
CRYSTALRAY Hacker Expands to 1,500 Breached Systems with SSH-Snake Tool

Updated on July 12, 2024

A threat actor tracked as CRYSTALRAY has significantly expanded its operations with new tactics and exploits and now affects more than 1,500 victims, whose credentials have been stolen and on whose systems cryptominers have been deployed. Researchers at Sysdig have followed the actor since February 2024, when they first reported its use of the open-source SSH-Snake tool to move laterally inside breached networks.

SSH-Snake is an open-source, self-propagating script. On each server it reaches it searches for SSH private keys and for clues about where those keys are accepted, then uses them to log into further servers, where it drops additional payloads and repeats the process. Sysdig initially identified roughly 100 CRYSTALRAY victims of SSH-Snake attacks, which showed how effectively stolen private keys enable quiet lateral movement: every hop looks like a legitimate key-based login.


Sysdig now reports that CRYSTALRAY's operations have scaled to 1,500 victims through mass scanning, exploitation of multiple vulnerabilities and the placement of backdoors, all built from off-the-shelf open-source security tools. The actor's goals are to collect and sell credentials, deploy cryptominers and maintain persistence in victim environments. The tools it relies on include zmap (internet-scale port scanning), asn (IP and ASN lookups to pick target ranges), httpx (probing for live web services), nuclei (template-based vulnerability scanning of those services), platypus (reverse shell management) and SSH-Snake.

CRYSTALRAY targets several vulnerabilities in its current operations, including:

  • CVE-2022-44877: Unauthenticated command injection in Control Web Panel (CWP) 7
  • CVE-2021-3129: Unauthenticated remote code execution through the Ignition debug page used by Laravel (exploitable only when debug mode is on)
  • CVE-2019-18394: Server-side request forgery (SSRF) in Ignite Realtime Openfire

The attackers use Platypus, a web-based manager, to juggle multiple reverse shell sessions on breached systems, while SSH-Snake remains the primary propagation tool. Once SSH keys are retrieved, SSH-Snake uses them to log into new systems, copies itself there and repeats the process. Besides spreading the infection, it exfiltrates the captured keys and bash histories to CRYSTALRAY's command and control (C2) server; bash history is valuable to the operators because it records the ssh and scp commands, and therefore the hosts and usernames, that the key's owner actually used.
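What SSH-Snake's discovery phase finds on a host is easy to audit for yourself. The following is an added example written for this article, not code from CRYSTALRAY, SSH-Snake or Sysdig: it walks a directory tree and reports the same things the worm looks for, namely private keys (and whether they are passphrase-protected), destinations listed in known_hosts, ~/.ssh/config and shell history, and the key/target pairs a worm would try, without making any connection. The directory layout, key blobs, host names and history lines are constructed fixtures; the OpenSSH key container parsing and the known_hosts and ssh_config handling follow the documented formats, and hashed known_hosts entries are recognised by the standard |1| prefix.

```python
# Exposure audit that mirrors SSH-Snake's discovery phase. Added example for this article,
# not CRYSTALRAY's, SSH-Snake's or Sysdig's code. It walks a directory tree and reports what
# a key-stealing worm would find there; it never opens a network connection.
import base64
import re
import struct
import tempfile
from pathlib import Path

PEM_HEADER = re.compile(rb"-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
REMOTE_CMD = re.compile(r"^\s*(?:ssh|scp|sftp|rsync)\s")
TARGET = re.compile(r"(?:(?P<user>[\w.-]+)@(?P<host>[\w.-]+)|(?P<ip>(?:\d{1,3}\.){3}\d{1,3}))")

def key_is_encrypted(blob):
    """True/False for the formats understood here, None if undecidable."""
    if b"Proc-Type: 4,ENCRYPTED" in blob:                 # legacy PEM encryption marker
        return True
    if not blob.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----"):
        return False                                       # legacy PEM without the marker: plaintext
    try:
        raw = base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))
    except ValueError:
        return None
    if not raw.startswith(b"openssh-key-v1\x00"):          # magic, then string ciphername, string kdfname
        return None
    (n,) = struct.unpack(">I", raw[15:19])
    return raw[19:19 + n] != b"none"

def find_private_keys(root):
    keys = []
    for p in root.rglob("*"):
        if p.is_file() and p.stat().st_size <= 16384:
            blob = p.read_bytes()
            if PEM_HEADER.match(blob):
                keys.append({"path": p, "encrypted": key_is_encrypted(blob)})
    return keys

def discover_targets(root):
    """Hosts the worm would try next, from known_hosts, ~/.ssh/config and shell history."""
    targets, warnings = set(), []
    for p in root.rglob("known_hosts"):
        for line in p.read_text().splitlines():
            if line.strip() and not line.startswith(("#", "@", "|1|")):   # |1| = hashed entry, unreadable
                targets.update(line.split()[0].split(","))
    for p in root.rglob(".ssh/config"):
        for block in re.split(r"(?mi)^Host[ \t]+", p.read_text())[1:]:
            alias, _, body = block.partition("\n")
            opts = {k.lower(): v for k, v in re.findall(r"(?m)^[ \t]*(\w+)[ \t]+(\S+)", body)}
            if not re.search(r"[*?]", alias):
                targets.add((opts["user"] + "@" if "user" in opts else "") + opts.get("hostname", alias.strip()))
            if opts.get("forwardagent", "").lower() == "yes":   # agent keys become usable from that host
                warnings.append(f"ForwardAgent yes for Host {alias.strip()} in {p}")
    for p in root.rglob(".*_history"):
        for line in p.read_text(errors="replace").splitlines():
            if REMOTE_CMD.match(line):
                targets.update(f"{m['user']}@{m['host']}" if m["host"] else m["ip"] for m in TARGET.finditer(line))
    return targets, warnings

def audit(root):
    keys = find_private_keys(root)
    targets, warnings = discover_targets(root)
    warnings += [f"unencrypted private key {k['path']}" for k in keys if k["encrypted"] is False]
    # what the worm tries next: every readable key against every discovered destination
    paths = [(k["path"].name, t) for k in keys for t in sorted(targets)]
    return {"keys": keys, "targets": targets, "warnings": warnings, "candidate_paths": paths}

def build_sample_tree():
    """Constructed fixture with two home directories; keys are synthetic blobs with valid headers only."""
    root = Path(tempfile.mkdtemp(prefix="sshsnake-audit-"))
    deploy, ops = root / "deploy" / ".ssh", root / "ops" / ".ssh"
    deploy.mkdir(parents=True)
    ops.mkdir(parents=True)

    def openssh_blob(cipher):   # openssh-key-v1 container laid out as far as the cipher name
        raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 32
        return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw) + b"\n-----END OPENSSH PRIVATE KEY-----\n"

    (deploy / "id_rsa").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nMIIEsynthetic\n-----END RSA PRIVATE KEY-----\n")
    (deploy / "id_ed25519").write_bytes(openssh_blob(b"aes256-ctr"))   # passphrase-protected
    (ops / "deploy_key").write_bytes(openssh_blob(b"none"))            # plaintext: what the worm wants
    (deploy / "known_hosts").write_text("10.0.0.12 ssh-ed25519 AAAAsynthetic\n"
                                        "bastion.example.com,203.0.113.5 ssh-rsa AAAAsynthetic\n"
                                        "|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAsynthetic\n")
    (deploy / "config").write_text("Host jump\n  HostName bastion.example.com\n  User admin\n"
                                   "  ForwardAgent yes\n\nHost *\n  ServerAliveInterval 60\n")
    (root / "deploy" / ".bash_history").write_text("ls -la\nssh -i ~/.ssh/id_rsa deploy@10.0.0.12\n"
                                                   "scp backup.tar.gz ops@db-01.internal:/srv/\nssh 10.0.0.13\n")
    return root

if __name__ == "__main__":
    report = audit(build_sample_tree())
    print(*report["warnings"], sep="\n")
    print(sorted(report["targets"]), len(report["candidate_paths"]), "key/target pairs the worm would try")
```

Run it as-is to see the report on the fixture, or call audit(Path("/home")) as root on a real machine. An unencrypted key next to an unhashed known_hosts is exactly the combination the worm needs; the candidate_paths count is the number of logins it would attempt from that host, and every warning is a concrete hygiene fix.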

CRYSTALRAY also harvests credentials stored in configuration files and environment variables, using scripts to automate the collection. The stolen credentials are sold on the dark web or via Telegram. In addition, CRYSTALRAY deploys cryptominers on breached systems to monetize the hosts' processing power, and runs a script that kills any cryptominers already present so that its own miner gets the whole machine.

Because CRYSTALRAY's initial access relies on known, already patched vulnerabilities, the most effective mitigation is to keep the attack surface small: apply security updates promptly as vulnerabilities are disclosed, keep panels such as CWP off the public internet, and never run Laravel with debug mode enabled in production. The lateral-movement phase deserves its own controls, since SSH-Snake only works where readable keys and a list of destinations coexist: protect server-side private keys with passphrases or avoid storing them on servers at all, disable SSH agent forwarding where it is not needed, set HashKnownHosts yes so known_hosts does not read as a target list, and alert on a single source address authenticating to many hosts in a short period, which is what SSH-Snake looks like in sshd logs.
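Patching closes the entry points; catching an SSH-Snake-style spread that is already under way needs a log check. The detector below is an added example for this article, not Sysdig's detection logic or CRYSTALRAY's code. It parses centralised sshd syslog lines (the format of OpenSSH's "Accepted publickey for USER from IP port N ssh2: TYPE SHA256:..." messages) and alerts when one source address logs into at least four distinct hosts within five minutes, reporting the accounts and key fingerprints involved. The log lines, host names, addresses and thresholds are constructed or assumed for illustration; the year is not present in syslog timestamps, so ordering assumes a single year of data.

```python
# Fan-out detector for SSH-Snake-style spread. Added example for this article, not Sysdig's
# detection logic or CRYSTALRAY's code. It reads centralised sshd syslog lines and flags a
# source address that logs into many distinct hosts, often as different users, in a short window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<dst>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2(?:: \S+ (?P<fp>SHA256:\S+))?"
)

# Constructed sample: five hops from 10.0.0.12 in eleven seconds, plus ordinary admin logins.
SAMPLE_LOG = """\
Jul 10 02:14:01 web-01 sshd[2231]: Accepted publickey for deploy from 10.0.0.12 port 51230 ssh2: RSA SHA256:k1synthetic
Jul 10 02:14:03 db-01 sshd[3312]: Accepted publickey for ops from 10.0.0.12 port 51231 ssh2: ED25519 SHA256:k2synthetic
Jul 10 02:14:05 cache-01 sshd[1180]: Accepted publickey for root from 10.0.0.12 port 51232 ssh2: RSA SHA256:k1synthetic
Jul 10 02:14:09 web-02 sshd[2240]: Accepted publickey for deploy from 10.0.0.12 port 51233 ssh2: RSA SHA256:k1synthetic
Jul 10 02:14:12 mon-01 sshd[4410]: Accepted publickey for deploy from 10.0.0.12 port 51234 ssh2: RSA SHA256:k1synthetic
Jul 10 02:14:20 web-01 sshd[2250]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jul 10 02:20:00 web-01 sshd[2260]: Accepted publickey for alice from 192.168.1.20 port 53000 ssh2: ED25519 SHA256:k3synthetic
Jul 10 03:02:30 db-01 sshd[3390]: Accepted publickey for alice from 192.168.1.20 port 53010 ssh2: ED25519 SHA256:k3synthetic
Jul 10 03:05:00 web-02 sshd[2301]: Accepted password for bob from 192.168.1.21 port 53020 ssh2
"""

def parse(lines):
    """Yield (time, dst_host, user, src_ip, fingerprint) per accepted login. Syslog timestamps
    carry no year, so this assumes one year of data and C-locale month names (assumption)."""
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["dst"], m["user"], m["src"], m["fp"]

def detect_fanout(lines, window_seconds=300, min_hosts=4):
    """One alert per source whose accepted logins reach >= min_hosts distinct hosts inside the window."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, dst, user, src, fp in parse(lines):
        by_src[src].append((ts, dst, user, fp))
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        j = 0
        for i, (start, *_) in enumerate(events):
            while j < len(events) and events[j][0] - start <= window:   # slide the window's right edge
                j += 1
            span = events[i:j]
            hosts = {e[1] for e in span}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "from": start, "to": span[-1][0], "hosts": hosts,
                               "users": {e[2] for e in span}, "fingerprints": {e[3] for e in span} - {None}})
                break   # one alert per source is enough to start triage
    return alerts

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG.splitlines()):
        print(f"{a['src']} reached {len(a['hosts'])} hosts as {sorted(a['users'])} "
              f"between {a['from']:%H:%M:%S} and {a['to']:%H:%M:%S} using {len(a['fingerprints'])} keys")
```

The signal is the combination, not any single login: several distinct hosts, several distinct accounts and more than one key fingerprint from one source inside a few minutes is a key-stealing worm working through its list, whereas an administrator's session fans out slowly and under one account. Tune window_seconds and min_hosts against a week of your own logs before alerting on it.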


Abdul Rehman
