Hacking, theft, miners: cybermarauders from CRYSTALRAY tear the World Wide Web apart

Carding Forum

1,500 victims in just a few months. And this is just the beginning…

Researchers from Sysdig reported on a new cybercrime group, CRYSTALRAY, which since February of this year has stolen the credentials of more than 1,500 victims and installed cryptominers on their systems.

This group uses the SSH-Snake worm, which harvests SSH keys from compromised servers and uses them to spread on its own across the networks it has reached. Previously, about 100 victims of the group's activity were known, but their number has since grown to the above-mentioned 1,500.
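Since SSH-Snake lives off whatever private keys it finds on a compromised host, the first thing a defender wants to know is which keys on a box are usable without any cracking, i.e. stored with no passphrase, and which of those are readable beyond their owner. The script below is an added example, not Sysdig's or the attackers' code: it classifies private-key files by inspecting the OpenSSH v1 envelope (the cipher name field is "none" for an unprotected key) and the PEM/PKCS#8 headers, then walks a directory tree. The sample tree, paths, and key bodies are constructed for the demonstration.

```python
"""Audit a directory tree for SSH private keys that an SSH-Snake-style worm
could use as-is (no passphrase) and for keys with loose permissions.
Added example; sample keys below are constructed in memory, not real keys."""
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_key(data: bytes) -> str:
    """Return 'unencrypted', 'encrypted:<scheme>', 'malformed' or 'not-a-key'."""
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "not-a-key"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "malformed"
        if not blob.startswith(OPENSSH_MAGIC):
            return "malformed"
        # Layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return "unencrypted" if cipher == b"none" else "encrypted:" + cipher.decode("ascii", "replace")
    if "ENCRYPTED PRIVATE KEY" in header:          # PKCS#8, encrypted
        return "encrypted:pkcs8"
    if "PRIVATE KEY" in header:                    # legacy PEM or plain PKCS#8
        if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4]):
            return "encrypted:pem"
        return "unencrypted"
    return "not-a-key"


def audit_tree(root: str):
    """Return sorted (relative path, classification, group/other readable) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(65536)
            except OSError:
                continue
            cls = classify_key(data)
            if cls == "not-a-key":
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append((os.path.relpath(path, root), cls, bool(mode & 0o077)))
    return sorted(findings)


def openssh_key_text(cipher: str) -> str:
    """Build a minimal OpenSSH private-key envelope (header fields only) for the sample."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf) \
        + _ssh_string(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_tree() -> str:
    """Constructed sample: two home directories with a mix of key files."""
    root = tempfile.mkdtemp(prefix="sshaudit-")
    samples = {
        "home/alice/.ssh/id_ed25519": (openssh_key_text("none"), 0o600),
        "home/bob/.ssh/id_rsa": (openssh_key_text("aes256-ctr"), 0o600),
        "home/bob/.ssh/deploy.pem": (
            "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "home/bob/.ssh/known_hosts": ("example.org ssh-ed25519 AAAA\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, cls, loose in audit_tree(build_sample_tree()):
        flag = " (readable by group/others)" if loose else ""
        print(f"{rel}: {cls}{flag}")
```

Run it against a real root (for example `/home` or `/root`) and treat every "unencrypted" hit as a credential the worm would simply pick up; the PEM branch only reads headers, so it reports keys, not whether they are valid.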

CRYSTALRAY uses mass scanning through services like Shodan, exploits vulnerabilities and installs backdoors. In their attacks, criminals use the tools zmap, asn, httpx, nuclei, platypus, and SSH-Snake.

The group's main goals are to steal and sell credentials, install cryptominers, and maintain access to victims' systems. They use modified public exploits and the Sliver toolkit.

CRYSTALRAY actively exploits the following vulnerabilities in its operations:
  • CVE-2022-44877: vulnerability in Control Web Panel (CWP);
  • CVE-2021-3129: vulnerability in Ignition (Laravel);
  • CVE-2019-18394: vulnerability in Ignite Realtime Openfire.

Sysdig reports that Atlassian Confluence products are likely also targeted, based on the observed exploitation patterns. In total, the group attempted to compromise about 1,800 IP addresses, a third of which are located in the United States.

CRYSTALRAY uses the Platypus web-based manager to handle multiple reverse shell sessions on compromised systems. At the same time, SSH-Snake remains the main tool used to spread across compromised networks.

After harvesting SSH keys, the SSH-Snake worm uses them to log in to new systems, copies itself there, and repeats the process on each new host. Moreover, SSH-Snake not only spreads the infection but also sends the captured keys and its traversal history back to the hackers' C2 server, opening up opportunities for further attacks.
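The behaviour just described has a recognisable shape in sshd logs: a key-based login lands on host A, and minutes later A is the source of key-based logins to B, C and D, each of which then does the same. The script below is an added detection example, not code from the original article or from Sysdig: it parses constructed `Accepted publickey` lines, maps source IPs to hostnames through a (hypothetical) inventory, and reports hop chains of three or more hosts within a time window as well as hosts that fan out to several targets. The hostnames, IPs, timestamps and the 2024 year assumption are all constructed for the sample.

```python
"""Spot SSH-Snake-style lateral movement in sshd 'Accepted publickey' lines.
Added example; log lines, host inventory and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style sshd lines; only key-based logins are of interest here.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Hypothetical inventory mapping source IPs to hostnames (constructed).
HOST_BY_IP = {
    "10.0.1.5": "bastion", "10.0.1.10": "web01", "10.0.1.20": "db01",
    "10.0.1.30": "app02", "10.0.1.31": "app03", "10.0.1.40": "cache01",
}

# Constructed sample log (not real data): one worm-like burst plus benign noise.
SAMPLE_LOG = """\
Jul 11 09:58:12 web01 sshd[2210]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2: ED25519 SHA256:AAAA
Jul 11 09:59:03 db01 sshd[3310]: Accepted publickey for deploy from 10.0.1.10 port 40022 ssh2: RSA SHA256:BBBB
Jul 11 09:59:41 app02 sshd[4401]: Accepted publickey for root from 10.0.1.20 port 40100 ssh2: RSA SHA256:CCCC
Jul 11 10:00:05 app03 sshd[4402]: Accepted publickey for root from 10.0.1.20 port 40101 ssh2: RSA SHA256:CCCC
Jul 11 10:00:30 cache01 sshd[5100]: Accepted publickey for root from 10.0.1.20 port 40102 ssh2: RSA SHA256:CCCC
Jul 11 12:30:00 web01 sshd[2290]: Accepted password for alice from 10.0.1.5 port 52000 ssh2
Jul 11 13:00:00 web01 sshd[2300]: Accepted publickey for deploy from 10.0.1.5 port 52100 ssh2: ED25519 SHA256:AAAA
"""


def parse_events(lines, year=2024):
    """Return sorted (timestamp, source host, destination host, user) tuples.
    Syslog lines carry no year, so one is assumed (2024 for the sample)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, HOST_BY_IP.get(m["src"], m["src"]), m["host"], m["user"]))
    return sorted(events)


def _is_subpath(p, q):
    """True if path p is a proper contiguous slice of path q."""
    return len(p) < len(q) and any(q[i:i + len(p)] == p for i in range(len(q) - len(p) + 1))


def find_chains(events, window_s=600, min_hosts=3):
    """Hop chains A->B->C... where each hop follows the previous one into its
    source within window_s seconds. Returns maximal chains as host tuples."""
    ending = defaultdict(list)           # host -> chains (lists of (ts, host)) ending there
    for ts, src, dst, _user in events:
        extended = [c + [(ts, dst)] for c in ending[src]
                    if 0 <= (ts - c[-1][0]).total_seconds() <= window_s
                    and dst not in {h for _, h in c}]     # no loops
        extended.append([(ts, src), (ts, dst)])           # every hop also starts a chain
        ending[dst].extend(extended)
    paths = {tuple(h for _, h in c) for cs in ending.values() for c in cs if len(c) >= min_hosts}
    return sorted(p for p in paths if not any(_is_subpath(p, q) for q in paths))


def fan_out(events, min_targets=3):
    """Hosts that used keys to reach at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for _ts, src, dst, _user in events:
        targets[src].add(dst)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for chain in find_chains(evs):
        print("chain:", " -> ".join(chain))
    for host, tgts in fan_out(evs).items():
        print(f"fan-out from {host}: {', '.join(tgts)}")
```

On the sample this reports three chains from `bastion` through `web01` and `db01` into the application hosts, and flags `db01` for fanning out to three targets in under a minute. The 10-minute window and the three-host threshold are tuning knobs; a jump host that legitimately reaches many machines will need to be allow-listed rather than lowering them.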

CRYSTALRAY sells the stolen credentials on darknet markets and Telegram. In addition, the hackers earned about $200 a month from cryptominers running on hacked systems. Since April the attackers have changed their miner configuration, so their current income is unknown.

As the CRYSTALRAY threat grows, the best mitigation is to minimize the attack surface by applying security updates promptly as vulnerabilities are disclosed, since the group relies on known, already-patched bugs.
