Supercomputers Breached Across Europe To Mine Cryptocurrency (zdnet.com) 43
An anonymous reader quotes ZDNet: Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions. Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumored to have also happened at a high-performance computing center located in Spain.
Cado Security, a US-based cyber-security firm, said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials... Once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero cryptocurrency.
Cado Security, a US-based cyber-security firm, said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials... Once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero cryptocurrency.
I have to admit (Score:3, Interesting)
That's pretty badass. I wonder how much they mined before they were shut down.
Re: (Score:1)
One of the computers affected is at the University of Edinburgh called “Archer”.
The ARCHER facility is based around a Cray XC30 supercomputer, with 4,920 nodes, each node containing two 2.7 GHz, 12-core E5-2697 v2 (Ivy Bridge) series processors with 64GB of memory
At zero load the compute nodes on ARCHER draw approximately 400 kW of power and at full load they draw approximately 1200 kW of power.
Nice!!
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
when they and their electricity is free they can, 10K of graphics card based hardware you can't afford to buy nor run, or free supercomputer, take your pick.
Re: I have to admit (Score:2)
ARCHER is a pure CPU machine
Re: (Score:2)
Doesn't matter all that much, when things like this happen, it becomes ammunition for countries to ban it which starts a death spiral.
Re: (Score:2)
And for most people it wouldn't make any difference if Bitcoin, Monero and other electronic currencies are banned since those are mostly used by criminals or questionable activities anyway.
Re: (Score:2)
Doesn't matter all that much, when things like this happen, it becomes ammunition for countries to ban it which starts a death spiral.
What are you talking about? Are you under the impression that cryptomining malware is new? What makes this university's computer getting hacked any different than any other company?
Re: (Score:3)
Ban what? A unit of measure that has no real value other than consuming vast amounts of electricity and facilitates global criminal activity like that mentioned in the article?
Wake me up when cryptocurrency finally dries up and blows away.
Seriously? (Score:2)
Supercomputers ... ?
<facepalm>
Re: (Score:1)
It's better than Batcomputers.
No suprises here. (Score:5, Insightful)
Scientists administering their computer systems themselves tend to reliably produce this result.
Nobody wants to be bothered by security, so short passwords, everyone loves to login from everywhere, so no mandatory keys or VPN, everyone loves to be able to transfer that odd terabyte of root files, recompile the 30m lines MC simulation or rerun parts of that DFT calculation on the cluster over any network at any time, etc. They like it open.
So they open all sorts of backdoors on purpose, and I'm not even mentioning the trillion badly misconfigured services that are also running - by defaults, ignorance and by "let's get this up by yesterday night" approach.
And then some people sneak in and share the processor time.
Amazingly, there are very few problems - nobody is really interested in what the scientists actually produce and run. There are no user data to steal, the datasets are enormous and meaningless to people outside of the project, and the scientific code is so bad, copious and boring that no hacker is interested in it.
So it is a stable equilibrium, which works well with an occasional cleanup.
Re: (Score:2)
>> So it is a stable equilibrium, which works well with an occasional cleanup.
You have no idea how loudly I laughed at that line
then I thought how good that line would be with Hitchhikers guild to the galaxy.
Re: (Score:1)
Re: (Score:2)
rofl
thank you
Re:No suprises here. (Score:5, Interesting)
I used to BOFH back in the 90s for a few years. I now do science and because of that past experience, I'm occasionally asked for assistance or advice after a breach, so I've seen quite a few coinminer operations on scientific systems of various sizes.
The most endearing one was one a small cluster, where intruders had fought for dominance and one group had won over. They apparently ran their own maintenance - cleaned up the competition, updated and patched shit regularly, set limits on the science computation jobs so that they would run - slow and not block the mining - but not cause alarm, etc. Really good housekeepers, too bad the university won't allocate a budget to hire them, and instead has to rely on things like the cooperation and the outdated knowledge and skills of a random old fart like myself.
Most miners aren't like that - they take over, kill everything, run the machines at max and get caught quickly by the whine of the jet turbines that do the cooling these days.
Maybe I'll read the postmortems on these systems when I have time, always like to try and find something inventive and exciting in the work of those hackers.
Re: (Score:2, Interesting)
Re: (Score:3)
Yep, just like that.
I also wager that there has always been a background level of compromises against HPC systems but they've been ignored. Security is not generally the greatest at some of the most notorious sites, so it's not a difficult challenge, but the industry hasn't had any big problems so they haven't been driving to change.
This is almost certainly going to change all that, and make things more secure in the long run.
