Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Resource Hijacking
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Resource Hijacking
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Resource Hijacking

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.(Citation: GoBotKR)

ID: T1496
Tactic(s): Impact
Platforms: Containers, IaaS, Linux, macOS, Windows
Data Sources: Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation, Sensor Health: Host Status
Impact Type: Availability
Version: 1.3
Created: 17 Apr 2019
Last Modified: 18 Apr 2022

Procedure Examples
Name Description
Lucifer

Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.(Citation: Unit 42 Lucifer June 2020)
Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)
Lazarus Group

Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.(Citation: Kaspersky Lazarus Under The Hood Blog 2017)
CookieMiner

CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency. (Citation: Unit42 CookieMiner Jan 2019)
Rocke

Rocke has distributed cryptomining malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)
Bonadan

Bonadan can download an additional module which has a cryptocurrency mining extension.(Citation: ESET ForSSHe December 2018)
LoudMiner

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET LoudMiner June 2019)

Blue Mockingbird

Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May 2020)
Imminent Monitor

Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.(Citation: Imminent Unit42 Dec2019)
TeamTNT

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citation: Cado Security TeamTNT Worm August 2020) TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.(Citation: Cisco Talos Intelligence Group)
APT41

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)
Hildegard

Hildegard has used xmrig to mine cryptocurrency.(Citation: Unit 42 Hildegard Malware)
Kinsing

Kinsing has created and run a Bitcoin cryptocurrency miner.(Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)

Mitigations
Mitigation Description
Resource Hijacking Mitigation

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Detection

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.

References

  1. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  2. Zuzana Hromcová. (2019, July 8). Malicious campaign targets South Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
  3. Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.
  4. Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.
  5. CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
  6. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  7. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  8. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  9. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  10. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  11. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  12. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  13. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  14. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.
  15. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  16. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
  17. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  18. Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.
  19. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  20. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  21. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
Навигация

Каталоги

БДУ ФСТЭК:
УБИ.208 Угроза нецелевого использования вычислительных ресурсов средства вычислительной техники
Угроза заключается в возможности использования вычислительных ресурсов средств вычислительной техники для осуществления сторонни...

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.