Over 90% of Attacks on Cloud Servers Attempt Cryptomining, Study Reveals

Tencent Security has reported a new botnet malware that has been prowling the web for the past few months in search of Microsoft SQL servers. Meanwhile, a different report asserts that most attacks on cloud servers abuse public cloud compute resources for cryptocurrency mining.

Making the headlines

A cybercriminal group has been discovered launching brute-force attacks on thousands of MSSQL servers to deploy a cryptomining malware dubbed MrbMiner on compromised systems.
  • The wallet used by the MSSQL version contained 7 XMR (~$630).
  • According to researchers, the MrbMiner malware was written to target Linux servers and ARM-based systems as well.
  • The analysis found 3.38 XMR (~$300) in the wallet for the Linux version of the malware.

Modus operandi

  • Upon getting access to the system, attackers download an assm.exe file to establish a (re)boot persistence mechanism and create a backdoor to enable future access.
  • After creating the backdoor account, the malicious code connects to the C2 server to download a Monero (XMR) cryptocurrency miner that runs on the local server.
  • The researchers found that the backdoor account uses the username Default and the password @fg125kjnhn987.

The rise in mining intent of cybercriminals

Aqua Security's 2020 Cloud Native Threat Report reveals a growing, organized, and increasingly sophisticated pattern of attacks on cloud-native infrastructure.
  • The firm tracked and analyzed 16,371 attacks on honeypot servers between June 2019 and July 2020.
  • In 95% of the cases, attackers deployed a malicious container image aimed at mining cryptocurrency.
  • The rest were used for setting up DDoS infrastructure.
  • According to experts, adversaries’ intrusion methods have diversified and malware complexity has shown signs of improvement.

The takeaway

We recently published an analysis of how hackers are obsessed with cryptocurrency, and the trend is only intensifying. To help thwart the threats associated with MrbMiner, researchers have published the IOCs for this campaign. In addition, system admins are advised to check their MSSQL servers for the presence of backdoors.
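
One way to run the backdoor check advised above, as an added example (not code from Tencent's report or from this article): a T-SQL audit query that flags logins named Default, any SQL login whose password matches the reported one, and recently created logins. It assumes the backdoor account is visible as a SQL or Windows login in the instance, which the article does not specify; the 180-day review window is a constructed value.

```sql
-- Added example: audit an MSSQL instance for the MrbMiner backdoor account.
-- Assumption: the account is a SQL login or a Windows login mapped into the
-- instance. Reading password_hash requires CONTROL SERVER permission.
DECLARE @lookback_days int = 180;            -- constructed review window
DECLARE @reported_pw  nvarchar(128) = N'@fg125kjnhn987';  -- password named in the report

SELECT
    sp.name,
    sp.type_desc,                            -- SQL_LOGIN or WINDOWS_LOGIN
    sp.is_disabled,
    sp.create_date,
    sp.modify_date,
    -- 1 = member of sysadmin, 0 = not a member, NULL = login could not be resolved
    IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin,
    -- PWDCOMPARE hashes the candidate and compares it to the stored hash;
    -- it returns NULL for Windows logins, which the CASE maps to 0.
    CASE WHEN PWDCOMPARE(@reported_pw, sl.password_hash) = 1
         THEN 1 ELSE 0 END AS uses_reported_password,
    CASE
        WHEN PWDCOMPARE(@reported_pw, sl.password_hash) = 1
            THEN 'password matches reported backdoor credential'
        WHEN sp.name = N'Default' OR sp.name LIKE N'%\Default'
            THEN 'name matches reported backdoor account'
        ELSE 'recently created login, confirm owner'
    END AS finding
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins   AS sl
       ON sl.principal_id = sp.principal_id
WHERE sp.type IN ('S', 'U')                  -- S = SQL login, U = Windows login
  AND (
        sp.name = N'Default'
     OR sp.name LIKE N'%\Default'            -- machine- or domain-qualified form
     OR PWDCOMPARE(@reported_pw, sl.password_hash) = 1
     OR sp.create_date >= DATEADD(DAY, -@lookback_days, GETDATE())
      )
ORDER BY sp.create_date DESC;
```

A local Windows account that was never granted a login on the instance does not appear in `sys.server_principals` and has to be checked at the operating-system level.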