Skip to the content.

DIVD-2022-00004 - Post-Log4J Open Database C2 and Monero Miner Infections

Our reference DIVD-2022-00004
Case lead Max van der Horst
Researcher(s)
CVE(s)
Product To be published
Versions any
Recommendation Check your system for active Monero mining software, check for unknown users and SSH keys, and when applicable ensure your database instances are properly secured.
Status Open
Last modified 18 Feb 2022 10:00

Summary

During the Log4J crisis, there was an active campaign going on by Team TNT to infect servers using the Log4Shell vulnerability (CVE-2021-44228) and install crypto miners. In this campaign, open database instances were used to control the infected servers, forming a botnet. The first attack was discovered on Sunday, December 13th, and multiple thousands of servers still seem to be used for this purpose, and with these thousands, a similar number of servers mining Monero for Team TNT.

What you can do

What we are doing

Timeline

Date Description
13 Dec 2021 Team TNT Log4J payload found in IPS logging.
12 Jan 2022 Open database instances found used for C2.
13 Jan 2022 Case Opened
13 Jan 2022 DIVD started scanning for open database instances.
15 Jan 2022 DIVD created a first list of servers used for C2.
16 Jan 2022 DIVD took notice of present data leaks on victim servers.
19 Jan 2022 First version of this case file.
25 Jan 2022 DIVD starts first round of notifications.
09 Feb 2022 DIVD finishes data leak notifiications.
16 Feb 2022 DIVD notified 9.354 server owners of malicious activity internationally.
18 Feb 2022 Dutch Security Information Clearinghouse notifies 291 server owners within the Netherlands.
18 Feb 2022 DIVD starts monitoring for improvement of the situation.
gantt title DIVD-2022-00004 - Post-Log4J Open Database C2 and Monero Miner Infections dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00004 - Post-Log4J Open Database C2 and Monero Miner Infections (still open) :2022-01-13, 2022-05-23 section Events Team TNT Log4J payload found in IPS logging. : milestone, 2021-12-13, 0d Open database instances found used for C2. : milestone, 2022-01-12, 0d Case Opened : milestone, 2022-01-13, 0d DIVD started scanning for open database instances. : milestone, 2022-01-13, 0d DIVD created a first list of servers used for C2. : milestone, 2022-01-15, 0d DIVD took notice of present data leaks on victim servers. : milestone, 2022-01-16, 0d First version of this case file. : milestone, 2022-01-19, 0d DIVD starts first round of notifications. : milestone, 2022-01-25, 0d DIVD finishes data leak notifiications. : milestone, 2022-02-09, 0d DIVD notified 9.354 server owners of malicious activity internationally. : milestone, 2022-02-16, 0d Dutch Security Information Clearinghouse notifies 291 server owners within the Netherlands. : milestone, 2022-02-18, 0d DIVD starts monitoring for improvement of the situation. : milestone, 2022-02-18, 0d

More information