GitLab servers are under attack with a now-patched critical vulnerabilityEarlier this week we investigated an incident that occurred on a new Intezer Protect user’s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit shellcode named gitlab.elf, which occurred a few days prior to the installation of the sensor. Several hours later another alert was triggered, this time upon the execution of an XMRig Miner. The malware was also executed several days before Intezer Protect was installed. We notified the user and began our own investigation with the goal of understanding how the attacker got into the system and what the scope of the incident was. Consistent with our findings, news broke later that day that attackers were exploiting a GitLab unauthenticated remote code execution (RCE) vulnerability. In this post we describe the investigation process conducted by Intezer’s research and engineering teams using the Intezer Protect runtime security sensor installed on the victim’s host.
• To make sure you have not been compromised use Intezer Protect for free on up to 10 hosts protect.intezer.com
The IncidentThe individual was a new Intezer Protect user who had just installed the Intezer Protect sensor on a CentOS host. Immediately after the install, an initial scan was performed and Intezer Protect identified a running shellcode inside a container on the user’s host. The alert presented important information about the execution of the process including the process tree, execution path, details about the user’s host, and the files containing malware. Using this information, we were able to get more details about the malicious process:
- The process was executed inside a container based on a gitlab/gitlab-ce:12.10.10-ce.0 Docker image
- The path and filename of the malicious process is /var/opt/gitlab/gitlab-workhorse/gitlab.elf
- EUID of the process is 998
- The process connected to 172.96.190[.]95:904
- The alert also links to Intezer Analyze, which identifies the shellcode as a metasploit.
- The scripts install an XMRig Miner and implement persistence by creating a systemd service while adding the malware to a .profile file in the user’s home folder.
- Another wallet ID is used in this script: 44wrH5Y3VXn577ZJHAJwZG8pLMNQXURsGKnNfbwUNmv3fJdHcedednZSna9hbFU5ojBkF83beV5CJYnqh9jnZNNdTJ4oXor
- The script removes previously installed cryptominers.
- The script tries to remove the malware that is executed in this attack but it doesn’t seem to work.
- The installation command, Install XMRig miner, is copied from the pool’s setup documentation page, shown in the image below.
- The wallet ID used by the attacker is 45P62r6YsHWagiRZ6K5tGeKPy2tFFwfYvdfatsKHCC7wATRrsKqqSFySocLVtrKFzYj1RzYu2mSD9HXBofYusbfdAiSCkvM
Looking Inside the WalletsWe were able to view the status of the wallets in the pool’s dashboard. Each wallet was using hundreds of workers at the time of this post. The images below show details of the wallets including their hash rates and activity of the cryptominers.
Threat Detection and ResponseAttackers are constantly searching for internet-facing instances and applications that are vulnerable, misconfigured, or have weak credentials. Users should always install the latest security updates, patch their systems, avoid exposing applications to the internet when they can, and enforce multi-factor authentication. While it’s important to implement all the right security policies and to keep systems up to date, zero-days are bound to happen. Runtime protection solutions like Intezer Protect come in handy for detecting when the attacker has already compromised the environment and launched malware.
• Intezer Protect provides runtime code visibility, threat detection, and response capabilities for cloud and data centers, without the performance overhead of installing an Antivirus or EDR. Try it for free on up to 10 hosts to stop suspicious commands, cryptominers, ransomware and other destructive attacks.This post was a joint effort between Intezer’s research and engineering teams. Special thanks to Adir Shemesh.