

Ethical Hacking News

A Massive Cyber Attack: 4,000+ ISP Networks Compromised by Malicious Actors



A massive cyber attack has left over 4,000 Internet Service Provider (ISP) networks across China and the U.S. West Coast compromised, with malicious actors deploying information stealers and cryptocurrency miners on the targeted systems. To understand the motivations behind this unprecedented assault and learn more about the attack's impact, read our in-depth report on the subject.

  • The attack compromised over 4,000 Internet Service Provider (ISP) networks across China and the U.S. West Coast.
  • The attackers brute-forced weak credentials to gain access, then deployed cryptocurrency miners and crimeware.
  • The malware disables remote access to entrench itself and supports persistence, self-termination and pivot attacks; its motivations remain unclear to experts.
  • The intrusion was kept minimal, relying on scripting languages such as Python and PowerShell to avoid detection.
  • Experts observed text files listing target IPs and passwords, focused on ISPs in China and the U.S. West Coast.
  • PowerShell scripts prepared each compromised system for further payloads by disabling security features and terminating services.
  • The malware captures screenshots and reads cryptocurrency wallet addresses from the clipboard, sending the data to a Telegram bot used for control and revenue generation.



In a shocking turn of events, a massive cyber attack has left over 4,000 Internet Service Provider (ISP) networks across China and the U.S. West Coast compromised. The attack, attributed to malicious actors from Eastern Europe, has deployed information stealers and cryptocurrency miners on the targeted systems, leaving experts scrambling to understand the motivations behind this unprecedented assault.

According to a report published by Splunk's Threat Research Team, the attackers brute-forced weak credentials to gain access to the target systems, which were then used to deploy cryptocurrency miners and crimeware with capabilities such as data exfiltration, persistence, self-termination, and pivot attacks. The malware also disables remote access to entrench itself further.

The attackers' approach was characterized by minimal intrusive operations, with the exception of artifacts created by accounts already compromised. To avoid detection, the threat actors utilized scripting languages such as Python and PowerShell, allowing them to operate in restricted environments and use API calls for command-and-control (C2) operations via Telegram.

Upon gaining access to the systems, the attackers used PowerShell to drop binaries in a folder named "Migration" and employed tools like masscan.exe for network scanning. Before execution, they disabled security features and terminated services that detect cryptominers. The payloads observed by experts included information stealers, crypto miners, and SSH-based C2 connections.

The attack also involved the deployment of text files listing over 4,000 target IPs and passwords, focusing on ISPs in China and the U.S. West Coast. These details suggest deliberate targeting of ISP infrastructure, most likely to mine Monero (XMR) on the compromised hosts.

One of the most striking aspects of this attack is the attackers' use of PowerShell scripts to prepare the compromised system for further payload execution. This preparation involves disabling security product features and terminating or stopping services associated with cryptominer detection.

Furthermore, the malware captures screenshots of the compromised host and retrieves cryptocurrency wallet addresses from the clipboard, sending the captured data to its C2 server via a Telegram bot. This approach allows the attackers to maintain control over the compromised systems while also generating revenue through cryptomining operations.
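The TTPs described in the two paragraphs above (a "Migration" drop folder, masscan.exe, tampering with security services, and Telegram as C2) map directly onto detection logic. The following is an added example, not code from the article or from Splunk's report: it scores constructed PowerShell script-block log entries against those indicators and flags hosts where several co-occur. The exact commands, the `Set-MpPreference`/`Stop-Service` patterns and the host names are assumptions; the page does not give them.

```python
# Added example (not from the article or Splunk's report): scoring constructed
# PowerShell script-block log entries against the indicators the article names.
import re
from dataclasses import dataclass

# Hypothetical indicators derived from the article's description; the actor's
# exact commands are not given there, so these patterns are assumptions.
INDICATORS = {
    "migration_drop": re.compile(r"\\Migration\\", re.IGNORECASE),
    "masscan": re.compile(r"\bmasscan(\.exe)?\b", re.IGNORECASE),
    "telegram_c2": re.compile(r"api\.telegram\.org/bot", re.IGNORECASE),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE),
    "service_kill": re.compile(r"Stop-Service\b|sc(\.exe)?\s+stop\b", re.IGNORECASE),
}

@dataclass
class Finding:
    host: str
    hits: list[str]

def scan_script_block(host: str, script: str) -> Finding:
    """Return the indicator names matched in one script block."""
    return Finding(host, [name for name, rx in INDICATORS.items() if rx.search(script)])

def triage(events: list[dict], threshold: int = 2) -> list[Finding]:
    """Group hits per host; flag hosts with at least `threshold` distinct indicators.
    A single hit (e.g. a user profile that happens to be called Migration) is not enough."""
    by_host: dict[str, set[str]] = {}
    for ev in events:
        f = scan_script_block(ev["host"], ev["script"])
        by_host.setdefault(f.host, set()).update(f.hits)
    return [Finding(h, sorted(hits)) for h, hits in by_host.items() if len(hits) >= threshold]

# Constructed sample events shaped like PowerShell script-block logs (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "isp-edge-01", "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "isp-edge-01", "script": "Copy-Item .\\masscan.exe C:\\Migration\\"},
    {"host": "isp-edge-01", "script": "Invoke-RestMethod https://api.telegram.org/bot<TOKEN>/sendDocument"},
    {"host": "ops-ws-07", "script": "Get-ChildItem C:\\Users\\Migration\\Desktop"},  # benign single hit
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.host, f.hits)
```

Only `isp-edge-01` is flagged; `ops-ws-07` matches one pattern and stays below the threshold, which is the kind of false positive a per-host correlation avoids.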

The Splunk Threat Research Team's report concluded that the actions observed by this actor during the entrenchment and subsequent operations within the targeted hosts appear to rely on scripting languages, reducing the footprint of these operations to the minimum. The team noted that these actions could be described as "just enough" to successfully operate on victims and obtain as much processing power as possible.

This massive cyber attack serves as a stark reminder of the ever-evolving nature of cybersecurity threats. As attackers continue to adapt and innovate, it is essential for organizations and individuals alike to remain vigilant and take proactive measures to protect themselves against such attacks.

In light of this incident, experts are urging ISPs and other affected organizations to conduct thorough security audits and implement robust measures to prevent similar breaches in the future.

As the cybersecurity landscape continues to evolve, it is crucial to stay informed about emerging threats and take steps to mitigate their impact. In the coming days and weeks, Security Affairs will continue to provide in-depth coverage of this developing story, keeping readers abreast of any further developments and updates.

Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Massive-Cyber-Attack-4000-ISP-Networks-Compromised-by-Malicious-Actors-ehn.shtml
  • https://securityaffairs.com/174873/cyber-crime/massive-attack-deploy-info-stealers-crypto-miners.html


Published: Tue Mar 4 06:44:19 2025 by llama3.2 3B Q4_K_M












