‘CrystalRay’ Expands Arsenal, Hits 1,500 Targets with SSH-Snake and Open Source Tools


The ‘CrystalRay’ threat actor behind a February wave of attacks using the SSH-Snake penetration testing tool has significantly increased their operation, hitting thousands of victims with an expanded arsenal.

Developed by Australian security researcher Joshua Rogers to harvest SSH keys and use them for automatic network traversal, SSH-Snake made it to the headlines in February when more than 100 organizations had their credentials stolen using the tool.

A self-replicating and self-propagating fileless tool, SSH-Snake was intended for hacking purposes, acting like a worm. However, Rogers told SecurityWeek in February that the tool only capitalizes on security mis-architecture and automates what humans can already do.

Five months after the first report of SSH-Snake’s malicious use, Sysdig says that the threat actor behind the initial attack, now tracked as CrystalRay, has expanded its toolset with mass scanning, exploitation of multiple vulnerabilities, and backdoors deployed using open source software (OSS) security tools.

The malicious hackers are focused on stealing credentials that are then sold for profit, deploying crypto-miners, and establishing persistence on the compromised environments, the company said.

In addition to SSH-Snake, CrystalRay has been observed using OSS tools such as ASN (enables network data investigation and reconnaissance), ZMap (for port scanning to identify vulnerable services), httpx (multi-purpose HTTP probing tool), and Nuclei (vulnerability scanner).

The actor also attempted to discover services such as ActiveMQ, Confluence, Metabase, WebLogic, Solr, Openfire, RocketMQ, and Laravel, and to exploit vulnerabilities such as CVE-2022-44877, CVE-2021-3129, and CVE-2019-18394.

In some cases, CrystalRay hackers were observed using Nuclei to identify potential honeypots on the scanned ports and ensure that they remain undetected. According to Sysdig, the hackers also use the Golang-based pdtm project to manage and maintain their open source tools and rely on SSH-Snake for lateral movement. In some instances, the adversary also attempted to move to other platforms, including service providers.


The threat actor would deploy a payload generated using the open source, cross-platform adversary emulation/red team framework Sliver for persistence and was seen using the open source tool Platypus to manage victims.

“CrystalRay is able to discover and extract credentials from vulnerable systems, which are then sold on black markets for thousands of dollars. The credentials being sold involve a multitude of services, including cloud service providers and SaaS email providers,” Sysdig added.

Additionally, the adversary would exfiltrate various files of interest from the victims’ machines and deploy cryptominers to further monetize the unauthorized access.

“CrystalRay’s operations prove how easily an attacker can maintain and control access to victim networks using only open source and penetration testing tools. Therefore, implementing detection and prevention measures to withstand attacker persistence is necessary. The first step to avoid the vast majority of these automated attacks is to reduce the attack surface through vulnerability, identity, and secrets management,” Sysdig added.
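The secrets-management step Sysdig recommends can be made concrete. As an added example (not Sysdig's, SSH-Snake's or CrystalRay's code), the Python audit below flags the material the worm relies on, private keys stored without a passphrase, by parsing the openssh-key-v1 header for a cipher name of "none" and checking legacy PEM files for an encryption header. The key texts and paths are constructed for the example.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text: str) -> dict:
    """Report whether a private key file is encrypted at rest.
    openssh-key-v1 blobs start with the magic, then ciphername and kdfname;
    a ciphername of 'none' means no passphrase protects the key. Legacy PEM
    keys signal a passphrase only via 'Proc-Type: 4,ENCRYPTED' (or PKCS#8
    'ENCRYPTED PRIVATE KEY')."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(b64)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(raw, off)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
    if "PRIVATE KEY-----" in text:
        enc = "Proc-Type: 4,ENCRYPTED" in text or "ENCRYPTED PRIVATE KEY" in text
        return {"format": "pem", "encrypted": enc}
    raise ValueError("not a private key file")  # known_hosts, config, etc.


def audit_key_files(files: dict) -> list:
    """files maps path -> text. Returns paths of passphrase-less private keys."""
    findings = []
    for path, text in files.items():
        try:
            if not classify_private_key(text)["encrypted"]:
                findings.append(path)
        except ValueError:
            continue
    return findings


def scan_ssh_dir(directory: str) -> list:
    """Audit every regular file in a ~/.ssh-style directory."""
    files = {}
    for name in os.listdir(directory):
        p = os.path.join(directory, name)
        if os.path.isfile(p):
            with open(p, "r", errors="replace") as fh:
                files[p] = fh.read()
    return audit_key_files(files)


def build_openssh_header(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED sample: only the header fields classify_private_key reads."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    blob += struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed inputs with hypothetical paths: one unprotected key, two encrypted.
SAMPLE_FILES = {
    "/home/app/.ssh/id_ed25519": build_openssh_header(b"none", b"none"),
    "/home/app/.ssh/id_deploy": build_openssh_header(b"aes256-ctr", b"bcrypt"),
    "/home/app/.ssh/legacy.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n(body omitted)\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for p in audit_key_files(SAMPLE_FILES):
        print("passphrase-less private key:", p)
```

Run `scan_ssh_dir("/home/app/.ssh")` on a real host to produce the same report from files on disk.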
