Sysdig Threat Research Team highlights several cloud-native threats observed around Black Hat 2024, including LLM credential abuse (LLMjacking), a self-spreading SSH worm (SSH-Snake), a Mirai-based Rebirth Botnet for DDoS, a crypto-mining operation (AMBERSQUID) across AWS services, and Meson Network abuse to inflate cloud costs. The report also covers related CVEs (OpenSSH and liblzma backdoors) and how runtime detection with Sysdig Secure can mitigate these threats.
#LLMjacking #SSHSnake #RebirthBotnet #AMBERSQUID #MESONNetwork #CVE-2024-6387 #CVE-2024-3094 #Confluence #OpenSSH
Keypoints
- The TRT observed LLM credential theft (LLMjacking) targeting ten cloud-hosted LLM services to exfiltrate credentials and access local cloud-hosted models, potentially incurring high costs and enabling data exfiltration.
- SSH-Snake is a self-modifying worm that spreads via discovered SSH credentials, with a C2 server collecting outputs and targeting Confluence-exploited systems; ~300 victims were identified as of writing.
- The Rebirth Botnet, a Mirai-based DDoS service, is promoted via Telegram and a storefront, targeting gaming platforms with plans offering API access, C2 nodes, and high attack throughput—potentially large-scale, rented DDoS power.
- AMBERSQUID describes a cloud-native cryptojacking campaign using AWS services (Amplify, Fargate, SageMaker), often overlooked due to its use of uncommon cloud services and potential daily losses exceeding $10,000.
- The MESON NETWORK campaign abused a blockchain-based Meson service to spin up thousands of nodes, incurring significant cloud costs and highlighting runtime-only detection via network activity (gaganode behavior).
- Two CVEs are highlighted: CVE-2024-6387 (regreSSHion) in OpenSSH, and CVE-2024-3094 (backdoored liblzma) impacting SSHD authentication, with guidance on detection and remediation.
- Sysdig Secure, powered by Falco, provides runtime detection and correlation across containers, workloads, and cloud services to identify anomalous behavior and mitigate these threats in real time.
MITRE Techniques
- [T1003] Credential Dumping – LLMjacking harvests cloud credentials to reach hosted LLM services; SSH-Snake spreads using SSH credentials discovered on compromised hosts.
- [T1071] Command and Control – SSH-Snake sends collected output to a C2 server; Rebirth Botnet plans include access to C2 nodes.
- [T1203] Exploitation of Vulnerability – SSH-Snake targeted Confluence-exploited systems; CVE-2024-6387 (regreSSHion) and CVE-2024-3094 (backdoored liblzma) affect OpenSSH/SSHD.
- [T1498] Distributed Denial of Service – Rebirth Botnet, a Mirai-based DDoS-for-hire service, targets gaming platforms.
- [T1068] Privilege Escalation
- [T1496] Resource Hijacking – AMBERSQUID runs cryptomining across AWS Amplify, Fargate and SageMaker; the Meson Network campaign spins up thousands of nodes at the victim's expense.
- [T1573] Cloud Service Dashboard
Indicators of Compromise
- [Domain] – rebirthltd.com – DDoS botnet domain used for the Rebirth Botnet operations
- [Domain] – rebirthltd.mysellix.io – storefront domain advertising the botnet services
- [File name] – liblzma.so.5.6.0 – backdoored library loaded into SSHD (CVE-2024-3094)
- [File name] – liblzma.so.5.6.1 – backdoored library loaded into SSHD (CVE-2024-3094)
- [File name] – gaganode – binary executed by Meson Network activity, connecting to malicious IPs
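The following is an added example, not code from the Sysdig post: a small POSIX shell host sweep for two of the IoCs listed above, the backdoored liblzma 5.6.0/5.6.1 file names (CVE-2024-3094) that SSHD loads, and a running gaganode process from the Meson Network campaign. It assumes sshd is found via `command -v sshd` or at `/usr/sbin/sshd`, that `ldd` and `readlink -f` are available, and that a `pid comm` process listing (as produced by `ps -eo pid,comm`) is fed to the process check on stdin; the script file name `xz_meson_sweep.sh` is a hypothetical name used only to decide whether to run the sweep on execution.

```shell
#!/bin/sh
# Added example, not code from the Sysdig post: sweep a host for two IoCs
# from the report, backdoored liblzma 5.6.0/5.6.1 (CVE-2024-3094) and the
# gaganode binary used by the Meson Network campaign.
# Assumptions: sshd at $(command -v sshd) or /usr/sbin/sshd; ldd and
# readlink -f available; a "pid comm" listing is fed on stdin for the
# process check. The file name xz_meson_sweep.sh is hypothetical.

# Return 0 (true) if a liblzma path or version string names one of the two
# backdoored upstream xz releases, 1 otherwise. Matching is by file name only;
# compare against your distribution's advisory for patched 5.6.x builds.
is_backdoored_liblzma() {
    case "$1" in
        *liblzma.so.5.6.0|*liblzma.so.5.6.1|5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the liblzma shared object that sshd would load at start-up, resolved
# through ldd (sshd pulls liblzma in transitively via libsystemd on affected
# distributions). Prints nothing if sshd is missing or does not link it.
sshd_liblzma_path() {
    sshd_bin=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 1
    # ldd resolves the target's dependencies; only run it on binaries you trust.
    ldd "$sshd_bin" 2>/dev/null | awk '/liblzma/ { print $3; exit }'
}

# Read a "pid comm" listing on stdin, print every gaganode process, and
# return 0 if at least one was found, 1 otherwise. The ps header line
# ("PID COMMAND") never matches, so it can be left in the input.
find_gaganode_procs() {
    awk '$2 == "gaganode" { found = 1; print } END { exit found ? 0 : 1 }'
}

# Run both checks against the live host; return 2 if anything was flagged.
sweep_host() {
    rc=0
    lib=$(sshd_liblzma_path) || lib=""
    if [ -n "$lib" ]; then
        # Follow symlinks so the real versioned file name is inspected.
        real=$(readlink -f "$lib" 2>/dev/null || printf '%s' "$lib")
        if is_backdoored_liblzma "$real"; then
            printf 'FLAG: sshd links backdoored liblzma: %s\n' "$real"
            rc=2
        else
            printf 'ok: sshd links %s\n' "$real"
        fi
    else
        printf 'ok: sshd not found or does not link liblzma\n'
    fi
    if ps -eo pid,comm 2>/dev/null | find_gaganode_procs; then
        printf 'FLAG: gaganode process running (listed above)\n'
        rc=2
    else
        printf 'ok: no gaganode process\n'
    fi
    return $rc
}

# Only sweep when executed directly, so the functions can be sourced elsewhere.
case "$0" in
    *xz_meson_sweep.sh) sweep_host ;;
esac
```

Run it as a privileged user on each SSH-exposed host (`sh xz_meson_sweep.sh; echo $?`); a non-zero exit of 2 means one of the two IoCs was seen and the host should be isolated for investigation. The liblzma check deliberately resolves the library through the sshd binary rather than trusting `xz --version`, because the backdoor matters only where SSHD actually loads the affected object.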
Read more: https://sysdig.com/blog/sysdig-threat-research-team-black-hat-2024/