A wave of supercomputer hacks for cryptocurrency mining

Traces of infrastructure compromise and the installation of malware for hidden mining of the Monero (XMR) cryptocurrency have been identified in several large computing clusters at supercomputing centers in Great Britain, Germany, Switzerland and Spain. A detailed analysis of the incidents is not yet available, but according to preliminary data, the systems were compromised through the theft of credentials from the systems of researchers who have access to run jobs on the clusters (recently, many clusters have granted access to third-party researchers studying the SARS-CoV-2 coronavirus and running process simulations related to COVID-19 infection). After gaining access to the cluster, in one of the cases the attackers exploited the Linux kernel vulnerability CVE-2019-15666 to gain root access and install a rootkit.

Two incidents stand out in which the attackers used credentials stolen from users at the University of Krakow (Poland), Shanghai Jiao Tong University (China) and the China Science Network. The credentials were stolen from participants in international research programs and used to connect to the clusters via SSH. How exactly the credentials were captured is not yet clear, but trojanized SSH executables have been found on some (not all) systems of the victims of the password leak.

As a result, the attackers gained access to the UK-based Archer cluster (University of Edinburgh), which ranks 334th in the Top500 list of the largest supercomputers. Similar intrusions were later identified in the clusters bwUniCluster 2.0 (Karlsruhe Institute of Technology, Germany), ForHLR II (Karlsruhe Institute of Technology, Germany), bwForCluster JUSTUS (Ulm University, Germany), bwForCluster BinAC (University of Tübingen, Germany) and Hawk (University of Stuttgart, Germany).
Security incidents on clusters were later also confirmed at the Swiss National Supercomputing Center (CSCS), the Jülich Research Center (31st place in the Top500), the University of Munich (Germany) and the Leibniz Computing Center (9th, 85th and 86th places in the Top500). In addition, information received from employees about a compromise of the infrastructure of the Center for High-Performance Computing in Barcelona (Spain) has not yet been officially confirmed.

Analysis of the changes showed that two malicious executable files, both with the suid root flag set, were uploaded to the compromised servers: "/etc/fonts/.fonts" and "/etc/fonts/.low". The first is a loader for running shell commands with root privileges, and the second is a log cleaner used to remove traces of malicious activity. Various techniques were used to hide the malicious components, including installation of the Diamorphine rootkit, loaded as a Linux kernel module. In one case, the mining process was launched only at night so as not to attract attention.
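An added detection example (not code from the original article or from any of the affected centers): a Python scan that flags setuid files sitting in hidden or unexpected locations, the pattern of the "/etc/fonts/.fonts" and "/etc/fonts/.low" droppers described above. The directory allowlist is an assumption and should be tuned for the distribution in use.

```python
"""Hunt for setuid binaries in places they do not belong, such as hidden
files under /etc, as seen in the supercomputer mining incidents."""
import os
import stat
from typing import Dict, List

# Assumption: directories where setuid binaries are normally expected.
# Tune this allowlist for the distribution you actually run.
EXPECTED_SUID_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin",
                      "/usr/lib", "/usr/libexec", "/usr/local/bin")


def classify_entry(path: str, st_mode: int, st_uid: int) -> List[str]:
    """Return the reasons a setuid file looks suspicious ([] = nothing).

    Only regular files with the setuid bit are considered; a setuid binary
    in an expected directory with no hidden path component is left alone.
    """
    if not stat.S_ISREG(st_mode) or not (st_mode & stat.S_ISUID):
        return []
    reasons = []
    parts = [p for p in path.split(os.sep) if p]
    if any(p.startswith(".") for p in parts):
        reasons.append("hidden path component")
    if not any(path.startswith(d + os.sep) for d in EXPECTED_SUID_DIRS):
        reasons.append("outside expected setuid directories")
    if reasons:  # prepend the owner so the report shows whose privileges it grants
        owner = "setuid root" if st_uid == 0 else "setuid uid=%d" % st_uid
        reasons.insert(0, owner)
    return reasons


def scan(root: str) -> Dict[str, List[str]]:
    """Walk `root` using lstat (symlinks are not followed) and collect findings."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:  # unreadable or vanished entry; skip it
                continue
            reasons = classify_entry(full, st.st_mode, st.st_uid)
            if reasons:
                findings[full] = reasons
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for path, why in sorted(scan(target).items()):
        print(path, "->", ", ".join(why))
```

Run it as root across the whole filesystem for a complete picture, and compare the output against a known-good baseline rather than eyeballing it once.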

Once compromised, a host could be used for various tasks, such as mining the Monero (XMR) cryptocurrency, running a proxy (to communicate with other mining hosts and with the server coordinating the mining), running a microSOCKS-based SOCKS proxy (to accept external connections over SSH) and SSH forwarding (the initial point of entry was a compromised account on a host where address translation was configured to forward traffic into the internal network). When connecting to compromised hosts, the attackers used hosts running SOCKS proxies and typically connected via Tor or through other compromised systems.

Source: opennet.ru
