Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Supercomputing The Almighty Buck

Supercomputers Breached Across Europe To Mine Cryptocurrency (zdnet.com) 43

An anonymous reader quotes ZDNet: Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions. Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumored to have also happened at a high-performance computing center located in Spain.

Cado Security, a US-based cyber-security firm, said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials... Once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero cryptocurrency.

This discussion has been archived. No new comments can be posted.

Supercomputers Breached Across Europe To Mine Cryptocurrency

Comments Filter:
  • I have to admit (Score:3, Interesting)

    by t4eXanadu ( 143668 ) on Saturday May 16, 2020 @10:53PM (#60069052)

    That's pretty badass. I wonder how much they mined before they were shut down.

    • by Anonymous Coward

      One of the computers affected is at the University of Edinburgh called “Archer”.

      The ARCHER facility is based around a Cray XC30 supercomputer, with 4,920 nodes, each node containing two 2.7 GHz, 12-core E5-2697 v2 (Ivy Bridge) series processors with 64GB of memory

      At zero load the compute nodes on ARCHER draw approximately 400 kW of power and at full load they draw approximately 1200 kW of power.

      Nice!!

      • ... and the The Independent wrote an article on the breach. The title started with "Danger Zone!". Not kidding.
      • by Pax681 ( 1002592 )

        ARCHER is on a range of research projects, such as modelling weather patterns and biomedical data, simulating the Earth’s climate and designing new materials. But its role in supporting a number of different COVID-19 research projects might have proven a particular draw to hackers. “I am not sure if anyone can say for sure whether this is a targeted attack to either exfiltrate data relating to Covid-19 research or it was an attack to slow the progress of research into Covid-19 by state actors

    • by Anonymous Coward
      probably not a lot unless these supercomputer were stacked out with graphics cards, even supercomputers suck for mining. But hey it is free and will still be a lot better than someones home machine.
    • Doesn't matter all that much, when things like this happen, it becomes ammunition for countries to ban it which starts a death spiral.

      • by Z00L00K ( 682162 )

        And for most people it wouldn't make any difference if Bitcoin, Monero and other electronic currencies are banned since those are mostly used by criminals or questionable activities anyway.

      • Doesn't matter all that much, when things like this happen, it becomes ammunition for countries to ban it which starts a death spiral.

        What are you talking about? Are you under the impression that cryptomining malware is new? What makes this university's computer getting hacked any different than any other company?

      • Ban what? A unit of measure that has no real value other than consuming vast amounts of electricity and facilitates global criminal activity like that mentioned in the article?

        Wake me up when cryptocurrency finally dries up and blows away.

  • Supercomputers ... ?

    <facepalm>

  • No suprises here. (Score:5, Insightful)

    by Mr. Dollar Ton ( 5495648 ) on Saturday May 16, 2020 @11:14PM (#60069120)

    Scientists administering their computer systems themselves tend to reliably produce this result.

    Nobody wants to be bothered by security, so short passwords, everyone loves to login from everywhere, so no mandatory keys or VPN, everyone loves to be able to transfer that odd terabyte of root files, recompile the 30m lines MC simulation or rerun parts of that DFT calculation on the cluster over any network at any time, etc. They like it open.

    So they open all sorts of backdoors on purpose, and I'm not even mentioning the trillion badly misconfigured services that are also running - by defaults, ignorance and by "let's get this up by yesterday night" approach.

    And then some people sneak in and share the processor time.

    Amazingly, there are very few problems - nobody is really interested in what the scientists actually produce and run. There are no user data to steal, the datasets are enormous and meaningless to people outside of the project, and the scientific code is so bad, copious and boring that no hacker is interested in it.

    So it is a stable equilibrium, which works well with an occasional cleanup.

    • >> So it is a stable equilibrium, which works well with an occasional cleanup.

      You have no idea how loudly I laughed at that line

      then I thought how good that line would be with Hitchhikers guild to the galaxy.

      • by _u01 ( 6868640 )
        Galactic Loom?
      • Re:No suprises here. (Score:5, Interesting)

        by Mr. Dollar Ton ( 5495648 ) on Sunday May 17, 2020 @12:23AM (#60069244)

        I used to BOFH back in the 90s for a few years. I now do science and because of that past experience, I'm occasionally asked for assistance or advice after a breach, so I've seen quite a few coinminer operations on scientific systems of various sizes.

        The most endearing one was one a small cluster, where intruders had fought for dominance and one group had won over. They apparently ran their own maintenance - cleaned up the competition, updated and patched shit regularly, set limits on the science computation jobs so that they would run - slow and not block the mining - but not cause alarm, etc. Really good housekeepers, too bad the university won't allocate a budget to hire them, and instead has to rely on things like the cooperation and the outdated knowledge and skills of a random old fart like myself.

        Most miners aren't like that - they take over, kill everything, run the machines at max and get caught quickly by the whine of the jet turbines that do the cooling these days.

        Maybe I'll read the postmortems on these systems when I have time, always like to try and find something inventive and exciting in the work of those hackers.

        • Re: (Score:2, Interesting)

          You've just explained why pathogens that are too lethal do not survive long in the wild.
          • by Junta ( 36770 )

            Yep, just like that.

            I also wager that there has always been a background level of compromises against HPC systems but they've been ignored. Security is not generally the greatest at some of the most notorious sites, so it's not a difficult challenge, but the industry hasn't had any big problems so they haven't been driving to change.

            This is almost certainly going to change all that, and make things more secure in the long run.

    • Nobody wants to be bothered by security, so short passwords, everyone loves to login from everywhere, so no mandatory keys or VPN, everyone loves to be able to use their computer for its intended purpose

          FTFY

      • Yes, I am also guilty of that particular sin, and in a perfect world I would not bother either.

        But the real world is not as nice and simple as a spherical cow in a vacuum, and unfortunately you have to take that into account when you set up your system, and budget for some basic housekeeping too.

    • Re:No suprises here. (Score:4, Interesting)

      by Cyberax ( 705495 ) on Sunday May 17, 2020 @01:11AM (#60069314)

      Scientists administering their computer systems themselves tend to reliably produce this result.

      Back in 2009 my friend needed to do a ton of calculations for his PhD in molecular biology. Unfortunately, he didn't have resources to do that. Instead he scanned the Internet for open Hadoop servers and found quite a few of them, so he was able to run his workloads quite comfortably there.

      Of course, this was long before the cryptoshit scourge.

    • by Junta ( 36770 )

      So users getting compromised and having their accounts used for crypto mining would be a fairly typical thing resulting in an account being disabled.

      This involved a privilege escalation attack through them running downlevel kernels, so the attackers assumed root priviliges and messed with things. This is why they have shut down (and in fact I have heard generally deleting everything and reinstalling across all the servers).

    • Re:No suprises here. (Score:4, Interesting)

      by Shimbo ( 100005 ) on Sunday May 17, 2020 @09:57AM (#60070188)

      Scientists administering their computer systems themselves tend to reliably produce this result.

      Nobody wants to be bothered by security, so short passwords, everyone loves to login from everywhere, so no mandatory keys or VPN

      Sorry, but this a cheap shot, and almost completely wrong. Supercomputer facilities are managed by professionals; they may have a science background but they are generally pretty competent admins. Systems admin is their core business if anything there is less pressure to 'do it fast' rather than 'do it right' than in the commercial world. You get a reputation for having lousy admins, and the next grant is going to go somewhere else. Their security responses teams were all over it almost immediately, and had the systems locked down and access revoked. 90% of commercial organizations would have been slower off the mark.

      You are right in that people like to log on from all over the place. That goes with being a national/international facilitity with users all over the place. Worse, your users aren't emplyees but customers, and they need to be able to compile and run their own code. Securing these things is just a hard problem; maybe they were slow in patching whatever privilege escalation vulnerability was used, maybe not. You'll find very few that allow password access but that doesn't help when dumbfuck users lose their passwordless private keys. [slashdot.org] Maybe they'll move to hardware access tokens in future.

    • The breech is from idiot users using SSH keys without paraphrases. Most HPC users have accounts on multiple systems. A local privilege escalation was then used to gain root. There is as I understand no crypto currency mining on ARCHER. There was some indication on the early systems in Poland, but it makes no sense and is almost certainly a smoke screen. Oh and the Independent article is also wrong, the upgrade was delayed because AMD didn't/couldn't supply the CPU's, which is something of an embarrassment.

  • I have been pwned so many times over the last twenty years.
  • I suppose if there's no punishment why stop?
  • by Calydor ( 739835 ) on Sunday May 17, 2020 @04:10AM (#60069612)

    It seems whenever there's a story about some illicit mining operation, whether it's done through an ad banner or like this story, it's always Monero. Does any halfway reputable service even accept Monero?

    • Don't quote me but I got the impression it was a coin with genuine anonyimity - so you can clean your stolen bitcoins, by converting into monero and then back out at some poiont

      NOTE: I *really* don't follow coins that closely, could be wrong.

    • Tons of exchanges do. You go on and do some trading to launder your pilferings. Convert to bitcoin and then cash out to your bank account.

    • Comment removed based on user account deletion
  • TFA says "some f’ing idiot users have been using private keys without passcodes", how did the hackers get the keys in the first place?
    • by Junta ( 36770 ) on Sunday May 17, 2020 @07:43AM (#60069858)

      I do not know details about what was done or how it was done, but off hand I would guess:

      There are a lot of users with access to many of those systems with ssh keys on their desktops/laptops with just endless attack vectors to get an individuals private data. I don't even think passphrase protected would have worked because odds are that they would have an ssh agent running during an attack and be able to use that to ssh in. If no agent running, I wouldn't be surprised if they got a keylogger going to get the key password.

      From there, a lot of these systems are lax about security updates, so there is a high chance of a privilege escalation being possible through lack of update at *one* of the sites is high. I wager this is the impetus to change that norm.

      With that last you can gather tons of user private keys (users tend to have an unprotected private key and tend to also trust that private key in authorized keys) and then you have more latitude to request compute time as a lot of users.

    • All it takes is one user to have their computer hacked who has an unsecured private SSH key. You now have access to a HPC system. If you can manage a local privilege escalation it is trivial to scan the system for more unsecured private SSH keys. You can use the known_hosts file and bash history of the user to identify the hosts on which those keys can be usefully tried. As many HPC users have accounts on multiple different HPC systems you can island hope once you have an in.

      Note there are many guides out t

      • Most people implement SSH keys so they don't have to enter a password each time they log in from their computer. No passphrase in that case does not surprise me.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...