    CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool

    A cybercriminal group previously observed abusing an open-source network mapping tool has sharply escalated its operations and has now compromised more than 1,500 victims.

    Sysdig, which tracks the group under the name CRYSTALRAY, reported a tenfold increase in its activity. The surge combines mass scanning, exploitation of multiple vulnerabilities, and backdoor installation, all carried out with open-source security tools.

    The main aim of these attacks is to harvest and sell credentials, deploy cryptocurrency miners, and ensure ongoing access to the compromised systems.

    One key tool in the CRYSTALRAY arsenal is SSH-Snake, introduced in January 2024. This tool automates network traversal using SSH private keys found on systems. The cybersecurity firm documented CRYSTALRAY’s misuse of SSH-Snake in February, noting its use for lateral movement after exploiting known flaws in Apache ActiveMQ and Atlassian Confluence instances.

    Joshua Rogers, the creator of SSH-Snake, told The Hacker News that the tool merely automates what would otherwise be manual processes. He urged companies to identify and address existing attack paths.
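    The audit below is an added example, not code from Sysdig or from SSH-Snake, that does the defensive counterpart of what the paragraph above describes: it inventories the private keys on a host, checks whether each one is passphrase-protected, and lists every destination the host already knows about (ssh config, known_hosts, shell history), which is exactly the material SSH-Snake chains into hops. The SAMPLE_FILES mapping, its hostnames and its key blobs are constructed test data; a real run feeds the same `audit()` function a {path: bytes} mapping read from a user's home directory.

```python
"""Inventory the SSH lateral-movement material that SSH-Snake chains together.

Added example (not Sysdig's or SSH-Snake's code). SAMPLE_FILES is constructed
stand-in data; every path and host in it is a placeholder."""
import base64
import os
import re
import shlex
import struct

PEM_PRIVATE = re.compile(rb"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
OPENSSH_BODY = re.compile(rb"BEGIN OPENSSH PRIVATE KEY-----\s*(.*?)\s*-----END", re.S)
SSH_OPTS_WITH_ARG = set("bcDEeFIiJLlmOopQRSWw")   # ssh(1) flags that consume a value

def key_is_encrypted(data: bytes) -> bool:
    """True if a private key needs a passphrase (legacy PEM marker or OpenSSH cipher != none)."""
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    m = OPENSSH_BODY.search(data)
    blob = base64.b64decode(b"".join(m.group(1).split())) if m else b""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return False
    (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])   # length-prefixed ciphername
    return blob[len(magic) + 4:len(magic) + 4 + n] != b"none"

def parse_ssh_config(text: str):
    """Yield (user, hostname) per Host block; HostName defaults to the alias."""
    cur = None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            if cur:
                yield cur["user"], cur["hostname"]
            cur = {"hostname": val, "user": None}
        elif cur is not None and key in ("hostname", "user"):
            cur[key] = val
    if cur:
        yield cur["user"], cur["hostname"]

def ssh_destination(cmdline: str):
    """Return (user, host) from a history line that invokes ssh, else None."""
    try:
        toks = shlex.split(cmdline)
    except ValueError:
        return None
    if "ssh" not in toks:
        return None
    args = iter(toks[toks.index("ssh") + 1:])
    for tok in args:
        if tok.startswith("-"):
            if len(tok) == 2 and tok[1] in SSH_OPTS_WITH_ARG:
                next(args, None)                       # skip the flag's value
            continue
        user, _, host = tok.rpartition("@")
        return (user or None, host)
    return None

def audit(files: dict) -> dict:
    """Classify private keys and collect every known destination with its evidence."""
    report = {"unprotected_keys": [], "protected_keys": [], "targets": set()}
    for path, data in files.items():
        if PEM_PRIVATE.search(data):
            report["protected_keys" if key_is_encrypted(data) else "unprotected_keys"].append(path)
            continue
        name, text = os.path.basename(path), data.decode("utf-8", "replace")
        if name == "config":
            for user, host in parse_ssh_config(text):
                report["targets"].add((user, host, "ssh_config"))
        elif name == "known_hosts":
            for line in text.splitlines():
                line = line.strip()
                if not line or line.startswith(("#", "@", "|1|")):   # markers and hashed hosts
                    continue
                for host in line.split()[0].split(","):
                    report["targets"].add((None, host, "known_hosts"))
        elif name.endswith("_history"):
            for line in text.splitlines():
                dest = ssh_destination(line)
                if dest:
                    report["targets"].add((dest[0], dest[1], "shell_history"))
    report["targets"] = sorted(report["targets"], key=str)
    return report

def _fake_openssh_key(cipher: bytes) -> bytes:
    """Constructed key file: genuine OpenSSH header and cipher field, no key material."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(body)
            + b"-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_FILES = {   # constructed stand-in for one user's home directory
    "/home/ops/.ssh/id_ed25519": _fake_openssh_key(b"none"),
    "/home/ops/.ssh/deploy_key": _fake_openssh_key(b"aes256-ctr"),
    "/home/ops/.ssh/old_rsa.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n-----END RSA PRIVATE KEY-----\n",
    "/home/ops/.ssh/config": b"Host bastion\n  HostName 10.0.0.5\n  User ops\n\nHost db-*\n  User dbadmin\n",
    "/home/ops/.ssh/known_hosts": b"10.0.0.5 ssh-ed25519 AAAAC3\n|1|hashed=|hashed= ssh-rsa AAAAB3\ngitlab.internal,192.168.1.20 ssh-rsa AAAAB3\n",
    "/home/ops/.bash_history": b"ls -la\nssh -i ~/.ssh/deploy_key deploy@10.0.0.7\nssh bastion\ncat ~/.ssh/id_rsa\n",
}

if __name__ == "__main__":
    for section, items in audit(SAMPLE_FILES).items():
        print(section, *items, sep="\n  ")
```

    Every entry in `unprotected_keys` paired with an entry in `targets` is a hop an attacker with a foothold on this host gets for free; passphrase-protected keys and hashed known_hosts entries (skipped here because they reveal no hostname) are the cheap mitigations. Hashed known_hosts is the default `HashKnownHosts yes` in many distributions, and the tool treats its absence as a finding worth noting rather than something to decode.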

    Other tools employed by CRYSTALRAY include asn, zmap, httpx, and nuclei. These tools are used to check if a domain is active and to scan for vulnerable services such as Apache ActiveMQ, Apache RocketMQ, Atlassian Confluence, Laravel, Metabase, Openfire, Oracle WebLogic Server, and Solr.

    CRYSTALRAY uses its initial access for extensive credential discovery, going well beyond server-to-server movement over SSH. Persistent access is maintained with Sliver, a legitimate command-and-control (C2) framework, and Platypus, a reverse shell manager.

    To further monetize compromised hosts, CRYSTALRAY deploys cryptocurrency miner payloads that run on the victims' hardware, and it kills any competing miners already present on the machines.

    “CRYSTALRAY can discover and extract credentials from vulnerable systems, which are then sold on black markets for significant sums,” stated Sysdig researcher Miguel Hernández. “The credentials being sold encompass a wide range of services, including Cloud Service Providers and SaaS email providers.”
