More than 1,500 victims have already had their credentials compromised and their systems targeted with cryptocurrency mining payloads by the CRYSTALRAY threat operation, a tenfold increase in attack scale since it emerged in February, according to BleepingComputer.
According to an analysis from Sysdig, CRYSTALRAY's attacks rely on several open-source tools. The Sliver post-exploitation toolkit is used to deliver modified proof-of-concept exploits against systems affected by the Control Web Panel arbitrary command execution bug, tracked as CVE-2022-44877; the Ignition arbitrary code execution issue, tracked as CVE-2021-3129; and the Ignite Realtime Openfire server-side request forgery flaw, tracked as CVE-2019-18394; as well as against vulnerable Atlassian Confluence instances. Compromised systems are then given several reverse shell sessions managed through the Platypus web-based manager, and further compromise is carried out by the SSH-Snake worm, which uses harvested SSH keys to repeatedly break into new hosts and self-propagate while exfiltrating the keys to the attackers' command-and-control server. Beyond stealing credentials from configuration files and environment variables, CRYSTALRAY also monetizes breached systems through cryptomining, researchers said.
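The worm behaviour described above (one compromised host using harvested SSH keys to log into many other hosts in quick succession) leaves a recognizable fan-out pattern in centrally collected sshd logs. The following is an added detection example written for this summary; it is not code from BleepingComputer, Sysdig, or any of the tools named above. It assumes sshd "Accepted publickey" lines from several hosts are forwarded to one place, and the sample log lines, host names, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of centrally collected sshd lines from several hosts.
# The format mirrors the common syslog "Accepted publickey" message; host
# names, addresses and times are made up for this example.
SAMPLE_LOG = """\
Jul 11 10:00:01 web-01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 51200 ssh2: ED25519 SHA256:AAAA
Jul 11 10:00:04 web-02 sshd[2188]: Accepted publickey for deploy from 10.0.0.5 port 51204 ssh2: ED25519 SHA256:AAAA
Jul 11 10:00:09 db-01 sshd[3321]: Accepted publickey for root from 10.0.0.5 port 51210 ssh2: ED25519 SHA256:AAAA
Jul 11 10:00:15 cache-01 sshd[4410]: Accepted publickey for deploy from 10.0.0.5 port 51219 ssh2: ED25519 SHA256:AAAA
Jul 11 10:00:40 web-01 sshd[2150]: Accepted publickey for alice from 10.0.1.20 port 60001 ssh2: RSA SHA256:BBBB
Jul 11 10:30:00 web-02 sshd[2300]: Accepted password for bob from 10.0.1.21 port 60002 ssh2
Jul 11 11:00:00 db-01 sshd[3400]: Accepted publickey for alice from 10.0.1.20 port 60003 ssh2: RSA SHA256:BBBB
"""

# Only key-based logins are of interest here: SSH-Snake spreads with stolen
# keys, so password logins are ignored by the pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_publickey_logins(text, year=2024):
    """Parse accepted public-key logins into (time, source_ip, dest_host, user).

    Syslog lines carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["host"], m["user"]))
    events.sort()
    return events


def find_fanout(events, min_hosts=3, window_seconds=300):
    """Flag source addresses that reached at least min_hosts distinct
    destination hosts within any window_seconds-long sliding window.

    Returns {source_ip: sorted list of destination hosts}. An admin who
    logs into two boxes over an hour is not flagged; a worm that reaches
    four hosts in fifteen seconds is."""
    by_src = defaultdict(list)
    for ts, src, host, _user in events:
        by_src[src].append((ts, host))

    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = set()
            for ts, host in items[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                hosts.add(host)
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for src, hosts in find_fanout(parse_publickey_logins(SAMPLE_LOG)).items():
        print(f"possible SSH fan-out from {src}: {', '.join(hosts)}")
```

The thresholds are deliberately conservative and should be tuned to the environment; configuration-management hosts that legitimately fan out over SSH need an allow-list, and a hit is a lead to investigate (which key was used, whether it also appears in the source host's own authorized_keys), not a verdict on its own.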