![]() Unit 42 researchers have identified three XMR wallet addresses within WatchDog configuration files. Prisma Cloud also detects the usage of malicious XMRig processes used by the WatchDog miner operating in cloud environments that have Prisma Cloud Compute Defender installed. Palo Alto Networks Prisma Access is configured to detect each of WatchDog’s 18 IP addresses, seven domains and their associated URL addresses through PAN-OS. ![]() It is highly likely these actors could find IAM-related information on the cloud systems they have already compromised, due to the root and administrative access acquired during the implantation of their cryptojacking software. the capturing of cloud platform identity and access management (IAM) credentials, access ID or keys), there could be potential for further cloud account compromise. While there is currently no indication of additional cloud compromising activity at present (i.e. It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations. WatchDog, on the other hand, does not rely on a third-party site to host its malicious payload, allowing it to have remained active for more than two years at the time of this writing. However, Graboid was only known to operate for up to three months before its Docker Hub images were removed. Additionally, Graboid could have also achieved higher processing speeds due to the configuration script utilizing all available container central processing units (CPUs). ![]() Each Graboid miner was operational 65% of the time, meaning around 1,300 compromised Docker containers were mining at any one time. At the time of its operation, it consisted of at least 2,000 exposed and compromised Docker Daemon APIs systems. Graboid was the largest known mining operation to date in terms of the total number of active systems. Unit 42 reported on Graboid, a wormable Monero mining operation on Docker Hub, in October 2019. They have identified 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset. Researchers have mapped out the infrastructure behind the mining operations. Windows and NIX, as long as the Go Language platform is installed on the target system. WatchDog’s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries, i.e. Finally, the third Go binary script will initiate a mining operation on either Windows or NIX operating systems (OS) using custom configurations from the initiated bash or PowerShell script. The second Go binary downloads a configurable list of IP addresses net ranges before providing the functionality of targeted exploitation operations of identified NIX or Windows systems discovered during the scanning operation. The binaries perform specific functionality, one of which emulates the Linux watchdogd daemon functionality by ensuring that the mining process does not hang, overload or terminate unexpectedly. The WatchDog miner is composed of a three-part Go Language binary set and a bash or PowerShell script file. ![]() Within this blog, Unit 42 researchers provide an overview of the WatchDog cryptojacking campaign. The global market for blockchain, the technology behind cryptocurrency, is anticipated to reach $60.7 billion by 2024, and criminal organizations and actor groups are trying to cash in on this. This increase is primarily caused by the meteoric rise in cryptocurrencies’ valuation. Malicious cryptojacking operations are currently estimated to affect 23% of cloud environments, up from 8% in 2018. Researchers have determined that at least 476 compromised systems, composed primarily of Windows and NIX cloud instances, have been performing mining operations at any one time for over two years.Ĭryptojacking is the process of performing cryptomining operations on systems which are not owned and maintained by the mining operators. 27, 2019, and has collected at least 209 Monero (XMR), valued to be around $32,056 USD. The WatchDog mining operation has been running since Jan. The operation is called WatchDog, taken from the name of a Linux daemon called watchdogd. Unit 42 researchers are exposing one of the largest and longest-lasting Monero cryptojacking operations known to exist.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |