HONG KONG, CHINA: Organisations' on-premises and cloud-based servers are being compromised, abused and rented out as part of a sophisticated criminal monetization lifecycle, according to the latest Trend Micro research.
Put simply, underground criminal operators are compromising both the on-premises and the cloud-based servers and infrastructure of legitimate organisations and turning them into a saleable resource.
The findings come from the second of a three-part report series looking at how the underground hosting market operates. They show that cryptocurrency mining activity should be treated as an indicator that puts IT security teams on high alert.
While cryptomining may not cause disruption or financial losses on its own, mining software is usually deployed to monetize compromised servers that are sitting idle while criminals plot larger money-making schemes.
These include exfiltrating valuable data, selling server access for further abuse, or preparing for a targeted ransomware attack. Any servers found to contain cryptominers should be flagged for immediate remediation and investigation.
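As an added illustration of treating a miner as a compromise indicator rather than a resource nuisance (this is example code, not code from the Trend Micro report or this article): a small triage script that scans a process listing and outbound connection table for miner indicators and returns an "isolate and investigate" verdict on any hit. The process and connection samples are constructed, and the indicator lists (binary names, the stratum+tcp/ssl pool URL scheme, xmrig-style flags, commonly seen pool ports) are illustrative assumptions, not an exhaustive or authoritative list.

```python
"""
Host triage: flag cryptominer indicators and escalate the host.
Added example; indicator lists and sample data are constructed/illustrative.
"""
import re
from dataclasses import dataclass

# Stratum is the de facto mining-pool protocol; the URL scheme is well known.
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
# Ports often used by pools (assumption: pools can listen on any port).
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Command-line options characteristic of popular miners (xmrig style).
MINER_FLAGS = re.compile(r"(--donate-level|--coin=|--algo=|\s-o\s+\S+:\d+\s+-u\s)")
# Binary names seen in mining campaigns (illustrative, not exhaustive).
MINER_NAMES = re.compile(r"\b(xmrig|minerd|cpuminer|ethminer|kdevtmpfsi|kinsing)\b", re.I)


@dataclass
class Finding:
    host: str
    pid: int
    reason: str


def scan_processes(host, procs):
    """procs: iterable of (pid, cmdline). One Finding per matching indicator."""
    findings = []
    for pid, cmd in procs:
        reasons = []
        if MINER_NAMES.search(cmd):
            reasons.append("known miner binary name")
        if STRATUM_URL.search(cmd):
            reasons.append("stratum pool URL in command line")
        if MINER_FLAGS.search(cmd):
            reasons.append("miner-style command-line flags")
        findings.extend(Finding(host, pid, r) for r in reasons)
    return findings


def scan_connections(host, conns):
    """conns: iterable of (pid, remote_ip, remote_port). Flag common pool ports."""
    return [Finding(host, pid, f"outbound connection to common pool port {port}")
            for pid, _ip, port in conns if port in COMMON_POOL_PORTS]


def triage(host, procs, conns):
    """Return (verdict, findings). Any miner hit means the host is presumed
    compromised and goes to incident response, not to a 'high CPU' ticket."""
    findings = scan_processes(host, procs) + scan_connections(host, conns)
    verdict = "COMPROMISED - isolate and investigate" if findings else "no miner indicators"
    return verdict, findings


# Constructed sample data: one benign daemon, one dropped miner, one app.
SAMPLE_PROCS = [
    (412, "/usr/sbin/sshd -D"),
    (2231, "/tmp/.x/kdevtmpfsi"),
    (2245, "/var/tmp/xmrig -o stratum+tcp://pool.example:3333 -u 4ABCDEFwallet --donate-level=0"),
    (3010, "python3 /opt/app/server.py"),
]
SAMPLE_CONNS = [
    (2245, "198.51.100.7", 3333),
    (3010, "192.0.2.10", 443),
]

if __name__ == "__main__":
    verdict, hits = triage("web-01", SAMPLE_PROCS, SAMPLE_CONNS)
    print(verdict)
    for f in hits:
        print(f"  pid {f.pid}: {f.reason}")
```

The verdict is deliberately binary: the report's point is that a miner is evidence that someone else already controls the box, so the follow-up is a forensic investigation of how it got there and what else was done, not a cleanup of the miner alone.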
“From dedicated bulletproof hosting to anonymizing services, domain name provision and compromised legitimate assets, the cybercriminal underground boasts a sophisticated range of infrastructure offerings to support monetization campaigns of all types,” said Bob McArdle, Director – Forward-looking Threat Research, Trend Micro.
“Our goal is to raise awareness and understanding of cybercriminal infrastructure to help law enforcement agencies, customers and other researchers block avenues for cybercrime and drive costs up for threat actors,” added McArdle.
The report lists the main underground hosting services available today, providing technical details of how they work and how criminals use them to run their businesses. This includes a detailed description of the typical lifecycle of a compromised server, from initial compromise to final attack.
Cloud servers in particular are exposed to compromise and to use as underground hosting infrastructure, because they may lack the protections of their on-premises equivalents.
“Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited,” continued McArdle.
Cybercriminals might look to exploit vulnerabilities in server software, use brute-force attacks to compromise credentials, or steal logins and deploy malware via phishing attacks.
They may even target infrastructure management software and cloud API keys, which allow them to create new virtual machine instances or provision other resources at the victim's expense.
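As an added illustration of what abuse of a stolen cloud API key looks like from the defender's side (example code, not from the report or this article): a detection pass over CloudTrail-style management events that flags instance launches which depart from the account's baseline. The field names follow AWS CloudTrail (eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId, requestParameters.instanceType, eventID); the baseline values, the instance-family heuristics and the events themselves are constructed assumptions for this example.

```python
"""
Detect instance launches that look like abuse of a stolen cloud API key.
Added example; baseline, thresholds and sample events are constructed.
"""
from collections import Counter

# Baseline an analyst would derive from normal account activity (assumption).
HOME_REGIONS = {"eu-west-1"}
KNOWN_KEY_SOURCE_IPS = {"AKIAEXAMPLEKEY01": {"203.0.113.10"}}
# Families attractive for mining: GPU instances (illustrative list).
GPU_FAMILIES = {"p2", "p3", "p4d", "g4dn", "g5"}
LARGE_SIZE_MIN = 12      # e.g. 12xlarge and up counts as "very large compute"
BURST_THRESHOLD = 3      # launches by one key from one IP in the window reviewed


def _size_multiplier(instance_type):
    """'c5.24xlarge' -> 24, 'm5.xlarge' -> 1, 't3.medium' -> 0 (AWS naming assumption)."""
    size = instance_type.partition(".")[2]
    if size.endswith("xlarge"):
        n = size[: -len("xlarge")]
        return int(n) if n.isdigit() else 1
    return 0


def launch_findings(events):
    """Return a list of {eventID, key, reasons} for suspicious RunInstances calls."""
    launches = [e for e in events if e["eventName"] == "RunInstances"]
    per_key_ip = Counter((e["userIdentity"]["accessKeyId"], e["sourceIPAddress"])
                         for e in launches)
    findings = []
    for e in launches:
        key, ip = e["userIdentity"]["accessKeyId"], e["sourceIPAddress"]
        itype = e["requestParameters"].get("instanceType", "")
        family = itype.partition(".")[0]
        reasons = []
        if e["awsRegion"] not in HOME_REGIONS:
            reasons.append(f"launch in unused region {e['awsRegion']}")
        if ip not in KNOWN_KEY_SOURCE_IPS.get(key, set()):
            reasons.append(f"key {key} used from new source IP {ip}")
        if family in GPU_FAMILIES:
            reasons.append(f"GPU instance family {family}")
        elif _size_multiplier(itype) >= LARGE_SIZE_MIN:
            reasons.append(f"very large compute size {itype}")
        if per_key_ip[(key, ip)] >= BURST_THRESHOLD:
            reasons.append(f"burst of {per_key_ip[(key, ip)]} launches from {ip}")
        if reasons:
            findings.append({"eventID": e["eventID"], "key": key, "reasons": reasons})
    return findings


def _ev(eid, name, region, ip, itype=None, key="AKIAEXAMPLEKEY01"):
    """Build a minimal CloudTrail-shaped event (constructed test data)."""
    return {"eventID": eid, "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"instanceType": itype} if itype else {}}


# Constructed sample: one normal launch, then the same key used from a new IP
# to spin up GPU and 24xlarge boxes in regions the account never uses.
SAMPLE_EVENTS = [
    _ev("e1", "RunInstances", "eu-west-1", "203.0.113.10", "t3.medium"),
    _ev("e2", "DescribeInstances", "us-east-1", "198.51.100.23"),
    _ev("e3", "RunInstances", "us-east-1", "198.51.100.23", "p3.8xlarge"),
    _ev("e4", "RunInstances", "us-east-1", "198.51.100.23", "p3.8xlarge"),
    _ev("e5", "RunInstances", "ap-southeast-1", "198.51.100.23", "c5.24xlarge"),
]

if __name__ == "__main__":
    for f in launch_findings(SAMPLE_EVENTS):
        print(f["eventID"], f["key"], "; ".join(f["reasons"]))
```

Each reason is independent, so a single unusual region or a single new source IP still surfaces, while a cluster of reasons on the same key is the pattern to prioritise: a stolen key that starts launching large or GPU instances from an unfamiliar address in a region the organisation does not use.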
Once compromised, these cloud server assets can be sold on underground forums, dedicated marketplaces and even social networks for use in a range of attacks.
The report also covers emerging trends for underground infrastructure services, including abuse of telephony services and satellite infrastructure, and “parasitic” computing for rent including hidden RDP and VNC.