Malicious Campaign Exploiting Meson Service Uncovered Ahead of Token Unlock
A recent malicious campaign has been uncovered, targeting the blockchain-based Meson service in anticipation of the crypto token unlock scheduled for March 15. The activity was detected by the Sysdig Threat Research Team (TRT), which identified an attacker rapidly creating 6000 Meson Network nodes using a compromised cloud account. The incident triggered alerts for multiple AWS users tied to exposed services within Sysdig's infrastructure.
Attack Strategy
The attacker's approach involved exploiting CVE-2021-3129 in a Laravel application and misconfigurations in WordPress to gain initial access to the cloud account. Automated reconnaissance was then used to identify the compromised users' privileges and capitalize on them, resulting in the deployment of numerous EC2 instances across multiple regions. The activity culminated in the execution of the meson_cdn binary, incurring substantial costs for the account owner.
According to Sysdig’s advisory, the attack led to estimated daily costs exceeding $2,000 for all the Meson network nodes created, even with micro sizes. Additional expenses for public IP addresses could escalate to $22,000 per month for the 6000 nodes.
Resource Consumption
Interestingly, unlike typical crypto-jacking incidents characterized by high CPU and memory usage, the Meson application displayed relatively low resource consumption. This deviation can be attributed to the unique nature of the Meson Network, a blockchain project focused on establishing an efficient bandwidth marketplace within Web3.
Miners in the Meson network earn tokens based on bandwidth and storage contributions, indicating a shift in attacker priorities towards bandwidth- and storage-intensive operations rather than traditional CPU-centric cryptomining.
Security Implications
The emergence of the Meson network in the blockchain sector, particularly post-initial coin offerings (ICO), presents a new opportunity for attackers looking to exploit storage space and high bandwidth for financial gain. Sysdig emphasizes the importance of keeping software up to date and monitoring environments for suspicious activities to prevent falling victim to such attacks.
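The two behaviours the advisory describes, a single compromised principal launching many EC2 instances across several regions in a short window, and the recommendation to monitor environments for such activity, can be turned into a concrete detection. The following is an added example, not code from Sysdig or the original article: it scans CloudTrail-style RunInstances records and flags any principal whose launches within a sliding window exceed an instance count or region spread threshold. The event records are constructed sample data (the account ID, user names and timestamps are invented), and the field layout follows CloudTrail's RunInstances format as I understand it (requestParameters.instancesSet.items[].maxCount); the thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Constructed CloudTrail-style sample records (not real incident data) ----
def _event(user, region, ts, count):
    return {
        "eventName": "RunInstances",
        "eventSource": "ec2.amazonaws.com",
        "awsRegion": region,
        "eventTime": ts,
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": {
            "instancesSet": {"items": [{"minCount": count, "maxCount": count}]}
        },
    }

SAMPLE_EVENTS = [
    # Normal deployment activity: a couple of launches, hours apart, one region.
    _event("deploy-bot", "us-east-1", "2024-03-10T09:00:00Z", 2),
    _event("deploy-bot", "us-east-1", "2024-03-10T15:00:00Z", 1),
    # A non-launch call that the detector must ignore.
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "eventTime": "2024-03-10T10:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"}},
]
_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1", "sa-east-1"]
# Burst pattern: 12 RunInstances calls of 10 instances each, one per minute,
# rotating through five regions (hypothetical "compromised-user" principal).
for i in range(12):
    SAMPLE_EVENTS.append(
        _event("compromised-user", _REGIONS[i % 5], f"2024-03-10T10:{i:02d}:00Z", 10)
    )

# ---- Detection logic ----
def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def launched_count(event):
    """Instances requested by one RunInstances call (sum of maxCount over items)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(item.get("maxCount", 1)) for item in items)

def detect_launch_bursts(events, window_minutes=15, max_instances=20, max_regions=3):
    """Return one finding per principal whose RunInstances calls inside any
    window_minutes-wide window exceed max_instances or span more than max_regions."""
    by_principal = defaultdict(list)
    for e in events:
        if e.get("eventName") != "RunInstances" or e.get("eventSource") != "ec2.amazonaws.com":
            continue
        by_principal[e["userIdentity"]["arn"]].append(
            (parse_time(e["eventTime"]), e["awsRegion"], launched_count(e))
        )

    window = timedelta(minutes=window_minutes)
    findings = []
    for arn, launches in by_principal.items():
        launches.sort()
        worst = None
        # Slide the window start over each launch and aggregate what falls inside it.
        for i, (start, _, _) in enumerate(launches):
            in_window = [l for l in launches[i:] if l[0] - start <= window]
            total = sum(l[2] for l in in_window)
            regions = {l[1] for l in in_window}
            if total > max_instances or len(regions) > max_regions:
                if worst is None or total > worst["instances"]:
                    worst = {
                        "principal": arn,
                        "window_start": start.isoformat(),
                        "calls": len(in_window),
                        "instances": total,
                        "regions": sorted(regions),
                    }
        if worst:
            findings.append(worst)
    return findings

if __name__ == "__main__":
    print(json.dumps(detect_launch_bursts(SAMPLE_EVENTS), indent=2))
```

Run against the constructed records, the deploy-bot principal stays quiet while the burst principal produces a single finding covering 12 calls, 120 instances and five regions. Feeding real CloudTrail exports into detect_launch_bursts requires only that the records keep the fields used above; the thresholds are the knobs to tune so that legitimate autoscaling in one or two regions does not trip the alert.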
As the threat landscape evolves, organizations must remain vigilant and proactive in safeguarding their resources against malicious actors seeking to exploit emerging technologies for illicit purposes.