"A new, financially motivated operation, "LABRAT," has been observed exploiting a flaw in GitLab for a Cryptojacking and Proxyjacking campaign."
Figure 01: LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab (Hernández, 2023)


Executive Summary:

Figure 02: LABRAT Infection Chain (The Hacker News, n.d.)

CVE-2021-22205 (CVSS 10), a now patched vulnerability in GitLab, was exploited by attackers to gain initial access to a container and carry out "cryptojacking" and "proxyjacking" activities. The vulnerability stems from GitLab failing to properly validate image files passed to a file parser, which resulted in remote command execution. Once the attacker had access to the server, they downloaded a malicious script from the C2 server. This script allowed the attacker to achieve persistence, evade defenses, and perform lateral movement through the following actions:

  • Check whether the watchdog process was already running and, if so, kill it.
  • Delete malicious files left over from a previous run, if they exist.
  • Disable Tencent Cloud and Alibaba's defensive measures, a recurring feature of many attackers.
  • Download malicious binaries.
  • Create a new service from one of these binaries and, if running as root, start it immediately.
  • Modify various cron files to maintain persistence.
  • Gather SSH keys, connect to those machines, and start the process again (lateral movement).
  • Delete any evidence that the above steps may have generated.

Attackers also used "trycloudflare[.]com" to obfuscate their C2 location, creating subdomains that served as password-protected web servers hosting a malicious shell script. These scripts act as a file dropper, try to gain persistence on the victim network, and pivot to additional systems if SSH credentials are discovered on the compromised system. The malicious actors were also observed downloading binaries related to malicious activity directly from a private GitLab repository. Another attack involved a "Solr" server, where the attackers downloaded a "pwnkit" (CVE-2021-4034) binary from the private repository to elevate privileges. The attackers used GSocket to create a backdoor in order to maintain persistence, running a script with the following steps:

  • Download the two tar files from the private repository.
  • Extract both files and concatenate them to generate a new script.
  • This file self-extracts to have another script and several binaries.
  • Run this last script, which deploys the server using the correct binary based on the architecture.

The use of tools that evaded signature-based detection, sophisticated and stealthy cross-platform malware, command and control (C2) tools that bypassed firewalls, and kernel-based rootkits made it harder to detect the malicious activities carried out by the attackers.

IoC (Indicators of Compromise)

Hash

Figure 03: IoC
Figure 04: IoC

URLs

  • hxxps://separate-discussing-refrigerator-field.trycloudflare[.]com
  • hxxps://passage-television-gardening-venue.trycloudflare[.]com
  • hxxps://coffee-abandoned-predicted-skype.trycloudflare[.]com
  • hxxps://karma-adopt-income-jeffrey.trycloudflare[.]com

IPs

  • 1.234.16[.]54
  • 123.30.179[.]206
  • 192.227.165[.]88
  • 172.245.226[.]47
  • 23.94.204[.]157
  • 107.173.154[.]7

Domain

  • desertplanets[.]com

Affected Products

  • GitLab

Mitigation Strategies:

  • Update security management solutions such as SIEMs or EDRs with the above-mentioned IoCs.
  • Keep anti-virus and other endpoint security solutions up to date.
  • Conduct effective cybersecurity training for employees.
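To show what "loading the IoCs into a SIEM" looks like in practice, here is an added example (not code from the article, Sysdig, or The Hacker News). It refangs the defanged indicators listed above, then scans a few constructed proxy and DNS log lines, flagging exact IoC hits as high confidence and any other trycloudflare.com subdomain as medium confidence, since the campaign rotated throwaway tunnels and exact-match indicators age quickly. The log lines and the file names in them are constructed samples; the same scanner can be pointed at cron files or service unit contents collected from a host.

```python
"""Match the LABRAT IoCs from the article against sample log lines.

Added example, not part of the original article. The indicator values are the
ones published above; the log lines below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# IoCs copied from the article, in their defanged form.
DEFANGED_URLS = [
    "hxxps://separate-discussing-refrigerator-field.trycloudflare[.]com",
    "hxxps://passage-television-gardening-venue.trycloudflare[.]com",
    "hxxps://coffee-abandoned-predicted-skype.trycloudflare[.]com",
    "hxxps://karma-adopt-income-jeffrey.trycloudflare[.]com",
]
DEFANGED_IPS = [
    "1.234.16[.]54", "123.30.179[.]206", "192.227.165[.]88",
    "172.245.226[.]47", "23.94.204[.]157", "107.173.154[.]7",
]
DEFANGED_DOMAINS = ["desertplanets[.]com"]


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into its matchable form."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.lower()


def build_indicator_sets():
    """Return (hostnames, ips) as lowercase sets ready for exact matching."""
    hosts = {urlparse(refang(u)).hostname for u in DEFANGED_URLS}
    hosts |= {refang(d) for d in DEFANGED_DOMAINS}
    ips = {refang(ip) for ip in DEFANGED_IPS}
    return hosts, ips


HOSTS, IPS = build_indicator_sets()

# Constructed sample log lines (not real telemetry): Squid-style proxy lines,
# BIND-style DNS query lines, and a benign line that should not match.
SAMPLE_LOGS = [
    "1692000000.123 45 10.0.0.5 TCP_TUNNEL/200 1234 CONNECT "
    "karma-adopt-income-jeffrey.trycloudflare.com:443 - HIER_DIRECT/104.16.0.1 -",
    "client 10.0.0.7#4123: query: desertplanets.com IN A + (10.0.0.2)",
    "client 10.0.0.9#5555: query: some-random-words-here.trycloudflare.com IN A + (10.0.0.2)",
    "1692000001.456 12 10.0.0.5 TCP_MISS/200 512 GET http://172.245.226.47/setup.sh "
    "- HIER_DIRECT/172.245.226.47 -",
    "client 10.0.0.4#4000: query: gitlab.example.com IN A + (10.0.0.2)",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (confidence, indicator) for a hit, or None for a clean line."""
    lower = line.lower()
    for ip in IP_RE.findall(lower):
        if ip in IPS:
            return ("high", ip)
    hosts_in_line = HOST_RE.findall(lower)
    for host in hosts_in_line:
        if host in HOSTS:
            return ("high", host)
    for host in hosts_in_line:
        # Unknown trycloudflare.com subdomains are worth a look: the campaign
        # used throwaway tunnels, so the published list is unlikely to be complete.
        if host.endswith(".trycloudflare.com"):
            return ("medium", host)
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan lines and return (line_index, confidence, indicator) for each hit."""
    hits = []
    for idx, line in enumerate(lines):
        result = classify(line)
        if result:
            hits.append((idx, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for idx, confidence, indicator in scan(SAMPLE_LOGS):
        print(f"[{confidence}] line {idx}: {indicator}")
```

Exact matches on the listed IPs and hostnames are the high-confidence alerts; the medium-confidence trycloudflare.com match is a hunting lead rather than a verdict, because legitimate developers also use Cloudflare quick tunnels.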

Additional Information

  • Proxyjacking allows the attacker to “rent” the compromised system out to a proxy network, basically selling the compromised IP Address.
  • Cryptojacking is a type of cybercrime that involves the unauthorized use of people's devices by cybercriminals to mine for cryptocurrency.

References:

Hernández, M. (2023). LABRAT: Stealthy cryptojacking and proxyjacking campaign targeting GitLab. Sysdig. https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/?web_view=true

The Hacker News. (n.d.). New LABRAT campaign exploits GitLab flaw for cryptojacking and proxyjacking activities. https://thehackernews.com/2023/08/new-labrat-campaign-exploits-gitlab.html


More articles by Nimnaka Kumaradasa
