The document presents a case study titled 'Cloud Wars: Episode V - The Cryptojacker Strikes Back' by James Condon, detailing various attacks against cloud services including Redis, Confluence, and campaigns like Pacha vs Rocke. It discusses methods of exploitation, eradication tactics, and provides links to further reading on related cyber threats. The content emphasizes security measures and is aimed at enhancing cloud security awareness among professionals.

1. @laceworklabs
Cloud Wars: Episode V - The Cryptojacker Strikes Back
James Condon
BSides Denver 2019

2. @laceworklabs
whoami
• James Condon, Director of Research @ Lacework
• Former USAF OSI, Mandiant, and ProtectWise
• Network Forensics, Incident Response, Threat Intelligence, Cloud Security
Twitter: @laceworklabs, @jameswcondon
Email: james@lacework.com
Blog: www.lacework.com/blog/

3. @laceworklabs
Group Discussion

4. @laceworklabs

5. @laceworklabs
CASE STUDY #1: REDIS HONEY POT

6. @laceworklabs
SETTING UP OUR HONEYPOT
• Ubuntu 14.04
• apt get install redis-server
• Redis 2.8.4
• Allow external access to TCP port
6379

7. @laceworklabs
Redis Recon

8. @laceworklabs
Cronjob Attempts

9. @laceworklabs
Cronjob Attempts

10. @laceworklabs
SSH Key Add
Attempt

11. @laceworklabs
SSH Key Add
Attempt

12. @laceworklabs
LUA Exploit

13. @laceworklabs
cURL Install Script

14. @laceworklabs
Pid Grep & Kill

15. @laceworklabs
Pid Grep & Kill

16. @laceworklabs
Group Discussion

17. @laceworklabs
CASE STUDY #2: CONFLUENCE ATTACKS

18. @laceworklabs
Pkill in RCE!

19. @laceworklabs
Hit List (Process
Killing)

20. @laceworklabs
Process Killing from Established Connections

21. @laceworklabs
Kill Processes w/ CPU Great Than 30%

22. @laceworklabs

23. @laceworklabs
Group Discussion

24. @laceworklabs
CASE STUDY #3: PACHA VS ROCKE

25. @laceworklabs
Linux.GreedyAntd (File & Process Blacklisting)

26. @laceworklabs
Rocke IPs Scoped to Host

27. @laceworklabs
Rocke IPs added
to routing table
with Host Scope
@laceworklabs
Group Discussion

28. @laceworklabs
CASE STUDY #4: CRYPTOSINK

29. @laceworklabs
Download Install Script

30. @laceworklabs
Symbols Left in
Binary

31. @laceworklabs
Redirect to
Localhost

32. @laceworklabs
Replace rm for Persistence

33. @laceworklabs
Rocke IPs added
to routing table
with Host Scope
@laceworklabs
Group Discussion

34. @laceworklabs
FINAL THOUGHTS
• Common eradication tactics
• Scan process listings for keywords
• Scan process listings for CPU usage
• Search for known files
• Scan established connections
• Sinkhole IPs
• Sinkhole DNS
• Sounds like Blue Team?

35. @laceworklabs
resources
1. Anatomy of a Redis Exploit (https://www.lacework.com/anatomy-of-a-redis-exploit/)
2. A Deep Dive Into Three Popular CVE-2019-3396 PoCs Used in Confluence Attacks
(https://www.lacework.com/cve-2019-3396-poc-deep-dive/)
3. Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud
(https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/)
4. “CryptoSink” Campaign Deploys a New Miner Malware (https://www.f5.com/labs/articles/threat-intelligence/-
cryptosink--campaign-deploys-a-new-miner-malware)
5. https://news.ycombinator.com/item?id=18622528
6. Sustes Malware doesn’t infect victims by itself, but it is spread via brute-force activities with special focus on IoT
and Linux servers. (https://securityaffairs.co/wordpress/76394/malware/sustes-malware-cpu-monero.html)
7. A Dive into malicious Docker Containers
https://isc.sans.edu/diary/A+Dive+into+malicious+Docker+Containers/24388

36. @laceworklabs
QUESTIONS
Twitter: @laceworklabs, @jameswcondon
Email: james@lacework.com
Blog: www.lacework.com/blog/