A new threat group known as Crystalray, discovered by researchers from Sysdig, has been targeting victims since February of this year. The group has already compromised over 1,500 victims, stealing credentials and installing crypto-miners on their systems.
Crystalray uses the SSH-Snake worm to steal SSH keys from compromised servers and spread through victims' networks. The group performs mass scanning, using services such as Shodan to identify vulnerable hosts, and plants backdoors on the systems it breaches. Its toolset includes zmap, asn, httpx, Nuclei, Platypus and SSH-Snake.
Crystalray's primary objectives are to steal and sell credentials, install crypto-mining software and maintain persistent access to victims' systems. The group relies on modified exploits and tools such as the Sliver C2 framework in its operations.
Crystalray actively exploits vulnerabilities such as CVE-2022-44877 in Control Web Panel (CWP), CVE-2021-3129 in Laravel, and CVE-2019-18394 in Ignite Realtime Openfire. Sysdig also reports that Atlassian Confluence deployments may be at risk, based on exploitation attempts observed against 1,800 IP addresses.
The group uses the Platypus web-based manager to handle multiple reverse shell sessions on compromised systems. SSH-Snake remains its critical tool for spreading malware through compromised networks.
After gaining access over SSH, the SSH-Snake worm copies itself to each newly reached host and sends the harvested keys and host data back to the attackers' C2 server for further exploitation. Crystalray has been selling stolen credentials on the darknet and Telegram, and earns approximately $200 per month from crypto-mining.
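The propagation pattern described above, a foothold logging in to many hosts with harvested keys and each newly reached host immediately logging in onward, leaves a recognisable trace in centralised sshd logs. The following Python script is an added example for defenders; it is not Sysdig's code nor anything from the Crystalray toolset. It runs over constructed syslog-style "Accepted publickey" lines and a hypothetical host-to-IP inventory, and flags two things: fan-out (one source address authenticating to several distinct hosts within a short window) and chained logins (a host that was just logged into becoming the source of the next login within that window). Thresholds and window length are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines, as a central log collector would receive them.
# Hostnames, addresses and fingerprints are invented for this example.
LOG_LINES = [
    "Jul 10 09:30:00 bastion sshd[811]: Accepted password for alice from 192.168.1.10 port 40212 ssh2",
    "Jul 10 12:00:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2: ED25519 SHA256:constructed1",
    "Jul 10 12:00:15 web02 sshd[1240]: Accepted publickey for deploy from 10.0.1.5 port 51240 ssh2: ED25519 SHA256:constructed1",
    "Jul 10 12:00:40 db01 sshd[2201]: Accepted publickey for root from 10.0.1.5 port 51260 ssh2: RSA SHA256:constructed2",
    "Jul 10 12:01:05 db01 sshd[2210]: Accepted publickey for root from 10.0.1.20 port 38844 ssh2: RSA SHA256:constructed2",
    "Jul 10 12:01:30 db01 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 55000 ssh2",
]

# Hypothetical inventory mapping hostname -> primary IP; needed to recognise
# that a login *from* 10.0.1.20 originates on web01.
INVENTORY = {"bastion": "10.0.1.5", "web01": "10.0.1.20", "web02": "10.0.1.21", "db01": "10.0.1.30"}

# Only successful authentications matter for propagation; failures are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)


def parse(lines, year=2024):
    """Parse 'Accepted' lines into dicts sorted by timestamp (syslog lacks a year, so one is assumed)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"]})
    return sorted(events, key=lambda e: e["ts"])


def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Return {src_ip: [hosts]} for sources that reach >= threshold distinct hosts within one window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):  # slide the window over this source's logins
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                flagged[src] = sorted(hosts)
                break
    return flagged


def login_chains(events, inventory, window=timedelta(minutes=10)):
    """Return (origin_src, intermediate_host, next_host) triples where a host that was
    logged into becomes the source of another login within the window."""
    ip_to_host = {ip: host for host, ip in inventory.items()}
    chains = []
    for i, e in enumerate(events):
        hop = ip_to_host.get(e["src"])
        if hop is None:
            continue
        # events is time-sorted, so events[:i] are the earlier logins
        for e0 in events[:i]:
            if e0["host"] == hop and e["ts"] - e0["ts"] <= window:
                chains.append((e0["src"], hop, e["host"]))
                break
    return chains


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    for src, hosts in fan_out(evs).items():
        print(f"fan-out: {src} authenticated to {len(hosts)} hosts in 10 min: {', '.join(hosts)}")
    for origin, hop, nxt in login_chains(evs, INVENTORY):
        print(f"chain: {origin} -> {hop} -> {nxt}")
```

On the constructed input the script reports one fan-out source (10.0.1.5 reaching web01, web02 and db01 in under a minute) and one chain (10.0.1.5 -> web01 -> db01). The bastion login at 09:30 from 192.168.1.10 falls outside the window and is not reported, which is the point of the window: legitimate bastion hops are frequent, and the signal is the tight timing and the key reuse across hosts.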
Following a recent configuration change in April, the group's current income is unknown. To counter the growing threat posed by Crystalray, organizations should minimize their attack surface by promptly applying security updates for the disclosed vulnerabilities.