Eight Australian web hosting providers were compromised in a malware attack in May last year, with customers’ websites accessed and used as a front for “financial gain”.
The attack was detailed this morning by the Australian Cyber Security Centre (ACSC), which said it detected and then worked with the providers to mitigate against the attack.
None of the eight web hosts is named by the ACSC.
“While we will not be identifying the web hosting providers, it is important to note that all affected web hosting providers were advised to take remediation actions and we commend them for working collaboratively with us,” ACSC head Alastair MacGibbon said in a statement.
The attackers wanted access to legitimate websites “to add validity to their activities”, which included “search engine optimisation (SEO), advertising injection and cryptocurrency mining”, the ACSC said in a detailed technical report [pdf] accompanying the disclosure.
The attackers used vulnerabilities within web applications to gain initial access to web servers before installing malware including password stealing tools and the “Gh0st” Remote Access Tool (RAT).
Gh0st was used for “remote access to victims’ systems” as well as “to both upload and download files without the user’s knowledge or consent”, the ACSC said.
ACSC said that the attackers rarely needed privilege escalation in order to carry out their activities once inside - due to “misconfigured web servers” - but they were resourceful and persistent enough to get it where required.
“The actor’s privilege escalation tools were all public proof of concepts (POC) and demonstrated an ability to quickly use new POC exploits,” the centre said.
One vulnerability used for privilege escalation - CVE-2018-1038, also known as TotalMeltdown - “was released publicly in late April 2018 and uploaded to a web hosting provider a few days later,” the ACSC said.
Two compromised hosts were used for mining the cryptocurrency Monero. The ACSC tracked the takings: “As of 18 June 2018, the actor had made a total of 22.57 XMR (Monero) with an approximate value of $3868 AUD,” it said.
The ACSC said that the actor also “modified other sites on hosting providers to boost SEO rankings or to redirect legitimate traffic to sites selling illegitimate products.”
In the wake of the malware campaign and attacks - which the ACSC has dubbed ‘Manic Menagerie’ - the centre advised hosts and others to patch web applications and CMSs, disable plugins, and reset user credentials.