Malicious crypto miners compromise academic data centers

Summary

Academic data centers across Europe, North America, and China suffered a string of attacks that may have been carried out to mine Monero.

The Attack

  • In a possibly concerted string of attacks, malicious crypto miners target academic data centers across China, Europe, and North America, disrupting COVID-19 research.
  • EGI Computer Security Incident Response Team believes that the attacker moves from one victim to another using compromised SSH credentials, with intentions to mine Monero.
  • The targeted hosts are infected with malware and are altered to serve as:
    • XMR mining hosts (by running a hidden XMR binary)
    • XMR-proxy hosts; The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
    • SOCKS proxy hosts (running a microSOCKS instance on a high port) ; The attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
    • Tunnel hosts (SSH tunneling) ; The attacker connects via SSH (compromised account) and configure NAT PREROUTING (typically to access private IP spaces).

Table of Contents

Request an easy and customized demo for free