
Infostealers, Cryptominers Deployed in Massive ISP Exploitation Campaign

Attackers performed network scanning and deactivated threat detection systems.

Internet service providers in China and on the U.S. west coast were subjected to an extensive brute-force attack campaign spreading information-stealing malware and cryptocurrency mining payloads.

According to research from the Splunk Threat Research Team, after achieving initial compromise through the abuse of weak credentials, attackers performed network scanning and deactivated threat detection systems.

As reported by The Hacker News, the attackers then proceeded with infostealer and XMRig cryptominer deployment, which not only obtained screenshots, but also compromised cryptocurrency wallet addresses.

Additional findings showed that impacted devices had been implanted with a binary that launched Auto.exe, used for brute-force intrusions, and Masscan.exe, a multi-target mass-scanning tool.

"This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and PowerShell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for [command-and-control] operations," said researchers.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.