A cybercriminal operation aiming to spread among web-application servers has had moderate success, using compromised systems for Monero cryptomining, to create a botnet for denial-of-service attacks and to further spread into enterprise networks, researchers with Palo Alto Networks said on Wednesday.
The developers of the attack tool appear to be aiming to create a general-purpose platform for a wide variety of attacks, from distributed denial-of-service (DDoS) attacks to cryptomining to the creation of botnets, the company warned. Called Satan DDoS by the developers, the tool will likely not only target Windows computers and Linux servers but Internet of Things devices and systems that run on the ARM and MIPS processors, according to messages found in the code.
So far, the malware has had some success, especially in the Asia-Pacific region, says Ken Hsu, senior security researcher at Unit 42 for Palo Alto Networks.
"Because it's able to monetize its attacks, as well as establish a command-and-control operation, it appeals to a wide variety of attackers," he says. "The number of alerts we observed suggests that companies should step up their security measures, not just via patching software but also by strengthening security policy and compliance, [such as] password strengthening."
The spread of the DDoS and cryptojacking malware highlights that cybercriminals do not have to use the most recent exploits to successfully compromise servers on the Internet. The Palo Alto researchers initially discovered the malware after it repeatedly compromised web applications using an exploit for a 16-month-old vulnerability (CVE-2019-9081) in the Laravel PHP framework.
Among the vulnerabilities exploited by the software are a single vulnerability reported in 2020 and another from 2019, but mainly older issues — three vulnerabilities from 2018, five from 2017, and a single flaw from 2014. The exploits target the Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. All issues are considered high or critical severity, Palo Alto researchers stated in the advisory. The malware also uses credential stuffing on remote-access and Microsoft SQL ports, using a short list of usernames and passwords.
Once on a server, the software loads and runs several well-known exploits taken from the trove of cyberattack tools leaked from the National Security Agency, including EternalBlue, EternalRomance, and the DoublePulsar backdoor. While the vulnerabilities are old, the software has successfully spread in the wild, the report said.
"While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it's utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance," the researchers stated in the advisory.
The researchers discovered two versions of the malware: one that started spreading on May 29, and the other that became active on June 11. The developer of the malware refers to it as Satan DDoS, but due to other malware families using a similar name, the Palo Alto researchers decided to brand the malware "Lucifer."
The second version of the software continues its focus on cryptomining, attempting to install a component called XMRig for mining. In addition, the developer added rudimentary anti-sandbox functionality to stymy reverse engineers from analyzing the code. The newer software adds functions for infecting through four other protocols — the File Transfer Protocol (FTP), for example — and checks to see if the default language is Chinese.
The malware has not been particularly successful at mining Monero, amassing only 0.49 XMR, about US$32. However, cryptomining has become a big focus of cybercriminals looking for an easy way to monetize compromised systems. In October, for example, some 2,000 Docker hosts were infected by a relatively basic worm that exploited misconfigurations to download and run cryptojacking software as a container. The program, dubbed Graboid by the attackers, looks for unprotected Docker daemons and then sends commands to install malicious images from Docker Hub.
Far more pernicious is the malware's ability to use a variety of methods — such as Windows exploits and dictionary attacks — to move laterally inside of a network, Hsu says. Many of these are old, but malware authors don't need to use the latest exploits, because they know the old ones should suffice, he says.
"Lucifer is capable of self-propagation and credential brute-forcing, so attackers can have a tremendous impact on their victims once they gain a foothold," Hsu says.
Companies should keep systems up to date, implement strong password policies, and have threat intelligence to adapt to the latest attacks, Hsu says. For the most part, holes in firms' cybersecurity coverage continue to provide opportunity for attackers, even using older exploits.
"Not all companies have strong cybersecurity awareness," he says. "Doing cybersecurity properly requires non-trivial resource allocation, and cybersecurity isn't always their No. 1 priority for companies."