There is an ongoing hacking campaign targeting GitLab servers that are vulnerable to a known flaw, researchers say. The aim of the campaign is proxyjacking and crypojacking.
Earlier this week, Sysdig cybersecurity researchers published a report detailing a new threat actor they named LABRAT. This group goes to great lengths to remain hidden by deploying cross-platform malware, kernel rootkits and numerous obfuscation techniques, and exploiting legitimate cloud services as much as possible.
The report reads: “This operation was far more sophisticated than many of the attacks typically observed by the Sysdig TRT… the stealthy and evasive techniques and tools used in this operation make defense and detection more challenging.”
Refined campaign
To successfully compromise endpoints, attackers exploit CVE-2021-22205. This is a two-year-old malvalidation vulnerability with a severity score of 10.0.
It was found in three separate versions of GitLab – 13.8.8, 13.9.6 and 13.10.3, but a patch is available as of April 2021. The campaign once again underlines the importance of frequent patching and keeping it up to date dating both software and hardware.
When the attackers find a vulnerable endpoint and establish persistence, they go for proxyjacking or cryptojacking. The first is the practice of renting unused victim bandwidth to a proxy network and making money in the process.
The latter, on the other hand, refers to installing cryptocurrency miners on vulnerable devices, without the owner’s knowledge or consent.
Although cryptojackers are popular among the cybercrime community, they are relatively easy to spot. Since mining crypto requires a lot of computing power, the computer cannot work on anything else while it is running; it will be slow and almost unresponsive. In addition, victims can expect a sky-high electricity bill.
It is not yet known how successful the campaign really is.