At least eight Australian web hosting providers were found to have suffered "extensive compromise" by criminals during an Australian Cyber Security Centre (ACSC) investigation conducted in May 2018.
The ACSC's report [PDF] on what was dubbed Operation Manic Menagerie was released on Tuesday. It shows that the criminals had been compromising hosting servers since at least November 2017, and that their motivation was financial gain.
Websites running on compromised servers were modified to insert advertising, and to support search engine optimisation (SEO) for other websites.
Two of the compromised servers were also used for cryptocurrency mining, though the revenue was minimal. The total by June 2018 was 22.57 XMR (Monero), worth about AU$3868, from these and other servers in their network.
The ACSC analysed the volume of transactions on the criminals' cryptocurrency account, and the amount of computing power needed to perform that volume of mining.
"This indicates the actor still has a Monero miner installed on between 13 and 38 machines although as they have only been observed targeting servers, it is likely the number of compromised hosts is at the lower end of this range," they wrote.
"There was no evidence that the actor attempted to move laterally to other hosts on the network."
The report also highlights the sophistication of the criminals, who evolved their techniques even during their campaigns as well as between them, yet they still ran parts of their process manually.
"The actor demonstrated the ability to tailor their tools to suit the environment they were compromising, including exploiting misconfigured services and uploading additional binaries to assist with privilege escalation," the ACSC wrote.
The malware used to compromise the servers was a variant of the Gh0st remote access tool, one with "significant modifications to the network communications protocol" that the criminals kept working on.
"In one incident, the Gh0st dropper was detected by the victim's anti-virus software and quarantined. The actor then disconnected from the compromised environment only to return several hours later to deploy a new instance of the dropper which evaded the victim's anti-virus."
The Gh0st droppers were signed with expired SSL certificates just a week before from "Fujian identical investment co.,Ltd". Another tool, the RID hijack toil, was signed with another certificate stolen just a week before it was used, from "上海域联软件技术有限公司' (Shanghai YuLian Software Technology co. Ltd.)"
But the criminals also manually exploited servers and deployed malware, which the ACSC said was taking them "an hour or, in one case, multiple days".
"Analysis of the web logs from compromised hosts indicated the actor used a web browser to manually interact with web sites to identify vulnerability.
"Once identified, the vulnerability was manually exploited to create a web shell on the server to enable future steps. The actor used multiple publicly available web shells including variants of ChinaChopper," the ACSC wrote.
"Once the web shell was in place, the actor switched from using a web browser to using a controller to perform future interactions with the web shell."
But even with those manual processes, the criminals in some cases could still gain administrator access to targeted servers in less than 70 minutes.
The ACSC's report offers two sets of advice, one for the hosting providers who have full control of the servers, and one for the customers who have only limited access.
"If the hosting provider is not secure, a trivial vulnerability in another website hosted on the same service will ultimately lead to a compromise of all websites co-hosted on that provider," the ACSC wrote.
Many of the recommended hosting provider mitigations are already in the ACSC's Essential Eight, such as patching the operating system and web applications such as a content management system (CMS); not running web services with administrator privileges; and application whitelisting.
The ACSC also recommends monitoring hosted sites for signs of web shells being created; account auditing to detect new accounts created by the attackers; and resetting all credentials on affected servers.
"Without a secure underlying provider, it is highly unlikely a customer can secure whatever they host on the provider," the ACSC writes.
"If the hosting provider is not secure, a trivial vulnerability in another website hosted on the same service will ultimately lead to a compromise of all websites co-hosted on that provider."
The ACSC suggests that customers add data and service security requirements to the hosting provider contract.
"Customers are advised to investigate if their hosting provider will provide the underlying security the customer requires for the sensitivity of the data or service being hosted."
They also recommend customers to patch their web applications and CMS; disable unnecessary plugins and applications; monitor for modifications to the web site; and reset credentials for their hosting provider.
"Credentials may include usernames, passwords and/or certificates used for an authentication process. This includes credentials to manage the hosted service, and manage the specific sites on the hosted service."
Cryptojackers like CoinHive top Check Point's 'most wanted' malware list – but Smoke Loader's first entry points to what might be to come.
Academics say malware authors might have cashed out at least $57 million worth of Monero over the course of the last four years.
Malware targeting IoT devices grew 72% in Q3 alone (TechRepublic)
Total malware samples grew 34% over the past year, with major rises in coinmining and fileless attacks, according to a McAfee Labs report.
Japanese government wants to secure IoT devices before Tokyo 2020 Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.