A new threat actor is finding success with an arsenal built almost entirely from open-source software (OSS) security tools and a recently released SSH network-traversal tool called SSH-Snake.
The group, which researchers at Sysdig call CrystalRay, breaks into exposed servers in order to move laterally across victims' networks, exfiltrate and sell credentials, and deploy cryptomining malware. A key tool is SSH-Snake, which was released publicly on January 4. CrystalRay uses it to spread through a victim's network: once running on a compromised host, the script automatically searches the host for SSH private keys and other credentials in various locations, uses whatever it finds to log in to new systems and repeat the process there, and sends the captured keys and bash histories back to the attacker's command-and-control server.
Sysdig's threat research team first observed SSH-Snake being used by threat actors in February, in a campaign that exploited Confluence flaws. Since then, CrystalRay has used SSH-Snake to scale its operations considerably: of the roughly 1,500 victims the researchers counted, up to 36 percent are U.S.-based. One notable feature of SSH-Snake is that it modifies itself on first execution, stripping out comments and unnecessary functions so that the copy it passes on is smaller than the original script, said researchers.
“This is done out of necessity due to the way the shell script passes arguments and allows it to remain fileless,” said Miguel Hernandez with Sysdig in a Thursday analysis. “Compared to previous SSH worms, its initial form is much larger due to the expanded functionality and reliability… Unlike traditional scripts, SSH-Snake is designed to work on any device. It’s completely self-replicating and self-propagating — and completely fileless.”
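To make the propagation mechanism described above concrete, here is an added example; it is not SSH-Snake's code or Sysdig's, but a defender-side model of the same idea: on every host reached, harvest the private keys present there, then reuse them wherever shell history or known_hosts points. It parses ssh and scp invocations out of constructed bash history, unions them with known_hosts entries, and iterates to a fixpoint to compute how far one compromised host could carry an attacker who collects keys as they go. All host names, key labels and history lines are constructed for the example.

```python
"""Blast-radius model of SSH-key lateral movement (added example, not SSH-Snake).

Models the loop the article describes: harvest keys on each host reached,
reuse them to log in further, repeat. Run against a constructed inventory so
a defender can see which hosts one foothold could carry an attacker to.
"""

# Constructed inventory (hypothetical hosts and key labels). For each host:
#   private_keys    - labels of SSH private keys found on its disk
#   authorized_keys - labels of public keys its sshd accepts
#   known_hosts     - peers listed in ~/.ssh/known_hosts
#   bash_history    - lines from ~/.bash_history
INVENTORY = {
    "web01": {
        "private_keys": {"key-web-deploy"},
        "authorized_keys": {"key-ops"},
        "known_hosts": set(),
        "bash_history": [
            "ssh -i ~/.ssh/id_deploy deploy@app01",
            "scp -r build/ deploy@app02:/srv/app/",
        ],
    },
    "app01": {
        "private_keys": {"key-app"},
        "authorized_keys": {"key-web-deploy", "key-ops"},
        "known_hosts": {"db01"},
        "bash_history": ["ssh app02 uptime"],
    },
    "app02": {
        "private_keys": set(),
        "authorized_keys": {"key-app"},
        "known_hosts": {"bastion"},
        "bash_history": ["ssh -p 2222 root@bastion"],
    },
    "bastion": {
        "private_keys": {"key-ops"},
        "authorized_keys": {"key-app"},
        "known_hosts": set(),
        "bash_history": ["ssh ops@db01"],
    },
    "db01": {
        "private_keys": set(),
        "authorized_keys": {"key-ops"},
        "known_hosts": set(),
        "bash_history": ["ssh mon01"],
    },
    "mon01": {
        "private_keys": set(),
        "authorized_keys": {"key-mon"},  # nobody in this mesh holds key-mon
        "known_hosts": set(),
        "bash_history": [],
    },
}

# ssh/scp options that consume the following token, so that token is not a host.
OPTS_WITH_ARG = {"-i", "-p", "-P", "-l", "-o", "-J", "-F", "-b", "-c", "-L", "-R", "-D"}


def targets_from_history(lines):
    """Extract destination hosts from ssh/scp commands in shell history.

    Handles `host`, `user@host` and scp's `user@host:path`; skips options and
    their arguments, and stops at the first host for ssh because everything
    after it is a remote command, not another destination.
    """
    hosts = set()
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("ssh", "scp"):
            continue
        cmd, skip_next = tokens[0], False
        for tok in tokens[1:]:
            if skip_next:
                skip_next = False
                continue
            if tok in OPTS_WITH_ARG:
                skip_next = True
                continue
            if tok.startswith("-"):
                continue
            if cmd == "scp":
                if ":" not in tok:
                    continue  # local path operand
                tok = tok.split(":", 1)[0]
            hosts.add(tok.rsplit("@", 1)[-1])
            if cmd == "ssh":
                break
    return hosts


def blast_radius(inventory, start):
    """Hosts an attacker on `start` can reach by reusing harvested private keys.

    Iterates to a fixpoint: a host that was unreachable on an early pass can
    become reachable once a key found later in the walk has been collected.
    Returns {host: key_label_used}, with None for the starting host.
    """
    reached = {start: None}
    collected = set(inventory[start]["private_keys"])
    changed = True
    while changed:
        changed = False
        for host in list(reached):
            info = inventory[host]
            targets = targets_from_history(info["bash_history"]) | info["known_hosts"]
            for target in sorted(targets):
                if target in reached or target not in inventory:
                    continue
                usable = collected & inventory[target]["authorized_keys"]
                if usable:
                    reached[target] = min(usable)
                    collected |= inventory[target]["private_keys"]
                    changed = True
    return reached


if __name__ == "__main__":
    result = blast_radius(INVENTORY, "web01")
    for host, key in result.items():
        print(f"{host:8s} via {key or 'initial foothold'}")
    unreached = sorted(set(INVENTORY) - set(result))
    print("not reachable:", ", ".join(unreached) or "none")
```

Starting from web01, the model reaches app01 with the deploy key found on web01, app02 and bastion with the key harvested from app01, and db01 only after the ops key is picked up on bastion; mon01, whose sshd accepts a key nobody in the mesh holds, stays out of reach. The fixpoint matters: db01 is first seen from app01 before the ops key exists in the attacker's collection, and a single-pass walk would wrongly report it as safe.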
At the same time, CrystalRay has chained together a range of other OSS tools to find and exploit vulnerable hosts at scale. It uses the ZMap internet-wide port scanner and the asn IP-to-network lookup tool to select target ranges, and ProjectDiscovery's httpx and nuclei to probe the discovered services and test them for known vulnerabilities. It also relies on Platypus, an open-source reverse-shell session manager, to keep track of the hosts it compromises.
“Once they gain access, they install one of several backdoors to keep control of the target,” said Hernandez. “SSH-Snake is then used to spread throughout a victim’s network and collect credentials to sell. Cryptominers are also deployed to gain further monetary value from the compromised assets.”
For initial access, the group relies on publicly available proof-of-concept exploits for known flaws rather than on zero-days. Researchers have seen it target an unauthenticated remote code execution vulnerability in Control Web Panel (CVE-2022-44877), a remote code execution bug in the Ignition debug component used by the Laravel framework (CVE-2021-3129) and a server-side request forgery vulnerability in Ignite Realtime's Openfire (CVE-2019-18394).
“Based on their exploitation patterns, CRYSTALRAY likely also took advantage of newer vulnerability tests for Confluence available in nuclei,” said Hernandez. “In some cases, they used the nuclei tags argument to detect possible honeypots on ports where they scanned, to avoid launching their tools on those targets in order to remain undetected.”
Because exploitation of known vulnerabilities in internet-facing software is the group's primary initial access vector, organizations are urged to prioritize remediation of those flaws as the most effective way to stay off CrystalRay's target list. Researchers also recommended identity management and vulnerability management policies strong enough to blunt the group's largely automated attacks.
“CRYSTALRAY’s operations prove how easily an attacker can maintain and control access to victim networks using only open source and penetration testing tools,” said researchers. “Therefore, implementing detection and prevention measures to withstand attacker persistence is necessary.”