A series of cryptocurrency mining malware discoveries swept through Europe last week. The incidents were significant as they appeared to target supercomputers dotted around the continent. According to a ZDNet report published this weekend, there are indications that the Monero (XMR) mining malware was planted across Europe by the same threat actor.
This time last week the University of Edinburgh's Archer supercomputer was shut down for sysadmins to investigate it and reset SSH passwords. On the same day, five bwHPC supercomputers in Germany closed due to similar incidents. Wednesday saw a similar supercomputer hacking story unravel in Barcelona. On Thursday similar incidents were noted in Bavaria, Dresden, and Jülich, Germany. Saturday brought more investigations, shutdowns and cleanup operations in Munich, Germany and Zurich, Switzerland.
European investigative and research body, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), released malware samples and network compromise indicators for some of the incidents noted above. These have since been reviewed by other security researchers, and it appears that the attackers gained access to the supercomputers via compromised SSH credentials. The credentials were observed to belong to universities in Canada, China, and Poland.
Cado Security told ZDNet the attacker(s) appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.
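The attack path described above starts with legitimate SSH credentials being reused from machines the real owner never logs in from. One cheap defensive check a site can run over its own sshd logs is to look for a single account that was accepted from several distinct source addresses within a short window. The script below is an added illustration written for this article, not code from HEXUS, ZDNet, Cado Security or EGI CSIRT; the log lines are constructed (RFC 5737 test addresses, made-up usernames and PIDs), the log format assumed is the standard OpenSSH "Accepted ... for ... from ..." syslog line, and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from any real incident). The account
# "hpc_guest" is accepted from three unrelated networks inside one morning,
# which is the credential-sharing pattern described in the article.
SAMPLE_LOG = """\
May 11 08:01:12 login1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2: RSA SHA256:abc
May 11 08:05:40 login1 sshd[2150]: Accepted password for hpc_guest from 198.51.100.7 port 40212 ssh2
May 11 08:06:03 login1 sshd[2162]: Failed password for root from 203.0.113.9 port 33001 ssh2
May 11 09:12:55 login1 sshd[2300]: Accepted password for hpc_guest from 203.0.113.44 port 38820 ssh2
May 11 10:47:19 login1 sshd[2410]: Accepted password for hpc_guest from 192.0.2.200 port 52110 ssh2
May 11 11:02:30 login1 sshd[2488]: Accepted publickey for alice from 192.0.2.10 port 51080 ssh2: RSA SHA256:abc
"""

# Matches the OpenSSH "Accepted <method> for <user> from <ip> port <n>" line
# in classic syslog layout (month day time host sshd[pid]: ...).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_logins(text, year=2020):
    """Return a list of (timestamp, user, source_ip, auth_method) for every
    successful login. Failed attempts are ignored; syslog lines carry no
    year, so the caller supplies one (assumption: all lines are from that year)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["method"]))
    return events


def find_shared_credentials(events, max_ips=1, window_hours=24):
    """Flag accounts accepted from more than `max_ips` distinct source
    addresses within any sliding window of `window_hours`. Returns
    {user: sorted list of all source IPs seen for that user}."""
    by_user = defaultdict(list)
    for ts, user, ip, _method in events:
        by_user[user].append((ts, ip))

    window = timedelta(hours=window_hours)
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts_i, _ip) in enumerate(logins):
            # Distinct addresses seen in the window ending at this login.
            recent_ips = {ip for ts, ip in logins[: i + 1] if ts_i - ts <= window}
            if len(recent_ips) > max_ips:
                flagged[user] = sorted({ip for _ts, ip in logins})
                break
    return flagged


if __name__ == "__main__":
    events = parse_accepted_logins(SAMPLE_LOG)
    for user, ips in find_shared_credentials(events).items():
        print(f"{user}: accepted from {len(ips)} addresses {ips} -> review/rotate credential")
```

Run against real `/var/log/auth.log` or `journalctl -u sshd` output, the same two functions work unchanged; the thing to tune is `max_ips` for accounts that legitimately roam (raise it) versus shared project accounts (keep it at 1). Note that this check only covers the credential-reuse stage; the subsequent root escalation and miner deployment need host-level monitoring (unexpected kernel-module or SUID activity, sustained CPU from unknown processes) that a login log cannot show.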
We don't know how much XMR the hackers might have gained from their crypto-mining malware, but many of the organisations where the supercomputers are situated were prioritising research on the Covid-19 outbreak, says the ZDNet report. These are the first reported incidents of third-party hackers installing cryptocurrency miners on a supercomputer; previously reported incidents have always been of an internal nature, usually an employee trying to earn a five-finger bonus.
Researchers are investigating similar supercomputer compromises in the US.
HEXUS recently wrote about the UK's upcoming Archer 2 supercomputer, featuring 12,000 AMD Epyc Rome CPUs.