Supercomputers across Europe fell victim to a widespread and seemingly coordinated cybersecurity attack last week, getting hit with the illicit installation of malware focused on mining Monero (XMR).
German supercomputers most affected
Supercomputers in Germany, Spain, and Switzerland confirmed infections via individual reports last week. All instances had a few details in common, such as similar network indicators and file names, and malware programmed specifically to mine Monero, the world’s 14th largest cryptocurrency by market cap.
However, Chris Doman of Cado Security noted to tech publication ZDNet that, apart from the similarities mentioned above, there is no definite evidence that the attacks are related to one actor or group.
The University of Edinburgh, which runs the ARCHER supercomputer, was the first to report an intrusion. It detected exploitation on its login nodes, as published here, and swiftly shut down the system to prevent further attacks. All Secure Shell (SSH) passwords were reset as an additional security measure.
Germany’s bwHPC announced that five supercomputing clusters were shut down after similar “security incidences,” all located at technology-centric universities in the country, such as the Universities of Stuttgart and Tuebingen. Later, the Leibniz Computing Center and Dresden’s Technical University also confirmed disconnecting their computer clusters after a security “breach.”
The Swiss National Supercomputing Center was the last to confirm a breach, stating that there had been “external access” to its infrastructure following a “cybersecurity incident.”
Mining attack presumably not active
Notably, none of the university announcements revealed details of the exact nature of the intrusions, nor confirmed the installation of mining malware.
But based on the malware samples, Europe’s Computer Security Incident Response Team (CSIRT) published its findings and noted “XMR mining hosts” were deployed during certain attack instances.
The team further referred to proxy-hosts, noting:
The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
In one instance, an XMR mining bot was configured to operate only at night hours, presumably to prevent detection.
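The night-hours scheduling described above is a pattern a defender can hunt for in crontabs. What follows is an added example, not code from the article or from any of the teams it cites; it assumes user-crontab format (five time fields followed by the command), a night window of 22:00 to 05:59, and a constructed sample crontab with made-up paths. Hits are only a triage signal, since legitimate maintenance jobs also run at night.

```python
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))  # assumed night window: 22:00 to 05:59

def expand_field(field, lo, hi):
    """Expand one cron field ('*', '0-5,22-23', '*/2', '7') into the set of ints it matches."""
    values = set()
    for part in field.split(','):
        part, _, step = part.partition('/')
        step = int(step) if step else 1
        if part == '*':
            start, end = lo, hi
        elif '-' in part:
            a, b = part.split('-', 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line):
    """Return (hours, command) for a five-field crontab entry; None for blank, comment or @-entries."""
    line = line.strip()
    if not line or line[0] in '#@':
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    hour_field, command = parts[1], parts[5]
    return expand_field(hour_field, 0, 23), command

def night_only_jobs(crontab_text):
    """Commands whose hour field falls entirely inside NIGHT_HOURS; hits need manual review."""
    flagged = []
    for line in crontab_text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        hours, command = parsed
        if hours and hours <= NIGHT_HOURS:
            flagged.append(command)
    return flagged

# Constructed sample crontab for demonstration; paths and commands are made up, not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/15 0-5,22-23 * * * /tmp/.x/run.sh
30 2 * * * /usr/bin/logrotate /etc/logrotate.conf
0 8-18 * * 1-5 /opt/monitor/check.sh
"""
```

Running `night_only_jobs(SAMPLE_CRONTAB)` flags both the suspicious `/tmp/.x/run.sh` entry and the legitimate 02:30 logrotate job, which is why each hit should be reviewed rather than acted on automatically.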
Cado Security’s individual analysis found that attackers seemed to exploit the CVE-2019-15666 vulnerability to attain root access, after which an application to mine Monero was likely installed.
The firm, based on its research, stated attackers might have used compromised SSH credentials to gain access to supercomputers, with the hacked logins belonging to universities in Poland and China.
I took a look at the recent attacks against Supercomputers and found some more details on attacks against Supercomputers in the UK, US, Germany and elsewhere -> https://t.co/EXdxB2jPI1 pic.twitter.com/3gOaLKCfyQ
— chris doman (@chrisdoman) May 16, 2020
At press time, no group had publicly come forward to take responsibility for the attack. No additional vulnerabilities were reported by any victims as of May 18, indicating the attack may not be active currently.
Meanwhile, Monero appears to be an easy target for illicit miners. Historically, the cryptocurrency has been at the center of many mining malware attacks, as CryptoSlate has reported on extensively here and here.