Exposed Jupyter Notebooks Under Threat of "Qubitstrike" Cryptojacking Campaign

Category: Threat Actor Activity | Industry: Global | Source: Cado Security

A new cryptojacking campaign named "Qubitstrike" which has set its sights on exposed Jupyter Notebooks is reported by security researcher Matt Muir from Cado Security. Analysis of the campaign in a Cado-owned honeypot identified an abundance of malware incorporating scripts to steal credentials, Linux rootkits, and the XMRig coinminer. The attackers abused the Codeberg platform, using the code repository to stage their script. Qubitstrike targets hardcoded credential files for popular cloud services, like AWS and Google Cloud, exfiltrating them using the Telegram Bot API.

The attack begins with the initial compromise, often manual in nature, with the threat actor likely discovering vulnerabilities using tools like Shodan. Commands executed on the host transpired within a timeframe of 195 seconds, raising suspicions of manual intervention. They then proceed to perform system reconnaissance, inspecting the machine's specifications and any available files, especially credential data. The attacker used base64 encoded commands to download and execute the main script, named "mi.sh." This script was found to play a central role in the attack, involving renaming data transfer binaries, deploying the XMRig miner, establishing persistence via cron jobs, establishing SSH keys, facilitating lateral movement with SSH, and installing a rootkit named "Diamorphine." Furthermore, it exfiltrates credentials and propagates the malware to related hosts through SSH, all while employing techniques to avoid detection.

The Qubitstrike attackers exhibited the ability to employ Discord for command and control (C2) operations. They utilized a Python script, 'kdfs.py,' which included an embedded Discord token and employed multiple encoding techniques for communication concealment. Cado Security uncovered this script in the attackers' Codeberg repository. Interestingly, the Python script was never deployed in Cado's honeypot environment. The mi.sh script appeared to operate successfully in achieving the attacker's objective without the Python script, leaving its use in the attacker's infection chain unknown. Nonetheless, the capabilities demonstrated by the Qubitstrike campaign serve as a reminder for organizations to secure their cloud infrastructure against the increasing threats in cloud environments.