DIVD-2022-00004 - Post-Log4J Open Database C2 and Monero Miner Infections
| Our reference | DIVD-2022-00004 |
| Case lead | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Product | To be published |
| Versions | any |
| Recommendation | Check your system for active Monero mining software, check for unknown users and SSH keys, and when applicable ensure your database instances are properly secured. |
| Status | Closed |
| Last modified | 12 Aug 2022 11:21 CEST |
Summary
During the Log4J crisis, there was an active campaign going on by Team TNT to infect servers using the Log4Shell vulnerability (CVE-2021-44228) and install crypto miners. In this campaign, open database instances were used to control the infected servers, forming a botnet. The first attack was discovered on Sunday, December 13th, and multiple thousands of servers still seem to be used for this purpose, and with these thousands, a similar number of servers mining Monero for Team TNT.
What you can do
- Ensure you are patched to the latest Log4J version and ensure any open database instances are properly secured. If you run Log4J, please check for any unknown SSH keys and users and the Monero miner software XMrig. Common user names are zoor and hilde. If you run an unprotected database instance, check for any keys of which the value contains a URL ending with .sh. If you find this malware or are unsure, we recommend you reinstall your server to eliminate any possibilities or malware remaining on the server.
What we are doing
- DIVD is currently ensuring that the owners of databases with sensitive data are being notified.
- DIVD is investigating if we can start informing individuals who were compromised.
Timeline
| Date | Description |
|---|---|
| 13 Dec 2021 | Team TNT Log4J payload found in IPS logging. |
| 12 Jan 2022 | Open database instances found used for C2. |
| 13 Jan 2022 | Case Opened |
| 13 Jan 2022 | DIVD started scanning for open database instances. |
| 15 Jan 2022 | DIVD created a first list of servers used for C2. |
| 16 Jan 2022 | DIVD took notice of present data leaks on victim servers. |
| 19 Jan 2022 | First version of this case file. |
| 25 Jan 2022 | DIVD starts first round of notifications. |
| 09 Feb 2022 | DIVD finishes data leak notifiications. |
| 16 Feb 2022 | DIVD notified 9.354 server owners of malicious activity internationally. |
| 18 Feb 2022 | Dutch Security Information Clearinghouse notifies 291 server owners within the Netherlands. |
| 18 Feb 2022 | DIVD starts monitoring for improvement of the situation. |
| 18 Apr 2022 | DIVD initiates a second round of notifications to unpatched parties. |
| 25 May 2022 | DIVD starts closing procedure including reporting. |
gantt
title DIVD-2022-00004 - Post-Log4J Open Database C2 and Monero Miner Infections
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2022-00004 - Post-Log4J Open Database C2 and Monero Miner Infections (132 days) :2022-01-13, 2022-05-25
section Events
Team TNT Log4J payload found in IPS logging. : milestone, 2021-12-13, 0d
Open database instances found used for C2. : milestone, 2022-01-12, 0d
Case Opened : milestone, 2022-01-13, 0d
DIVD started scanning for open database instances. : milestone, 2022-01-13, 0d
DIVD created a first list of servers used for C2. : milestone, 2022-01-15, 0d
DIVD took notice of present data leaks on victim servers. : milestone, 2022-01-16, 0d
First version of this case file. : milestone, 2022-01-19, 0d
DIVD starts first round of notifications. : milestone, 2022-01-25, 0d
DIVD finishes data leak notifiications. : milestone, 2022-02-09, 0d
DIVD notified 9.354 server owners of malicious activity internationally. : milestone, 2022-02-16, 0d
Dutch Security Information Clearinghouse notifies 291 server owners within the Netherlands. : milestone, 2022-02-18, 0d
DIVD starts monitoring for improvement of the situation. : milestone, 2022-02-18, 0d
DIVD initiates a second round of notifications to unpatched parties. : milestone, 2022-04-18, 0d
DIVD starts closing procedure including reporting. : milestone, 2022-05-25, 0d