Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead
Tags
cmtmf-attack-pattern: | Masquerading |
country: | Ethiopia Germany Laos |
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data | Cloud Services - T1021.007 | Credentials - T1589.001 | Domains - T1583.001 | Domains - T1584.001 | Malware - T1587.001 | Malware - T1588.001 | Masquerading - T1655 | Software - T1592.002 | Ssh - T1021.004 | Tool - T1588.002 | Masquerading - T1036 | Masquerading |
Common Information
Type | Value |
---|---|
UUID | ad4519de-fe8f-4b30-84c9-a84b765b4c19 |
Fingerprint | 3807c0b10a4fa258 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 16, 2023, 1 p.m. |
Added to db | Nov. 6, 2023, 6:29 p.m. |
Last updated | Nov. 17, 2024, 6:31 p.m. |
Headline | Summary |
Title | Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead |
Detected Hints/Tags/Attributes | 58/4/90 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 193 | ✔ | Cloud Chronicles | https://permiso.io/blog/rss.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 15 | | blog.aquasec.com |
Details | Domain | 5 | | ap-northeast-1.compute.internal.anondns.net |
Details | Domain | 16 | | aws.sh |
Details | Domain | 4 | | everlost.anondns.net |
Details | Domain | 4 | | tmate.sh |
Details | Domain | 5 | | silentbob.anondns.net |
Details | Domain | 6 | | ipv4.icanhazip.com |
Details | Domain | 4 | | everfound.anondns.net |
Details | Domain | 4 | | grab.sh |
Details | Domain | 11 | | user.sh |
Details | Domain | 4 | | int.sh |
Details | Domain | 17 | | clean.sh |
Details | Domain | 3 | | xc3.sh |
Details | Domain | 39 | | run.sh |
Details | Domain | 8 | | data.sh |
Details | Domain | 23 | | permiso.io |
Details | | 3 | | daniel.bohannon@permiso.io |
Details | File | 10 | | credentials.db |
Details | File | 9 | | access_tokens.db |
Details | File | 3 | | last_update_check.json |
Details | File | 3 | | adc.json |
Details | File | 6 | | azure.json |
Details | File | 2 | | upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html |
Details | File | 97 | | upload.php |
Details | File | 8 | | grafana.ini |
Details | File | 19 | | in.php |
Details | File | 6 | | keys.php |
Details | File | 3 | | postgresuser.txt |
Details | File | 3 | | postgrespassword.txt |
Details | File | 2 | | awsaccesskey.txt |
Details | File | 2 | | awskey.txt |
Details | File | 4 | | gscat.php |
Details | File | 3 | | tmate.php |
Details | File | 3 | | metadata.php |
Details | File | 5 | | censys.cfg |
Details | File | 10 | | filezilla.xml |
Details | File | 34 | | recentservers.xml |
Details | File | 5 | | queue.sql |
Details | File | 25 | | accounts.xml |
Details | md5 | 2 | | 28165d28693ca807fb3d4568624c5ba9 |
Details | md5 | 2 | | b9113ccc0856e5d44bab8d3374362a06 |
Details | md5 | 2 | | d9ecceda32f6fa8a7720e1bf9425374f |
Details | md5 | 2 | | 0855b8697c6ebc88591d15b954bcd15a |
Details | md5 | 2 | | f7df739f865448ac82da01b3b1a97041 |
Details | md5 | 2 | | 1a37f2ef14db460e5723f3c0b7a14d23 |
Details | md5 | 3 | | 99f0102d673423c920af1abc22f66d4e |
Details | md5 | 3 | | 5daace86b5e947e8b87d8a00a11bc3c5 |
Details | md5 | 3 | | 92d6cc158608bcec74cf9856ab6c94e5 |
Details | md5 | 3 | | cfb6d7788c94857ac5e9899a70c710b6 |
Details | md5 | 3 | | 7044a31e9cd7fdbf10e6beba08c78c6b |
Details | md5 | 2 | | 58b92888443cfb8a4720645dc3dc9809 |
