Hackers attract traffic to their sites through Docker

Experts have shown how attackers make money on hacked servers.

A new campaign targeting vulnerable Docker services is deploying the XMRig miner and the 9hits app, enabling a dual-monetization strategy on compromised hosts. This is the first documented case of the 9Hits app being used as malware, according to a Cado Security report.

9Hits is a traffic-sharing system that lets users drive traffic to their sites. Members run the 9hits viewer app, which is installed on their devices and runs a standalone instance of the Chrome browser. Users earn points by visiting the sites of other members of the system and spend those points to get visitors to their own site. Because this is an automated way of increasing site traffic, the resulting traffic is not organic and may not translate into real engagement or conversions.

According to Cado Security, the attackers deploy the 9hits viewer application on compromised Docker hosts, using the resources of the compromised systems to generate credits for themselves. Vulnerable servers are probably located with Shodan, and malicious containers are then deployed through the exposed Docker API.

The containers are launched from images hosted on Dockerhub to reduce suspicion. The deployment script captured by Cado's honeypot uses the Docker CLI: it sets the DOCKER_HOST variable and then makes the usual API calls to pull and start the containers.

One container runs the XMRig miner, which mines the Monero cryptocurrency for the attacker using the cloud system's resources. The miner connects to a private mining pool, which makes it impossible to gauge the scale or profit of the campaign. The domain used for the mining pool shows that the attackers rely on dynamic DNS services to maintain control.

The 9hits container runs a script (nh.sh) with a session token that lets it authenticate and generate credits for the attacker by visiting a list of websites. The session token system is designed to work securely even in untrusted environments, which lets the hackers profit without the risk of being banned. The settings chosen for the 9hits app include, for example, allowing pop-ups and visits to adult sites, while prohibiting visits to cryptocurrency-related sites.

The main impact on compromised hosts is resource exhaustion: the XMRig miner uses all available CPU, while 9hits consumes a large amount of bandwidth, memory, and whatever CPU remains. As a result, legitimate workloads on infected servers cannot function properly.
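As an added illustration from the defender's side (not code from the article or from Cado Security), the following Python script checks the two points described above: whether a daemon.json exposes the Docker API over plain TCP, which is the entry point the campaign relies on, and whether `docker inspect`-style records show containers matching the indicators named in the report (XMRig, 9hits, nh.sh) that also run without a CPU limit. The sample records, the `example/9hits-viewer` image name and the placeholder pool and token values are constructed for this example.

```python
"""Defender-side triage for the Docker campaign described above (added example)."""
import json
from typing import Iterable

# Indicator strings taken from the article: the XMRig miner, the 9hits app, nh.sh.
# The attackers pull innocuous-looking Dockerhub images, so image names alone are
# weak; the command line and the missing CPU limit are the stronger signals.
SUSPICIOUS_IMAGE_TERMS = ("xmrig", "9hits")
SUSPICIOUS_CMD_TERMS = ("nh.sh", "xmrig")


def insecure_daemon_hosts(daemon_json: str) -> list[str]:
    """Return daemon.json 'hosts' entries that expose the API over plain TCP.
    Such a listener lets anyone reaching the port pull and start containers."""
    cfg = json.loads(daemon_json)
    tls_on = bool(cfg.get("tlsverify") or cfg.get("tls"))
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_on]


def flag_containers(records: Iterable[dict]) -> list[dict]:
    """Scan `docker inspect`-style records and report containers worth a closer look."""
    findings = []
    for rec in records:
        config = rec.get("Config", {})
        image = config.get("Image", "").lower()
        cmd = " ".join(config.get("Cmd") or []).lower()
        reasons = []
        if any(term in image for term in SUSPICIOUS_IMAGE_TERMS):
            reasons.append(f"image matches indicator: {image}")
        if any(term in cmd for term in SUSPICIOUS_CMD_TERMS):
            reasons.append(f"command matches indicator: {cmd}")
        host_cfg = rec.get("HostConfig", {})
        # XMRig takes every core it is given; an unthrottled container fits that.
        if reasons and not (host_cfg.get("NanoCpus") or host_cfg.get("CpuQuota")):
            reasons.append("no CPU limit set")
        if reasons:
            findings.append({"container": rec.get("Name", "").lstrip("/"), "reasons": reasons})
    return findings


# Constructed sample records in `docker inspect` shape; not data from the campaign.
SAMPLE_RECORDS = [
    {"Name": "/web", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"NanoCpus": 500_000_000}},
    {"Name": "/miner", "Config": {"Image": "alpine:3.19", "Cmd": ["/xmrig", "-o", "POOL_PLACEHOLDER:3333"]},
     "HostConfig": {}},
    {"Name": "/traffic", "Config": {"Image": "example/9hits-viewer", "Cmd": ["sh", "nh.sh", "TOKEN_PLACEHOLDER"]},
     "HostConfig": {}},
]
```

On a real host, feed `flag_containers` the output of `docker inspect $(docker ps -q)` and `insecure_daemon_hosts` the contents of /etc/docker/daemon.json; a tcp:// listener without TLS should be treated as a finding regardless of whether any container is flagged.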

The campaign shows that attackers keep exploring alternative monetization channels beyond traditional methods such as cryptocurrency mining, diversifying their attacks and taking more covert paths. Platforms abused by attackers, such as 9hits, need stricter security checks and policies to prevent unauthorized use of their applications, which can cause financial losses and operational disruption for organizations.

Businesses investing in cloud computing environments must navigate a complex landscape. This calls for Zero Trust models, Cloud Workload Protection Platforms (CWPP), and Cloud Security Posture Management (CSPM) to improve visibility, configuration management, and protection of vulnerable assets.