A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign.
"The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig said in a report shared with The Hacker News.
"Furthermore, the attacker abused a legitimate service, TryCloudflare, to obfuscate their C2 network."
Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth. Cryptojacking, on the other hand, refers to the abuse of the system resources to mine cryptocurrency.
A notable aspect of the campaign is the use of compiled binaries written in Go and .NET to fly under the radar, with LABRAT also providing backdoor access to the infected systems. This could ultimately pave the way for follow-on attacks, data theft, and ransomware.
The attack chains begin with the exploitation of CVE-2021-22205 (CVSS score: 10.0), a remote code execution vulnerability that has been exploited in the wild by Indonesian-origin actors in the past to deploy crypto miners.
A successful break-in is followed by the retrieval of a dropper shell script from a C2 server that sets up persistence, conducts lateral movement using SSH credentials found in the system, and downloads additional binaries from a private GitLab repository.
"During the LABRAT operation, TryCloudflare was used to redirect connections to a password-protected web server that hosted a malicious shell script," Miguel Hernández said. "Using the legitimate TryCloudFlare infrastructure can make it difficult for defenders to identify subdomains as malicious, especially if it is used in normal operations too."
TryCloudflare is a free tool that can be used to create a Cloudflare Tunnel without adding a site to Cloudflare's DNS. It launches a process that generates a random subdomain on trycloudflare.com, thereby allowing internal resources to be exposed to the public internet.
The development adds to the abuse of cloudflared to establish covert communication channels from compromised hosts and main access to victim networks.
In a second variation of the attack, the adversary is said to have used a Solr server instead of TryCloudflare to download an exploit for the PwnKit (CVE-2021-4034) from the same GitLab repository to elevate privileges, along with another file that's no longer accessible.
Some of the payloads retrieved by the dropper script include an open-source utility known as Global Socket (gsocket) for remote access and binaries to conduct cryptojacking and proxyjacking via known services such as IPRoyal and ProxyLite. The mining process is concealed using a kernel-based rootkit called hiding-cryptominers-linux-rootkit.
Also delivered is a Go-based executable designed to ensure persistence and kill competing mining processes or older versions of itself in order to fully harness the machine's resources and maximize their earnings.
"Since the goal of the LABRAT operation is financial, time is money," Hernández said. "The longer a compromise goes undetected, the more money the attacker makes and the more it will cost the victim."
Update
GitLab shared the following statement with The Hacker News following the publication of the story -
Users impacted by CVE-2021-22205 should follow their organization's Security Incident and Disaster Recovery processes to deprovision the compromised instance and restore the latest good working backup to a new GitLab instance. The vulnerability has been patched since 2021 and the impact is on customers who remain on vulnerable versions. We issued a blog post regarding the vulnerability and a forum post about how users can determine if they have been impacted.