Details | md5 | 3 | | f60b75ddeaf9703277bb2dc36c0f114b |
Details | md5 | 3 | | 2044446e6832577a262070806e9bf22c |
Details | md5 | 2 | | c2465e78a5d11afd74097734350755a4 |
Details | md5 | 3 | | f13b8eedde794e2a9a1e87c3a2b79bf4 |
Details | md5 | 4 | | 87c8423e0815d6467656093bff9aa193 |
Details | md5 | 2 | | 9e174082f721092508df3f1aae3d6083 |
Details | md5 | 3 | | 203fe39ff0e59d683b36d056ad64277b |
Details | md5 | 2 | | 2514cff4dbfd6b9099f7c83fc1474a2d |
Details | md5 | 2 | | dafac2bc01806db8bf19ae569d85deae |
Details | md5 | 3 | | 3e2cddf76334529a14076c3659a68d92 |
Details | IPv4 | 11 | | 45.9.148.108 |
Details | IPv4 | 3 | | 207.154.218.221 |
Details | Url | 3 | | https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack |
Details | Url | 2 | | https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html |
Details | Url | 3 | | http://everlost.anondns.net/upload.php |
Details | Url | 2 | | http://everlost.anondns.net/cmd/tmate.sh |
Details | Url | 3 | | http://silentbob.anondns.net/bin/chattr |
Details | Url | 3 | | http://silentbob.anondns.net/bin/a |
Details | Url | 3 | | http://silentbob.anondns.net/cmd/grab.sh |
Details | Url | 3 | | http://silentbob.anondns.net/cmd/clean.sh |
Details | Url | 3 | | http://silentbob.anondns.net/cmd/aws.sh |
Details | Url | 3 | | http://silentbob.anondns.net/cmd/xc3.sh |
Details | Url | 3 | | http://silentbob.anondns.net/bin/sysfix/curl.full |
Details | Url | 3 | | http://silentbob.anondns.net/insert/gscat.php |
Details | Url | 3 | | http://silentbob.anondns.net/insert/tmate.php |
Details | Url | 2 | | http://ap-northeast-1.compute.internal.anondns.net/aws_bin/a |
Details | Url | 3 | | http://ap-northeast-1.compute.internal.anondns.net/insert/keys.php |
Details | Url | 2 | | http://everlost.anondns.net/data.sh |
Details | Url | 2 | | http://everlost.anondns.net/bin/a |
Details | Url | 2 | | http://everlost.anondns.net/cmd/aws.sh |
Details | Url | 2 | | http://silentbob.anondns.net/insert/metadata.php |
Details | Url | 2 | | https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining |
Yara rule (2 events): P0_Hunting_AWS_EnvVarNames_1

```yara
rule P0_Hunting_AWS_EnvVarNames_1
{
    meta:
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive AWS credential information. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected."
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $shellHeader_01 = "#!/bin/sh"
        $shellHeader_02 = "#!/bin/bash"
        $envVarAWSPrefixSyntax_01 = " $AWS_ "
        $envVarAWSPrefixSyntax_02 = " ${AWS_"
        $envVarAWS_01 = "AWS_ACCESS_KEY_ID"
        $envVarAWS_02 = "AWS_SECRET_ACCESS_KEY"
        $envVarAWS_03 = "AWS_SESSION_TOKEN"
        $envVarAWS_04 = "AWS_SHARED_CREDENTIALS_FILE"
        $envVarAWS_05 = "AWS_CONFIG_FILE"
        $envVarAWS_06 = "AWS_DEFAULT_REGION"
        $envVarAWS_07 = "AWS_REGION"
        $envVarAWS_08 = "AWS_EC2_METADATA_DISABLED"
        $envVarEcho = "then echo "
        $linPEAS_01 = "#-------) Checks pre-everything (---------#"
        $linPEAS_02 = "--) FAST - Do not check 1min of procceses and su brute"

    condition:
        (any of ($shellHeader*)) and
        (1 of ($envVarAWSPrefixSyntax*)) and
        (4 of ($envVarAWS*)) and
        (#envVarEcho >= 4) and
        not (all of ($linPEAS*))
}
```

