Cybersecurity researchers at Splunk have shared details about what they believe to be a re-emergence of a cryptocurrency-mining botnet that specifically targets Windows Server instances running on Amazon's cloud computing platform, Amazon Web Services (AWS).
Based on their detailed analysis, Splunk's Threat Research Team (STRT) says the campaign against AWS’ IP address space seems to originate from Chinese and Iranian IP addresses.
After homing in on a target, the attackers brute-force their way into the virtual machines (VMs) and then install cryptomining tools to mine the Monero cryptocurrency.
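The pattern described above, a burst of failed logons from one source address followed by a successful one, is what a defender should be hunting for in the Windows Security log of an exposed server. The following Python detector is an added example for this article, not code from Splunk's report or from the campaign itself. The event records are constructed for illustration (source IPs are from the RFC 5737 documentation ranges); in practice they would be pulled from event IDs 4625 (failed logon) and 4624 (successful logon), and the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (made up for this example).
# Fields: ISO timestamp, event ID, source IP, target user name.
# 4625 = an account failed to log on; 4624 = an account was successfully logged on.
SAMPLE_EVENTS = [
    ("2021-12-01T10:00:03", 4625, "203.0.113.45", "administrator"),
    ("2021-12-01T10:00:07", 4625, "203.0.113.45", "admin"),
    ("2021-12-01T10:00:12", 4625, "203.0.113.45", "Administrator"),
    ("2021-12-01T10:00:20", 4625, "203.0.113.45", "backup"),
    ("2021-12-01T10:00:31", 4625, "203.0.113.45", "sqladmin"),
    ("2021-12-01T10:00:44", 4625, "203.0.113.45", "administrator"),
    ("2021-12-01T10:01:02", 4624, "203.0.113.45", "administrator"),  # guess succeeded
    ("2021-12-01T10:05:00", 4625, "198.51.100.7", "jsmith"),          # one typo, then OK
    ("2021-12-01T10:05:09", 4624, "198.51.100.7", "jsmith"),
    ("2021-12-01T09:00:00", 4625, "192.0.2.10", "svc_monitor"),       # slow, spread out
    ("2021-12-01T09:20:00", 4625, "192.0.2.10", "svc_monitor"),
    ("2021-12-01T09:40:00", 4625, "192.0.2.10", "svc_monitor"),
    ("2021-12-01T10:00:00", 4625, "192.0.2.10", "svc_monitor"),
    ("2021-12-01T10:20:00", 4625, "192.0.2.10", "svc_monitor"),
]


def _parse(events):
    """Convert the raw tuples to datetime-keyed tuples sorted by time."""
    return sorted(
        ((datetime.fromisoformat(ts), eid, ip, user) for ts, eid, ip, user in events),
        key=lambda e: e[0],
    )


def detect_bruteforce(events, threshold=5, window_minutes=5):
    """Return {source_ip: details} for every source IP that produced at least
    `threshold` failed logons (4625) inside any span of `window_minutes`.
    `followed_by_success` is True when a 4624 from the same IP lands after the
    burst started, which is the signature of a successfully guessed password."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # ip -> [(time, user), ...] in time order
    successes = defaultdict(list)  # ip -> [(time, user), ...] in time order
    for ts, eid, ip, user in _parse(events):
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append((ts, user))

    hits = {}
    for ip, fails in failures.items():
        # Slide a window of `threshold` consecutive failures along the sorted list;
        # the first window that fits inside `window` marks the start of the burst.
        for i in range(len(fails) - threshold + 1):
            start = fails[i][0]
            end = fails[i + threshold - 1][0]
            if end - start <= window:
                burst = fails[i:]  # everything from the burst start onward
                later_success = [u for t, u in successes[ip] if t >= start]
                hits[ip] = {
                    "first_failure": start.isoformat(),
                    "failures": len(burst),
                    # Lower-case so "Administrator" and "administrator" count once
                    "usernames": sorted({u.lower() for _, u in burst}),
                    "followed_by_success": bool(later_success),
                    "success_users": later_success,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_EVENTS).items():
        flag = "COMPROMISE LIKELY" if info["followed_by_success"] else "attempt"
        print(f"{ip}: {info['failures']} failures from {info['first_failure']} "
              f"against {info['usernames']} -> {flag}")
```

On the sample data only 203.0.113.45 is flagged: six failures in under a minute across several account names, then a successful logon as `administrator`. The single mistyped password from 198.51.100.7 and the slow, hourly failures from 192.0.2.10 stay below the default threshold, though widening the window (for example to two hours) would surface the slow guesser too, so the window is worth tuning to the server's normal logon rate. This check only catches brute force after the fact; the article's advice on patching, strong passwords and Network Level Authentication is what keeps the guessing from succeeding in the first place.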
Telegram-powered C2 infrastructure
Interestingly, STRT found that every compromised VM carried the executable binary of the Telegram Desktop client. The researchers reason that the attackers use it to tie the compromised VMs into their botnet.
The threat actors abuse the Telegram API, through the desktop client, to execute commands on the compromised hosts and turn them into bots, which can then be instructed to download additional tools and payloads automatically.
According to STRT, the crypto wallet that receives the mined Monero was also used in earlier campaigns dating back to 2018.
Noting the other similarities between the current attack and the previous campaigns, including the use of similar exploitation techniques, STRT believes the current campaign is being conducted by the same threat actors that were behind the earlier campaigns.
Since the attacks do not appear to exploit a software vulnerability but instead brute-force their way into the hosts, the researchers suggest that admins review their passwords.
“As seen during our research, the best way to prevent these attack vectors is first patching your Windows servers and applying the latest security updates. The use of weak passwords is also a big factor in getting your servers compromised,” suggests STRT, adding that the use of Network Level Authentication (NLA) will also help thwart brute force attacks.