{"id":27195,"date":"2019-05-23T18:30:46","date_gmt":"2019-05-23T18:30:46","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=89464"},"modified":"2019-05-23T18:30:46","modified_gmt":"2019-05-23T18:30:46","slug":"uncovering-linux-based-cyberattack-using-azure-security-center","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/uncovering-linux-based-cyberattack-using-azure-security-center\/","title":{"rendered":"Uncovering Linux based cyberattack using Azure Security Center"},"content":{"rendered":"

As more and more enterprises move to the cloud, they also bring their own set of security challenges. Today, almost half of Azure virtual machines (VMs) are running on Linux, and as the Linux server population grows, so are the attacks targeting them. As detection capabilities advance, attackers are using new and stealthier techniques to stay undetected and persist with their motives. Azure Security Center, Microsoft\u2019s cloud-based cyber solution, helps customers safeguard their cloud workloads as well as protect them from these threats.<\/p>\n

In this blog post, we detail a real-world Linux attack whose purpose initially looked like crypto mining, but it turned out that the attacker\u2019s intent was to use the compromised host as a launchpad for further large-scale attacks.<\/p>\n

Incident details<\/h3>\n

<\/p>\n

After the initial successful SSH brute force compromise, the attacker proceeds to download a first stage \u2018tddwrt7s.sh\u2019 script using utilities like \u2018wget\u2019 that delivers further payload to the host. Azure Security Center surfaces this behavior via a \u201cDetected suspicious file download\u201d alert.<\/p>\n

Post stage 1 download, the attacker executed the script to find \u2018dota.tar.gz\u2019 by enumerating multiple hosting URLs. Once a live hosting IP was found, the second stage file gets delivered in directory \u2018\/tmp\/.mountfs.\u2019 Most of these exploitation and persistence techniques are observed from the \/tmp folder. In this case all activities were tracked under \/tmp\/.mountfs and \/tmp\/.mountfs\/.rsync directories. Creating directories with a dot keeps the activity hidden from the user interface, a common technique used by attackers.<\/p>\n

<\/a><\/p>\n

Later, we see traffic to different mining pools including \u2018mine.moneropool.com\u2019 but nothing further that would confirm the purpose as mining cryptocurrency. The \u201cDetected suspicious network activity\u201d analytic triggered on this activity along with \u201cDigital currency mining\u201d analytic. This was followed by reconnaissance grep activity used by the attacker to get more information on the target machine to see if it had already been compromised and in use by other actors.<\/p>\n

<\/a><\/p>\n

The attackers then used a bash script to search and kill processes on some of the above-mentioned miners that they grepped using command:<\/p>\n

\u201cps auxf|grep -v grep|grep \u201cxmrig\u201d | awk \u2018{print $2}\u2019|xargs kill -9\u201d<\/p>\n

Let\u2019s talk more about what this command does. The first command helps to show a tree view of parent-child processes in the output of ps (process status).The first grep removes the grep process from this list and the second grep will extract any xmrig (a well-known miner) process in the filtered list. Awk pattern matches the specified pattern and xargs executes the SIGKILL signal.<\/p>\n

What follows next is a series of pkill commands to kill processes using couple of techniques that:<\/p>\n

    \n
  1. Match the entire process and argument list pattern.<\/li>\n
  2. Forcefully terminate a process.<\/li>\n<\/ol>\n

    To get the maximum CPU usage and efficiency, attackers generally start deleting the existing coin miner instances and focus on deploying new instances of mining payload.<\/p>\n

    <\/a><\/p>\n

    Generally, after this activity, the traces of cryptocurrency wallet or other activities related to mining becomes evident but what followed next was a little surprise.<\/p>\n

    It turns out that this machine appeared to have been used to target 20,000 different endpoints based on our timeline of attack analysis detailed below:<\/p>\n

    <\/a><\/p>\n

    Azure Security Center caught most of the suspicious activities observed above that triggered security alerts. To further our investigation, we collaborated with our internal memory forensics team. The analysis of the ELF payload unfolded even more details in this attack campaign:<\/p>\n