In a report released yesterday by TrapX Security, researchers warn that manufacturers dependent on IoT devices are targets in a new global campaign leveraging the Lemon Duck variant.
Criminals behind the wave of attacks are singling out IoT gear in hopes of enlisting them into a “slave army” of crypto-mining devices focused on generating Monero coins via the XMRig mining tool. Researchers warn that the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss.
The campaign is similar to a Lemon Duck campaign that was found in October; in this campaign, however, the malware is being used to intentionally target and cause harm to large manufacturers.
The 26-page report by TrapX Research Labs cites a number of 2019 attacks against three large global manufacturers. The common thread is the use of Lemon Duck malware and the presence of Windows 7 in embedded or associated systems. Windows 7, which TrapX estimates is still used by 200 million devices, no longer receives security updates from Microsoft as of 14 January 2020.
In each of the case studies outlined by researchers, weaknesses in Windows 7 were used by adversaries as the point of entry. Attackers used the EternalBlue exploits against unpatched vulnerabilities in Microsoft’s implementation of the Server Message Block (SMB) protocol in the operating system. In addition, researchers said attackers launched SQL injection attacks against vulnerabilities in the MySQL database application.
“The malware sample intercepted and analysed by TrapX is part of the Lemon Duck sample family running on a double-click action or through persistence mechanisms,” wrote researchers. “First, the malware scanned the network for potential targets, including those with SMB ([port] 445) or MSSQL ([port] 1433) services open. Once finding a potential target, the malware ran multiple threads with multiple functionalities.”
One of those functions includes brute-force password attacks to crack open services and further download and spread malware via SMB or MSSQL. Another included the “running of invoke-mimikatz via import-module to obtain NTLM hashes and gain access for the further download and spread of malware via SMB.”
Researchers said the Lemon Duck malware persisted on infected systems via scheduled tasks, which included PowerShell scripts that invoked additional Lemon Duck PowerShell scripts, which in turn installed the Monero miners (XMRig).
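As an added example (not code from the TrapX report), the following Python hunt applies the behaviours described above to constructed, Sysmon-style telemetry: PowerShell launches referencing invoke-mimikatz or XMRig, scheduled tasks whose action starts PowerShell, and hosts fanning out to ports 445 and 1433. The event schema, host names and task name are assumptions.

```python
"""Hunt constructed endpoint telemetry for the Lemon Duck behaviours described in the report."""
import re
from collections import defaultdict

# Command-line markers taken from the report: mimikatz invoked from PowerShell, and the XMRig miner.
# Import-Module alone is too common in legitimate administration to flag on its own.
SUSPICIOUS_CMDLINE = re.compile(r"invoke-mimikatz|xmrig", re.I)
SCAN_PORTS = {445, 1433}   # SMB and MSSQL, the services Lemon Duck probes for
SCAN_THRESHOLD = 5         # distinct (dst, port) pairs before a host counts as scanning (assumed)

def analyse(events):
    """events: iterable of dicts (constructed, Sysmon-like). Returns a sorted list of (host, finding)."""
    findings = set()
    scan_targets = defaultdict(set)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_create":
            # Credential theft / miner: PowerShell process with a known marker on its command line
            match = SUSPICIOUS_CMDLINE.search(ev.get("cmdline", ""))
            if match and "powershell" in ev.get("image", "").lower():
                findings.add((host, "powershell:" + match.group(0).lower()))
        elif kind == "task_create":
            # Persistence: a scheduled task whose action launches PowerShell
            if "powershell" in ev.get("action", "").lower():
                findings.add((host, "schtask_powershell:" + ev["task"]))
        elif kind == "net_connect" and ev["dport"] in SCAN_PORTS:
            # Lateral movement: collect distinct SMB/MSSQL targets per source host
            scan_targets[host].add((ev["dst"], ev["dport"]))
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.add((host, f"lateral_scan:{len(targets)}_targets"))
    return sorted(findings)

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry for illustration; not indicators from the report
    {"host": "hmi-07", "type": "process_create", "image": PS_EXE,
     "cmdline": r"powershell -ep bypass -c Import-Module .\inv.ps1; Invoke-Mimikatz"},
    {"host": "hmi-07", "type": "task_create", "task": r"\Microsoft\Windows\Maintenance\Updater",
     "action": "powershell.exe -w hidden -ep bypass -File C:\\Users\\Public\\u.ps1"},
    {"host": "hmi-07", "type": "net_connect", "dst": "10.0.0.21", "dport": 445},
    {"host": "hmi-07", "type": "net_connect", "dst": "10.0.0.22", "dport": 445},
    {"host": "hmi-07", "type": "net_connect", "dst": "10.0.0.23", "dport": 1433},
    {"host": "hmi-07", "type": "net_connect", "dst": "10.0.0.24", "dport": 445},
    {"host": "hmi-07", "type": "net_connect", "dst": "10.0.0.25", "dport": 1433},
    # Benign host: scheduled backup via robocopy, one file-share connection, ordinary PowerShell use
    {"host": "eng-02", "type": "process_create", "image": PS_EXE,
     "cmdline": r"powershell -File C:\ops\backup.ps1"},
    {"host": "eng-02", "type": "task_create", "task": r"\Backup", "action": r"C:\Windows\System32\robocopy.exe"},
    {"host": "eng-02", "type": "net_connect", "dst": "10.0.0.5", "dport": 445},
]

if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_EVENTS):
        print(f"{host}\t{finding}")
```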
It’s for good reason that attackers have focused on Windows 7 machines. Researchers said that attacks leveled against Windows 10 machines have consistently been thwarted by basic system defences.
“The malware would be quarantined on a Windows 10 system with Windows Defender Virus & Threat protection activated, even if the malware successfully copied itself to the system,” researchers said. “In contrast, the malware stayed and ran on an infected Windows 7 system even with Windows Defender activated.”
Mitigation spelled out by TrapX involves enforcing a strong password policy across all networks and subsystems, keeping systems patched, and exercising hypervigilance when it comes to managing network shares and disabling anonymous logins. Researchers also highly recommend ending reliance on Windows 7.