
Infostealers, Cryptominers Deployed in Massive ISP Exploitation Campaign

Attackers performed network scanning and deactivated threat detection systems.

Internet service providers in China and on the U.S. west coast were subjected to an extensive brute-force attack campaign spreading information-stealing malware and cryptocurrency mining payloads.

According to research from the Splunk Threat Research Team, after achieving initial compromise through the abuse of weak credentials, attackers performed network scanning and deactivated threat detection systems.

As reported by The Hacker News, the attackers then deployed an infostealer and the XMRig cryptominer; the infostealer captured screenshots and targeted cryptocurrency wallet addresses.

Additional findings showed that affected devices had been injected with a binary that in turn ran Auto.exe, used for brute-force intrusion, and Masscan.exe, a mass port scanner used to find further targets.

"This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and PowerShell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for [command-and-control] operations," said researchers.
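Two of the behaviours described above, a brute-force campaign that ends in a successful logon and Telegram Bot API traffic used as a command-and-control channel, are straightforward to hunt for in authentication and proxy logs. The script below is an added example written for this page, not code or data from the Splunk Threat Research Team report or from SC Media. The log lines, hostnames, IP addresses and the bot token placeholder are all constructed; the log formats are assumed for illustration, and the field parsing would need adapting to a real SIEM's schema.

```python
"""Detection logic for two TTPs in the ISP campaign described above:
credential brute forcing that ends in a successful logon, and Telegram Bot
API calls used for C2. All sample log data here is constructed for the
example; it is not taken from the Splunk report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log: "<ISO timestamp> <src_ip> <user> <FAIL|OK>".
# 203.0.113.7 sprays five accounts and then gets in; 198.51.100.9 is a
# user who mistyped a password once and is not a brute-force source.
AUTH_LOG = """\
2025-03-04T10:00:01 203.0.113.7 admin FAIL
2025-03-04T10:00:03 203.0.113.7 admin FAIL
2025-03-04T10:00:05 203.0.113.7 root FAIL
2025-03-04T10:00:06 203.0.113.7 operator FAIL
2025-03-04T10:00:08 203.0.113.7 guest FAIL
2025-03-04T10:00:09 203.0.113.7 admin OK
2025-03-04T10:05:00 198.51.100.9 alice FAIL
2025-03-04T10:05:30 198.51.100.9 alice OK
"""

# Constructed proxy log: "<ISO timestamp> <src_host> <dst_host> <method> <path>".
# "bot000:TOKEN" stands in for a real Bot API token; the path shape
# /bot<token>/<method> is how the Telegram Bot API is addressed.
PROXY_LOG = """\
2025-03-04T10:10:00 ws-0412 api.telegram.org POST /bot000:TOKEN/sendMessage
2025-03-04T10:10:30 ws-0412 api.telegram.org GET /bot000:TOKEN/getUpdates
2025-03-04T10:11:00 ws-0412 api.telegram.org GET /bot000:TOKEN/getUpdates
2025-03-04T10:11:30 ws-0412 api.telegram.org POST /bot000:TOKEN/sendDocument
2025-03-04T10:12:00 ws-0099 www.example.com GET /index.html
"""

BOT_API_HOST = "api.telegram.org"


def parse_auth(text):
    """Turn the constructed auth log into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def brute_force_hits(events, threshold=5, window=timedelta(minutes=5)):
    """Return (src_ip, user, timestamp) for every successful logon that is
    preceded by at least `threshold` failures from the same source inside
    `window`. A sliding deque per source keeps only failures still in window,
    so a single old typo does not count against a later legitimate logon."""
    recent = defaultdict(deque)
    hits = []
    for ts, ip, user, result in sorted(events):
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result == "FAIL":
            failures.append(ts)
        elif len(failures) >= threshold:
            hits.append((ip, user, ts.isoformat()))
    return hits


def telegram_c2_hosts(text, min_calls=3):
    """Map each source host that makes at least `min_calls` Telegram Bot API
    requests to the sorted set of Bot API methods it called. Repeated
    getUpdates polling (tasking) combined with sendMessage/sendDocument
    (results and exfiltration) is the shape of a Telegram-backed C2 loop."""
    calls = defaultdict(list)
    for line in text.splitlines():
        _ts, src, dst, _method, path = line.split()
        if dst == BOT_API_HOST and path.startswith("/bot"):
            calls[src].append(path.rsplit("/", 1)[-1])
    return {host: sorted(set(m)) for host, m in calls.items() if len(m) >= min_calls}


if __name__ == "__main__":
    for hit in brute_force_hits(parse_auth(AUTH_LOG)):
        print("brute-force success:", hit)
    for host, methods in telegram_c2_hosts(PROXY_LOG).items():
        print("telegram bot api traffic from", host, methods)
```

Two caveats for anyone turning this into a production rule. The Bot API traffic is HTTPS, so the request path is only visible at a TLS-terminating proxy; with SNI or DNS logs alone you can still match the `api.telegram.org` host, which on ISP infrastructure or servers that have no business talking to Telegram is already a strong signal. And the brute-force rule keys on the source address; if the actor rotates sources per attempt, key on the target account or host instead.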


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

