- Supercomputer incidents in several European countries reveal that malware has been used to exploit its computational power to mine Monero.
- Potential attackers have used Monero mining proxy hosts with a configuration to avoid detection.
Several reports from various European institutions reveal incidents related to illegal mining of the cryptocurrency Monero using malware to infect supercomputers. The incidents occurred in different European countries. Among the countries affected are the United Kingdom, Germany, Switzerland and Spain. Similarities between the incidents indicate to the researchers that all attacks could be related to a single group or entity. However, there is no definitive evidence in that regard.
Monero mining safety failures
The first report that referred to an incident involving Monero mining malware was published by the UK’s National Supercomputing Service, ARCHER. Published on May 11, the report announces the deactivation of access to the ARCHER system. The deactivation was initially due to an exploitation of a vulnerability in ARCHER’s login nodes, as the report states.
In subsequent entries, after more exhaustive investigation, it was possible to conclude that the problem was related to a series of incidents affecting the systems of several European institutions. A report by bwHPC Germany, also published on May 11, announced that it would disable the following High Performance Computing (HPC) systems: bwUniCluster 2.0, ForHLR II, bwForCluster JUSTUS, bwForCluster BinAC, and Hawk.
Another report, from the National Supercomputing Center in Zurich, confirmed the researchers’ initial theory. Released days later, on May 16, it states that various academic data centers and HPC systems around the world were “fighting cyber attacks and therefore had to be deactivated”. As in the previous reports, this one makes no mention of Monero mining, possibly pending further investigation.
However, Cado Security co-founder Chris Doman published the results of his company’s investigation into the incidents. Cado Security claims that the incidents are related because they all refer to a file with the same name, “fonts”. This file is used as a loader in conjunction with another file called “low” that is used to clean up the logs and hide clues about the attacks. Cado’s report states:
(the attackers) They may be using one or more methods for the privilege escalation, possibly CVE-2019-15666. Right now the UK national facility ARCHER is off line as they have suffered a root exploit.
The actors are coming from the following IP addresses, 22.214.171.124 and 126.96.36.199, you get zero guesses which country these are from.
These same IP addresses were recorded as part of other incidents at Shanghai Jiaotong University and the China Science and Technology Network. Cado was also able to conclude that the “Uploaded” and “Cleaner” files were uploaded to VirusTotal from the European countries mentioned.
Similarly, a separate report from the European Computer Security Response Team states that attackers use compromised SSH credentials to jump between different victims. Attackers then assign each host they infect with the malware one of the roles listed below:
- XMR mining hosts (running a hidden XMR binary).
- XMR-proxy hosts: the attacker uses these hosts, from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
- SOCKS proxy hosts (running a microSOCKS instance on a high port): the attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
- Tunnel hosts (SSH tunneling): the attacker connects via SSH (compromised account) and configures NAT PREROUTING (typically to access private IP spaces).
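A defender-side triage script for the host roles listed above, added here as an example and not taken from the original article or the CSIRT report. The telemetry it parses is constructed, and the heuristics it applies (a microsocks listener on a high port, a binary running from a dot-directory on a scratch filesystem, a DNAT rule in the NAT PREROUTING chain) are assumptions for illustration, not indicators published in the report.

```python
import re

# Constructed sample telemetry (not from the report): listening sockets in the
# style of `ss -lntp`, a process list in the style of `ps -eo pid,comm,args`,
# and NAT rules in the style of `iptables -t nat -S`, as if collected on a
# suspect HPC login node.
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:47321 0.0.0.0:* users:(("microsocks",pid=23411,fd=4))
"""
SAMPLE_PROCESSES = """\
  812 sshd       /usr/sbin/sshd -D
23411 microsocks /dev/shm/.x/microsocks -p 47321
24007 kworkerds  /dev/shm/.x/kworkerds --threads=64
"""
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.4.17:22
"""

SOCKET_RE = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)"')   # port, process
PROCESS_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+(\S+)')             # pid, comm, exe
# Assumed heuristic: a binary launched from a dot-directory on a scratch
# filesystem is treated as "hidden" and flagged for manual confirmation.
HIDDEN_DIR_RE = re.compile(r'^/(dev/shm|tmp|var/tmp)/\.')


def classify_host(ss_output, ps_output, nat_rules):
    """Return {role: [evidence lines]} using the role names from the report."""
    roles = {}
    # SOCKS proxy host: microsocks listening on an unprivileged high port.
    for line in ss_output.splitlines():
        m = SOCKET_RE.search(line)
        if m and m.group(2) == "microsocks" and int(m.group(1)) >= 1024:
            roles.setdefault("socks_proxy_host", []).append(line.strip())
    # Mining / proxy host candidate: a process whose executable is hidden.
    for line in ps_output.splitlines():
        m = PROCESS_RE.match(line)
        if m and HIDDEN_DIR_RE.match(m.group(3)):
            roles.setdefault("hidden_binary", []).append(line.strip())
    # Tunnel host: DNAT rule in the NAT PREROUTING chain.
    for line in nat_rules.splitlines():
        if line.startswith("-A PREROUTING") and "DNAT" in line:
            roles.setdefault("tunnel_host", []).append(line)
    return roles


if __name__ == "__main__":
    for role, evidence in classify_host(SAMPLE_SOCKETS, SAMPLE_PROCESSES,
                                        SAMPLE_NAT_RULES).items():
        print(role, evidence)
```

Each hit is a lead for manual confirmation, not a verdict; a legitimate scratch-space binary or port-forwarding rule on a gateway node will match the same way.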