At least eight Australian web hosting providers were found to have suffered “extensive compromises” by criminals during an investigation conducted in May 2018 by the Australian Cyber Security Centre (ACSC).
The ACSC's report [PDF] on what was known as Operation Manic Menagerie was published on Tuesday. It shows that the criminals had been compromising hosting servers since at least November 2017, and that their motivation was financial gain.
Websites running on the compromised servers were modified to insert advertising and to boost search engine optimization (SEO) for other websites.
Two of the compromised servers were also used for cryptocurrency mining, although the revenue was minimal. By June 2018, the total mined from these and other network servers was 22.57 XMR (Monero), worth approximately AU$3868.
The ACSC analyzed the volume of transactions in the criminals' cryptocurrency account and the amount of computing power required to carry out that volume of mining. “This indicates that the actor still has a Monero miner installed on 13 to 38 machines. Although only the targeting of servers has been observed, the number of compromised hosts is probably at the bottom of this range,” they wrote.
“There was no evidence that the actor tried to move laterally to other hosts on the network.” The report also highlights the sophistication of the criminals, who developed their techniques both during and between their campaigns, but still ran parts of their process manually. “The actor demonstrated the ability to tailor their tools to the environment they compromised, including the exploitation of incorrectly configured services and the uploading of additional binaries to help increase privilege,” the ACSC said.
The malware used to compromise the servers was a variant of the Gh0st remote access tool, one with “significant changes in the network communication protocol” that the criminals continued to develop. “In one incident, the Gh0st dropper was detected and quarantined by the victim's anti-virus software. The actor then disconnected from the compromised environment, only to return several hours later to deploy a new instance of the dropper that evaded the victim's anti-virus.” The Gh0st droppers were signed with expired SSL certificates from “Fujian identical investment co.,Ltd”, stolen just a week before they were used.
Another tool, the RID hijack tool, was signed with a certificate belonging to Shanghai YuLian Software Technology co, another certificate that was stolen just a week before it was used. The criminals also exploited servers manually before deploying malware, a process the ACSC said took “an hour or, in one case, several days.”
“Analysis of web logs from compromised hosts indicated that the actor used a web browser to manually interact with websites for vulnerability identification. Once the vulnerability was identified, it was exploited manually to create a web shell on the server to allow future steps. The actor used several publicly available web shells, including ChinaChopper variants,” wrote the ACSC. “Once the web shell was in place, the actor switched from using a web browser to using a controller to interact with the web shell in the future.” Even with these manual processes, the attackers could still gain administrator-level access to targeted servers in less than 70 minutes in some cases.
The ACSC report provides two sets of advice, one for hosting providers with full control of their servers and one for customers with limited access. “If the hosting provider is not secure, a trivial vulnerability in another website hosted on the same service will ultimately result in the compromise of all websites co-hosted on that provider,” wrote the ACSC.
Many of the mitigations recommended for hosting providers are already in the ACSC's Essential Eight, such as patching the operating system and web applications such as content management systems (CMS); not running web services with administrator privileges; and application whitelisting.
The ACSC also recommends monitoring hosted sites for signs of web shell creation; auditing accounts to detect new accounts created by the attackers; and resetting all credentials on affected servers. “It is highly unlikely that a customer can secure whatever they host on the provider without a secure underlying provider,” the ACSC writes.
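As an added example (not part of the article or the ACSC report), the Python script below turns two of the report's observations into a check that runs over ordinary Apache/nginx combined-format access logs: a web shell is dropped after manual browsing and is then driven by a controller rather than a browser, so a script path that only ever receives POSTs, or a client that browsed with one User-Agent and then POSTs to a single script with a different one, deserves a look. The log lines, IP addresses, User-Agent strings, file names and thresholds are all constructed for illustration, and the heuristics are the editor's, not the ACSC's.

```python
"""Flag likely web-shell activity in combined-format web access logs.

Heuristics (constructed for this example, not taken from the ACSC report):
  1. post_only : a script path that is POSTed to (2xx) but never fetched
                 with GET. Real pages get browsed; shells only get commanded.
  2. ua_switch : a client IP that browsed with one User-Agent, then POSTs to
                 a script with a User-Agent it never browsed with (the
                 browser -> controller hand-off the report describes).
Access logs do not record POST bodies, so these rely on request shape only.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")

# Constructed User-Agent strings: two browsers and a non-browser controller.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/66.0.3359.181 Safari/537.36"
CONTROLLER = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed sample: 203.0.113.5 browses, uploads a file via an admin page,
# then drives the uploaded script by POST with a different User-Agent.
# 198.51.100.7 is a benign visitor submitting a contact form.
SAMPLE_LOG = "\n".join([
    f'203.0.113.5 - - [12/May/2018:03:14:01 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "{FIREFOX}"',
    f'203.0.113.5 - - [12/May/2018:03:14:09 +1000] "GET /admin/upload.php HTTP/1.1" 200 2048 "-" "{FIREFOX}"',
    f'203.0.113.5 - - [12/May/2018:03:14:40 +1000] "POST /admin/upload.php HTTP/1.1" 200 311 "-" "{FIREFOX}"',
    f'203.0.113.5 - - [12/May/2018:03:15:02 +1000] "POST /images/cache.php HTTP/1.1" 200 640 "-" "{CONTROLLER}"',
    f'203.0.113.5 - - [12/May/2018:03:15:05 +1000] "POST /images/cache.php HTTP/1.1" 200 8870 "-" "{CONTROLLER}"',
    f'203.0.113.5 - - [12/May/2018:03:16:11 +1000] "POST /images/cache.php HTTP/1.1" 200 1022 "-" "{CONTROLLER}"',
    f'198.51.100.7 - - [12/May/2018:03:20:00 +1000] "GET /contact.php HTTP/1.1" 200 3300 "-" "{CHROME}"',
    f'198.51.100.7 - - [12/May/2018:03:20:45 +1000] "POST /contact.php HTTP/1.1" 302 0 "-" "{CHROME}"',
])


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_web_shells(text, min_posts=2):
    """Return {script_path: [reasons]} for paths showing web-shell behaviour."""
    # Per script path: GET count, 2xx POST count, and POST User-Agents per IP.
    by_path = defaultdict(lambda: {"GET": 0, "POST": 0, "post_uas": defaultdict(set)})
    browse_uas = defaultdict(set)  # User-Agents each IP used for GET requests

    for r in parse_log(text):
        path = r["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        stats = by_path[path]
        if r["method"] == "GET":
            stats["GET"] += 1
            browse_uas[r["ip"]].add(r["ua"])
        elif r["method"] == "POST" and r["status"].startswith("2"):
            stats["POST"] += 1
            stats["post_uas"][r["ip"]].add(r["ua"])

    findings = {}
    for path, s in by_path.items():
        reasons = []
        if s["POST"] >= min_posts and s["GET"] == 0:
            reasons.append("post_only")
        for ip, uas in s["post_uas"].items():
            seen_browsing = browse_uas.get(ip)
            # Only a switch if this IP browsed at all and none of its POST
            # User-Agents match one it browsed with.
            if seen_browsing and not (uas & seen_browsing):
                reasons.append(f"ua_switch:{ip}")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in find_web_shells(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

On a real host, feed it the log for the window around a suspected upload (`find_web_shells(open(path).read())`). Both heuristics are noisy on endpoints that are legitimately only ever POSTed to (AJAX handlers, API scripts), so treat a hit as a triage candidate and confirm by checking the flagged file's creation time, owner and contents on disk, which is also where a new account created by the attacker would show up in the provider's account audit.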
The ACSC suggests that customers add data and service security requirements to their contract with the hosting provider. “Customers are advised to investigate whether their hosting provider provides the underlying security required by the customer for the sensitivity of the data or service they host.”
They also recommend that customers patch their web applications and CMS; deactivate unnecessary plugins and applications; monitor their websites for modifications; and reset their hosting provider credentials.
“Credentials may include the authentication process's usernames, passwords and/or certificates. This includes credentials for the management of the hosting service and the management of specific sites in the hosting service.”