Re: (Score:2)
FTFY
Re: (Score:3)
Yes, I am also guilty of that particular sin, and in a perfect world I would not bother either.
But the real world is not as nice and simple as a spherical cow in a vacuum, and unfortunately you have to take that into account when you set up your system, and budget for some basic housekeeping too.
Re:No suprises here. (Score:4, Interesting)
Scientists administering their computer systems themselves tend to reliably produce this result.
Back in 2009 my friend needed to do a ton of calculations for his PhD in molecular biology. Unfortunately, he didn't have resources to do that. Instead he scanned the Internet for open Hadoop servers and found quite a few of them, so he was able to run his workloads quite comfortably there.
Of course, this was long before the cryptoshit scourge.
Re: (Score:3)
So users getting compromised and having their accounts used for crypto mining would be a fairly typical thing resulting in an account being disabled.
This involved a privilege escalation attack through them running downlevel kernels, so the attackers assumed root priviliges and messed with things. This is why they have shut down (and in fact I have heard generally deleting everything and reinstalling across all the servers).
Re:No suprises here. (Score:4, Interesting)
Scientists administering their computer systems themselves tend to reliably produce this result.
Nobody wants to be bothered by security, so short passwords, everyone loves to login from everywhere, so no mandatory keys or VPN
Sorry, but this a cheap shot, and almost completely wrong. Supercomputer facilities are managed by professionals; they may have a science background but they are generally pretty competent admins. Systems admin is their core business if anything there is less pressure to 'do it fast' rather than 'do it right' than in the commercial world. You get a reputation for having lousy admins, and the next grant is going to go somewhere else. Their security responses teams were all over it almost immediately, and had the systems locked down and access revoked. 90% of commercial organizations would have been slower off the mark.
You are right in that people like to log on from all over the place. That goes with being a national/international facilitity with users all over the place. Worse, your users aren't emplyees but customers, and they need to be able to compile and run their own code. Securing these things is just a hard problem; maybe they were slow in patching whatever privilege escalation vulnerability was used, maybe not. You'll find very few that allow password access but that doesn't help when dumbfuck users lose their passwordless private keys. [slashdot.org] Maybe they'll move to hardware access tokens in future.
Re: No suprises here. (Score:2)
The breech is from idiot users using SSH keys without paraphrases. Most HPC users have accounts on multiple systems. A local privilege escalation was then used to gain root. There is as I understand no crypto currency mining on ARCHER. There was some indication on the early systems in Poland, but it makes no sense and is almost certainly a smoke screen. Oh and the Independent article is also wrong, the upgrade was delayed because AMD didn't/couldn't supply the CPU's, which is something of an embarrassment.
Computer Security is a myth in the 21st Century (Score:1)
Re: (Score:2)
Why stop? (Score:2)
Monero (Score:3)
It seems whenever there's a story about some illicit mining operation, whether it's done through an ad banner or like this story, it's always Monero. Does any halfway reputable service even accept Monero?
Re: (Score:2)
Don't quote me but I got the impression it was a coin with genuine anonyimity - so you can clean your stolen bitcoins, by converting into monero and then back out at some poiont
NOTE: I *really* don't follow coins that closely, could be wrong.
Re: (Score:3)
Tons of exchanges do. You go on and do some trading to launder your pilferings. Convert to bitcoin and then cash out to your bank account.
Re: (Score:2)
compromised SSH credentials? (Score:2)
Re:compromised SSH credentials? (Score:4, Insightful)
I do not know details about what was done or how it was done, but off hand I would guess:
There are a lot of users with access to many of those systems with ssh keys on their desktops/laptops with just endless attack vectors to get an individuals private data. I don't even think passphrase protected would have worked because odds are that they would have an ssh agent running during an attack and be able to use that to ssh in. If no agent running, I wouldn't be surprised if they got a keylogger going to get the key password.
From there, a lot of these systems are lax about security updates, so there is a high chance of a privilege escalation being possible through lack of update at *one* of the sites is high. I wager this is the impetus to change that norm.
With that last you can gather tons of user private keys (users tend to have an unprotected private key and tend to also trust that private key in authorized keys) and then you have more latitude to request compute time as a lot of users.
Re: compromised SSH credentials? (Score:3)
All it takes is one user to have their computer hacked who has an unsecured private SSH key. You now have access to a HPC system. If you can manage a local privilege escalation it is trivial to scan the system for more unsecured private SSH keys. You can use the known_hosts file and bash history of the user to identify the hosts on which those keys can be usefully tried. As many HPC users have accounts on multiple different HPC systems you can island hope once you have an in.
Note there are many guides out t
Re: (Score:2)