CRYSTALRAY Group Targets 1,500 Organizations in 6 Months – Source: www.databreachtoday.com

Cryptocurrency Fraud
,
Cybercrime
,
Fraud Management & Cybercrime

Relatively New Threat Actor Uses Open-Source Tools, Focuses on US and China

Prajeet Nair (@prajeetspeaks) •
July 12, 2024    

A relatively new threat actor has compromised over 1,500 organizations worldwide since February, using open-source security tools to automate and streamline attack processes.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

The group, tracked as CRYSTALRAY, initially used the SSH-Snake penetration testing tool to exploit vulnerabilities in Confluence and has since expanded its toolkit to include ASN for initial network data investigation, Nuclei for vulnerability scanning, SSH-Snake for penetration, Sliver for maintaining connections to compromised systems and Platypus for managing ongoing attacks.

The attackers employ automated IP address scanning and vulnerability-checking services to identify potential targets. They primarily focus on known vulnerabilities in Activemq, Confluence, Laravel, Openfire, Rocketmq, Solr and Weblogic. Once they gain initial access, hackers conduct lateral movement attacks to uncover additional credentials, which are then sold on the dark web and used to deploy cryptomining operations.

CRYSTALRAY targets a wide range of countries, and the United States and China account for more than half of the attacked organizations. Other countries affected include Germany, Russia, France, India and the United Kingdom.

Researchers at Sysdig revealed in a report that the group’s operations have scaled tenfold since their initial attack. Tactics now include mass scanning, exploiting multiple vulnerabilities and placing backdoors with multiple OSS security tools.

Sysdig’s Threat Research Team first identified the SSH-Snake threat actor in February. Further investigation into the group, now identified as CRYSTALRAY, showed rapid expansion.

CRYSTALRAY’s motivations are to collect and sell credentials, deploy cryptominers and maintain persistence in victim environments. Some of the open-source tools used include Zmap, ASN, Httpx, Nuclei, Platypus and SSH-Snake.

Released on Jan. 4, SSH-Snake is a self-modifying worm that uses SSH credentials discovered on a compromised system to propagate throughout the network. It searches through known credential locations and shell history files, providing greater stealth, flexibility and configurability than typical SSH worms.

CRYSTALRAY’s reconnaissance processes and tools include numerous legitimate OSS tools from ProjectDiscovery. Attackers use a package manager called PDTM to manage and maintain these tools. The ASN tool helps the group generate IP ranges for specific countries, allowing for more precise scans compared to botnets or APT attacks. They combine ASN with Zmap for efficient multi-port scanning, identifying vulnerable services in targeted IP ranges.

Once they have Zmap results, CRYSTALRAY hackers use Httpx to verify if domains are live or false positives. This step is crucial for maintaining reliability in results before checking for known vulnerabilities using Nuclei, an open-source vulnerability scanner capable of operating at scale.

The group’s exploitation phase involves leveraging existing proofs of concept for vulnerabilities they identify. After verifying potential vulnerabilities, CRYSTALRAY exploits them to gain access, often using tools such as Platypus or Sliver to deliver malicious payloads.

To maintain access, CRYSTALRAY employs Sliver, an open-source adversary emulation framework. This tool supports C2 over various protocols and allows the group to persist in victim environments.