Drupal, Phishing and A New Cryptomining Botnet – Blog | Imperva
At Imperva, we use pattern anomaly detection as one of the tools to identify emerging threats and build new defenses. Our security researchers periodically analyze the detected patterns, and this is how we learned about the existence of the Ash botnet, a new botnet whose payload installs cryptomining malware.
While investigating attempts to attack close to 1,000 of its customers, Imperva researchers discovered that the payload was being delivered from several hundred IPs belonging to a large group of sites that Imperva itself protects, over a period spanning more than 30 days. The specificity and distinctiveness of this payload, together with the fact that it was being delivered by the same hacking tool, strongly suggests that all of these IPs were part of a single botnet.
Nadav Avital, threat research manager at Imperva, explained, “The unique thing about this particular botnet is that we were able to clearly see its activity from beginning to end. It’s not often that we see this kind of an anatomy of an attack.
“The dynamics in the Ash botnet are interesting, a mix of dedicated machines of the attackers combined with the long tail of the machines recruited into the botnet without anyone knowing. We could call it a ‘victimless crime’ because the machines do all the work for the attackers as innocent bystanders.
“The fact that it leveraged cryptomining isn’t really a surprise – the purpose was to infect servers with cryptomining malware, an easy way for hackers to make money today. The Ash botnet is an example of how cyber attacks are evolving. The technological bar for hackers is constantly getting lower and the time from an attack to actually getting paid is getting shorter.”
According to the researchers, unless the payload is blocked by existing security rules, which is not the case in a zero-day attack, a single victim site has a hard time detecting such a distributed attack campaign: each target sees only a handful of requests from each IP, nothing that stands out against normal traffic. A wider perspective encompassing multiple target sites, like that of a cloud-based security provider, is required.
From such a viewpoint, behavioral correlations between IPs across different target sites become evident and can be used to identify synchronized attacks such as those performed by the Ash botnet. Moreover, in subsequent attacks by the botnet, mitigation can be achieved by blocking requests from the botnet’s IPs whenever synchronized, correlated activity is detected among them.
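The contrast between the two viewpoints can be made concrete. The following is an added example, not Imperva’s code or a description of its detection engine: it runs a per-site rate rule and a cross-site correlation rule over a handful of constructed WAF events and shows that only the second one catches a distributed campaign. The log line format, the `sig` field standing in for a payload signature, the IP addresses and all thresholds are assumptions made for illustration.

```python
"""Single-site rate rule versus cross-site correlation of attack sources.

Added example, not Imperva's code. The log format, the "sig" payload
signature label, the addresses and the thresholds are all assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events as a cloud WAF might record them, one per request:
# timestamp, protected site, source IP, payload signature. Six IPs deliver the
# same payload (sig-A) to four different sites within a minute, each IP touching
# each site at most once. One unrelated IP hammers a single site (sig-B), and
# one stray sig-A request arrives two hours later.
SAMPLE_LOG = [
    "2018-03-01T10:00:05Z site=shop.example src=203.0.113.10 sig=sig-A",
    "2018-03-01T10:00:07Z site=blog.example src=203.0.113.11 sig=sig-A",
    "2018-03-01T10:00:09Z site=news.example src=203.0.113.12 sig=sig-A",
    "2018-03-01T10:00:12Z site=shop.example src=203.0.113.13 sig=sig-A",
    "2018-03-01T10:00:15Z site=forum.example src=203.0.113.14 sig=sig-A",
    "2018-03-01T10:00:20Z site=blog.example src=203.0.113.15 sig=sig-A",
    "2018-03-01T10:00:31Z site=news.example src=203.0.113.10 sig=sig-A",
    "2018-03-01T10:00:40Z site=forum.example src=203.0.113.11 sig=sig-A",
    "2018-03-01T10:00:50Z site=shop.example src=198.51.100.7 sig=sig-B",
    "2018-03-01T10:00:51Z site=shop.example src=198.51.100.7 sig=sig-B",
    "2018-03-01T10:00:52Z site=shop.example src=198.51.100.7 sig=sig-B",
    "2018-03-01T10:00:53Z site=shop.example src=198.51.100.7 sig=sig-B",
    "2018-03-01T10:00:54Z site=shop.example src=198.51.100.7 sig=sig-B",
    "2018-03-01T10:00:55Z site=shop.example src=198.51.100.7 sig=sig-B",
    "2018-03-01T12:00:00Z site=blog.example src=192.0.2.5 sig=sig-A",
]


def parse_event(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


EVENTS = [parse_event(line) for line in SAMPLE_LOG]


def per_site_rate_alerts(events, threshold):
    """The single-site view: an IP is flagged only if it hits one site at least
    `threshold` times. A distributed campaign spreads its requests over many
    sites and IPs, so every (site, ip) pair stays below the threshold."""
    hits = Counter((e["site"], e["src"]) for e in events)
    return {src for (site, src), n in hits.items() if n >= threshold}


def correlate_campaigns(events, window_seconds, min_ips, min_sites):
    """The cross-site view: for each payload signature, slide a time window over
    all events from all protected sites and, whenever at least `min_ips`
    distinct IPs hit at least `min_sites` distinct sites inside one window,
    record those IPs as one synchronized campaign. Returns {signature: ips}."""
    by_sig = defaultdict(list)
    for e in events:
        by_sig[e["sig"]].append(e)

    campaigns = {}
    for sig, evs in by_sig.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0  # right edge of the window; only moves forward
        for i in range(len(evs)):
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            ips = {e["src"] for e in window}
            sites = {e["site"] for e in window}
            if len(ips) >= min_ips and len(sites) >= min_sites:
                campaigns.setdefault(sig, set()).update(ips)
    return campaigns


if __name__ == "__main__":
    print("per-site rate rule flags:", per_site_rate_alerts(EVENTS, threshold=5))
    print("cross-site correlation flags:",
          correlate_campaigns(EVENTS, window_seconds=60, min_ips=5, min_sites=3))
```

The per-site rule sees only the noisy single source; the six coordinated IPs each appear once per site and pass unnoticed. The correlation rule, keyed on the shared payload signature and a short time window, returns exactly those six IPs and leaves out the stray request two hours later. The returned set is what a provider could feed into a blocklist for the botnet’s next synchronized wave, as the paragraph above describes.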
Imperva offers two basic suggestions to avoid or mitigate such an attack:
- Stay up to date with the latest security patches
- Deploy a security solution that has a global view to detect and block such malicious activities that are not visible from a single application point of view