Where data is home

Watchdog Unleashes Multi-Stage Cryptojacking Attack


WatchDog, a hacking group, has recently launched a sophisticated multi-stage cryptojacking attack. The campaign combines advanced intrusion techniques, worm-like propagation, evasion of security software, and the ability to pivot from one machine to an entire network. Its primary targets are exposed Docker Engine API endpoints and exposed Redis servers. The attack lifecycle spans several stages: exploiting misconfigured Docker Engine API endpoints, injecting the daemon to reach other connected daemons, listing or modifying containers, and running arbitrary shell commands. To conceal its activity, WatchDog uses command hijacking to manipulate process contents and timestamps. It then deploys the XMRig mining payload and installs a systemd service for persistence. The third-stage payload uses tools such as zgrab, masscan, and pnscan to identify valid pivoting points within the network. Cado Security has attributed this escalating hacking activity to the group, citing references in its scripts and the use of the same wallet address for storing Monero, and has provided further attribution data, including WatchDog’s avoidance of Golang payloads. This article gives an overview of WatchDog’s multi-stage cryptojacking attack, examining its elements, its attack lifecycle, and its attribution to TeamTNT.

Key Takeaways

  • The WatchDog cryptojacking campaign employs advanced intrusion techniques and worm-like propagation to target exposed Docker Engine API endpoints and exposed Redis servers.
  • The attack lifecycle of WatchDog involves exploiting misconfigured Docker Engine API endpoints, injecting the daemon to access other connected daemons, listing or modifying containers, and running arbitrary shell commands.
  • The third-stage payload of WatchDog includes tools like zgrab, masscan, and pnscan to find valid pivoting points in the network and download final scripts for propagating algorithms.
  • Attribution to TeamTNT is suggested by WatchDog’s scripts referencing TeamTNT, the theft of tools from TeamTNT, strong correlations between WatchDog’s campaigns and TeamTNT’s operations, and the use of the same wallet address for storing Monero.

Campaign Elements

The WatchDog cryptojacking campaign combines advanced intrusion techniques, worm-like propagation, and evasion of security software to target exposed Docker Engine API endpoints and exposed Redis servers. Its worm-like propagation lets a single compromised machine become a foothold for the entire network: the attackers move quickly between hosts and infect many systems before security software can detect and stop them. Because the campaign is also designed to evade security software, detection and mitigation are harder still. Together, these strategies maximize the campaign’s ability to compromise vulnerable systems and carry out its cryptojacking activities undetected.

Attack Lifecycle

During the attack lifecycle, the hackers exploit misconfigured Docker Engine API endpoints, inject the daemon to gain access to other connected daemons, and manipulate containers and shell commands to hide process contents and alter timestamps. This multi-stage cryptojacking attack has significant implications for targeted organizations. Exploiting a misconfigured Docker Engine API endpoint gives the hackers unauthorized access to the network and potentially to sensitive data and resources, and control over containers and shell commands lets them execute arbitrary commands and install malicious software. To prevent and mitigate such attacks, organizations should ensure that Docker Engine API endpoints are properly configured and secured, keep systems updated and patched, implement strong access controls, and monitor network traffic for suspicious activity. Intrusion detection and prevention systems add a further layer of defense by detecting and blocking such attacks.

Attribution to TeamTNT

Attribution to TeamTNT rests on WatchDog’s scripts referencing the group without explicitly naming it, and on the strong correlations between WatchDog’s current campaign and TeamTNT’s previous activities, including the use of the same wallet address for storing Monero from mining operations. WatchDog’s connection to TeamTNT is further supported by the attribution methods Cado Security applied to WatchDog. Cado Security’s researchers observed that WatchDog avoids using Golang payloads, which they describe as a distinctive characteristic of TeamTNT’s attacks. Cado Security also cites a further attribution clue, although its specific details are not mentioned. On the basis of this analysis of WatchDog’s campaign, Cado Security has attributed the escalation in hacking activity to TeamTNT.

Evidence               WatchDog   TeamTNT
Script References      Yes        Yes
Strong Correlations    Yes        Yes
Same Wallet Address    Yes        Yes

This table highlights the key pieces of evidence connecting WatchDog to TeamTNT, including the script references, strong correlations between campaigns, and the use of the same wallet address. These factors strongly suggest a connection between the two groups.

Frequently Asked Questions

What is the purpose of the WatchDog cryptojacking campaign?

The purpose of the WatchDog cryptojacking campaign is to mine cryptocurrency by exploiting vulnerable systems. This campaign aims to exploit the resources of targeted systems to generate cryptocurrency without the knowledge or consent of the system owners.

How does WatchDog exploit misconfigured Docker Engine API endpoints?

WatchDog bypasses security measures in misconfigured Docker Engine API endpoints by exploiting an exposed port 2375 and injecting the daemon to access other connected daemons. The consequences of WatchDog’s multi-stage cryptojacking attack include unauthorized access, propagation throughout the network, and the theft of computational resources for cryptocurrency mining.
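The Attack Lifecycle section and the answer above both come down to one misconfiguration: a Docker Engine API listening on a network interface without authentication. The audit script below is an added example written for this article; it is not WatchDog tooling or Cado Security code. It reads the two places dockerd takes its listener settings from, the "hosts" key in /etc/docker/daemon.json and the -H/--host flags on the ExecStart line of the systemd unit, and reports every tcp:// listener reachable beyond loopback that lacks TLS client verification. The sample configurations embedded in it are constructed, and the function names (audit_dockerd and its helpers) are this example's own.

```python
"""Audit a Docker daemon's API listeners for network exposure without authentication.

Added example for this article, not code from WatchDog, TeamTNT or Cado Security.
dockerd takes its listener settings from the "hosts" key in /etc/docker/daemon.json
and from -H/--host flags on its ExecStart line (dockerd refuses to start if both
set hosts, so normally only one source is populated). Any tcp:// listener bound
beyond loopback without tlsverify is an unauthenticated Docker API, the
misconfiguration WatchDog targets on port 2375. The check keys on the TLS
settings, not on the port number.
"""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample inputs (not taken from any real host).
DEFAULT_EXEC_START = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def _parse_exec_start(exec_start: str):
    """Extract host entries and TLS flags from a dockerd command line."""
    hosts, tls, tlsverify = [], False, False
    toks = shlex.split(exec_start)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-H", "--host"):
            i += 1
            if i < len(toks):
                hosts.append(toks[i])
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        elif tok in ("--tls", "--tls=true"):
            tls = True
        i += 1
    return hosts, tls, tlsverify


def _tcp_listeners(hosts, default_port: int):
    """Yield (bind address, port) for each tcp:// host; unix:// and fd:// are not network-reachable."""
    for h in hosts:
        if h.startswith("tcp://"):
            parts = urlsplit(h)
            # dockerd treats an empty bind address as all interfaces and
            # defaults the port to 2375 (2376 when TLS is enabled)
            yield parts.hostname or "0.0.0.0", parts.port or default_port


def audit_dockerd(daemon_json: str, exec_start: str) -> list:
    """Return (severity, bind address, port, reason) for every TCP listener found."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    cl_hosts, cl_tls, cl_tlsverify = _parse_exec_start(exec_start)
    hosts = list(cfg.get("hosts", [])) + cl_hosts
    tlsverify = bool(cfg.get("tlsverify", False)) or cl_tlsverify
    tls = bool(cfg.get("tls", False)) or cl_tls or tlsverify  # tlsverify implies tls

    findings = []
    for addr, port in _tcp_listeners(hosts, 2376 if tls else 2375):
        if addr in LOOPBACK:
            findings.append(("INFO", addr, port, "bound to loopback only"))
        elif tlsverify:
            findings.append(("OK", addr, port, "TLS with client certificate verification"))
        elif tls:
            findings.append(("HIGH", addr, port, "TLS enabled but clients are not authenticated"))
        else:
            findings.append(("CRITICAL", addr, port,
                             "plaintext, unauthenticated Docker API reachable from the network"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for finding in audit_dockerd(cfg, DEFAULT_EXEC_START):
            print(label, *finding)
```

On a real host, pass the contents of /etc/docker/daemon.json and the ExecStart line from `systemctl cat docker` to audit_dockerd. The only configurations that produce no CRITICAL or HIGH finding are a unix socket alone, a loopback bind, or a TCP listener with tlsverify and a CA certificate, which is the "properly configured and secured" state the Attack Lifecycle section calls for.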

What are the third-stage payload elements used by WatchDog?

The third-stage payload elements used by WatchDog in their attack techniques include zgrab, masscan, and pnscan. These elements are utilized to find valid pivoting points in the network and to download final scripts (c.sh and d.sh) for propagating algorithms.

How does Cado Security contribute to analyzing WatchDog’s campaign?

Cado Security contributes to analyzing WatchDog’s campaign by leveraging machine learning techniques. They collaborate with other cybersecurity firms to pool threat analysis data, enhancing their understanding of WatchDog’s tactics and aiding in attribution.

What social media platforms can users follow Cado Security on?

Users can protect themselves from cryptojacking attacks by regularly updating their software, using strong and unique passwords, installing reputable antivirus software, and being cautious of suspicious links or attachments. Signs of a cryptojacking attack on social media platforms include increased CPU usage, slow performance, and unexpected battery drain on mobile devices.
