'Crystalray' Attacks Jump 10X, Using Only OSS to Steal Credentials

A newly discovered threat actor is using an arsenal of open source software (OSS) to scale its credential stealing and cryptomining operations exponentially.

"Crystalray" was first spotted back in February, when it was using a penetration testing program called "SSH-Snake" to exploit known vulnerabilities in Atlassian's Confluence platform. In the time since, researchers from Sysdig have observed it combining a suite of other OSS tools to facilitate nearly every step of its attack chain.

Perhaps thanks to all the time saved not having to write its own malware, Crystalray's activity exploded this spring. It has now touched more than 1,800 unique IP addresses worldwide, with hundreds of active infections at any given time. More than half of the attacks have occurred in the US and China.

Crystalray's OSS Attack Chain

The first tool in Crystalray's kit, for performing initial reconnaissance, is called "ASN." This command line tool allows its users to query Shodan for open ports, known vulnerabilities, and many other useful kinds of data about potential targets, such as what software and hardware they might be running. As advertised in its GitHub readme file, ASN does all this and more "without ever sending a single packet to the target."

The attackers then supplement ASN with "zmap," which scans the Web for specific ports running vulnerable services.

With the results from zmap in hand, the threat actor runs the HTTP toolkit "httpx" to check whether the domain they might target is live.

Now that its prey has been squarely identified, Crystalray then uses the vulnerability scanner "nuclei" to check which known vulnerabilities the poor victim might be beset by. So far, that process has probably included one or more Confluence bugs, as well as CVE-2022-44877 in the CentOS Control Web Panel; CVE-2021-3129 in Ignition for Laravel; and CVE-2019-18394 in Ignite Realtime Open Fire — all three of which have earned critical 9.8 out of 10 CVSS scores. nuclei offers the added benefit of allowing its users to scan for potential honeypots.

Crystalray doesn't bother to develop any kind of exploit script to compromise these exposed domains. Instead, it uses public proofs-of-concept exploits (PoCs) to drop its malicious payloads.

OSS Payloads Both Malicious & Legit

The malicious payload might involve Sliver — a cross-platform red team framework it uses for command-and-control — or Platypus — a Go-based tool for managing multiple reverse shells (in Crystalray's case, up to 400 at once).

"Some of these are not legitimate open source tools," notes Michael Clark, director of threat research at Sysdig. Platypus, for example, may be OSS like the others, but "I don't think they pretend to be a legitimate kind of tool. They're offering it for bad purposes. But the project discovery tools like nuclei are all meant for defenders, so there's a bit of a mix."

One such tool that markets itself to defenders — though it is almost certainly of more use to attackers — is SSH-Snake. The program is a worm that enables lateral network movement by gradually accumulating and logging SSH keys it uses to self-replicate. Crystalray also aims for other sorts of credentials by, for example, using all-bash-history and Linux-smart-enumeration to discover sensitive credentials in bash command history files.

In particular, the group looks for credentials associated with cloud platforms and software-as-a-service (SaaS) email platforms, which it sells in black markets. Its other source of income comes from two cryptominers which, based on the attacker's crypto wallet, appear to be earning them a paltry sum — around $200 per month.

The Cost-Benefit of Using OSS Cyberattack Tools

As Clark reflects, "What's odd is we see a lot of attacks — hundreds a year — and most of them use much simpler scripts they wrote themselves, or tools they bought off of the Dark Web. We rarely see this kind of malicious use of legitimate open source security software."

For all of the time and effort it saves, hackers have one very good reason to avoid OSS: "Because defenders can use it too, which is what's great about open source. They can reproduce this exactly to see how it looks in their environment," he notes. "If I'm a defender, I could go install Sliver — play with it, see how it works, see how it works against my defensive tools. With a closed source version, it's much harder to get your hands on."

On the other hand, he adds, "These are advanced tools, sometimes. So even if you have it, detection can be difficult, because people put a lot of effort into making these tools very good. Even if they're used for defensive purposes, they want defenders being able to replicate advanced attacks."