RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability

Summary:
The adversary behind the RedTail cryptocurrency mining malware has added a new exploit, Palo Alto PAN-OS CVE-2024-3400, to their attack vector quiver. The addition of the PAN-OS vulnerability is not the only upgrade to the adversary’s toolkit: the cryptocurrency malware itself has been updated with new anti-analysis techniques. The attackers have also taken a step forward by employing private cryptomining pools for greater control over mining outcomes, despite the increased operational and financial costs. This closely resembles tactics used by the Lazarus group, leading to speculation about attribution. The malware spreads using at least six different web exploits, targeting Internet of Things (IoT) devices, web applications, SSL-VPNs, and security devices such as Ivanti Connect Secure and Palo Alto GlobalProtect that are widely employed by organizations across various critical sectors. This specific activity was observed from early April 2024 to early May 2024.

The miner configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of cryptomining. They use the newer RandomX algorithm, which makes use of nonuniform memory access (NUMA) nodes to enhance efficiency, and they also enable the hugepages configuration. By zooming out and looking at all the attacks observed by Akamai that involved the same malware server that was serving the new variant, the researchers found that this threat actor was also targeting additional CVEs, including the recent Ivanti Connect Secure SSL-VPN vulnerabilities CVE-2023-46805 and CVE-2024-21887.

Analyst Comment:
When critical CVEs such as this are announced, organizations often see a flurry of activity that isn’t necessarily malicious. Especially when a public exploit proof of concept is available, researchers and defenders will often experiment with it themselves, causing a significant spike in activity. This can make it more difficult for CSaaS companies to accurately and efficiently sift through false positives when hunting for critical vulnerability intrusions.

In January 2024, GreyNoise also observed a cryptomining gang abusing the Ivanti SSL-VPN CVEs. However, the malicious activity observed was different enough for Akamai to speculate that this is a different threat actor, and the tactics utilized closely resemble those used by the Lazarus group. The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be another indication that this is the work of a nation-state threat group. Just like any for-profit organization, threat groups must go through significant product testing to produce malware as polished as RedTail, suggesting that this group has substantial financial backing. Notably, the Log4Shell exploits observed in the threat group’s first documented activity in January 2024 were not utilized in this activity cluster.

Suggested Corrections:
Relevant IOCs have been published in the Akamai researchers’ technical report, linked below.

Link(s):
https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html

https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit