Security vendor eSentire has warned Kaseya that a Monero cryptocurrency miner is still targeting its users. The attack first started on January 19th and according to eSentire: “the threat leveraged Kaseya Ltd’s Virtual Systems Administrator (VSA) agent to gain unauthorized access to multiple customer assets.”
In its latest update eSentire said: “eSentire has observed several changes in infrastructure and persistence techniques since 2018-01-30. The infrastructure used to host deployment scripts and binaries has moved away from Dropbox to various VPS hosts. eSentire has blocked access to the new infrastructure across our customers, but are not publicly sharing these indicators at this time.”
eSentire first warned its customers of the problem on 29th Jan and at the time said that Kaseya was actively working to mitigate the issue. Kaseya responded with its own update to customers. It accepted that there was a vulnerability with its software and issued patches to deal with the problem.
Since then the attack has continued to evolve. On 30th Jan there were new PowerShell scripts that were distributed via Dropbox. Now there is a move from Dropbox to Virtual Private Servers (VPS) and a new infrastructure. This is now the third warning from eSentire about this issue.
Yet another cryptocurrency mining attack
At the moment this appears to be just one more cryptocurrency mining attack. Kaseya claims there is: “no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information.” However, eSentire is less clear. It’s latest press release states it: “Looking at the company’s latest security advisory, it appears that attacks are still ongoing, even after initial patches from Kaseya.”
What is interesting from the little additional detail from eSentire is that this attack is now using an updated version of xmrig. It says that it has detected a variant that was compiled on 5th Feb and has now submitted that code to VirusTotal. It has also seen a number of new registry keys on newly infected machines.
What does this mean?
The rise in value of cryptocurrencies and the increasing cost of mining them has made this type of attack lucrative for criminals. They are able to leverage their victims hardware and make money quickly. There is a shortage of computer chips, especially GPUs, that are ideal for cryptocurrency mining. The cost of those chips is also rising quickly and putting other types of computing, such as scientific work, at risk.
This is also a low risk attack for criminals. The majority of attacks start when a user visits an infected website. Javascript code on the site runs in the background on the users machine. Browser company Opera has already introduced cryptocurrency mining protection in its mobile browsers. Other browser owners are likely to do the same.
In this case, the code is not run through the browser but installed on the local machine. This is, therefore, a much more serious attack. While eSentire and Kaseya are saying no data has been lost, there is nothing to stop the next version of code being more malicious. Kaseya has also said that this problem only affects on-premises installations and advised customers to upgrade and patch. It has already patched its SaaS and Hosted solutions and believes that those are now safe. However, this latest warning from eSentire calls that into question.