A new threat group has launched cryptomining attacks around the globe and is using exploits from the National Security Agency to spread its malware.
The threat group, dubbed ‘Panda,’ was revealed this week in a new report from Cisco Talos. Christopher Evans and Dave Liebenberg, threat researcher and head of strategic intelligence, respectively, at Cisco Talos, wrote that although the group is “far from the most sophisticated” it has been very active and willing to “update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts.”
“Panda’s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,” Evans and Liebenberg wrote in a blog post. “Our threat traps show that Panda uses exploits previously used by Shadow Brokers and Mimikatz, an open-source credential-dumping program.”
The NSA exploits include EternalBlue, which targets a vulnerability in version 1 of Microsoft’s Server Message Block (SMBv1) protocol. The researchers first became aware of Panda’s cryptomining attacks in the summer of 2018 and told SearchSecurity that over the past year they’ve seen the group’s activity in Talos’ honeypots on a daily basis.
“We see them in several of our honeypots nearly every day, which tells me they’re targeting a large portion of the internet,” Evans said. “Our honeypots are deployed throughout the world, and I’ve never seen a geographic focus of their attacks in the data. The applications they target are widely deployed, and without patching are easy targets.”
Since January, the researchers have watched Panda’s cryptomining campaign shift targets, first exploiting a ThinkPHP web framework vulnerability and then an Oracle WebLogic flaw, and have seen the group move to new infrastructure in March and again over the past month.
“They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and [are] quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch,” the researchers wrote. “And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware.”
Liebenberg told SearchSecurity, “It appears that instead of employing good OpSec they focus on volume. That’s one reason why they’ll keep using old, burned infrastructure while still deploying new ones.”
Evans and Liebenberg said in their research that the Panda group has mined approximately 1,215 Monero (a cryptocurrency that emphasizes privacy), worth almost $100,000 at today’s price. One Monero currently trades at about $78, but the value of Monero has fluctuated, beginning the year around $50 and peaking above $110 in June.
The researchers have confirmed Panda cryptomining attacks against organizations in the banking, healthcare, transportation, telecommunications and IT services industries. Evans and Liebenberg also told SearchSecurity that the best way for organizations to detect if they have been attacked would be to “look for prolonged high system utilization, connections to mining pools using common mining ports (3333, 4444), watching for common malware persistence mechanisms, watching for DNS traffic to known mining pools and enabling the appropriate rules in your IDS.”
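The detection advice above boils down to correlating a few cheap signals: connections to common mining ports, DNS lookups for known pools, and sustained CPU load. The script below is an added example, not code from the article or from Cisco Talos, that applies those three checks to constructed sample log lines and scores each host by how many independent signals fired. The ports 3333 and 4444 are the ones named in the article; the pool domain watchlist, the log formats and the CPU samples are assumptions made up for this example and should be replaced with your own threat intelligence and telemetry.

```python
import re
from collections import defaultdict

# Common mining-pool ports named in the article.
MINING_PORTS = {3333, 4444}

# Assumed watchlist of mining-pool domains. These are placeholders, not pool
# names from the article; replace with your own threat-intelligence feed.
POOL_DOMAINS = ("xmrpool.example.invalid", "minexmr.example.invalid")

CPU_THRESHOLD = 90.0   # percent utilisation
CPU_SUSTAINED = 3      # consecutive samples at or above the threshold

# Constructed sample connection log for this example (not a real capture).
CONN_LOG = """\
2019-09-17T10:00:01Z 10.0.5.12:51234 -> 203.0.113.7:3333 tcp
2019-09-17T10:00:02Z 10.0.5.12:51240 -> 198.51.100.9:443 tcp
2019-09-17T10:00:03Z 10.0.7.40:40211 -> 203.0.113.8:4444 tcp
2019-09-17T10:00:04Z 10.0.7.41:40212 -> 198.51.100.10:80 tcp
"""

# Constructed sample DNS query log for this example (not a real capture).
DNS_LOG = """\
2019-09-17T09:59:58Z 10.0.5.12 query A xmrpool.example.invalid
2019-09-17T09:59:59Z 10.0.7.41 query A www.example.com
2019-09-17T10:00:00Z 10.0.7.40 query A eu.minexmr.example.invalid
"""

# Constructed per-host CPU utilisation samples (percent), one per minute.
CPU_SAMPLES = {
    "10.0.5.12": [12.0, 95.0, 97.0, 99.0, 98.0],   # sustained load
    "10.0.7.40": [40.0, 92.0, 45.0, 93.0, 50.0],   # spiky, not sustained
    "10.0.7.41": [10.0, 12.0, 11.0, 13.0, 9.0],
}

CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) query (\w+) (\S+)$")


def mining_port_connections(log):
    """Return (src_ip, dst_ip, dport) for each connection to a common mining port."""
    hits = []
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        _ts, src, _sport, dst, dport, _proto = m.groups()
        if int(dport) in MINING_PORTS:
            hits.append((src, dst, int(dport)))
    return hits


def pool_dns_queries(log):
    """Return (client_ip, qname) for DNS queries that match the pool watchlist."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in POOL_DOMAINS):
            hits.append((client, qname))
    return hits


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, run=CPU_SUSTAINED):
    """Return hosts with at least `run` consecutive samples at or above `threshold`."""
    hosts = []
    for host, values in samples.items():
        streak = 0
        for v in values:
            streak = streak + 1 if v >= threshold else 0
            if streak >= run:
                hosts.append(host)
                break
    return hosts


def correlate(conn_log=CONN_LOG, dns_log=DNS_LOG, cpu=CPU_SAMPLES):
    """Map each host to the sorted list of signals that fired on it."""
    signals = defaultdict(set)
    for src, _dst, _port in mining_port_connections(conn_log):
        signals[src].add("mining_port")
    for client, _qname in pool_dns_queries(dns_log):
        signals[client].add("pool_dns")
    for host in sustained_high_cpu(cpu):
        signals[host].add("sustained_cpu")
    return {host: sorted(sigs) for host, sigs in signals.items()}


if __name__ == "__main__":
    for host, sigs in sorted(correlate().items()):
        print(f"{host}: {len(sigs)} signal(s): {', '.join(sigs)}")
```

With the constructed data, 10.0.5.12 trips all three checks while 10.0.7.40 trips only the network ones, which is the point of scoring rather than alerting on any single hit: port 4444 in particular is also a common reverse-shell and pentest-tool default, so a port-only rule is noisy, and a miner tunnelled over 443 or through a proxy will not show up on the port check at all. Sustained load plus a pool lookup is a much stronger lead for the incident responder than either alone.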