack). The post was published in 2020, the year of the hack of the livestock monitoring system, which suggests that mining hacks using this IP address were popular in that year.

Details of the hacking dump posted by Dan Goldin on GitHub
Details of the hacking dump posted by Dan Goldin on GitHub

6.18.2020: SSH brute force attack posted on Reddit

A user on Reddit posted that they were experiencing SSH brute force attack in June of 2020. As seen in the previous case, IP address 45.9.148.99 was responsible for this attack, and the attack vector was identical to the livestock monitoring system hack, which supports the possibility that Outlaw was the group behind this particular attack (https://www.reddit.com/r/linux4noobs/).

레딧에 게시된 SSH brute force 공격 내용 포스팅
Reddit post showing SSH brute force attack
시스템을 공격하고 있는 IP 주소로 45.9.148.99가 확인된다
45.9.148.99 found to be the IP responsible for attacking the system

ll the examples shown above are tracked using OSINT methods, which allowed our team to find plenty of data, such as specific IP addresses, hacking methods, etc.

8.03.20202: Attack vector records found with Criminal IP

Criminal IP’s Abuse Record feature reveals traces of malicious hacks in attack logs recorded by KISA (Korea Internet & Security Agency)’s C-TAS.

https://www.criminalip.io/asset/report/45.9.148.99

Criminal IP의 Asset Search에서 IP 주소 45.9.148.99를 검색한 결과
Criminal IP Asset Search results shown for 45.9.148.99

 

Government systems were affected. Is this an APT attack?

The comprehensive timeline is shown below:

  • 6.13.2019 Trend Micro’s Analysis report released reveals findings that include Outlaw’s trademark SSH attack + Monero Mining
  • 5.30.2020 TripleLift was attacked in the same way used in the Livestock Monitor hack (First instance of 45.9.148.99 mentioned)
  • 6.11.2020 oguzhantopgul.com releases write-up on Outlaw’s hacking methods (Outlaw’s signature SSH attack + Monero Mining Malware carried out with 45.9.148.99)
  • 6.18.2020 Post was found on Reddit about a user being attacked with an SSH attack technique (45.9.148.99 – same IP address)
  • 8.03.2020 Found record of 45.9.148.99 in attack logs with Criminal IP
  • 12.30.2020 Hacking records found in government-owned livestock monitoring system (45.9.148.99 – same IP address)

According to this timeline, this IP address was used to spread malicious code for over six months. Furthermore, other media channels have been reporting similar incidents several times over the same period. This is quite unusual, as APT attacks don’t tend to leave traces of activity prior to the hack. Hackers also take great care to erase traces of their presence by removing IP address information.

Therefore, the hack of the government’s livestock monitoring system was not a customized APT attack by hackers but more likely the result of multiple attacks by hackers using 45.9.148.99 to infect malware, and the livestock monitoring system, which was operating in a vulnerable state, fell victim to it (Trend Micro’s report also mentioned that more than 200,000 systems were at risk). The attacks could have been prevented with OSINT and IP intelligence,  and it seems that detection was possible even with the mining detection function provided by next-generation firewalls.

Implement Attack Surface Management for your systems today!

With information & communication technology developing in leaps and bounds throughout the years, countries are striving to keep up to date with the latest administrative systems. However, this rapid adaptation leaves many government services vulnerable, with attack surfaces exposed for exploitation. A good example of this phenomenon is the livestock monitoring system hack.  It showed how malicious hackers could exploit vulnerabilities. This livestock monitoring system incident resulted from a lack of management and neglect. Despite the severity of this incident, many government IT assets are still neglected and vulnerable.

In particular, since hacking government agency equipment is a highly sensitive issue where important personal information or national secrets can be leaked in a single attack, it is necessary to have complete attack surface management that proactively protects against hacker attacks. Please refer to our article “Cryptojacking: Your Device is Mining Crypto Behind Your Back” for relevant information.

Source : Criminal IP (https://www.criminalip.io)

Related Article(s) :

Cryptojacking : Your Device is Mining Crypto Behind Your Back