Full Report
Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer
Analysis Summary
# Incident Report: Mass Exploitation of ISP Networks via Brute-Force Attacks
## Executive Summary
A widespread cyber campaign targeted Internet Service Providers (ISPs) in China and the Western US, leveraging brute-force attacks against weak credentials to deploy information stealers and XMRig cryptocurrency miners. The threat actors kept their footprint small but successfully executed preparatory steps, deployed malware for credential theft and clipboard monitoring for cryptocurrency wallet addresses, and exfiltrated data via Telegram. The incident was discovered through technical analysis by the Splunk Threat Research Team.
## Incident Details
- Discovery Date: Prior to March 4, 2025 (Reported findings published "last week")
- Incident Date: Ongoing campaign; start date not disclosed.
- Affected Organization: Over 4,000 IP addresses belonging to ISPs in China and the West Coast of the United States.
- Sector: Internet Service Providers (ISPs) / Telecommunications
- Geography: China and the West Coast of the United States (Attack origins associated with Eastern Europe)
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed
- Vector: Brute-Force Attacks exploiting weak credentials.
- Details: Attacks originated from IP addresses associated with Eastern Europe and utilized `Masscan.exe` to probe for open ports before attempting credential attacks against targeted ISP CIDRs.
### Lateral Movement
- Details: Threat actors moved and pivoted primarily using tools dependent on scripting languages (Python and PowerShell). They avoided highly intrusive operations unless interacting with pre-compromised accounts.
### Data Exfiltration/Impact
- Details: Information stealers captured screenshots and acted as clipboard hijackers, actively searching for cryptocurrency wallet addresses (BTC, ETH, BEP2, LTC, TRX). Gathered data was exfiltrated to a C2 server via a Telegram bot. The primary impact was the deployment of cryptominers (XMRig) abusing victim CPU resources.
### Detection & Response
- Detection: Findings reported by the Splunk Threat Research Team in a technical report.
- Response Actions: The report documents the observed attacker actions, which indicates that forensic investigation and analysis by the researchers or victim organizations is still in progress. Specific response actions taken by the victims are not detailed in the provided source.
## Attack Methodology
- Initial Access: Brute-force attacks against exposed ISP infrastructure using weak credentials.
- Persistence: Use of various binaries dropped via PowerShell to maintain access; specifically through the deployment of an executable (`Auto.exe`) designed for establishing follow-on operations.
- Privilege Escalation: Not explicitly detailed, but implied by the ability to disable security products and services.
- Defense Evasion: Performed "minimal intrusive operations" and used scripting languages (PowerShell, Python) known for low-profile execution.
- Credential Access: Implied by the deployment of info-stealer malware designed to harvest data.
- Discovery: Use of `Masscan.exe` to scan large IP ranges for open ports, followed by brute-forcing. Network scanning was conducted post-initial access via injected PowerShell commands.
- Lateral Movement: Pivoting via scripting language tools.
- Collection: Theft via information stealer malware (screenshots, clipboard scraping for wallet data).
- Exfiltration: Data sent to a Command and Control (C2) server using API calls to a Telegram bot.
- Impact: Cryptomining (XMRig deployment) and data theft (credentials/wallet info).
## Impact Assessment
- Financial: Unspecified costs related to resource utilization (cryptomining) and remediation efforts.
- Data Breach: Sensitive configuration data or user credentials are at risk due to the use of info-stealers. Cryptocurrency wallet details were actively targeted.
- Operational: Potential degradation of ISP infrastructure performance due to XMRig processing load.
- Reputational: Negative impact on the affected ISPs due to compromise of network infrastructure.
## Indicators of Compromise
- Network indicators: C2 communications leveraging Telegram API/bots.
- File indicators: `Auto.exe`, `Masscan.exe`.
- Behavioral indicators: Termination of cryptominer detection services, execution of network scanning/brute-forcing modules via PowerShell, and execution of crypto-clipping malware functions.
## Response Actions
- Containment measures: Not explicitly detailed in the source; typical measures for this activity would include blocking C2 traffic to the Telegram API and isolating affected network segments.
- Eradication steps: Removal of dropped executables (`Auto.exe`, `Masscan.exe`, PowerShell scripts) and malware payloads.
- Recovery actions: Rotation of potentially compromised credentials used in the brute-force attacks and restoring terminated security services.
## Lessons Learned
- Key takeaways: Weak credential hygiene on public-facing ISP infrastructure remains a potent and scalable initial access vector. Threat actors rapidly pivot to resource hijacking (cryptomining) once access is established.
- What could have been done better: Implementing multi-factor authentication (MFA) on all network management interfaces and utilizing stronger credential policies across ISP infrastructure. The termination of security products shortly after initial access is a strong precursor to significant impact and warrants immediate alerting.
## Recommendations
- Prevention measures for similar incidents: Deploy multi-factor authentication (MFA) universally, especially for remote access to network devices. Implement robust monitoring for PowerShell execution anomalies and changes to security service states. Harden external-facing services against brute-force attacks using rate-limiting and account lockout policies.