Eight Australian web hosting providers have been compromised in a malware attack that took place in 2018, according to a report from the Australian Cyber Security Centre (ACSC).
Hackers used vulnerabilities within web applications to get access to web servers before installing the malware, which had "password stealing tools" and the Gh0st remote access tool (RAT).
Gh0st is a fully featured RAT that provides functionality such as key logging, web cam and microphone streaming, file upload and download as well as providing full remote control of a host.
Following an analysis of the web logs from compromised hosts, the ACSC found that the hacker used a web browser to manually interact with websites to find vulnerabilities.
Once identified, the vulnerability was manually exploited to create a web shell on the server. The hacker then switched from using a web browser to using a controller to perform future interactions with the web shell.
In one incident, the Gh0st dropper was detected by the anti-virus software in use at the affected web hosting company and was quarantined.
According to the report, the hacker then disconnected from the compromised environment only to return several hours later and deploy a new instance of the dropper which evaded the victim’s anti-virus.
"When executed, the Gh0st dropper creates a Windows executable with a .gif extension in a legitimate Windows directory then registers a new service to execute the dropped file on start-up," stated the report. "Every execution of the dropper results in a binary with a different hash being generated which causes hash-based detection to be ineffective."
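Because the dropped file carries a misleading extension and a different hash on every run, a defender's check has to look at file content rather than name or hash. The following is an added example, not code from the ACSC report: it walks a directory tree for files named `.gif` whose leading bytes are a Windows PE header, and separately flags service ImagePath entries that point at a `.gif` binary. Directory names, service names and file contents are constructed for the demo.

```python
import os
import tempfile
# A real GIF begins with "GIF87a"/"GIF89a"; a Windows PE begins with "MZ". Name and hash mislead; bytes do not.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PE_MAGIC = b"MZ"

def classify_file(path):
    """Return 'pe', 'gif' or 'other' from the file's leading bytes, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(6)
    if head.startswith(PE_MAGIC):
        return "pe"
    return "gif" if head.startswith(GIF_MAGIC) else "other"

def find_masquerading_pe(root, ext=".gif"):
    """Walk `root` and list files carrying `ext` whose content is really a PE executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            full = os.path.join(dirpath, name)
            try:
                if classify_file(full) == "pe":
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
    return sorted(hits)

def services_with_image_ext(image_paths, ext=".gif"):
    """From {service_name: ImagePath} keep services whose binary path ends in `ext`."""
    flagged = {}
    for svc, image in image_paths.items():
        image = image.strip()  # ImagePath may be quoted and carry arguments
        quoted = image.startswith('"')
        binary = (image[1:].split('"', 1) if quoted else image.split(None, 1) or [""])[0]
        if binary.lower().endswith(ext):
            flagged[svc] = binary
    return flagged

def build_sample_tree():
    """Constructed samples (not artefacts from the report): a PE stub named .gif plus a genuine GIF."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "System32"))
    with open(os.path.join(root, "System32", "update.gif"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)  # made-up PE header stub, not real malware
    with open(os.path.join(root, "logo.gif"), "wb") as f:
        f.write(b"GIF89a" + b"\x00" * 10)
    return root
```

On a live host the same two functions would be pointed at the real Windows directories and at the ImagePath values read from the Services registry hive.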
The ACSC report also found that two of the compromised hosts contained evidence of the hacker deploying software to add the hosting server itself into a Monero mining pool – a way for miners to pool their resources together and share their hashing power while splitting the reward equally.
As a result, it is believed the hacker received a payment of $28,00 a day.
Based on the hashing power observed, the ACSC believes the hacker has a Monero miner installed on between 13 and 38 machines.
The hacker is also believed to have modified other sites on hosting providers to boost SEO rankings or to redirect legitimate traffic to sites selling illegitimate products.
The ACSC investigation observed that hosting providers were running older versions of Microsoft operating systems, for example Windows Server 2008, which will become unsupported by Microsoft on 7 October 2018.
"The access was exclusively used to conduct criminal activity on the network and customer websites, using the reputation of these legitimate sites to add validity to their activities," said Alastair MacGibbon, head of the ACSC.
"The ACSC advised the Australian hosting providers to conduct a risk assessment and consider whether there was a reporting requirement under the Notifiable Data Breaches (NDB) Scheme.
"This cyber-criminal activity was detected by the ACSC working with a diverse range of information sources, including industry, government departments, law enforcement and information security bodies (both domestic and international)," MacGibbon added.
The ACSC suggested mitigation strategies to customers and the hosting providers.