A threat actor tracked as Crystalray has come to light for using open source software (OSS) to scale up its credential-theft and cryptomining operations. Researchers at Sysdig first observed the group in February, when it exploited known vulnerabilities in Atlassian's Confluence to gain access and then ran "SSH-Snake", an open source SSH lateral-movement tool, to spread through the compromised environment. Since then, Sysdig has watched the group fold further OSS tools into every stage of its attack chain.
Because it spends no effort writing its own malware, Crystalray has been able to grow quickly: its activity rose sharply this spring, it has hit more than 1,800 unique IP addresses worldwide, and hundreds of infections are active at any given time. Most victims are in the United States and China.
The attack chain starts with passive reconnaissance using "ASN", an OSINT lookup tool that queries Shodan's database for open ports, known vulnerabilities and other host data, so the target receives no packets from the attacker at this stage. Next comes active scanning with "zmap", a fast Internet-wide port scanner, to find hosts exposing the specific ports on which vulnerable services run. The HTTP toolkit "httpx" is then used to confirm which of those hosts are actually serving live web applications.
With live targets in hand, Crystalray runs the template-based vulnerability scanner "nuclei" to identify known vulnerabilities on them. Those have included critical, high-CVSS bugs in Confluence, CentOS Control Web Panel, Ignition for Laravel and Ignite Realtime Openfire. The group writes no exploits of its own; it reuses public proof-of-concept exploits to deliver its payloads.
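The scan-to-exploit chain above (passive lookup, port scan, HTTP liveness check, then nuclei) leaves a recognisable footprint in a web server's access log: a single source that suddenly requests many unrelated paths within a few seconds, often still carrying nuclei's default User-Agent string. The script below is an added example written for this page, not code from Sysdig, from the Crystalray campaign or from any of the tools named. The access-log lines are constructed, the probe paths are generic ones chosen for illustration, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# nuclei identifies itself with this User-Agent unless the operator overrides it.
NUCLEI_UA_MARKER = "Nuclei - Open-source project"

# Assumed tuning values: this many distinct paths from one source inside this
# many seconds is treated as a template-scanning burst. Adjust per site.
WINDOW_SECONDS = 60
DISTINCT_PATH_THRESHOLD = 5

UA_REASON = "nuclei default user-agent"
BURST_REASON = "path burst"


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def detect_scanners(lines):
    """Return {source_ip: set(reasons)} for sources that look like automated scanning.

    Two independent signals: the nuclei default User-Agent (cheap, but trivially
    changed by the attacker) and a burst of distinct paths from one IP inside a
    sliding time window (survives a changed User-Agent).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        if any(NUCLEI_UA_MARKER in r["ua"] for r in recs):
            reasons.add(UA_REASON)

        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most WINDOW_SECONDS.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            distinct = {r["path"] for r in recs[start:end + 1]}
            if len(distinct) >= DISTINCT_PATH_THRESHOLD:
                reasons.add(BURST_REASON)
                break

        if reasons:
            findings[ip] = reasons
    return findings


# --- constructed sample input (not real traffic) ---------------------------
NUCLEI_UA = "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"


def _line(ip, ts, request, status, ua, referer="-"):
    return f'{ip} - - [{ts}] "{request}" {status} 0 "{referer}" "{ua}"'


SAMPLE_LOG = [
    # Scanner that kept nuclei's default User-Agent: six probes in two seconds.
    _line("203.0.113.7", "10/Jul/2024:12:00:01 +0000", "GET / HTTP/1.1", 200, NUCLEI_UA),
    _line("203.0.113.7", "10/Jul/2024:12:00:01 +0000", "GET /.env HTTP/1.1", 404, NUCLEI_UA),
    _line("203.0.113.7", "10/Jul/2024:12:00:02 +0000", "GET /login.action HTTP/1.1", 404, NUCLEI_UA),
    _line("203.0.113.7", "10/Jul/2024:12:00:02 +0000", "GET /actuator/health HTTP/1.1", 404, NUCLEI_UA),
    _line("203.0.113.7", "10/Jul/2024:12:00:03 +0000", "GET /server-status HTTP/1.1", 403, NUCLEI_UA),
    _line("203.0.113.7", "10/Jul/2024:12:00:03 +0000", "GET /wp-login.php HTTP/1.1", 404, NUCLEI_UA),
    # Ordinary browsing session: three requests spread over nine minutes.
    _line("198.51.100.20", "10/Jul/2024:12:00:05 +0000", "GET / HTTP/1.1", 200, BROWSER_UA),
    _line("198.51.100.20", "10/Jul/2024:12:03:40 +0000", "GET /docs HTTP/1.1", 200, BROWSER_UA, "https://example.test/"),
    _line("198.51.100.20", "10/Jul/2024:12:09:12 +0000", "POST /login HTTP/1.1", 302, BROWSER_UA, "https://example.test/docs"),
    # Scanner that changed its User-Agent; only the burst signal catches it.
    _line("203.0.113.9", "10/Jul/2024:13:15:00 +0000", "GET / HTTP/1.1", 200, "curl/8.6.0"),
    _line("203.0.113.9", "10/Jul/2024:13:15:04 +0000", "GET /.git/config HTTP/1.1", 404, "curl/8.6.0"),
    _line("203.0.113.9", "10/Jul/2024:13:15:09 +0000", "GET /admin HTTP/1.1", 404, "curl/8.6.0"),
    _line("203.0.113.9", "10/Jul/2024:13:15:13 +0000", "GET /console HTTP/1.1", 404, "curl/8.6.0"),
    _line("203.0.113.9", "10/Jul/2024:13:15:20 +0000", "GET /phpinfo.php HTTP/1.1", 404, "curl/8.6.0"),
]


def scan_sample():
    return detect_scanners(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, reasons in sorted(scan_sample().items()):
        print(ip, sorted(reasons))
```

The User-Agent match is the cheapest signal but also the weakest, since a single command-line flag changes it; the second scanner in the sample shows why the per-source path-burst check is the one worth keeping, with the threshold tuned against the site's normal traffic so that legitimate crawlers and users are not flagged.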
Those payloads have included the Sliver command-and-control framework and Platypus, a reverse-shell manager that can handle many sessions at once. Some of these are legitimate open source tools; only the group's use of them is malicious. Beyond establishing access, Crystalray harvests credentials for cloud platforms and SaaS email services and sells them on underground markets, and it runs two cryptominers, which bring in a modest sum of roughly $200 per month.
Michael Clark, director of threat research at Sysdig, notes that such extensive use of legitimate open source security software for malicious ends is uncommon. While OSS gives attackers efficiency and convenience, the fact that defenders can also obtain and study the same tools works against the attackers. Even so, the tools' sophistication makes detection harder, because they are carefully built to emulate realistic, advanced attacks.
In short, Crystalray's reliance on OSS to run its campaigns reflects a concerning trend. Its use of off-the-shelf open source tooling at every stage of the attack underscores the need for vigilance and rapid response to such threats.
