Hackers with possible ties to the notorious North Korea-linked Lazarus Group are exploiting a recent critical vulnerability in Palo Alto Networks' PAN-OS software to run a sophisticated cryptomining operation that likely has nation-state backing.
In a report Thursday, threat researchers with Akamai said the bad actors behind this variant of the RedTail cryptomining malware are changing tactics, incorporating the PAN-OS flaw - tracked as CVE-2024-3400 - as well as using advanced evasion and persistence techniques and their own mining pools rather than public crypto wallets.
Some of the techniques mirror those used by the Lazarus Group - something that other researchers have suggested - and display a level of complexity and cost that suggest a nation-state like North Korea is behind the cryptomining campaign.
The RedTail cryptominer was first detected in December 2023 by researchers with Cyber Security Associates, who published a detailed report about it the following month.
At the time, it was seen abusing the infamous Log4j vulnerability to mine Monero cryptocurrency using the same commands that the Akamai researchers wrote they found in the latest campaign.
A Lazarus advanced persistent threat subgroup called Andariel was detected late last year by Cisco's Talos group running a campaign that exploited the Log4j flaw.
Targeting the Palo Alto vulnerability to launch the operation is new, Barnett, Kupchik, and Zavodchik wrote.
The cryptomining group behind the latest RedTail campaign had in the past targeted flaws found in TP-Link routers, VMware's Workspace ONE Access and Identity Manager, ThinkPHP file inclusion and remote code execution through pearcmd, and ThinkPHP RCE. The list also includes two bugs - CVE-2023-46805 and CVE-2024-21887 - in Ivanti's Connect Secure, one of several of the software company's products that have been hampered in recent months by vulnerabilities.
Cybersecurity firm GreyNoise detected the abuse of the Ivanti flaws in cryptomining campaigns in January.
Palo Alto Networks disclosed the PAN-OS zero-day vulnerability in an advisory on April 11. By then it had already been exploited by a threat group identified as UTA0218 to export device configuration data and to use the device as an entry point into victims' networks, according to a report by Volexity researchers that month.
The specific malware servers that served the RedTail variant they tracked were active between early April and the beginning of this month, with exploitation of the PAN-OS bug beginning at least as early as April 21.
The researchers said initial research into the RedTail malware found that it could be used for distributed denial-of-service and cryptomining campaigns; they then determined that cryptomining was the bad actors' goal.
It's a variant of XMRig - a legitimate cryptomining tool that often is used by cybercriminals - though there were significant differences from previous RedTail versions.
The malware's infrastructure uses multiple unrelated servers that are hosted by legitimate hosting companies.
Among the modifications was an encrypted mining configuration that the malware eventually decrypts before handing control over to the XMRig code.
The threat actors also didn't use a public crypto wallet, suggesting they opted to run their own mining pools or pool proxies. That points to a sophisticated operation in which they wanted greater control over the mining outcomes, even though it meant the increased operational and financial costs that come with running a private server.
By exploiting the VMware and other flaws, the RedTail bad actors target Internet of Things devices, web applications, SSL-VPNs, and security devices, such as Ivanti's Connect Secure and Palo Alto's GlobalProtect.
That would be in line with North Korea, which runs cyberattacks to steal information and to fund its nuclear and ballistic missile programs.
Reuters reported in February that United Nations investigators were looking at 58 cryptocurrency-related cyberattacks on companies by North Korea that brought in $3 billion that the country used for its weapons programs.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 30 May 2024 15:13:06 +0000