CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool

July 15, 2024  Press Room  SaaS Security / Vulnerability

A threat actor previously observed using a freely available network mapping tool has significantly expanded its operations, compromising more than 1,500 victims.

Sysdig, which is tracking the group's activity under the name CRYSTALRAY, said the operations have grown tenfold and that they involve "extensive scanning, exploiting various vulnerabilities, and embedding unauthorized access points using multiple [open-source software] security utilities."

The primary goals of these attacks are to collect and sell credentials, deploy cryptocurrency miners, and maintain persistence in victim environments.


One of the key open-source tools used by the group is SSH-Snake, first released in January 2024. It is described as a tool for automatic network traversal: it uses the SSH private keys it discovers on a system to move on to whichever hosts those keys can reach, then repeats the process there.

CRYSTALRAY's abuse of the tool was documented by the security firm in February 2024, when it was observed being used for lateral movement after the exploitation of known vulnerabilities in public-facing Apache ActiveMQ and Atlassian Confluence instances.

Joshua Rogers, the creator of SSH-Snake, told The Hacker News that the tool merely automates tasks that would otherwise be done by hand, and urged organizations to "detect existing attack routes and rectify them."
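The traversal SSH-Snake performs can be modelled defensively: inventory each host's private keys, its authorized_keys, and the destinations named in its ssh_config and known_hosts, then walk the graph the way the tool would. The following is an added illustrative audit script, not SSH-Snake's code and not from Sysdig or the article; the host names, fingerprints and file contents are constructed sample data, and it assumes a separate collector has already gathered per-host key fingerprints and SSH config text.

```python
"""Map SSH-key lateral-movement paths from per-host inventory data.

Added illustrative audit code, not SSH-Snake's source. It assumes a collector
has already pulled, per host: fingerprints of private keys on disk, the
fingerprints listed in authorized_keys, and raw ~/.ssh/config and known_hosts
text. Hosts and fingerprints below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass


def hosts_from_ssh_config(text: str) -> set[str]:
    """Collect HostName targets from ssh_config text."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "hostname":
            names.add(parts[1])
    return names


def hosts_from_known_hosts(text: str) -> set[str]:
    """Collect host names from known_hosts; hashed (|1|...) lines are skipped."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        for entry in line.split()[0].split(","):
            names.add(entry.split(":")[0].strip("[]"))  # "[host]:port" -> host
    return names


@dataclass
class HostSnapshot:
    name: str
    private_keys: set[str]     # fingerprints of private keys found on disk
    authorized_keys: set[str]  # fingerprints accepted by sshd on this host
    destinations: set[str]     # hosts this machine is known to SSH to


# Constructed sample inventory (hypothetical hosts and fingerprints).
INVENTORY = {
    "web-01": HostSnapshot(
        "web-01", {"fp-deploy"}, {"fp-laptop"},
        hosts_from_ssh_config("Host app\n  HostName app-01\n  User deploy\n")
        | hosts_from_known_hosts("[db-01]:2222 ssh-ed25519 AAAA...\n")),
    "app-01": HostSnapshot(
        "app-01", {"fp-deploy", "fp-backup"}, {"fp-deploy"},
        hosts_from_known_hosts("db-01,10.0.0.5 ssh-ed25519 AAAA...\n"
                               "bastion ssh-ed25519 AAAA...\n"
                               "|1|abc=|def= ssh-ed25519 AAAA...\n")),
    "db-01": HostSnapshot("db-01", set(), {"fp-backup", "fp-deploy"}, set()),
    "bastion": HostSnapshot("bastion", {"fp-admin"}, {"fp-admin"}, {"web-01"}),
}


def ssh_key_reach(inventory: dict, start: str):
    """Breadth-first walk: on each reached host, try every private key found
    there against every destination the host knows. Returns the edges that
    work as (src, dst, key) and the set of hosts reached."""
    reached = {start}
    queue = deque([start])
    edges = []
    while queue:
        src = queue.popleft()
        here = inventory[src]
        for dst in sorted(here.destinations):
            there = inventory.get(dst)
            if there is None:
                continue  # not in our inventory; cannot assess
            usable = sorted(here.private_keys & there.authorized_keys)
            if not usable:
                continue
            edges.append((src, dst, usable[0]))
            if dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return edges, reached


def shared_keys(inventory: dict) -> dict:
    """Fingerprints accepted by more than one host: one leaked key, many doors."""
    accepted: dict = {}
    for snap in inventory.values():
        for fp in snap.authorized_keys:
            accepted.setdefault(fp, []).append(snap.name)
    return {fp: sorted(hosts) for fp, hosts in accepted.items() if len(hosts) > 1}


if __name__ == "__main__":
    edges, reached = ssh_key_reach(INVENTORY, "web-01")
    for src, dst, fp in edges:
        print(f"{src} -> {dst} via {fp}")
    print("reached:", sorted(reached))
    print("shared keys:", shared_keys(INVENTORY))
```

Run against the sample inventory, a foothold on web-01 reaches app-01 and db-01 but not the bastion, and fp-deploy is flagged because two hosts accept it. The walk is a simplification (it only uses keys found on the current host and ignores ports, users and agent forwarding), but the same two outputs, the reachable set and the keys accepted in more than one place, are the "attack routes" worth removing before an attacker automates the search.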


Other tools used by the attackers include asn, zmap, httpx, and nuclei, which are used to check whether domains are live and to scan for vulnerable services such as Apache ActiveMQ, Apache RocketMQ, Atlassian Confluence, Laravel, Metabase, Openfire, Oracle WebLogic Server, and Solr.


CRYSTALRAY also uses its initial foothold to run an extensive credential discovery process that goes beyond the servers reachable via SSH. Persistent access to the compromised environment is maintained with the legitimate command-and-control (C2) framework Sliver and a reverse shell manager called Platypus.

In addition, to monetize the compromised hosts, cryptocurrency miner payloads are deployed covertly to consume victim resources, while steps are taken to terminate competing miners already running on the machines.

"CRYSTALRAY has the capability to expose and extract access codes from vulnerable systems, which are subsequently marketed on dark markets for substantial amounts," said Sysdig researcher Miguel Hernández. "The sold credentials encompass various services, such as Cloud Service Providers and SaaS email services."
