GitLab servers have been found to be vulnerable in an ongoing hacking campaign targeting a known flaw that allows proxyjacking and cryptojacking attacks. According to a Sysdig report, after exploiting the critical GitLab remote code execution flaw tracked as CVE-2021-22205, attackers fetch a dropper shell script from a C2 server and establish persistence via system-based SSH credentials.
GitLab, a well-known platform used for collaborative software development, experienced a major security incident that revealed the increasing complexity and audacity of modern cyber threats.
The attack, labeled as a “novel proxyjacking attack,” showcased the hackers’ ability to exploit software vulnerabilities for monetary gain in an unconventional manner.
Attackers obfuscated their communication with the C2 servers and deployed a Cloudflare Tunnel, a powerful traffic tunneling solution that allows users to expose local services through the secure Cloudflare network without changing firewall settings or doing port forwarding.
Researchers from GuidePoint Security recently reported an increase in the number of attacks that abused the Cloudflare Tunnel and TryCloudflare.
Researchers also discovered the dropper script’s retrieval of the open-source Global Socket utility to enable cryptojacking and proxyjacking through the ProxyLite and IPRoyal services, as well as a Go-based executable that terminates other mining processes in targeted systems.
A report was released by cybersecurity experts at Sysdig, outlining the activities of a new threat actor they’ve dubbed LABRAT. The group has displayed an extraordinary level of effort to maintain their anonymity, employing a range of techniques such as cross-platform malware, kernel rootkits, and various methods to obscure their actions. Additionally, they’ve exploited legitimate cloud services extensively.
According to the report, “The tactics and tools employed in this campaign surpass the complexity of most incidents encountered by Sysdig TRT. The utilisation of covert and elusive methods in this operation heightens the difficulty of both defense and identification.”
The vulnerability, found in three distinct GitLab versions – 13.8.8, 13.9.6, and 13.10.3 – has had a patch available since April 2021. This occurrence serves as a reminder of the vital significance of regular updates and the upkeep of both software and hardware.
Upon identifying a vulnerable endpoint and establishing a foothold, the attackers will pursue either proxyjacking or cryptojacking. The former entails leasing unused victim bandwidth to a proxy network, generating revenue in the process.
On the other hand, the latter involves surreptitiously installing cryptocurrency mining software on susceptible devices, without the owner’s awareness or authorisation.
Despite their popularity among cybercriminals, cryptojackers are relatively easy to detect. Due to the resource-intensive nature of crypto mining, the compromised computer becomes sluggish and almost unresponsive while active, as it diverts significant computing power to the mining process.
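As an added example (not from the article and not from Sysdig's report), the following Python script shows how a defender might triage a host for the kinds of artefacts described above: processes associated with Cloudflare Tunnel, Global Socket or a known miner, high-CPU processes executing from temporary directories (the resource-hungry behaviour that makes cryptojackers easy to spot even when the binary is renamed), and SSH authorized_keys entries that were not present in a known-good snapshot. The process names, regular expressions, CPU threshold and all sample data are constructed assumptions, not indicators taken from the report.

```python
"""Host triage for proxyjacking/cryptojacking artefacts (added example, constructed data)."""
import re
from dataclasses import dataclass

# Assumed name-based indicators. Real campaigns rename binaries, so these
# are only the first of two checks.
SUSPICIOUS_PROCESS_PATTERNS = {
    "tunnel": re.compile(r"\bcloudflared\b"),
    "gsocket": re.compile(r"\bgs-netcat\b|\bgsocket\b"),
    "miner": re.compile(r"xmrig|minerd", re.I),
}
# Second check: sustained high CPU from a binary in a scratch directory.
CPU_THRESHOLD = 80.0
UNTRUSTED_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class Finding:
    kind: str
    pid: int
    detail: str


def parse_ps(output: str):
    """Parse `ps -eo pid,pcpu,args`-style output into (pid, cpu, cmdline) tuples."""
    rows = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, cmd = parts
        rows.append((int(pid), float(cpu), cmd))
    return rows


def triage_processes(ps_output: str):
    """Flag processes by name and, independently, by resource use from scratch paths."""
    findings = []
    for pid, cpu, cmd in parse_ps(ps_output):
        for kind, pattern in SUSPICIOUS_PROCESS_PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(kind, pid, cmd))
        if cpu >= CPU_THRESHOLD and cmd.startswith(UNTRUSTED_PREFIXES):
            findings.append(Finding("high_cpu_untrusted_path", pid, cmd))
    return findings


def new_authorized_keys(baseline: str, current: str):
    """Return authorized_keys lines present now that were absent from the baseline snapshot."""
    def keys(text):
        return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}
    return sorted(keys(current) - keys(baseline))


# Constructed sample data: a disguised miner under /tmp, a tunnel client and a
# Global Socket listener, plus an extra SSH key that was not in the baseline.
PS_SAMPLE = """  PID %CPU COMMAND
    1  0.0 /sbin/init
  842  0.3 /usr/sbin/sshd -D
 1337 97.5 /tmp/.x/kthreaddi -o pool.invalid:3333
 1402  1.1 /usr/local/bin/cloudflared tunnel run
 1450  0.2 gs-netcat -l -i
 2001 12.0 /usr/bin/python3 app.py
"""
BASELINE_KEYS = "ssh-ed25519 AAAAexamplekey1 admin@host\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAexamplekey2 dropper\n"

if __name__ == "__main__":
    for f in triage_processes(PS_SAMPLE):
        print(f"[{f.kind}] pid={f.pid} {f.detail}")
    for key in new_authorized_keys(BASELINE_KEYS, CURRENT_KEYS):
        print(f"[new_ssh_key] {key}")
```

In the sample the renamed miner is missed by the name patterns but caught by the CPU-plus-path heuristic, which is the point of running both checks; on a real host the inputs would come from `ps -eo pid,pcpu,args` and a stored copy of each account's authorized_keys file.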
Proxyjacking Explored: A New Breed of Cyber Attack
Proxyjacking is a type of cyber-attack where hackers compromise a network or system and turn it into a proxy server without the owner’s knowledge.
These proxy servers are then rented or sold on the dark web to various parties, offering them an opportunity to hide their online activities and IP addresses.
The attack on GitLab highlighted a new variant of this technique, where hackers exploited the platform’s infrastructure to create a distributed network of proxy servers.
The Intrusion: Breach of GitLab’s Security
The breach was detected when GitLab users began experiencing slow response times and erratic system behavior. Upon further investigation, GitLab’s security team uncovered unauthorised modifications to the system’s codebase. These modifications allowed the attackers to manipulate the platform’s infrastructure, effectively turning its servers into proxy nodes.
Monetizing Excess Bandwidth
Taking advantage of GitLab’s substantial bandwidth resources, the attackers began renting out the compromised servers’ proxy services to various cybercriminal groups and individuals seeking to anonymize their online activities.
This exploitation allowed the hackers to profit from the excess bandwidth by selling it for cash payments, effectively creating a makeshift botnet that operated as a network of proxy servers.
GitLab went public on the Nasdaq on October 14, 2021 under the ticker symbol “GTLB”, and its shares haven’t performed too strongly in the intervening months.
The remote-first company currently has a market cap of around $7 billion, substantially down on its $15 billion IPO day valuation and its $19 billion peak a few months later.
The GitLab proxyjacking incident underscores the evolving tactics employed by cybercriminals to exploit vulnerabilities in even the most trusted platforms.
Media Release – Tech News