Malicious crypto miners compromise academic data centers
May 22, 2020
The Attack
In what may be a coordinated campaign, attackers deploying cryptocurrency miners have compromised academic data centers across China, Europe, and North America, disrupting COVID-19 research.
The EGI Computer Security Incident Response Team (EGI CSIRT) believes that the attacker moves from one victim to the next using compromised SSH credentials, with the aim of mining Monero (XMR).
EGI CSIRT describes three kinds of hosts in the attacker's infrastructure:
XMR-proxy hosts: the compromised mining hosts connect to these, and they in turn connect to other XMR-proxy hosts and eventually to the actual mining server.
SOCKS proxy hosts (running a microSOCKS instance on a high port): the attacker connects to these hosts via SSH, often from Tor, and also uses the microSOCKS instance from Tor.
Tunnel hosts (SSH tunneling): the attacker connects via SSH with a compromised account and configures NAT PREROUTING rules, typically to reach private IP spaces.
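The three host roles above each leave a host-local trace an administrator can look for: a non-loopback listener on a high port belonging to a SOCKS daemon, a PREROUTING DNAT rule pointing into private address space, and accepted SSH logins from Tor exit nodes. The following triage script is an added example, not EGI CSIRT's or the advisory's own tooling; the `ss`, `iptables -t nat -S` and `auth.log` samples are constructed for the example, and the Tor exit list is a hypothetical stand-in for the real bulk exit list.

```python
"""Host triage for the three host roles EGI CSIRT describes.
Added example; sample inputs below are constructed, not captured."""
import ipaddress
import re

# Constructed output of `ss -Hltnp` (listening TCP sockets, no header)
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:48213 0.0.0.0:* users:(("microsocks",pid=20417,fd=4))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=6))
LISTEN 0 511 [::]:8443 [::]:* users:(("java",pid=1530,fd=22))
"""

# Constructed output of `iptables -t nat -S PREROUTING`
IPTABLES_NAT = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 4444 -j DNAT --to-destination 10.20.30.40:22
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 93.184.216.34:8080
"""

# Constructed /var/log/auth.log excerpt
AUTH_LOG = """\
May 20 03:14:02 node01 sshd[20301]: Accepted publickey for alice from 192.0.2.15 port 51234 ssh2: RSA SHA256:abc
May 20 03:15:40 node01 sshd[20388]: Accepted password for bob from 198.51.100.7 port 40112 ssh2
May 20 03:16:01 node01 sshd[20390]: Failed password for root from 198.51.100.7 port 40120 ssh2
"""

# Hypothetical Tor exit set; in practice load the bulk exit list you trust
TOR_EXITS = {"198.51.100.7"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROC_RE = re.compile(r'\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")


def high_port_listeners(ss_text, min_port=1024):
    """Non-loopback TCP listeners on ports >= min_port, as (port, process, pid).
    A microSOCKS instance parked on a high port surfaces here."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # handles "[::]:8443" too
        addr = addr.strip("[]")
        if not port.isdigit() or int(port) < min_port or addr in ("127.0.0.1", "::1"):
            continue
        m = PROC_RE.search(line)
        proc, pid = (m.group("proc"), int(m.group("pid"))) if m else ("?", 0)
        found.append((int(port), proc, pid))
    return found


def dnat_to_private(iptables_text):
    """PREROUTING DNAT rules whose target is RFC 1918 space, as (dport, ip, target_port).
    This is the tunnel-host pattern: inbound port forwarded into a private network."""
    rules = []
    for line in iptables_text.splitlines():
        if not line.startswith("-A PREROUTING") or "-j DNAT" not in line:
            continue
        dport = re.search(r"--dport (\d+)", line)
        dst = re.search(r"--to-destination (\S+)", line)
        if not dst:
            continue
        ip, _, tport = dst.group(1).partition(":")
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            rules.append((int(dport.group(1)) if dport else None, ip, int(tport) if tport else None))
    return rules


def logins_from(auth_log, suspect_ips):
    """Accepted sshd logins whose source is in suspect_ips, as (user, ip, method).
    Failed attempts are ignored; only successful use of a credential matters here."""
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPT_RE.search(line)
        if m and m.group("ip") in suspect_ips:
            hits.append((m.group("user"), m.group("ip"), m.group("method")))
    return hits


def triage(ss_text=SS_OUTPUT, nat_text=IPTABLES_NAT, auth_log=AUTH_LOG, tor_exits=TOR_EXITS):
    """Map the raw findings onto the host roles from the advisory."""
    return {
        "socks_proxy_host": [l for l in high_port_listeners(ss_text) if "socks" in l[1].lower()],
        "tunnel_host": dnat_to_private(nat_text),
        "tor_ssh_logins": logins_from(auth_log, tor_exits),
    }


if __name__ == "__main__":
    for role, findings in triage().items():
        print(role, findings)
```

On a live host, replace the constructed strings with the output of `ss -Hltnp`, `iptables -t nat -S PREROUTING` and the contents of `auth.log`; a hit in `tor_ssh_logins` is the strongest single signal, because it shows a credential being used from Tor regardless of which role the host was given.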