Researchers from Sysdig are warning of an ongoing attack campaign against vulnerable GitLab servers that results in deployment of cryptojacking and proxyjacking malware. The attacks use cross-platform malware, kernel rootkits, and multiple layers of obfuscation and try to evade detection by abusing legitimate services.
“This operation was much more sophisticated than many of the attacks the Sysdig TRT typically observes,” researchers from security firm Sysdig said in a new report. “Many attackers do not bother with stealth at all, but this attacker took special care when crafting their operation. The stealthy and evasive techniques and tools used in this operation make defense and detection more challenging.”
The attackers behind the attack campaign, which Sysdig has dubbed LABRAT, search for GitLab servers vulnerable to a known critical security issue tracked as CVE-2021-22205. This flaw stems from improper validation of image files when GitLab processes them with ExifTool and can result in remote code execution. It was patched in GitLab in April 2021 in versions 13.8.8, 13.9.6 and 13.10.3, but exploits for it are still actively used in attacks, meaning hackers find enough unpatched servers to justify its use.
Attackers exploit TryCloudflare to gain an advantage
Once they gain remote code execution, the attackers run a curl command to download and execute a malicious script for a command-and-control (C2) server with a trycloudflare.com hostname. TryCloudflare is a free-tier service provided by Cloudflare for users to evaluate various platform features. Attackers have been known to abuse it to obfuscate their actual C2 server location since Cloudflare’s CDN acts as a proxy in between.
Once executed on a system the script checks if the watchdog process is running and tries to kill it, deletes files from previous infections, disables Tencent Cloud and Alibaba defensive measure, downloads additional malicious binaries, sets up new system services, modifies cron jobs to achieve persistence, collects locally stored SSH keys which are then used to perform lateral movement to other systems.
To obfuscate their communication with the C2 servers, the attackers deployed the CloudFlare Tunnel, a powerful traffic tunneling solution that allows users to expose local services through the secure Cloudflare network without changing firewall settings or doing port forwarding. Researchers from GuidePoint Security recently reported an increase in the number of attacks that abused the Cloudflare Tunnel and TryCloudflare.