Cloud Threats Deploying Crypto CDN

Sysdig TRT observed an attacker exploit CVE-2021-3129 and a WordPress misconfiguration to compromise an AWS account, then used RunInstances userdata to deploy Meson Network nodes at scale. The campaign spawned nearly 6,000 EC2 micro instances across regions, downloaded and installed meson_cdn, and served/stored content to earn Meson tokens. #MesonNetwork #CVE-2021-3129 #AWS

Keypoints

  • Initial access achieved by exploiting CVE-2021-3129 in a Laravel application and a WordPress misconfiguration to compromise a cloud account.
  • Attacker performed automated reconnaissance and abused identified privileges to call RunInstances and create thousands of EC2 micro instances across multiple AWS regions.
  • EC2 userdata executed a wget of https://staticassets.meson.network/…/meson_cdn-linux-amd64.tar.gz, extracted the meson_cdn binary, installed it as a service, configured a token and https_port, then started the service.
  • Almost 6,000 Meson nodes were instantiated within minutes using a public Ubuntu 22.04 AMI (e.g., ami-0a2e7efb4257c0907) from a single source IP (13.208.251.175), resulting in significant cost exposure.
  • meson_cdn default.toml showed endpoint https://cdn.meson.network and a token value; m_cache folder contained images and JSON metadata indicating content storage rather than heavy CPU use.
  • Detection strategies suggested: monitor RunInstances CloudTrail events, track unexpected outbound connections and traffic/storage spikes, and use Falco/runtime rules to detect disallowed outbound destinations.
  • DockerHub image wawaitech/meson (running gaganode) was observed performing outbound connections at runtime, indicating related supply-chain/runtime risk despite benign static analysis.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attacker exploited a Laravel CVE and WordPress misconfiguration to gain initial access (‘exploited CVE-2021-3129 in a Laravel application and a misconfiguration in WordPress to gain initial access to the cloud account.’).
  • [T1078] Valid Accounts – Use of compromised cloud account credentials/privileges to create EC2 instances and perform actions in the victim AWS account (‘Following initial access, the attacker used automated reconnaissance techniques … then used the privileges they identified for the compromised users to create a large number of EC2 instances.’).
  • [T1105] Ingress Tool Transfer – Downloading the Meson binary via wget in EC2 userdata to transfer tooling onto instances (‘wget …meson_cdn-linux-amd64.tar.gz && tar -zxf meson_cdn-linux-amd64.tar.gz …’).
  • [T1543] Create or Modify System Process – Installing and starting meson_cdn as a service on each instance using userdata commands (‘sudo ./service install meson_cdn … sudo ./service start meson_cdn’).
  • [T1046] Network Service Discovery / [T1595] Active Scanning – Automated reconnaissance to discover account privileges and resource landscape prior to mass instance creation (‘the attacker used automated reconnaissance techniques to instantly uncover a lay of the land’).
  • [T1071] Application Layer Protocol – Instances made outbound connections to CDN endpoints and other hosts to serve/store content (‘end_point = “https://cdn.meson.network”’, and system calls show files exchanged with the CDN).

Indicators of Compromise

  • [IP Address] attacker source IP – 13.208.251.175 (single origin for CloudTrail activity).
  • [AMI] public AMI used to spawn instances – ami-0a2e7efb4257c0907 (Ubuntu 22.04); attacker launched 500-instance batches per region.
  • [Domains] Meson-related download/endpoints – staticassets.meson.network (wget source), cdn.meson.network (configured endpoint).
  • [Container/Image] DockerHub runtime observed – wawaitech/meson (runs gaganode) showing outbound connections during execution.
  • [Files/Artifacts] meson binary and tarball – meson_cdn-linux-amd64.tar.gz and meson_cdn-linux-amd64 binary; m_cache folder containing image JSON metadata (and other content files).
  • [Tokens/Identifiers] meson config token example – token shown as ‘ami-03f4878755434977f’ in default.toml (used as node token), and other tokens present in userdata ‘--token=****’.

On compromise, the attacker automated enumeration of the AWS account, then repeatedly invoked RunInstances with userdata to bootstrap Meson Network nodes. The userdata commands downloaded a Meson tarball from staticassets.meson.network, extracted meson_cdn-linux-amd64, removed the archive, entered the directory, installed the binary as a service and ran configuration commands (including --token and --https_port=443) before starting the service.

The campaign used a public Ubuntu 22.04 AMI (example ami-0a2e7efb4257c0907) and spawned ~500 micro instances per region from a single source IP (13.208.251.175), reaching almost 6,000 instances within minutes. Each instance ran meson_cdn with a default.toml pointing to https://cdn.meson.network and writing cached objects to ./m_cache; files inspected in m_cache contained image assets and JSON metadata (NFT storage links), demonstrating the nodes were being used for storage/bandwidth rather than CPU-heavy mining.

To detect and mitigate similar abuse: monitor CloudTrail RunInstances events for unusually large instance counts or activity in unused regions; watch for spikes in outbound connections, bandwidth, and instance storage; and apply runtime detection such as Falco rules to flag disallowed outbound destinations. Example detections provided include a Falco rule for unexpected outbound connection destinations and CloudTrail-focused rules for RunInstances and AWS commands executed in disallowed regions.
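One way to implement the CloudTrail side of the detection strategy described above (and in the Keypoints), as an added example that is not from the Sysdig write-up: a Python script that walks RunInstances records and flags launch bursts from one principal and source IP, launches in regions the account does not normally use, and a single source IP spanning many regions. Field names follow the standard CloudTrail RunInstances record layout (eventName, eventSource, awsRegion, sourceIPAddress, userIdentity.arn, responseElements.instancesSet.items); the thresholds, the allowed-region baseline, the actor ARN and the sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Baseline assumptions for the example (not from the write-up): the account
# only uses these regions, and no principal legitimately launches this many
# instances from one source IP inside the window.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 100
MULTI_REGION_THRESHOLD = 3


def parse_time(ts):
    # CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-01-15T10:03:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def launched_count(record):
    """Number of instances one RunInstances call created.

    Prefers responseElements.instancesSet.items (what was actually launched)
    and falls back to the requested maxCount. Layout as in the EC2
    RunInstances CloudTrail record; verify against your own logs.
    """
    resp = record.get("responseElements") or {}
    items = (resp.get("instancesSet") or {}).get("items")
    if items:
        return len(items)
    req = record.get("requestParameters") or {}
    req_items = (req.get("instancesSet") or {}).get("items") or []
    return sum(int(i.get("maxCount", 1)) for i in req_items)


def analyze(records):
    """Return findings for launch bursts, disallowed regions and a single
    source IP launching across many regions."""
    findings = []
    launches = [r for r in records if r.get("eventName") == "RunInstances"
                and r.get("eventSource") == "ec2.amazonaws.com"]
    launches.sort(key=lambda r: parse_time(r["eventTime"]))

    regions_by_ip = defaultdict(set)
    window = defaultdict(list)      # (actor, ip) -> [(time, count)] in window
    flagged_burst = set()

    for r in launches:
        ip = r.get("sourceIPAddress", "?")
        region = r.get("awsRegion", "?")
        actor = (r.get("userIdentity") or {}).get("arn") or "?"
        t = parse_time(r["eventTime"])
        n = launched_count(r)

        if region not in ALLOWED_REGIONS:
            findings.append({"type": "disallowed_region", "actor": actor,
                             "region": region, "source_ip": ip, "count": n})
        regions_by_ip[ip].add(region)

        # Sliding window of launches per (actor, source IP): drop entries
        # older than BURST_WINDOW, then compare the cumulative count.
        key = (actor, ip)
        window[key] = [(wt, wn) for wt, wn in window[key] if t - wt <= BURST_WINDOW]
        window[key].append((t, n))
        total = sum(wn for _, wn in window[key])
        if total >= BURST_THRESHOLD and key not in flagged_burst:
            flagged_burst.add(key)
            findings.append({"type": "launch_burst", "actor": actor,
                             "source_ip": ip, "count": total,
                             "window_minutes": BURST_WINDOW.total_seconds() / 60})

    for ip, regions in regions_by_ip.items():
        if len(regions) >= MULTI_REGION_THRESHOLD:
            findings.append({"type": "multi_region_source", "source_ip": ip,
                             "regions": sorted(regions)})
    return findings


def make_event(minute, region, count, ip="203.0.113.10",
               actor="arn:aws:iam::111122223333:user/compromised-user"):
    """Build a constructed RunInstances CloudTrail record (sample data only)."""
    return {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "eventTime": f"2024-01-15T10:{minute:02d}:00Z",
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userIdentity": {"arn": actor},
        "requestParameters": {"instanceType": "t2.micro", "instancesSet": {"items": [
            {"imageId": "ami-EXAMPLE", "minCount": count, "maxCount": count}]}},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": f"i-{region[:2]}{minute:02d}{k:04d}"} for k in range(count)]}},
    }


# Constructed sample: one routine launch by an admin, then a burst of
# 50-instance calls from one IP across four regions within four minutes.
SAMPLE_EVENTS = [
    make_event(0, "us-east-1", 1, ip="198.51.100.7",
               actor="arn:aws:iam::111122223333:user/admin"),
    make_event(1, "us-east-1", 50),
    make_event(2, "eu-west-1", 50),
    make_event(3, "ap-northeast-3", 50),
    make_event(4, "sa-east-1", 50),
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On a real trail, load each delivered log file and pass `json.load(f)["Records"]` to `analyze()`; the burst and region thresholds are the knobs to tune against the account's normal launch pattern, and a hit on all three finding types from the same source IP is the shape of the campaign described here.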

Read more: https://sysdig.com/blog/cloud-threats-deploying-crypto-cdn