Tenfold increase in OSS Crystalray credential theft attacks

A newly discovered threat actor is leveraging an arsenal of open source software (OSS) to exponentially scale its credential theft and crypto mining activities.

“Crystalray” was first discovered in February when it used a penetration testing program called “SSH-Snake” to exploit known vulnerabilities in Atlassian’s Confluence platform. Since then, researchers at Sysdig have observed that it combines a number of other OSS tools to facilitate nearly every step of its attack chain.

Perhaps thanks to the time saved by not having to write its own malware, Crystalray's activity exploded this spring. It now affects over 1,800 unique IP addresses worldwide and has hundreds of infections active at any given time. More than half of the attacks occurred in the United States and China.

Crystalray’s OSS attack chain

The first tool in Crystalray's kit, used for initial reconnaissance, is called "ASN." This command-line tool lets its users query Shodan for open ports, known vulnerabilities, and a lot of other useful data about potential targets, such as what software and hardware they might be running. As its README on GitHub states, ASN does all this and more "without ever sending a single packet to the target."

The attackers then supplement ASN with "zmap," which scans the internet for specific ports on which vulnerable services are running.

With the results from zmap in hand, the threat actor runs the HTTP toolkit “httpx” to check if the domain they may be targeting is active.

Now that Crystalray has clearly identified its prey, it uses the vulnerability scanner "nuclei" to check for known vulnerabilities the poor victim might have. So far, this process has probably identified one or more Confluence bugs as well as CVE-2022-44877 in the CentOS Control Web Panel, CVE-2021-3129 in Ignition for Laravel, and CVE-2019-18394 in Ignite Realtime Openfire – all three carry critical CVSS scores of 9.8 out of 10. Nuclei offers the added benefit of allowing its users to scan for potential honeypots.

Crystalray does not bother to develop exploit scripts to compromise these exposed domains. Instead, it uses public Proof-of-Concept Exploits (PoCs) to drop its malicious payload.

Both malicious and legitimate OSS payloads

The malicious payload could be Sliver – a cross-platform red team framework used for command and control – or Platypus – a Go-based tool for managing multiple reverse shells (in the case of Crystalray, up to 400 simultaneously).

“Some of these are not legitimate open source tools,” notes Michael Clark, head of threat research at Sysdig. Platypus, for example, may be like the other OSS, but “I don’t think they’re pretending to be a legitimate tool. They’re offering it for bad purposes. But the project detection tools like Nuclei are all for defenders, so there’s a bit of a mix there.”

One such tool aimed at defenders – although it is almost certainly more useful to attackers – is SSH-Snake. The program is a worm that enables lateral network movement by progressively collecting and logging the SSH keys it uses to replicate itself. Crystalray also targets other types of credentials, for example by using all-bash-history and Linux-smart-enumeration to discover sensitive credentials in Bash command history files.

The group specifically seeks credentials for cloud platforms and software-as-a-service (SaaS) email platforms, which it sells on the black market. Its other source of income is two cryptominers, which, judging by the attacker's crypto wallet, earn a paltry sum – about $200 per month.

Cost-benefit ratio of using OSS cyberattack tools

Clark says: “The strange thing is that we see a lot of attacks – hundreds a year – and most of them use much simpler scripts that they wrote themselves or tools they bought on the dark web. We rarely see this kind of malicious use of legitimate open source security software.”

Despite the time and effort savings, hackers have a very good reason to avoid OSS: "Because defenders can also use it, and that's the great thing about open source. They can reproduce it exactly to see what it looks like in their environment," he notes. "If I'm a defender, I could install Sliver – play with it, see how it works, see how it works against my defense tools. With a closed source version, it's much harder to get hold of."

On the other hand, he adds: “Sometimes these are sophisticated tools. Even if you have them, it can be difficult to detect them because people put a lot of effort into making these tools very good. Even if they are used for defensive purposes, they want the defenders to be able to mimic sophisticated attacks.”