Watch out for CRYSTALRAY, an open source aficionado with a hunger for crypto
The CRYSTALRAY group, tracked by Sysdig, is using a suite of open source tools to find and compromise targets for cryptomining.
Researchers at the Sysdig Threat Research Team are tracking a cybercriminal group that the team calls CRYSTALRAY, and warning that the group is expanding its reach rapidly, with operations that “have scaled 10x to over 1,500 victims” in the last few months.
The threat actor was first identified in February 2024, and was notable for its use of the SSH-Snake open source software (OSS) penetration testing tool in a campaign that exploited vulnerabilities in Confluence software.
SSH-Snake is described as “a powerful tool designed to perform automatic network traversal using SSH private keys discovered on systems, with the objective of creating a comprehensive map of a network and its dependencies.” Armed with SSH-Snake, a red team or attacker can identify “to what extent a network can be compromised using SSH and SSH private keys starting from a particular system.”
It works by searching through known credential locations and shell history files, looking for SSH credentials that it can use to start spreading itself through a network.
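As an added example (not code from the article, from Sysdig, or from the SSH-Snake project), the following script detects the footprint that kind of key-based traversal leaves in centralised sshd logs: a single source address that authenticates with a public key to many distinct host/account pairs within a short window. The log lines, hostnames, addresses, window size and threshold are constructed assumptions for the demonstration.

```python
"""Flag SSH public-key login fan-out in sshd logs.

Added example, not code from the article or from Sysdig's research.
A host that suddenly logs in by key to many other hosts and accounts
within minutes is the pattern an automated SSH traversal tool leaves
behind in auth logs. All log lines, hosts and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# sshd's successful key-auth line, e.g.
# "Jul 10 09:00:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.2.15 port 51022 ssh2: ..."
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: 10.0.2.15 fans out to four targets in 40 seconds,
# while 10.0.5.7 is an ordinary user logging in twice, hours apart.
SAMPLE_LOG = """\
Jul 10 09:00:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.2.15 port 51022 ssh2: RSA SHA256:AAAA
Jul 10 09:00:14 web02 sshd[3311]: Accepted publickey for deploy from 10.0.2.15 port 51030 ssh2: RSA SHA256:AAAA
Jul 10 09:00:27 db01 sshd[4420]: Accepted publickey for root from 10.0.2.15 port 51041 ssh2: RSA SHA256:AAAA
Jul 10 09:00:40 ci01 sshd[5533]: Accepted publickey for jenkins from 10.0.2.15 port 51055 ssh2: RSA SHA256:AAAA
Jul 10 09:01:02 ci01 sshd[5540]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
Jul 10 10:30:00 web01 sshd[6001]: Accepted publickey for alice from 10.0.5.7 port 50012 ssh2: ED25519 SHA256:BBBB
Jul 10 15:45:00 web02 sshd[7002]: Accepted publickey for alice from 10.0.5.7 port 50020 ssh2: ED25519 SHA256:BBBB
"""


def parse_line(line, year=2024):
    """Return (timestamp, host, user, src) for an accepted-publickey line, else None.

    Syslog timestamps carry no year, so one is assumed (constructed default).
    """
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["src"]


def find_fanout(lines, window_seconds=600, min_targets=4):
    """Return {src: sorted (host, user) targets} for every source that reached
    at least min_targets distinct targets inside any window_seconds span."""
    events = defaultdict(list)  # src -> [(timestamp, (host, user))]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, user, src = parsed
            events[src].append((ts, (host, user)))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            in_window = {target for _, target in evs[left:right + 1]}
            if len(in_window) >= min_targets:
                # Report everything this source touched, not only the window.
                alerts[src] = sorted({target for _, target in evs})
                break
    return alerts


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_fanout(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, targets in scan_sample().items():
        print(f"fan-out from {src}: {len(targets)} targets")
        for host, user in targets:
            print(f"  {user}@{host}")
```

The window and threshold are tuning knobs: on a fleet where configuration management legitimately fans out by key from a known bastion, that source should be allow-listed rather than the threshold raised, so that an unexpected host doing the same thing still surfaces.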
Sysdig writes that the CRYSTALRAY group uses the ASN tool to generate IP address blocks for specific countries, and the Zmap tool to identify vulnerable services on IP addresses within those blocks:
CRYSTALRAY creates a range of IPs for specific countries to launch scans with more precision than a botnet, but less precision than an APT or ransomware attack.
Results are further refined with Httpx and Nuclei, with the latter being used to identify known vulnerabilities that the group can exploit with customized proof-of-concept exploit code.
Once it has access to a target, CRYSTALRAY reportedly uses one of two open source software packages: Platypus, which manages multiple reverse shells, or Sliver, an adversary emulation framework used for security testing.
Once a foothold is established, SSH-Snake is put to work to find and send captured keys and bash histories back to its command and control (C2) server.
But lateral movement is not limited to the network. The attacker also tries to move to other platforms, such as cloud providers.
According to Sysdig, the group uses the access it achieves to deploy two different cryptominers, while attempting to remove other cryptominers deployed by rivals.
The credentials the group harvests are put up for sale, which means that the misery for affected organizations likely doesn’t end with CRYSTALRAY’s activities. It’s worth noting that ransomware gangs often buy access to compromised systems from third parties.