Full Report
On 2024-01-18, a campaign attributed to the Mimo operator was reported. The operator gained initial access by exploiting 1-day vulnerabilities in VMware Horizon, Confluence Server, WSO2, Apache ActiveMQ and PaperCut, with the goals of resource hijacking and ransomware operations (RansomOp). The following tools were observed: Mimo, NHAS reverse_ssh, XMRig, Mimus, Peer2Profit.
Analysis Summary
# Incident Report: Mimo Cryptomining Campaign Targeting Public-Facing Servers
## Executive Summary
A widespread attack campaign, attributed to the "Mimo operator," was reported on January 18, 2024. The operator exploited 1-day vulnerabilities (publicly disclosed flaws for which a patch exists but had not yet been applied by the target) in internet-facing enterprise applications to gain initial access. The primary impact was **Resource Hijacking** (cryptocurrency mining and bandwidth theft), combined with ransomware operations (**RansomOp**). The campaign compromised systems running VMware Horizon, Confluence Server, WSO2, Apache ActiveMQ and PaperCut, deploying cryptominers, a reverse-SSH backdoor and ransomware.
## Incident Details
- **Discovery Date:** 2024-01-18 (Date campaign was reported)
- **Incident Date:** Campaign active around or prior to 2024-01-18
- **Affected Organization:** Multiple, targeting organizations using vulnerable software.
- **Sector:** Unspecified (Broad targeting based on software)
- **Geography:** Unspecified
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Prior to 2024-01-18)
- **Vector:** Exploitation of **1-day vulnerabilities** in public-facing application servers (MITRE ATT&CK T1190, Exploit Public-Facing Application).
- **Details:** Attackers targeted known, already-patched vulnerabilities in VMware Horizon, Confluence Server, WSO2, Apache ActiveMQ and PaperCut to gain an initial foothold. The source does not name the specific CVEs exploited.
### Command and Control / Lateral Movement
- **Details:** **NHAS reverse\_ssh** is a reverse-connection SSH implant: the client on the compromised host connects outbound to an operator-controlled server, and the operator then obtains an interactive shell and port forwarding over that tunnel without needing any inbound firewall exception. Its deployment provides persistent command and control; it could also be used to pivot to other internal hosts through the forwarded ports, but the source does not describe lateral movement explicitly.
### Data Exfiltration/Impact
- **Details:** The primary impact was **Resource Hijacking**: cryptocurrency mining with XMRig, and the installation of Peer2Profit, a bandwidth-sharing (proxyware) client that monetizes the victim's network bandwidth (proxyjacking). **RansomOp** activity was also observed, which implies data encryption or extortion attempts alongside the resource theft; the Mimus tool listed in the source is the ransomware component associated with this operator.
### Detection & Response
- **Details:** The campaign was identified through threat intelligence reporting and monitoring of activity attributed to the Mimo operator. Specific response actions by affected organizations are not detailed in the source, so the response sections below are inferred from the public reporting of the campaign.
## Attack Methodology
| MITRE ATT&CK Tactic | Method/Tool Used |
| :--- | :--- |
| **Initial Access** | Exploitation of **1-day vulnerabilities** in public-facing VMware Horizon, Confluence Server, WSO2, Apache ActiveMQ and PaperCut (T1190). |
| **Persistence** | **NHAS reverse\_ssh** implant maintaining an outbound tunnel to the operator's server; other persistence mechanisms are not detailed. |
| **Privilege Escalation** | Not detailed. Mining and file encryption run with the privileges of the exploited service account unless escalated. |
| **Defense Evasion** | Not detailed. |
| **Credential Access** | Not detailed. |
| **Discovery** | Not detailed. |
| **Lateral Movement** | Not detailed; reverse\_ssh port forwarding could enable pivoting, but this is not described in the source. |
| **Command and Control** | **NHAS reverse\_ssh** outbound SSH tunnel to an operator-controlled server. |
| **Collection** | Not detailed. |
| **Exfiltration** | Not detailed. |
| **Impact** | **Resource Hijacking** (T1496): cryptomining with **XMRig** and bandwidth theft via **Peer2Profit** proxyware. **RansomOp**: data encryption for impact (T1486) via the **Mimus** ransomware. |
## Impact Assessment
- **Financial:** Significant due to resource consumption (CPU cycles for mining, bandwidth sold through Peer2Profit, and the associated cloud or power costs) and the costs of RansomOp remediation.
- **Data Breach:** Potential unauthorized access to systems hosting Confluence/WSO2/PaperCut data, though specific data types are not documented.
- **Operational:** Disruption caused by system resource saturation due to cryptomining activities and potential operational downtime due to RansomOp events.
- **Reputational:** Unspecified, dependent on the targeted organizations.
## Indicators of Compromise
*Note: The source provides indicators only as the tools observed in the campaign, not as file hashes, domains or IP addresses.*
- **Network Indicators:** Unexpected outbound SSH sessions originating from application servers (NHAS reverse\_ssh connects out to the operator's server); connections from application hosts to cryptocurrency mining pools (XMRig uses stratum over TCP/TLS).
- **File Indicators:** Binaries and scripts associated with **XMRig**, the **Mimo** miner deployment, **Mimus** and **Peer2Profit**. No hashes are given in the source.
- **Behavioral Indicators:** Sustained high CPU utilization on application servers indicative of cryptomining; unusual SSH processes or reverse tunnels started by application service accounts (for example, the Confluence or ActiveMQ user); unexpected proxyware processes.
## Response Actions
*(Since this is a summary of a reported campaign, detailed response actions by a victim organization cannot be provided. The following are general steps required for such incidents based on the observed impact):*
- **Containment:** Immediate isolation of affected servers (VMware Horizon, Confluence, WSO2, ActiveMQ, PaperCut); blocking outbound SSH and mining-pool traffic from those hosts to cut the reverse\_ssh and XMRig connections; disabling external access to vulnerable services until patched.
- **Eradication:** Removal of all observed tools: Mimo, NHAS reverse\_ssh, XMRig, Mimus, Peer2Profit. Because reverse\_ssh gives the operator an interactive shell, assume additional changes were made (cron jobs, authorized SSH keys, new accounts) and prefer rebuilding from a known-good image over cleaning in place. Apply patches for the exploited 1-day vulnerabilities across all systems, not only those known to be compromised.
- **Recovery:** Restore service availability only after confirming complete eradication and verifying system integrity, especially with respect to remnants of the RansomOp activity; restore encrypted data from offline backups rather than paying.
## Lessons Learned
- **Patching Cadence:** The campaign depends entirely on **1-day vulnerabilities**, meaning patches already existed for every entry point used. This emphasizes the need for immediate patching upon disclosure, especially for internet-facing services.
- **Asset Visibility:** A clear inventory of vulnerable technologies (VMware Horizon, Confluence, PaperCut) is essential for prioritizing response.
- **Resource Monitoring:** Enhanced monitoring for abnormal system resource consumption (CPU/GPU) is vital for early detection of cryptojacking activity.
## Recommendations
- **Vulnerability Management:** Patch 1-day vulnerabilities in internet-facing software within 24-48 hours of disclosure; where no patch exists yet, apply vendor mitigations or take the service off the internet until one does.
- **Security Hardening:** Review configurations for all high-value services (WSO2, Confluence) to ensure least privilege and restrict execution capability for external users.
- **Endpoint Detection:** Deploy behavioral monitoring capable of detecting the deployment and execution of common mining software (XMRig) and unauthorized tunneling tools (reverse\_ssh).