‘Crystalray’ Attacks Jump 10X, Using Only OSS to Steal Credentials

'Crystalray' Attacks Jump 10X, Using Only OSS to Steal Credentials

July 11, 2024 at 10:04AM

A threat actor known as “Crystalray” has been utilizing open source software (OSS) to expand its operations in credential stealing and cryptomining. Researchers observed Crystalray utilizing a range of OSS tools to carry out various stages of its attack chain. Despite its efficiency, the use of OSS opens the attacker to potential detection by defenders utilizing the same tools. The group has been observed accessing over 1,800 unique IP addresses globally, with the majority of attacks occurring in the US and China. The attackers have been seen using legitimate OSS tools for malicious purposes, including exploiting known vulnerabilities and using public proof-of-concept exploits to deploy their payloads. Crystalray’s activities also include selling stolen credentials and running two cryptominers, potentially earning them around $200 monthly. While the use of OSS tools saves time and effort for the attackers, it also exposes them to potential detection by defenders who can use the same tools for defensive purposes.

After reviewing the meeting notes, I’ve summarized the key points of the discussion on the newly discovered threat actor “Crystalray” as follows:

– Crystalray has been observed leveraging a suite of open source software (OSS) tools to dramatically scale its credential stealing and cryptomining operations, leading to increased activity with more than 1,800 unique IP addresses targeted globally.

– The threat actor’s attack chain incorporates various OSS tools such as “ASN” for initial reconnaissance, “zmap” for scanning vulnerable services, “httpx” for determining live domains, and “nuclei” for identifying known vulnerabilities including critical ones with high CVSS scores.

– Instead of developing exploit scripts, Crystalray uses public proofs-of-concept exploits to deploy its malicious payloads, which may involve OSS tools like “Sliver” and “Platypus” for command-and-control purposes.

– Crystalray also utilizes tools like “SSH-Snake, “all-bash-history,” and “Linux-smart-enumeration” to target sensitive credentials, particularly from cloud platforms and SaaS email platforms, which are then sold in black markets.

– In addition to its malicious activities, Crystalray profits from two cryptominers, but the earnings from these operations are modest, estimated at around $200 per month based on the attacker’s crypto wallet.

– The use of OSS tools by Crystalray presents both advantages and challenges for defenders. While OSS allows defenders to study and replicate attacks in their environments, the advanced nature of these tools makes detection and mitigation difficult, even for defensive purposes.

If you need further details or specific actions related to these meeting notes, please feel free to let me know.

Full Article