Aqua Security researchers tracked a cryptomining campaign where over three years, the attackers shifted from hitting the company’s honeypots to launching attacks in the wild. (Photo by Sean Gallup/Getty Images)

Researchers have found that a cryptomining campaign they were tracking with honeypots over the past three years changed course and instead of attacking the honeypots, a search in Shodan found that they launched some 125 attacks in the wild in the third quarter of 2021 alone.

Team Nautilus researchers at Aqua Security said in a blog post that they dubbed the cryptomining campaign "Autom" because of a shell script that was downloaded that initiated the attack. The researchers said over the three-year period, the attackers changed their tactics. For example, in 2019, the attackers didn’t use any special techniques to hide the cryptomining.

However, by 2020, they concealed themselves and disabled various security mechanisms. First, they disabled uncomplicated firewall (UFW), which let them allow or deny access to a service. Next, they disabled non-maskable interrupt (NMI), considered the highest-priority interrupt that signals attention for non-recoverable hardware errors and gets used to monitor system resets.  

Finally, by this year, to hide the cryptomining campaign, the attackers downloaded an obfuscated shell script from a remote server. They then encoded the script in base64 five times to prevent security tools from understanding their intentions. The cryptomining was finally discovered when the researchers decoded the script.

“Over the years the attackers improved their techniques and their campaigns become more sophisticated,” said Nitzan Yaakov, a security data analyst at Aqua Security. “Organizations need to understand that attacks are constantly evolving their attack capabilities. This requires advanced detection capabilities such as detection based on behavior. Dynamic threat analysis tools can help to detect these sophisticated threats.”

Evading detection for as long as possible to maximize their time on target and potential for a return has become a core part of an attacker’s job, said Casey Ellis, founder and CTO at Bugcrowd.

And Ellis said it’s especially true for cryptomining campaigns – attacks where the dwell time directly correlates to the amount of cryptocurrency mined by the target. Ellis said in the case of cryptomining, a security research company might shut down or reset a honeypot after a period of time to avoid resourcing an attacker’s campaign.

“If this happens consistently, a cautious attacker has the opportunity to observe that repeat behavior, gather other attributes of the system which might be shared across other honeypots run by the same organization, and use this fingerprint to avoid them,” Ellis said. “Without knowing the specifics of how Aqua Security deployed its honeypots, it could be as simple as using anti-deception techniques to avoid low-interaction honeypots, or as sophisticated as using behavioral correlation to fingerprint high-interaction honeypots.”