CyberWire Daily - LemonDucks evading detection. [Research Saturday]
Episode Date: June 4, 2022
Scott Fanning from CrowdStrike's research team joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and research... suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency. LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation through the use of proxy pools. Scott shares how it's unknown which organizations have been targeted and just how much cryptocurrency has been stolen. The research can be found here: LemonDuck Targets Docker for Cryptomining Operations
Transcript
You're listening to the CyberWire Network, powered by N2K.
...data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I've been really focusing a lot on the adversary's leveraging of the cloud.
And so we were very curious to know how the adversary maybe is starting to look towards cloud environments as a primary place to start pivoting into their threat factors.
That's Scott Fanning. He's Senior Director of Product Management at CrowdStrike.
The research we're discussing today is titled,
LemonDuck Targets Docker for Cryptomining Operations.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context.
They can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
Crypto mining has been around for a while.
It takes advantage of GPU,
graphical cards, video cards,
such as your NVIDIAs and AMDs and such.
It takes advantage of compute cycles
to generate cryptocurrency normally.
And this is done for legitimate reasons.
For Bitcoin generation, people do it all the time.
But it also can be used for not so good purposes
because of the anonymity principles around Bitcoin. So in this particular case, it uses a
Bitcoin called Monero, which is a Bitcoin mining technology that doesn't actually take advantage of
your GPU. It actually leverages regular old CPU cycles to be able to do that.
And in this case, the threat actors are targeting folks who are using Docker instances?
Yeah, so, you know, Docker is a very popular containerization technology.
It allows you to run microservices in public clouds or in private clouds.
And, you know, to be able to operate these things, they have APIs.
And these APIs, in this particular case, are exposed to the public.
So, you know, the adversary is able to scan the environment, find these public APIs, and then take advantage of them.
I see. Well, let's walk through this together.
I mean, how did this initially come to your attention?
So we've been doing a lot of
primary security threat research at CrowdStrike. We always have, and we've been really focusing a
lot on the adversary's leveraging of the cloud. Although the cloud is definitely more secure,
it has infrastructure taken care of by the cloud providers, a lot of that security is also a shared
responsibility. And so we were very curious to know how the adversary
maybe is starting to look towards cloud environments
as a primary place to start pivoting into their threat factors
versus just on-prem.
And we were just doing some research,
setting up some honeypots
and seeing what the adversary was doing,
and we noticed this.
Well, tell me about LemonDuck. I mean, that's the group here. What do we know about them coming into
this? So LemonDuck is a botnet. It's been around for some time. It traditionally would target
Windows and Linux machines. And it primarily uses a series of proxy servers to masquerade not only their intent,
but also the wallets of the Bitcoin mining operation. So it's a fully anonymous botnet
that allows you to kind of contact, reach people out, anything that quacks is a target and basically allows you to do command and control
over various instances and workloads and such. Well, let's go through it together here. I mean,
how would someone find themselves a victim of this? Well, I mean, typically you would find
these things. It's very well masqueraded. So it starts off, obviously, someone has found these open APIs
and then basically puts in a small file that basically then loads the crypto miner.
Usually, you'll see XMRig as a process name.
But basically, it will reach out, download the file.
It tries to disguise itself.
Initially, it'll look like a PNG file, which
makes very little sense, but it comes out as
core.png, downloads the file,
and then it executes
a script,
grabs the actual CryptoMiner payload,
which is also masqueraded,
and then it starts to execute.
And you'll notice this because CPU utilization
on these Docker containers will start to rise.
You'll also see it do some pretty interesting things
in terms of not letting anyone else crypto-mine
on those instances as well.
Yeah, that was something I noticed in your research here
is that one of the things it does is it kind of cleans house
and tries to get rid of any other potential crypto miners?
Yeah, I mean, they want the CPU cycles all for themselves, right?
So they'll look for different process names and kill their competition.
It will also disable some monitoring services.
On Alibaba Cloud, there's a monitoring service that it explicitly finds and then turns off.
And then it's able to do its thing.
So yeah, it kind of just cleans the kitchen to cook the duck.
Yeah.
Now, in terms of CPU usage here, does it show any sort of restraint here to try to not draw attention to itself,
or does it pretty much hit the accelerator pedal down to the floor?
We've noticed that it doesn't really, because it's in a virtual environment,
in a containerized environment, if you look at it from a host perspective,
it might not look like it's using a lot of CPU. But if you look at the actual Docker container itself,
we've seen it put on the gas pedal there pretty hard.
So it's not super quiet,
but it definitely takes advantage of what it has in front of it.
And you point out that it's making use of XMRig
for the actual mining?
That's correct.
Yeah.
Can you describe to me,
one of the things that you mentioned here is a crypto mining proxy pool.
What exactly is that?
So, you know, a proxy is basically a way to abstract one IP address and then behind it is a bunch of more sophisticated IP address network and routing capabilities. So basically, it's a pool of these proxies
that in the back end is connected to various wallets
that it's able to move the cryptocurrency contribution into.
It does a couple of things.
It lets you masquerade the actual connection, right?
So it's standing in the way of you seeing that.
But also, it allows it to scale as well. So it's like any good service provider. It makes sure it provides the service
at scale with some anonymity. Now, for someone who's fallen victim to this, is this a case where
if they had something set up to keep an eye on their CPU usage, that could
signal them that something's awry, or would they get
an unhappy surprise when they got their bill at the end of the month?
Sadly, you could see your bill go up a little bit.
Basically, it's really going to be about actively looking
for unusual CPU utilization that's happening in your Docker containers.
And then, of course, providing some tools to be able to understand what your process trees are looking like in terms of executing that job.
Although it does disguise itself, at the end of the day, you do see XMRig operating in there. So you'll see a
process that runs, you know, pretty obviously called XMRig that allows you to know, hey, it's
probably XMRig. And in terms of sort of spreading out here, it tries to make use of
some lateral movement? Yeah. So, you know, like all things of nature, it tries to find a way.
So it'll look for SSH keys on the local file system.
And then if it sees those, it'll try to laterally spread to somewhere else,
connect, and provide the same dropper and bring in the miner.
So in terms of mitigation and prevention here,
what are you all recommending?
Well, it always comes down to best principles here.
You should, first of all,
don't expose your cloud resources to the internet, right?
So use zero trust policies and principles to isolate that.
Make sure your API usages are authenticated.
Configure Docker and Kubernetes runtime.
Only look at signed images from a trusted registry.
You may want to take a look at your shift left strategy,
how your developers are building their images.
Make sure mining software or SSH keys
aren't part of your build images as well.
Many scanning tools will provide that capability.
Again, authenticate those APIs. Just like any APIs that are public,
if they're available to the public,
they're going to be found. It didn't take very long for the adversary to find these ones.
And then, of course, monitor for your workloads for any kind of rogue containers or high CPU
utilization. So it just gets down to keeping vigilant.
It strikes me that ransomware really, you know, is sort of the loud element in the room here.
But crypto mining is still active and taking place out there.
And this is a sign of that.
Yeah.
You know, why do bank robbers rob banks?
Because that's where the money is.
So I think in this case,
as long as there's free real estate for an adversary to take advantage of
and they feel it's a victimless crime,
then they're able to monetize that.
And LemonDuck makes it very, very simple
to be able to do that.
The infrastructure has been there for some time
and it's just found a new place to generate currency.
Our thanks to Scott Fanning from CrowdStrike for joining us. The research is titled LemonDuck Targets Docker for Cryptomining Operations. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, ... a default-deny approach can keep your company safe and compliant. ... technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.