CRYSTALRAY Hackers Exploiting Popular pentesting Tools To Evade Detections
- From: Vulnerability (cybersecuritynews.com)
Author: Aman Mishra
The threat actor Crystalray, previously observed using SSH-Snake, has significantly expanded operations, targeting over 1,500 victims.
Employing mass scanning, exploiting multiple vulnerabilities, and utilizing tools like zmap, asn, httpx, nuclei, platypus, and SSH-Snake, CRYSTALRAY aims to steal and sell credentials, deploy cryptominers, and persist within victim environments.
The self-modifying SSH-Snake worm aids in lateral movement and credential discovery, enhancing stealth and efficiency compared to traditional SSH worms.
Crystalray leverages the ASN tool from ProjectDiscovery to gather network intelligence efficiently; by querying Shodan for data on specified countries, it generates precise IPv4 and IPv6 CIDR blocks using Marcel Bischoff’s country-ip-blocks repository.
(Figure: complete command to have a file ready for automation.)
This targeted scanning approach allows for comprehensive reconnaissance without directly probing target systems, providing detailed information on open ports, vulnerabilities, software, and hardware.
The attacker automates this process using a combination of ASN, jq, and shell scripting to create scannable IP lists for specific countries, enhancing operational efficiency.
(Figure: Zmap ports command)
Subsequently, httpx, a rapid HTTP toolkit, was employed to validate live hosts from the zmap results and gather additional information, expediting the identification of potential targets for further exploitation, researchers said.
Crystalray employs a multi-stage attack process built on open-source tools: zmap for port scanning, followed by httpx for HTTP probing, while nuclei, a vulnerability scanner, is used to identify exploitable vulnerabilities, primarily focusing on Confluence-related CVEs.
To evade detection, nuclei is also used to detect honeypots. The attacker then modifies publicly available proof-of-concept exploits to inject their malicious payload, often Platypus or Sliver clients, targeting vulnerable systems.
(Figure: percentage of IPs per region affected)
It employs SSH-Snake, an open-source worm, to propagate across a victim’s network using discovered SSH keys and credentials, exfiltrating captured keys and bash histories.
Additionally, the threat actor searches for credentials in environment variables, leveraging found credentials for lateral movement to cloud platforms and subsequent sales on black markets.
(Figure: SSH-Snake)
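The SSH-Snake propagation described above has a recognizable footprint from the defender's side: one source address logging in by public key to many distinct hosts, under several different accounts, in a short span of time. The following is an added detection example, not code from the article or from Sysdig. It assumes syslog-style sshd "Accepted" lines collected centrally, and the thresholds (four hosts and two accounts in ten minutes) are assumptions to be tuned per environment; the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centrally collected sshd lines (not real data).
# Format assumed: "<iso-timestamp> <host> sshd[pid]: Accepted <method> for <user> from <src> port <port> ssh2"
SAMPLE_LOG = """\
2024-07-10T10:00:01 web-01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
2024-07-10T10:00:04 web-02 sshd[1877]: Accepted publickey for deploy from 10.0.0.5 port 51030 ssh2
2024-07-10T10:00:09 db-01 sshd[3320]: Accepted publickey for root from 10.0.0.5 port 51041 ssh2
2024-07-10T10:00:15 ci-01 sshd[905]: Accepted publickey for jenkins from 10.0.0.5 port 51052 ssh2
2024-07-10T10:00:21 bastion sshd[778]: Accepted publickey for ops from 10.0.0.5 port 51060 ssh2
2024-07-10T10:00:30 app-03 sshd[4102]: Accepted publickey for deploy from 10.0.0.5 port 51071 ssh2
2024-07-10T10:05:00 web-01 sshd[2250]: Accepted publickey for alice from 10.0.0.42 port 60012 ssh2
2024-07-10T10:30:00 web-02 sshd[1900]: Accepted password for bob from 10.0.0.42 port 60100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_lines(text):
    """Parse successful-login lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_ssh_fanout(events, window=timedelta(minutes=10), min_hosts=4, min_users=2):
    """Flag each source that reaches >= min_hosts distinct hosts under >= min_users
    distinct accounts inside `window`. Thresholds are assumed defaults: an operator
    rarely touches that many hosts and accounts in minutes, a worm riding harvested
    keys does exactly that. One alert per source, from the first qualifying window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in in_win}
            users = {e["user"] for e in in_win}
            if len(hosts) >= min_hosts and len(users) >= min_users:
                alerts.append({
                    "src": src,
                    "hosts": sorted(hosts),
                    "users": sorted(users),
                    "methods": sorted({e["method"] for e in in_win}),
                    "first": start["ts"],
                    "last": in_win[-1]["ts"],
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_fanout(parse_lines(SAMPLE_LOG)):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['src']}: {len(a['hosts'])} hosts, accounts {a['users']}, "
              f"methods {a['methods']}, within {span:.0f}s")
```

On the constructed sample, 10.0.0.5 is flagged (six hosts, four accounts, all by public key within 29 seconds) while 10.0.0.42 is not. Key-only fan-out is the detail worth keeping in the alert: the worm authenticates with keys it has already harvested, so a burst of `publickey` acceptances from a single internal source is a stronger signal than a burst of password failures.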
Crystalray is a threat actor that utilizes open-source tools to compromise systems and exfiltrate sensitive data. Its toolset includes bash command history extraction, Sliver for persistence, and Platypus for command-and-control.
The group aggressively collects and stores command histories to mine for credentials and tokens, and they leverage the Sliver framework for maintaining persistent access and lateral movement while using Platypus to manage compromised systems.
(Figure: Platypus Dashboard)
According to Sysdig, the group compromises systems to steal credentials for various services, including cloud and SaaS providers, which are then sold on black markets and stored on the attacker’s C2 server.
It also deploys cryptominers to monetize compromised systems, using both older, less sophisticated scripts and newer, more complex configurations, which terminate competing cryptominers on infected hosts.
#Cyber_Attack #Cyber_Security_News #Hacking_Tools #Vulnerability #cyber_security_news #Cybersecurity_Tools #THREAT_INTELLIGENCE #Vulnerability_Exploitation