Ransomware Actor Exploited CoinMiner Attacker’s Proxy Server

Hackers can hide their names and access blocked websites or networks by using proxy servers, which help make these systems anonymous. 

Compromised proxy servers can be employed as pipes for launching attacks, circulating malicious software, and engaging in illegal activities while covering up the actual origins of traffic. 

There is also a risk of further infiltration into the network through any proxy server where vulnerabilities have been found.

Cybersecurity researchers at ASEC recently discovered that a ransomware actor exploited the proxy server of a CoinMiner attacker.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Ransomware Actor Exploited CoinMiner

Cyberattacks target not just companies but threat actors themselves.

A CoinMiner group’s proxy server used to control an infected botnet was exposed, allowing a ransomware actor’s RDP scan attack to infiltrate and infect the botnet with ransomware. 

The initial CoinMiner breach likely involved scanning for MS-SQL server administrator (sa) accounts, using xp_cmdshell to install a backdoor downloading the CoinMiner malware from a C2 server. 

This demonstrates how the infrastructures of threat actors can become compromised targets themselves.

An exposed reverse RDP proxy server was set up by the CoinMiner group using a modified Fast Reverse Proxy tool to enter their infected bots.

However, this exposed proxy server became a target for an RDP port scanning and brute force attack launched by ransomware actors.

The absence of login restrictions allowed the ransomware actor to gain admin access via the proxy and then move laterally before distributing ransomware throughout the CoinMiner botnet and network with tools.

CoinMiner is a threat actor to whom, for a specific ransomware attacker, it could have been either deliberate or coincidental that his RDP scan attack included using a proxy server.

Hypothesis 1:-

The proxy server was just another target with an exposed RDP port, as the ransomware actor had seen it accidentally.

Hypothesis 2:-

Since systems that had been compromised previously are more likely to contain vulnerabilities this time around, the ransomware actor decided to target systems attacked by other actors, which the attacker knew very well were proxies.

The repeated access into the affected system attached to the proxy suggests that the ransomware actor may have noticed strange behavior, indicating they were traversing between compromised systems.

Usually, rather than directly targeting and exploiting other actors’ infrastructure, threat actors trade credentials, malware, and services on dark web markets.

However, when assessing the attacks that use compromised infrastructures of other actors unknowingly, it is not easy to tell apart which individual behaviors and intentions are involved within this scenario.

If such cases become more common, threat actors may begin intentionally hacking each other’s infrastructure to launch more effective attacks by leveraging these systems and resources.

There is an emerging trend in which different groups of actors purposely infiltrate rival groups’ infrastructure, which could considerably complicate attribution and defense.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo