There is an ongoing hacking campaign targeting GitLab servers vulnerable to a known flaw, researchers are saying. The goal of the campaign is proxyjacking and crypojacking.
Earlier this week, cybersecurity researchers from Sysdig published a report, detailing a novel threat actor they named LABRAT. This group has gone above and beyond to stay hidden, deploying cross-platform malware, kernel rootkits, and numerous obfuscation techniques, as well as abusing legitimate cloud services as much as possible.
The report reads: “This operation was much more sophisticated than many of the attacks the Sysdig TRT typically observes… the stealthy and evasive techniques and tools used in this operation make defense and detection more challenging.”
Sophisticated campaign
To successfully compromise endpoints, the attackers are abusing CVE-2021-22205. This is a two year-old improper validation vulnerability that has a severity score of 10.0.
It was found in three separate versions of GitLab – 13.8.8, 13.9.6, and 13.10.3, but a patch has been available since April 2021. The campaign once again underlines the importance of frequent patching and keeping both software and hardware up to date.
When the attackers find a vulnerable endpoint and establish persistence, they will go for either proxyjacking, or cryptojacking. The former is the practice of renting out unused victim bandwidth to a proxy network and earning money in the process.
The latter, on the other hand, refers to installing cryptocurrency miners on vulnerable devices, without the owner’s knowledge or consent.
Cryptojackers, while popular among the cybercriminal community, are relatively easy to spot. As mining crypto requires heavy computing power, the computer can’t work on anything else while it’s active; it will be sluggish and close to unresponsive. Furthermore, victims can expect a highly inflated electricity bill.
There is no word yet on how successful the campaign really is.