CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool

A previously observed threat actor using an open-source network mapping tool has significantly expanded their operations, now infecting over 1,500 victims.

Sysdig, which is monitoring this cluster under the name CRYSTALRAY, reported a tenfold increase in activity. The actor is involved in mass scanning, exploiting multiple vulnerabilities, and installing backdoors using various open-source security tools.

The main goals of these attacks are to harvest and sell credentials, deploy cryptocurrency miners, and maintain persistence in victim environments. Most infections are found in the U.S., China, Singapore, Russia, France, Japan, and India.

Among the open-source programs used by the threat actor is SSH-Snake, released in January 2024. This tool enables automatic network traversal using SSH private keys discovered on systems.

Sysdig documented the abuse of SSH-Snake by CRYSTALRAY earlier in February, noting its use for lateral movement after exploiting known security flaws in public-facing Apache ActiveMQ and Atlassian Confluence instances.

Joshua Rogers, the developer behind SSH-Snake, told The Hacker News that the tool automates what would otherwise be manual steps and urged companies to identify and fix existing attack paths.
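The attack paths Rogers refers to are the ones SSH-Snake enumerates automatically: every private key on a compromised box, paired with every host that box already knows about. The audit below is an added example (not Sysdig's or SSH-Snake's code) that does the same enumeration defensively from a snapshot of a user's SSH artifacts, so a defender can see which hops exist before an attacker does. All paths and file contents are constructed sample data embedded inline; the only assumption is that the artifacts are supplied as a path-to-contents mapping.

```python
"""Enumerate the SSH lateral-movement paths a key-spraying tool would attempt:
every private key on disk paired with every host the system already knows.
Added example with constructed inline sample data; not Sysdig's or SSH-Snake's code."""
import re
from dataclasses import dataclass, field

# PEM header shared by OpenSSH, RSA, EC and PKCS#8 private keys (public keys do not match)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# "ssh [-i key] [user@]host" as it appears in a shell history
HISTORY_RE = re.compile(r"\bssh\s+(?:-i\s+(\S+)\s+)?(?:([\w.-]+)@)?((?!-)[\w.-]+)")


@dataclass
class Hop:
    host: str
    users: set = field(default_factory=set)     # remote accounts seen for this host
    keys: set = field(default_factory=set)      # keys explicitly tied to this host
    evidence: set = field(default_factory=set)  # artifacts that revealed the host


def find_private_keys(files):
    return sorted(p for p, c in files.items() if PEM_RE.search(c))


def parse_ssh_config(text):
    """Host blocks from an ssh_config; handles the 'Key value' form only."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "host":
            cur = {"hostname": val, "user": None, "identityfile": None}
            blocks.append(cur)
        elif cur is not None and key in cur:
            cur[key] = val
    return blocks


def parse_known_hosts(text):
    """Plain host names from known_hosts. Hashed entries (|1|...) are skipped
    because the host cannot be read back, which is what HashKnownHosts is for."""
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith("#") or line.startswith("|1|"):
            continue
        hostfield = parts[1] if parts[0].startswith("@") else parts[0]  # @cert-authority etc.
        for h in hostfield.split(","):
            hosts.add(h.strip("[]").split("]:")[0])  # "[host]:port" -> "host"
    return hosts


def map_attack_paths(files):
    """files: {absolute path: contents}. Returns (private_keys, {host: Hop})."""
    keys, hops = find_private_keys(files), {}
    hop = lambda host: hops.setdefault(host, Hop(host))
    for path, text in files.items():
        home = path.split("/.ssh/")[0] if "/.ssh/" in path else path.rsplit("/", 1)[0]
        local_user = home.rsplit("/", 1)[-1]  # ssh's default remote user
        name = path.rsplit("/", 1)[-1]
        if path.endswith("/.ssh/config"):
            for b in parse_ssh_config(text):
                if "*" in b["hostname"] or "?" in b["hostname"]:
                    continue  # wildcard blocks name no concrete target
                h = hop(b["hostname"])
                h.users.add(b["user"] or local_user)
                h.evidence.add("ssh_config")
                if b["identityfile"]:
                    h.keys.add(b["identityfile"].replace("~", home, 1))
        elif name == "known_hosts":
            for host in parse_known_hosts(text):
                hop(host).evidence.add("known_hosts")
        elif name in (".bash_history", ".zsh_history"):
            for key, user, host in HISTORY_RE.findall(text):
                h = hop(host)
                h.evidence.add("shell_history")
                if user:
                    h.users.add(user)
                if key:
                    h.keys.add(key.replace("~", home, 1))
    return keys, hops


def candidate_paths(files):
    """Every (key, user, host) triple a key-spraying tool would try: an explicit
    key when one is tied to the host, otherwise every key found on disk."""
    keys, hops = map_attack_paths(files)
    return [(key, user, h.host)
            for h in sorted(hops.values(), key=lambda x: x.host)
            for user in sorted(h.users or {"?"})
            for key in sorted(h.keys or set(keys))]


SAMPLE_FILES = {  # constructed sample data, not from any real host
    "/home/alice/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----\n",
    "/home/alice/.ssh/id_ed25519.pub": "ssh-ed25519 AAAAC3Nz... alice@build01\n",
    "/home/alice/.ssh/deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpA...\n-----END RSA PRIVATE KEY-----\n",
    "/home/alice/.ssh/config": ("Host db\n    HostName db01.internal\n    User postgres\n"
                                "    IdentityFile ~/.ssh/deploy_key\n\nHost bastion\n    HostName 10.0.0.5\n"
                                "Host *\n    ServerAliveInterval 60\n"),
    "/home/alice/.ssh/known_hosts": ("db01.internal,10.0.1.20 ssh-ed25519 AAAA...\n"
                                     "[git.internal]:2222 ssh-rsa AAAA...\n"
                                     "|1|salt...|hash... ssh-ed25519 AAAA...\n"),
    "/home/alice/.bash_history": "ls -la\nssh root@10.0.0.5\nssh -i ~/.ssh/deploy_key deploy@web02.internal\n",
}

if __name__ == "__main__":
    for key, user, host in candidate_paths(SAMPLE_FILES):
        print(f"{key} -> {user}@{host}")
```

The output is a list of candidate hops, not confirmed ones: whether a key actually opens a host can only be learned by trying it, which is the step SSH-Snake automates. Even so, the list is the thing to shrink. Every triple that survives is a key that should be passphrase-protected or removed, a host that should stop accepting it, or a stale config or history entry that should be cleaned up. Hashed known_hosts entries hide targets from this audit but not from an attacker who also has the shell history, so hashing alone is not a fix.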

Other tools employed by the attackers include asn, zmap, httpx, and nuclei: asn and zmap for target discovery, httpx to confirm which hosts expose live web services, and nuclei to scan those hosts for known vulnerabilities in services such as Apache ActiveMQ, Apache RocketMQ, Atlassian Confluence, Laravel, Metabase, Openfire, Oracle WebLogic Server, and Solr.

CRYSTALRAY also uses its initial access to conduct extensive credential discovery, going beyond server-to-server SSH movements. They maintain persistent access through the legitimate command-and-control (C2) framework Sliver and a reverse shell manager called Platypus.

To monetize infected assets, cryptocurrency miner payloads are deployed, utilizing victim resources for financial gain while eliminating competing miners on the machines.

“CRYSTALRAY can discover and extract credentials from vulnerable systems, selling them on black markets for thousands of dollars,” said Sysdig researcher Miguel Hernández. “The credentials sold cover various services, including Cloud Service Providers and SaaS email providers.”
