Mirai NoaBot: Protect Servers From Crypto Mining Threats
In recent cybersecurity developments, a novel Mirai-based botnet known as Mirai NoaBot has emerged, posing a significant threat to Linux servers since the start of 2023. Akamai’s telemetry data, derived from honeypots, reveals a steady growth in NoaBot infections, with a peak in size recorded just last month.
This blog post delves into the FTC warning on the NoaBot malware, shedding light on its origin, modus operandi, and the measures organizations can take to protect their systems.
Unveiling Mirai NoaBot’s Tactics
Akamai researchers uncovered that NoaBot relies on SSH credential dictionary attacks for lateral movement. More than 800 unique IP addresses worldwide show signs of infection, and about 10% of them are traced back to China. NoaBot does not need a software vulnerability to spread; it exploits a weakness organizations often overlook: weak, guessable SSH passwords. The FTC alert on crypto server attacks emphasizes the growing threat landscape in the digital space.
Evolution from Mirai to NoaBot
Mirai, which first appeared as a DDoS botnet in 2016, set the stage for subsequent self-propagating Linux botnets, some focused on DDoS attacks, others on crypto-mining, and a few on both. NoaBot, a derivative of Mirai, stands out for its modifications, chiefly the replacement of the Telnet scanner with an SSH scanner.
This shift makes sense: Linux servers, unlike the embedded devices Mirai targeted, are far more likely to expose SSH than Telnet. Protecting against Mirai NoaBot is therefore paramount for the security of Linux servers in the face of evolving cyber threats.
NoaBot’s Unique Features
The creators of NoaBot implemented significant alterations to the Mirai source code, giving the bot a distinctive identity. They changed the compiler from GCC to uClibc, which makes the resulting binary significantly different from Mirai's. Notably, NoaBot's SSH scanner leaves a clear signature: once an SSH connection is accepted, the botnet client sends the unconventional message "hi," which can be used to create a firewall signature.
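To show how the "hi" message can be turned into a detection, here is an added example (not code from Akamai or from this post's sources) that classifies the first client-to-server payload of each TCP connection to port 22. It assumes the "hi" string is visible as the client's first payload, in place of the `SSH-2.0-...` identification string an SSH client is required to send (RFC 4253, section 4.2); the packet records and addresses are constructed for illustration.

```python
# Constructed packet-payload records in capture order: (src, dst, direction, payload).
# Direction "c2s" is client to server, "s2c" server to client.
SAMPLE_RECORDS = [
    ("198.51.100.20:40000", "192.0.2.10:22", "c2s", b"SSH-2.0-OpenSSH_9.3\r\n"),
    ("192.0.2.10:22", "198.51.100.20:40000", "s2c", b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("203.0.113.7:51000", "192.0.2.10:22", "c2s", b"hi"),
    ("203.0.113.9:51200", "192.0.2.10:22", "c2s", b"GET / HTTP/1.1\r\n"),
    ("203.0.113.7:51002", "192.0.2.10:22", "c2s", b"hi\n"),
    ("203.0.113.7:51002", "192.0.2.10:22", "c2s", b"SSH-2.0-late\r\n"),
]


def classify_first_payload(payload: bytes) -> str:
    """Label a client's first payload on an SSH port.

    'ssh'       - a proper identification string (RFC 4253: "SSH-protoversion-...")
    'noabot_hi' - the literal "hi" that Akamai reports NoaBot's scanner sends
    'non_ssh'   - anything else (HTTP probes, garbage, other scanners)
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.strip(b"\r\n").lower() == b"hi":
        return "noabot_hi"
    return "non_ssh"


def first_client_payloads(records):
    """Return {client_endpoint: first client-to-server payload}, one per connection.

    Only the first c2s packet matters: the identification string (or the bogus
    "hi") is the very first thing the client sends.
    """
    first = {}
    for src, _dst, direction, payload in records:
        if direction == "c2s" and src not in first:
            first[src] = payload
    return first


def flag_scanner_sources(records):
    """Return the sorted set of source IPs whose first payload was the "hi" marker."""
    hits = set()
    for endpoint, payload in first_client_payloads(records).items():
        if classify_first_payload(payload) == "noabot_hi":
            hits.add(endpoint.rsplit(":", 1)[0])
    return sorted(hits)


if __name__ == "__main__":
    for endpoint, payload in first_client_payloads(SAMPLE_RECORDS).items():
        print(f"{endpoint:22} {classify_first_payload(payload):10} {payload!r}")
    print("NoaBot-style scanner sources:", flag_scanner_sources(SAMPLE_RECORDS))
```

The same two-byte match is what a firewall or IDS content rule would encode; doing it in code over captured payloads makes the rule easy to validate against a pcap before deploying it, and the `non_ssh` bucket catches other non-SSH probes on the port without conflating them with NoaBot.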
Persistence Mechanisms and Backdoor Functionality
NoaBot introduces a persistence mechanism named "noa," which keeps the bot's access alive even if password-based authentication is later disabled: it adds an attacker-controlled key to the SSH authorized_keys file. Moreover, the bot acts as a backdoor, downloading additional binaries and creating a crontab entry so that it starts again after a system reboot.
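Both persistence artifacts are plain text files that an audit can parse. The script below is an added example, not Akamai's or this post's sources' code; it inspects constructed `authorized_keys` and crontab contents, flags keys whose comment field is the "noa" name reported above, and flags cron commands launching binaries outside trusted system paths. The `/tmp/.x/miner` path and the key material are placeholders invented for the example, not NoaBot indicators.

```python
# Constructed authorized_keys content; key data are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA000000000000000000000000 deploy@build01
no-pty,command="/usr/bin/uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA111111111111111111111111 monitor
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDERRSAKEYDATA noa
# trailing comment line
"""

# Constructed crontab; the /tmp path is an illustrative placeholder only.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/.x/miner -c /tmp/.x/cfg
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def audit_authorized_keys(text, suspicious_comments=("noa",)):
    """Return [(line_no, key_type, comment)] for keys whose comment is suspicious.

    Entry format is: [options] keytype base64-key [comment]. Options may
    precede the key type, so we locate the key type token rather than
    assuming it is first.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES):
                comment = " ".join(parts[i + 2:])
                if comment in suspicious_comments:
                    findings.append((n, tok, comment))
                break
    return findings


def audit_crontab(text, trusted_dirs=("/usr/", "/etc/", "/opt/", "/bin/", "/sbin/")):
    """Return [(line_no, command)] for cron entries whose executable lives
    outside the trusted directories (e.g. /tmp, /dev/shm, home directories)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            # Special schedules such as @reboot: "@reboot command..."
            _sched, _, cmd = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            cmd = fields[5]
        exe = cmd.split()[0] if cmd.strip() else ""
        if exe and not exe.startswith(trusted_dirs):
            findings.append((n, cmd.strip()))
    return findings


if __name__ == "__main__":
    for n, key_type, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"authorized_keys line {n}: {key_type} key with suspicious comment {comment!r}")
    for n, cmd in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {n}: command from untrusted path: {cmd}")
```

In practice the comment check is only a first pass, since an attacker can pick any comment; comparing each key's fingerprint against an inventory of issued keys is the durable control, and an `@reboot` entry pointing at a world-writable directory deserves attention regardless of the name it carries.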
Crypto Mining Server Attacks
NoaBot incorporates XMRig, a widely used open-source cryptocurrency mining program. The threat actors behind NoaBot have, however, made advanced modifications to XMRig, concealing and encrypting its configuration, particularly the IP address of the mining pool. Notably, the researchers speculate that the threat actors run a private pool, eliminating the need to specify a wallet and thereby maintaining control over the collected cryptocurrency.
P2PInfect Connection
The Akamai researchers have identified a potential connection between NoaBot’s creators and a custom version of P2PInfect, a self-replicating worm written in Rust. P2PInfect targets Redis servers, exploiting a Lua vulnerability.
While it remains unclear why the threat actors shifted from Mirai to P2PInfect, the researchers suggest that the use of custom code may indicate a desire for increased difficulty in reverse engineering.
Mirai NoaBot Protection Protocols
Cybersecurity for SSH servers is a critical aspect of safeguarding sensitive data and maintaining network integrity. Akamai’s team has proactively shared a list of indicators of compromise on their GitHub repository, along with YARA detection signatures tailored to identify NoaBot binaries.
In addition to using these resources, organizations are strongly advised to adopt standard SSH hardening practices: restrict SSH access to trusted IP addresses and require key-based authentication. Both are effective against dictionary attacks, since a guessed password is useless when passwords are not accepted at all.
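The hardening advice maps onto a handful of `sshd_config` directives. The following added example (written for this post, not taken from Akamai or the cited articles) places a weak configuration beside a hardened one and audits either against the defaults OpenSSH applies when a directive is absent, as documented in sshd_config(5). The `deploy` user and the 198.51.100.0/24 network in the hardened sample are placeholders; in a real deployment the firewall should enforce the source restriction as well, with `AllowUsers` as a second layer.

```python
# Constructed sshd_config excerpts: the weak settings and their hardened counterparts.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
# user@host form: only 'deploy' from this network (placeholder values)
AllowUsers deploy@198.51.100.0/24
"""

# Effective values when the directive is absent (OpenSSH sshd_config(5) defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for top-level directives.

    sshd honours the first occurrence of a directive; everything after a
    Match block applies conditionally and is out of scope for this check.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        cfg.setdefault(key, value.strip())
    return cfg


def check_hardening(text):
    """Return [(directive, effective_value, recommendation)] for weak settings."""
    cfg = parse_sshd_config(text)

    def effective(name):
        return cfg.get(name, DEFAULTS.get(name, ""))

    findings = []
    if effective("passwordauthentication").lower() != "no":
        findings.append(("PasswordAuthentication", effective("passwordauthentication"),
                         "set 'PasswordAuthentication no'; dictionary attacks then have nothing to guess"))
    if effective("permitrootlogin").lower() != "no":
        findings.append(("PermitRootLogin", effective("permitrootlogin"),
                         "set 'PermitRootLogin no' and log in as an unprivileged user"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers/AllowGroups", "(absent)",
                         "restrict logins to named users, optionally by source, e.g. 'AllowUsers deploy@198.51.100.0/24'"))
    try:
        tries = int(effective("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(("MaxAuthTries", str(tries), "lower to 3 to cut guesses per connection"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {label} ==")
        for directive, value, advice in check_hardening(text) or [("(none)", "", "no findings")]:
            print(f"{directive}: {value} -> {advice}")
```

Note that the weak sample never mentions `MaxAuthTries` yet is still flagged for it: auditing against the documented defaults, rather than only against what is written, is what catches the omissions that matter.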
Conclusion
As the cybersecurity landscape continues to evolve, Mirai NoaBot highlights the importance of proactive defense measures. By understanding the tactics such botnets employ and adopting best practices, organizations can fortify their systems against unauthorized access, data breaches, and potential disruption. Vigilance, continuous monitoring, and adherence to security protocols are paramount in guarding against the ever-adapting security risks to IoT devices and Linux servers alike.
Organizations must stay informed about emerging malicious activities in cryptocurrency mining and leverage the available resources for detection and prevention. In addition, they must also consider automated patching solutions to minimize downtime and ensure robust security protocols.
The sources for this piece include articles in The Hacker News and CSO.