Posted: 2021. 1. 27, 7:21:56 AM
Recently, Sophos security researchers disclosed additional details about the crypto-miner called MrbMiner, describing its modus operandi. The MrbMiner botnet first came into the limelight in September 2020 while launching brute-force attacks against Microsoft SQL Server (MSSQL) databases to gain access to administrator accounts protected by weak passwords.
Sophos has analyzed malware payloads, domain data, and server information and found several clues that link the operators of the MrbMiner botnet to a legitimate Iranian business.
The origin of the botnet is connected to a domain vihansoft[.]ir, registered to a small boutique software development company operating from the city of Shiraz, Iran. The domain’s owner was implicated in spreading the malware.
The attackers misused the server hosting vihansoft[.]ir to serve multiple MrbMiner domains from which the crypto-miner payloads were downloaded.
Besides, the vihansoft[.]ir domain was used as the C&C and payload server for the MrbMiner operation.
A few days ago, the TeamTNT botnet was discovered stealing Docker API logins and AWS credentials, in addition to deploying the XMRig mining tool to mine Monero cryptocurrency.
In December, a Linux-based cryptocurrency mining botnet named PGMiner was seen exploiting a disputed PostgreSQL RCE vulnerability.
In the same month, the Bismuth APT group was observed using crypto-mining campaigns to hide the purpose of its activity and avoid triggering high-priority alerts.
Threat actors have swiftly followed the rising value of cryptocurrencies to make money. Advanced feature-embedded crypto-mining malware and custom cryptojacking tools are becoming major threats to many corporations and infrastructure around the world. Furthermore, the use of web hosting capabilities of legitimate businesses to create a dead drop demonstrates the evolving cryptojacking tactics that need immediate attention from cybersecurity agencies and professionals.
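One defensive check for the MSSQL brute-force vector described above, written here as an added example (not code from Sophos or from the article): it parses failed-login lines in SQL Server ERRORLOG style, constructed for this example, and flags client addresses that reach a threshold of failures inside a sliding time window. The log lines, addresses, usernames, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not from the article or any real incident).
SAMPLE_ERRORLOG = """\
2021-01-25 03:14:07.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2021-01-25 03:14:07.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2021-01-25 03:14:07.48 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2021-01-25 03:14:07.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2021-01-25 03:14:07.72 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2021-01-25 03:15:02.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.15]
2021-01-25 03:20:11.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.15]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return (timestamp, user, client_ip) for every failed-login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]))
    return events

def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Flag client IPs with at least `threshold` failed logins inside any sliding `window`.
    Returns {ip: (max_failures_in_window, usernames_tried_in_that_window)}."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, set()))[0]:
                flagged[ip] = (count, {u for _, u in evs[start:end + 1]})
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_bruteforce_sources(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{ip}: {n} failed logins within 1 minute, users tried: {sorted(users)}")
```

A single failure from a legitimate client stays below the threshold, while the burst against 'sa' and 'admin' from one address is reported with the usernames it tried.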
====================================================
Three-line summary
1. In late 2020, attacks took place that used a password-extraction (brute-forcing) tool called MrbMiner to seize SQL privileges.
2. The attacked computers were connected to a domain called vihansoft[.]ir, belonging to a place registered as a small women's clothing store (app).
3. Recently, beyond cryptocurrency theft, attacks stealing Docker API logins and Amazon Web Services (AWS) credentials have also occurred.
Thoughts
Looking at various issues, it is rarely the case that attacks are carried out through new techniques; more often they are brute-force attacks. Brute forcing is primitive, but because it is time-efficient and fast, I think preemptive defense is correspondingly difficult. Is it possible to completely block brute-force attacks preemptively?