Cryptocurrencies attract the attention of some of the world’s most opportunistic hackers. This week (March 12, 2018), we found a new and very clever crypto-mining attack on Unix/Linux operating systems that targets virtual machines in the Azure cloud to mine cryptocurrency.

A new cryptocurrency mining attack is targeting the continuous deployment technology Jenkins, turning infected servers into miners of millions of dollars’ worth of Sumokoin. Hackers have exploited a security vulnerability in Jenkins servers (which are written in Java) to download and install a Sumokoin miner called CrondX.

What is Jenkins?

Jenkins is a continuous integration/deployment web application built in Java. It is designed to run ‘something’ (usually tests to ensure the new code works and doesn’t break production) every time a developer commits code to a repository (GitHub being the most common). It then delivers that tested, working code to an environment such as a production AWS account.

Given the nature of the beast, Jenkins typically holds credentials for the code repository and access to the environment in which the code is deployed, mainly AWS or Azure.

What is Sumokoin ?

Sumokoin is an open-source cryptocurrency whose goal is to be private, untraceable, decentralised and fungible. By default all transactions use RingCT with a minimum ring size of 12 to conceal the sources and amounts transferred, which also makes the coin highly resistant to blockchain analysis.

Sumokoin is designed to be untraceable: sending and receiving addresses are encrypted, transacted amounts are obfuscated by default, and transactions on the SUMOKOIN blockchain cannot be linked to a particular user or real-world identity.

SUMOKOIN follows Satoshi Nakamoto’s vision of a decentralized and trustless cryptocurrency, i.e. secure digital cash operated by a network of users. Transactions are confirmed by distributed consensus and then recorded immutably on the blockchain. Third parties do not need to be trusted to keep your Sumokoin safe.

The Crypto Hack

A vulnerability in the Jenkins platform had previously been identified that allows malicious content to be implanted into the server without requiring authentication. The fundamental difference here is that the hackers found a way to do this on Unix and Linux operating systems and on SaaS virtual machines on Azure. They hide their code and cron jobs under different names, in scheduled jobs tied to Jenkins pushes, keep CPU usage very low to evade normal detection, and send their data over encrypted traffic. This lets them install the mining malware, start it from a cron job with a remotely executed start command, and force the victim’s machine to mine Sumokoin.

The hackers then use the virtual machines on Azure and their encrypted channels to:

  • Send encrypted data over HTTPS to different servers, continuously changing the destination IP address in order to get around the rules created by Azure and by the customers
  • Use SSH to compromise other machines and reach the internal network and other infected machines

The hackers did not attack the Jenkins server itself but its slaves (to avoid detection) and created several directories, the most notable and most used being “/tmp/.ssh/.rsync”. They then started different cron jobs with the command “/tmp/.ssh/.rsync/a/run”. The script uses the CPU moderately so that the mining goes unnoticed and periodically sends the information to //mine.sumo.fairpool.xyz:5555

To avoid detection, the hackers deliberately rename the mining command from “minerd” to “crond” and start the attack using scheduled jobs. The job is started automatically at different time intervals or when it detects any activity from Jenkins.
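The indicators in the two paragraphs above (the /tmp/.ssh/.rsync directory, the /tmp/.ssh/.rsync/a/run cron command, a miner renamed to “crond”, and the pool endpoint on port 5555) are enough for a first-pass host check on a build slave. The following POSIX shell script is an added example written for this post; it is not code from the original article or from barac. The indicator values come from the text above; the list of legitimate cron daemon paths (/usr/sbin/cron, /usr/sbin/crond, /sbin/crond) is an assumption for Debian/Ubuntu and CentOS, and the crontab and ss lines the checks are exercised with are constructed samples.

```shell
#!/bin/sh
# Added example for this post, not code from the original article or from
# barac. It checks a Linux host for the indicators the write-up names: the
# /tmp/.ssh/.rsync directory, a cron entry launching /tmp/.ssh/.rsync/a/run, a
# process calling itself "crond" that runs from somewhere other than the
# distribution's cron binary, and TCP sessions to the pool port 5555.
# Assumption: the real cron daemon lives at /usr/sbin/cron (Debian/Ubuntu) or
# /usr/sbin/crond (CentOS); adjust LEGIT_CRON for other distributions.

IOC_DIR="/tmp/.ssh/.rsync"
IOC_RUN="/tmp/.ssh/.rsync/a/run"
IOC_POOL_HOST="mine.sumo.fairpool.xyz"
IOC_POOL_PORT="5555"
LEGIT_CRON="/usr/sbin/cron /usr/sbin/crond /sbin/crond"

# cron_text_has_ioc: read crontab text on stdin; succeed (exit 0) and print
# the offending lines when a non-comment entry launches the dropped script.
cron_text_has_ioc() {
    hits=$(grep -v '^[[:space:]]*#' | grep -F "$IOC_RUN" || true)
    [ -n "$hits" ] || return 1
    printf 'ALERT cron entry launches dropped script:\n%s\n' "$hits"
    return 0
}

# crond_path_is_suspicious: succeed when a process named "crond" resolves to
# an executable outside the known cron daemon locations (the renamed miner).
crond_path_is_suspicious() {
    exe="$1"
    for legit in $LEGIT_CRON; do
        [ "$exe" = "$legit" ] && return 1
    done
    printf 'ALERT crond running from unexpected path: %s\n' "$exe"
    return 0
}

# conn_text_has_pool: read "ss -tn" style lines on stdin (State Recv-Q Send-Q
# Local Peer); succeed when any peer address ends in the pool port.
conn_text_has_pool() {
    hits=$(awk -v port="$IOC_POOL_PORT" '$5 ~ (":" port "$")' || true)
    [ -n "$hits" ] || return 1
    printf 'ALERT connection to pool port %s:\n%s\n' "$IOC_POOL_PORT" "$hits"
    return 0
}

# scan_host: run every check against the live system. Needs root to read all
# users' crontabs and /proc/*/exe. Returns 1 when any indicator fires.
scan_host() {
    found=0
    if [ -e "$IOC_DIR" ]; then
        printf 'ALERT %s exists\n' "$IOC_DIR"; found=1
    fi
    {
        cat /etc/crontab /etc/cron.d/* 2>/dev/null
        for u in $(cut -d: -f1 /etc/passwd); do
            crontab -l -u "$u" 2>/dev/null
        done
    } | cron_text_has_ioc && found=1
    for p in /proc/[0-9]*; do
        name=$(cat "$p/comm" 2>/dev/null) || continue
        [ "$name" = crond ] || [ "$name" = cron ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        crond_path_is_suspicious "$exe" && found=1
    done
    # A port match alone is coarse; correlate with DNS/proxy logs for IOC_POOL_HOST.
    ss -tn 2>/dev/null | conn_text_has_pool && found=1
    return $found
}

# Run the live scan only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as root with `--scan` on a suspect slave. The port check is deliberately coarse (5555 is used by plenty of other software), so treat a hit as a prompt to correlate with DNS or proxy logs for mine.sumo.fairpool.xyz rather than as proof on its own; the renamed-crond check is the strongest single signal, because a genuine cron daemon never runs from /tmp.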

Each of the hacker accounts we found has multiple nodes working, meaning the hackers are already using hundreds of virtual machines for mining. Be careful!

“We found hackers in hundreds of our Virtual Machines using them to mine their currency. The miner is capable of running on many CentOS/Ubuntu platforms with low CPU not to be noticed and sending traffic using encrypted traffic to get around control”

This is a great example of how crypto hacking is shifting from users’ machines and browsers to virtual machines in the cloud, the latest example being Tesla. The hackers are exploiting flaws in widely used open source technologies and using new encrypted channels and techniques to hide from traditional detection tools.

Encryption is crucial, but hackers are increasingly hiding in encrypted traffic, either to get into systems or to get data and information out, and rule-based systems are becoming obsolete. New detection techniques are required to adapt to this changing behaviour.

Read more about barac Encrypted Traffic Analytics: https://barac.io/white_paper_encrypted_traffic/