The discovery of cryptomining operations has forced supercomputing clusters across the world offline in an incident that exposes the poor security of some of the world’s most powerful research machines.
The attackers appear to have got in using compromised SSH credentials and then used that access to deploy the malware (SSH is the network protocol that gives users encrypted remote command-line access to systems).
The UK’s ARCHER was among those forced out of service as security teams scrambled to flush malware out of its system. (ARCHER, an aging Cray XC30 machine, is used for research purposes by a wide range of universities).
ARCHER’s team noted: “All of the existing ARCHER passwords and SSH keys will be rewritten and will no longer be valid on ARCHER.
“There will be a new requirement to connect to ARCHER using an SSH key and a password.” Crucially, they noted that: “The ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally.”
Indeed, it does appear to be part of a much broader attack on supercomputing infrastructure worldwide: in Germany, bwHPC, which coordinates the research supercomputers of the state of Baden-Württemberg, reported that five of its clusters had also been taken offline to deal with a “security incident”.
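ARCHER's new rule that every login must present both an SSH key and a password maps onto a single OpenSSH directive, AuthenticationMethods. The Python below is an added example, not ARCHER's own configuration or tooling: it audits the text of a sshd_config for that rule, honouring two details that are easy to get wrong when applying such a change in a hurry. First, for a keyword outside a Match block sshd uses the first value it finds, so a corrected line appended at the bottom of a file that already sets AuthenticationMethods changes nothing. Second, a comma in AuthenticationMethods means every listed method must succeed, whereas a space separates alternative lists, so "publickey password" still allows password-only logins. The three sample configurations are constructed for the example and are not taken from any real host.

```python
"""Audit an sshd_config for the 'SSH key AND password' rule ARCHER adopted.
Added example, not ARCHER's configuration tooling.  Relies on OpenSSH
sshd_config semantics: outside Match blocks the FIRST value of a keyword
wins; in AuthenticationMethods a comma joins methods that must ALL succeed,
while a space separates alternative method lists."""
import re

# Constructed sample configurations (not copied from any real ARCHER host).
WEAK_CONFIG = """\
# Key-only and password-only logins are both still accepted here
PubkeyAuthentication yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
# A key must succeed first, then a password, for every login
AuthenticationMethods publickey,password
"""
TRAP_CONFIG = """\
AuthenticationMethods publickey
# The 'fix' was appended at the end, but sshd keeps the first value above
AuthenticationMethods publickey,password
"""


def parse_global(config_text):
    """{keyword_lower: first_value} for directives before the first Match block."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[= ]\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                        # everything after Match is conditional
        settings.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return settings


def requires_key_and_password(config_text):
    """True only if every accepted method list needs both publickey and password."""
    s = parse_global(config_text)
    methods = s.get("authenticationmethods")
    if methods is None:
        return False   # no list: any single enabled method gets you in
    for alternative in methods.split():            # space = alternative lists
        required = {m.split(":", 1)[0] for m in alternative.split(",")}  # comma = all required
        if not {"publickey", "password"} <= required:
            return False
    # Both methods must also be enabled, or nobody will be able to log in at all
    enabled = lambda k: s.get(k, "yes").lower() != "no"
    return enabled("pubkeyauthentication") and enabled("passwordauthentication")
```

The check deliberately ignores anything after the first Match line; rules inside Match blocks apply only to the matched users or sources and need to be reviewed separately, since a Match block can loosen the requirement for a subset of accounts.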
Cryptomining
Cryptomining attacks involve an attacker hijacking computational power to run the proof-of-work calculations that validate cryptocurrency transactions, earning coins as the reward for the heavy computation and energy spent in the process; the victim pays for the electricity and loses the compute time.
The computational requirements for mining cryptocurrencies like Bitcoin are significant: as the Bank for International Settlements noted last year, the total energy consumed mining Bitcoin globally was equivalent to that of a mid-sized economy such as Switzerland.
European Grid Infrastructure (EGI), an EU-wide federation that coordinates research computing across Europe, noted in a security update that the attackers are jumping from ‘one victim to another’ as they exploit compromised SSH credentials.
Compromised SSH credentials from universities in Canada, China, and Poland are thought to be one of the main points of entry in the incidents reported by sites across Europe. EGI identified four distinct roles that compromised hosts were being given in the attack infrastructure:
- XMR mining hosts (running a hidden XMR, i.e. Monero, mining binary).
- XMR-proxy hosts; the attacker uses these hosts, reached from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
- SOCKS proxy hosts (running a microSOCKS instance on a high port); the attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
- Tunnel hosts (SSH tunnelling); the attacker connects via SSH (compromised account) and configures NAT PREROUTING rules (typically to access private IP spaces).
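Each of EGI's four roles leaves a different footprint on a compromised host: a miner process, a microSOCKS listener on a high port, a NAT PREROUTING rule, and SSH logins from Tor. The Python below is an added example, not EGI's, bwHPC's or ARCHER's incident tooling; it runs the corresponding checks over command output saved from a host (ps, ss -ltnp, iptables-save, auth.log) so that it can be used offline against preserved evidence. The sample outputs, the /tmp/.x paths, the port numbers and the "Tor exit" address set are all constructed for the example from documentation IP ranges; in practice the exit list would come from the Tor Project's published exit list. It also assumes, as a working interpretation of EGI's wording, that a "hidden" binary means a dot-prefixed file name and that a "high port" is anything from 1024 upwards.

```python
"""Offline triage for the four EGI host roles: XMR miner, XMR proxy,
SOCKS proxy and SSH/NAT tunnel host.  Added example, not EGI's tooling.
Runs over text saved from the host (ps, ss -ltnp, iptables-save, auth.log).
Assumptions: a "hidden" binary means a dot-prefixed file name; a "high
port" is >= 1024; the Tor exit list is supplied by the caller."""
import re

# Constructed sample evidence (documentation IP ranges; not from a real host)
PS_OUTPUT = """\
  PID USER     COMMAND
    1 root     /sbin/init
 4242 hpcuser  /tmp/.x/.xmr -o 198.51.100.7:3333 --background
 4300 hpcuser  /tmp/.x/microsocks -p 43321
 4311 hpcuser  sshd: hpcuser@notty
"""
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN  0      128    0.0.0.0:43321      0.0.0.0:*         users:(("microsocks",pid=4300,fd=4))
LISTEN  0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=700,fd=6))
"""
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.5:22
COMMIT
*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
AUTH_LOG = """\
May 11 02:14:07 login1 sshd[4311]: Accepted publickey for hpcuser from 192.0.2.10 port 51214 ssh2
May 11 09:01:44 login1 sshd[5120]: Accepted publickey for alice from 203.0.113.8 port 40022 ssh2
"""
TOR_EXITS = {"192.0.2.10"}  # placeholder set, NOT a real exit list


def hidden_or_proxy_processes(ps_text):
    """(pid, exe) for processes whose executable is dot-prefixed or is microsocks."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _user, cmd = parts
        exe = cmd.split()[0]
        name = exe.rsplit("/", 1)[-1]
        if name.startswith(".") or name == "microsocks":
            hits.append((int(pid), exe))
    return hits


def high_port_listeners(ss_text, min_port=1024):
    """(port, process) for LISTEN sockets bound off-loopback on ports >= min_port."""
    hits = []
    for line in ss_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)
        if addr.startswith("127.") or int(port) < min_port:
            continue
        m = re.search(r'\("([^"]+)",pid=(\d+)', cols[5])
        hits.append((int(port), m.group(1) if m else "?"))
    return hits


def nat_prerouting_rules(iptables_text):
    """PREROUTING rules in the nat table: EGI's 'tunnel host' indicator."""
    table, rules = None, []
    for line in iptables_text.splitlines():
        if line.startswith("*"):
            table = line[1:]                       # "*nat" -> "nat"
        elif table == "nat" and line.startswith("-A PREROUTING"):
            rules.append(line)
    return rules


def logins_from(auth_text, suspect_ips):
    """(user, ip) for accepted SSH logins originating from suspect_ips."""
    pat = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
    hits = []
    for line in auth_text.splitlines():
        m = pat.search(line)
        if m and m.group(2) in suspect_ips:
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(ps_text, ss_text, iptables_text, auth_text, suspect_ips):
    """Map each EGI role to the evidence found; an empty list means nothing seen."""
    return {
        "miner_or_socks_process": hidden_or_proxy_processes(ps_text),
        "high_port_listener": high_port_listeners(ss_text),
        "nat_prerouting": nat_prerouting_rules(iptables_text),
        "login_from_suspect_ip": logins_from(auth_text, suspect_ips),
    }


if __name__ == "__main__":
    for role, evidence in triage(PS_OUTPUT, SS_OUTPUT, IPTABLES_SAVE,
                                 AUTH_LOG, TOR_EXITS).items():
        print(f"{role}: {evidence or 'none'}")
```

Two caveats for real use: the NAT check reads iptables-save format only, so hosts using ip6tables or nftables need the equivalent dump (nft list ruleset) parsed separately, and a hit on the SSH login check only says the source was a Tor exit, which is an indicator rather than proof, since legitimate users sometimes connect through Tor too.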
Jake Moore, Cybersecurity Specialist at ESET told Computer Business Review that: “What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto mining malware.
“All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks.
“Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”