VPN Traitor: How Cloudflare WARP Helps Hackers in Clever Attacks

Cado Security describes the SSWW campaign and other operations that abuse the service.

According to a new study by Cado Security, attackers have begun to actively use the Cloudflare WARP service to conduct attacks on vulnerable Internet resources.

Cloudflare WARP is a free VPN service that optimizes traffic by routing it through the Cloudflare international network. The service uses its own implementation of the WireGuard protocol to tunnel data to the nearest Cloudflare data center.

Experts note that the main danger of malicious use of WARP lies in the high level of trust in Cloudflare IP addresses. Many network administrators tend to skip such traffic, considering it part of normal business processes. Moreover, some experts even recommend allowing the entire range of Cloudflare IP addresses in firewalls.

One example is the SSWW campaign aimed at cryptocurrency mining. Attackers attack open Docker containers using WARP for initial access. The first such incident was recorded on February 21, 2024.

It all starts with creating a container that has elevated privileges and access to the host system. The attackers do this with the following HTTP request to the exposed Docker daemon API (port 2375):

IPv4 TCP (PA) 104.28.247.120:19736 -> redacted:2375
POST /containers/create HTTP/1.1
Host: redacted:2375
Accept-Encoding: identity
User-Agent: Docker-Client/20.10.17 (linux)
Content-Length: 245
Content-Type: application/json

{"Image": "61395b4c586da2b9b3b7ca903ea6a448e6783dfdd7f768ff2c1a0f3360aaba99", "Entrypoint": ["sleep", "3600"], "User": "root", "HostConfig": {"Binds": ["/:/h"], "NetworkMode": "host", "PidMode": "host", "Privileged": true, "UsernsMode": "host"}}
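Every field in that HostConfig is a host-escape on its own (the root filesystem bind-mounted at /h, host PID and network namespaces, Privileged). A Docker API proxy or IDS that sees the daemon port can flag such requests before the container starts. The following detector is an added example, not code from Cado Security or the post; the request it parses is a constructed reconstruction of the capture above (the image digest and client string are taken from the post, everything else is reassembled), and the field names it checks are the documented Docker Engine API HostConfig keys.

```python
"""Flag Docker Engine API container-create requests that ask for host-level
privileges, as the SSWW request above does.

Added example: the request text below is a constructed reconstruction of the
capture in the post, not the original packet."""
import json
from typing import Dict, List

# Constructed sample: the request as a proxy or packet capture would hand it over.
SAMPLE_REQUEST = (
    "POST /containers/create HTTP/1.1\r\n"
    "Host: redacted:2375\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: Docker-Client/20.10.17 (linux)\r\n"
    "Content-Length: 245\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"Image": "61395b4c586da2b9b3b7ca903ea6a448e6783dfdd7f768ff2c1a0f3360aaba99", '
    '"Entrypoint": ["sleep", "3600"], "User": "root", '
    '"HostConfig": {"Binds": ["/:/h"], "NetworkMode": "host", "PidMode": "host", '
    '"Privileged": true, "UsernsMode": "host"}}'
)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def host_escape_findings(host_config: Dict) -> List[str]:
    """List HostConfig settings that hand the container control of the host.
    Any one of them is enough; the SSWW request sets all of them."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("Privileged=true (all capabilities, raw device access)")
    for bind in host_config.get("Binds", []):
        src = bind.split(":", 1)[0]
        if src == "/" or src.startswith(("/etc", "/root", "/var/run/docker.sock")):
            findings.append(f"host path {src} bind-mounted into the container")
    for key in ("PidMode", "NetworkMode", "UsernsMode", "IpcMode"):
        if host_config.get(key) == "host":
            findings.append(f"{key}=host (shares the host namespace)")
    return findings


def assess_create_request(raw: str) -> Dict:
    """Assess one Docker API request; a 'host compromise' verdict should page on-call."""
    method, path, headers, body = parse_http_request(raw)
    # The path may carry an API version prefix (/v1.41/...) or a ?name= query.
    if not (method == "POST" and "/containers/create" in path):
        return {"relevant": False, "findings": []}
    spec = json.loads(body)
    findings = host_escape_findings(spec.get("HostConfig", {}))
    if spec.get("User") == "root":
        findings.append("process runs as root inside the container")
    escape = any("Privileged" in f or "bind-mounted" in f for f in findings)
    return {
        "relevant": True,
        "image": spec.get("Image"),
        "entrypoint": spec.get("Entrypoint"),
        "client": headers.get("user-agent"),
        "findings": findings,
        "verdict": "host compromise" if escape else "review",
    }


if __name__ == "__main__":
    print(json.dumps(assess_create_request(SAMPLE_REQUEST), indent=2))
```

The verdict deliberately keys on the two settings that by themselves defeat isolation (Privileged and a sensitive bind mount); shared namespaces and a root user are reported but only raise the severity. Run against the sample, the function returns six findings and the verdict "host compromise".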

Next, a script is launched that performs a number of actions:
  1. Stops the services of competing miners
  2. Checks whether the system is already infected with the SSWW campaign
  3. Disables SELinux
  4. Configures huge pages and enables drop_caches to optimize XMRig
  5. Downloads and installs the XMRig miner with the built-in configuration
  6. Loads and compiles a simple script to hide processes
  7. Adds the process hiding script to /etc/ld.so.preload so that it works as a custom rootkit
  8. Creates and activates a systemd unit for autorun of the miner
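Steps 3, 4, 7 and 8 each leave a durable trace on the host, which makes them useful for triage. The audit below is an added example, not Cado Security's code or anything from the post: it takes the contents of /etc/ld.so.preload, /etc/selinux/config, the installed systemd units and /proc/sys/vm/nr_hugepages as arguments, so it can be run on copies collected from a suspect machine. The sample texts, the unit name sysupdate.service, the library name libhide.so and the huge-page threshold are all constructed for the example.

```python
"""Audit a Linux host for the evasion and persistence traces in the SSWW step
list: an ld.so.preload entry, SELinux switched off, huge pages tuned for a
miner, and a systemd unit that launches one.

Added example; all sample inputs below are constructed, not from a real host."""
import re
from typing import Dict, List

# Constructed samples standing in for files collected from a host.
SAMPLE_PRELOAD = "/usr/local/lib/libhide.so\n"
SAMPLE_SELINUX_CONFIG = (
    "# This file controls the state of SELinux on the system.\n"
    "SELINUX=disabled\nSELINUXTYPE=targeted\n"
)
SAMPLE_UNITS = {
    "sysupdate.service": (
        "[Unit]\nDescription=System Update Service\n"
        "[Service]\nExecStart=/usr/local/bin/xmrig --config=/usr/local/etc/miner.json\n"
        "Restart=always\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "sshd.service": "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
}
SAMPLE_NR_HUGEPAGES = "1280\n"

# Command-line fragments typical of miner launches (assumption: tune to your own environment).
MINER_PATTERNS = re.compile(r"xmrig|minerd|stratum\+tcp|--donate-level", re.I)
# vm.nr_hugepages defaults to 0; a value at or above this is worth a look unless a
# database on the host is known to use huge pages (threshold is an assumption).
HUGEPAGE_THRESHOLD = 128


def audit_host(preload: str, selinux_config: str, units: Dict[str, str], nr_hugepages: str) -> List[str]:
    """Return one finding string per indicator found in the supplied file contents."""
    findings = []
    # Step 7: on a stock system /etc/ld.so.preload is absent or empty; every library
    # listed here is injected into each dynamically linked process.
    for line in preload.splitlines():
        lib = line.strip()
        if lib and not lib.startswith("#"):
            findings.append(f"ld.so.preload injects {lib}")
    # Step 3: SELINUX=disabled in /etc/selinux/config survives a reboot.
    m = re.search(r"^\s*SELINUX\s*=\s*(\w+)", selinux_config, re.M)
    if m and m.group(1).lower() == "disabled":
        findings.append("SELinux disabled in config")
    # Step 4: huge pages reserved for the miner's memory-hard hashing.
    try:
        pages = int(nr_hugepages.strip())
    except ValueError:
        pages = 0
    if pages >= HUGEPAGE_THRESHOLD:
        findings.append(f"vm.nr_hugepages={pages} (miner-style tuning)")
    # Step 8: a unit whose ExecStart launches a miner, whatever the unit is called.
    for name, text in units.items():
        for exec_line in re.finditer(r"^ExecStart=(.*)$", text, re.M):
            if MINER_PATTERNS.search(exec_line.group(1)):
                findings.append(f"unit {name} starts {exec_line.group(1).strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_host(SAMPLE_PRELOAD, SAMPLE_SELINUX_CONFIG, SAMPLE_UNITS, SAMPLE_NR_HUGEPAGES):
        print("[!]", finding)
```

Because the rootkit hides the miner from ps and similar tools by hooking libc inside every process, reading the raw files (and, on a live host, /proc) is more reliable than trusting the output of process listings on the machine itself.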

Analysts found that the attackers use a Monero wallet with the address 44EP4MrMADSYSxmN7r2EERgqYBeB5EuJ3FBEzBrczBRZZFZ7cKotTR5airkvCm2uJ82nZHu8U3YXbDXnBviLj3er7XDnMhP. At the time the report was published, the attackers had mined about 9.57 XMR (approximately $1,567).

Despite the fact that WARP is used to hide traces, researchers were able to determine that the attacks originated from the Cloudflare data center in Zagreb, Croatia.

The SSWW campaign isn't the only threat using WARP. Cado Security experts have recorded a significant increase in attacks on SSH services through this platform. By the end of 2023, the number of such hacking attempts reached several thousand every month. A particularly disturbing fact was the migration of many well-known hacker groups from traditional VPS providers to Cloudflare WARP for their operations.

Cybercriminals probably use WARP not so much for anonymity as to bypass blocking: Cloudflare IP addresses are perceived as "clean" and rarely end up on blocklists, unlike addresses belonging to well-known hosting providers.
