In a digital forensic analysis conducted in February 2022 by CYE’s Critical Cyber Operations group, our team analyzed an image of a client’s suspicious Linux server that had been reported to be launching brute-force attacks against hosts worldwide. The team concluded not only that the server had indeed been breached, but also that a range of malicious tools, including scripts and malware, had been installed on it. Two highly active tools were designed for crypto mining and for SSH brute forcing of additional servers.
Based on the identified IOCs (SSH-key comment, malicious tool and script names, directory hierarchy), we conclude that this intrusion is very similar to an attack conducted in April 2020 by the “Outlaw Hacking Group”. The Outlaw Hacking Group was first spotted by TrendMicro in 2018, when the cybercriminals targeted the automotive and financial industries. This activity and the attacker’s assets lead us to believe that the attacker never stopped their activity; rather, they changed some IOCs. To the best of our knowledge, the malware they use changes frequently, making it hard for conventional antivirus products to catch.
Although Outlaw is believed to be a financially motivated actor attacking networks to harvest cryptocurrency, we are concerned they might do more than that if an opportunity presents itself. We assess that we discovered the incident at its beginning, before any breached companies had even noticed. As before, they have attacked extensively in Europe. This is probably the case this time as well, but there is still no evidence from other companies. This attack was not targeted at this specific company but was part of a wider campaign, which is why it is crucial to raise the alert. To our knowledge, “Outlaw” hasn’t been active since 2020. Some of the tools the group used this time around are new to it and indicate a certain evolution in its conduct.
In a recent investigation by CYE’s Critical Cyber Operations group, we encountered renewed activity from this group, with some surprising changes in the detected Tactics, Techniques, and Procedures (TTPs). The group has incorporated new tools and tactics into its attack that are worth mentioning, notably the use of the XORDDOS tool, first spotted by TrendMicro in 2020.
The investigation showed that the attacker used two methods to gain persistence. First, their tools create init startup scripts and cron jobs; second, they drop their SSH key into the “authorized_keys” file so that they can log in to the compromised machine even if the victim user changes their password. Moreover, the attacker changed the server’s root password. One of the downloaded files contained tens of thousands of IP addresses as targets for the SSH brute-force tool.
From our investigation, we conclude that the attacker’s last successful login to the server came from the following IP: 18.104.22.168. VirusTotal indeed shows that this IP is flagged as malicious by some engines.
Generally, to mitigate the risk of threats like this, we recommend disabling password-based login and allowing SSH-key authentication only, blocking root login from outside the company network, and changing the default SSH port. In addition, we recommend always keeping the system up to date. To further lower the risk, we recommend proactive measures such as a continuous CTI effort to identify and assess emerging threats, and "Threat Hunting" operations within the organization.
Block the identified malicious IP 22.214.171.124 to stop additional attempts by the attacker in the near future.
Ingest the following IOC list into your security systems to detect other potentially breached machines within the organization.
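As an added example (not CYE's tooling or the IOC list), the following script hunts a mounted Linux image for the persistence artefacts described above (dropped `authorized_keys` entries, cron jobs, init scripts) and checks `sshd_config` against the hardening recommendations. The image root, file contents and the allow-listed key comment `admin@corp.example` are constructed assumptions.

```shell
#!/bin/sh
# Added example, not CYE's tooling: hunt a mounted image root for the
# persistence artefacts described above and check the recommended sshd
# settings. Everything under $ROOT below is a CONSTRUCTED sample.

# One line per sshd_config setting that contradicts the recommendations.
# Caveat: Match blocks (e.g. root allowed only from the corporate range)
# are not parsed, so a PermitRootLogin restricted inside one is still flagged.
sshd_weak_settings() {
  f="$1"
  if ! grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$f"; then
    echo "WEAK: PasswordAuthentication is not 'no' in $f"; fi
  if ! grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+(no|prohibit-password)' "$f"; then
    echo "WEAK: PermitRootLogin allows password root login in $f"; fi
  if ! grep -Eiq '^[[:space:]]*Port[[:space:]]+' "$f" \
     || grep -Eiq '^[[:space:]]*Port[[:space:]]+22$' "$f"; then
    echo "INFO: sshd on default port 22 in $f"; fi
}

# Print authorized_keys entries whose trailing comment is not in the
# allow-list passed as remaining arguments; an attacker-dropped key surfaces here.
unknown_authorized_keys() {
  keys="$1"; shift
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    comment="${line##* }"; known=0
    for ok in "$@"; do if [ "$comment" = "$ok" ]; then known=1; fi; done
    if [ "$known" -eq 0 ]; then echo "UNKNOWN KEY: $line"; fi
  done < "$keys"
}

# List cron and init-script files under the image root for manual review.
persistence_files() {
  for d in etc/cron.d etc/init.d var/spool/cron; do
    if [ -d "$1/$d" ]; then find "$1/$d" -type f; fi
  done
}

# --- constructed sample image root (weak config, one unknown key) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/ssh" "$ROOT/root/.ssh" "$ROOT/etc/cron.d" "$ROOT/etc/init.d"
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$ROOT/etc/ssh/sshd_config"
printf 'ssh-ed25519 AAAAC3CONSTRUCTED1 admin@corp.example\nssh-rsa AAAAB3CONSTRUCTED2 dropped-key\n' \
  > "$ROOT/root/.ssh/authorized_keys"
printf '* * * * * root /tmp/constructed.sh\n' > "$ROOT/etc/cron.d/constructed"
printf '#!/bin/sh\n/tmp/constructed.sh\n' > "$ROOT/etc/init.d/constructed"
sshd_weak_settings "$ROOT/etc/ssh/sshd_config"
unknown_authorized_keys "$ROOT/root/.ssh/authorized_keys" admin@corp.example
persistence_files "$ROOT"
```

On a real image, point `$ROOT` at the mount point and pass the key comments your administrators actually use; any remaining `UNKNOWN KEY` line deserves the same scrutiny as the IOC list.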