Yara rule (2 events): P0_Hunting_AWS_SedEnvVarExtraction_1

```yara
rule P0_Hunting_AWS_SedEnvVarExtraction_1
{
    meta:
        description = "Detecting presence of scripts using native sed (Stream Editor) utility extracting numerous environment variables containing sensitive AWS credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $grepPropAWS = " | grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' | "
        $awsCliConfigureCmd = " aws configure set aws_ "
        $sedPropAWS_01 = " sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g' "
        $sedPropAWS_02 = " sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g' "
        $sedPropAWS_03 = " sed 's# \"Token\" : \"#aws configure set aws_session_token #g' "
        $sedPropAWS_04 = " sed 's# \"Expiration\" : \"#\\n\\nExpiration : #g' "

    condition:
        all of them
}
```

Yara rule (2 events): P0_Hunting_Azure_EnvVarNames_1

```yara
rule P0_Hunting_Azure_EnvVarNames_1
{
    meta:
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive Azure credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $envVarAzurePrefixSyntax_01 = " $AZURE_ "
        $envVarAzurePrefixSyntax_02 = " ${AZURE_"
        $envVarAzure_01 = "AZURE_CREDENTIAL_FILE"
        $envVarAzure_02 = "AZURE_GUEST_AGENT_CONTAINER_ID"
        $envVarAzure_03 = "AZURE_CLIENT_ID"
        $envVarAzure_04 = "AZURE_CLIENT_SECRET"
        $envVarAzure_05 = "AZURE_TENANT_ID"
        $envVarAzure_06 = "AZURE_SUBSCRIPTION_ID"
        $envVarEcho = "then echo "

    condition:
        (1 of ($envVarAzurePrefixSyntax*)) and
        (3 of ($envVarAzure*)) and
        (#envVarEcho >= 3)
}
```

Yara rule (2 events): P0_Hunting_GCP_EnvVarNames_1

```yara
rule P0_Hunting_GCP_EnvVarNames_1
{
    meta:
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive GCP credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $shellHeader_01 = "#!/bin/sh"
        $shellHeader_02 = "#!/bin/bash"
        $envVarGCPPrefixSyntax_01 = " $GOOGLE_ "
        $envVarGCPPrefixSyntax_02 = " ${GOOGLE_"
        $envVarGCP_01 = "GOOGLE_API_KEY"
        $envVarGCP_02 = "GOOGLE_DEFAULT_CLIENT_ID"
        $envVarGCP_03 = "GOOGLE_DEFAULT_CLIENT_SECRET"
        $envVarEcho = "then echo "

    condition:
        (any of ($shellHeader*)) and
        (1 of ($envVarGCPPrefixSyntax*)) and
        (2 of ($envVarGCP*)) and
        (#envVarEcho >= 2)
}
```

Yara rule (2 events): P0_Hunting_Common_TeamTNT_CredHarvesterOutputBanner_1

```yara
rule P0_Hunting_Common_TeamTNT_CredHarvesterOutputBanner_1
{
    meta:
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing specific section banner output commands"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $sectionBanner_01 = "-------- AWS INFO ------------------------------------------"
        $sectionBanner_02 = "-------- EC2 USERDATA -------------------------------------------"
        $sectionBanner_03 = "-------- GOOGLE DATA --------------------------------------"
        $sectionBanner_04 = "-------- AZURE DATA --------------------------------------"
        $sectionBanner_05 = "-------- IAM USERDATA -------------------------------------------"
        $sectionBanner_06 = "-------- AWS ENV DATA --------------------------------------"
        $sectionBanner_07 = "-------- PROC VARS -----------------------------------"
        $sectionBanner_08 = "-------- DOCKER CREDS -----------------------------------"
        $sectionBanner_09 = "-------- CREDS FILES -----------------------------------"

    condition:
        (5 of them)
}
```

Yara rule (2 events): P0_Hunting_Common_TeamTNT_CredHarvesterTypo_1

```yara
rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_1
{
    meta:
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo for 'CREFILE' variable name (assuming intended name is 'CREDFILE' since it is iterating file names in input array)"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $varNameTypo = "for CREFILE in ${"
        $findArgs = "find / -maxdepth "
        $xargs = " | xargs -I % sh -c 'echo :::%; cat %' >> $"

    condition:
        all of them
}
```

Yara rule (2 events): P0_Hunting_Common_TeamTNT_CurlArgs_1

```yara
rule P0_Hunting_Common_TeamTNT_CurlArgs_1
{
    meta:
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common curl arguments including 'Datei' (German word for 'file') and specific 'Send=1' arguments found in German blog post https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html which details using curl (with these specific arguments) to upload files to upload.php"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        $curlFileArgGerman = " \"Datei=@\" "
        $curlArgSend = " -F \"Send=1\" "
        $curlArgUsername = " -F \"username= "
        $curlArgPassword = " -F \"password= "

    condition:
        all of them
}
```