ヨーロッパのスーパーコンピュータが次々とハッキングされ

こんにちは、丸山満彦です。

ヨーロッパのスーパーコンピュータがいくつかハッキングされたようですね。ドイツ、イギリス、スイス、スペイン？でインシデントが報告されているようですね。

● EGI-Cert

・2020.05.15 Academic data centers abused for crypto currency mining

-----
Incident #EGI20200421

Summary

A malicious group is currently targeting academic data centers for CPU mining purposes. The attacker is hopping from one victim to another using compromised SSH credentials.

The compromised hosts are turned into different roles, including:

• XMR mining hosts (running a hidden XMR binary)
• XMR-proxy hosts ; The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
• SOCKS proxy hosts (running a microSOCKS instance on a high port) ; The attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
• Tunnel hosts (SSH tunneling) ; The attacker connects via SSH (compromised account) and configure NAT PREROUTING (typically to access private IP spaces).

Key points:

• Connections to the SOCKS proxy hosts are typically done via TOR or compromised hosts.
• The attackers uses different techniques to hide the malicious activity, including a malicious Linux Kernel Module (https://github.com/m0nad/Diamorphine).
• It is not fully understood how SSH credentials are stolen, although some (but not all) victims have discovered compromised SSH binaries.
• At least in one case, the malicious XMR activity is configured (CRON) to operate only during night times to avoid detection.
• There are victims in China, Europe and North America.

-----

● bw|HPC (De)

・2020.05.11 IT security incident

-----
Dear users,
due to an IT security incident the state-wide HPC systems

• bwUniCluster 2.0,
• ForHLR II,
• bwForCluster JUSTUS,
• bwForCluster BinAC, and
• Hawk

are currently not available. Our experts are already working on an assessment of the problem.
We will inform you as soon as a reliable schedule for the resuming of operation is available.
-----

● University of Edinburgh - Archer (UK)

・Status

2020.03.18 (JST)

-----

Service Statusa

Login Nodes: Unavailableaa
Last Updated: 18:15, Sunday 17 May 2020

Compute Nodes: Unavailable
Last Updated: 18:15, Sunday 17 May 2020

Low Priority: Disabled
Last Updated: 14:30, Monday 11 May 2020

This page contains details of the status and usage of the ARCHER system.

• Known Issues
• Planned Maintenance Sessions
• Live Usage/Queue Data
• Live Usage/Queue Data by Job Length/Size
• Disk Status
• Network Traffic

Known Issues

No known issues

-----

● The Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences (De)

・HPC systems closed for access due to a security issue

-----
Dear users of the HPC systems at LRZ,

due to a security issue we have temporarily closed access from the outside world to all HPC systems.

Update (May 14, 2020):

Wir können einen Sicherheitsvorfall bestätigen, von dem unsere Hochleistungsrechner betroffen sind. Sicherheitshalber haben wir deshalb die betroffenen Maschinen von der Außenwelt abgeschottet. Die Benutzer und die zuständigen Behörden sind informiert. Wir halten Sie über weitere Details auf dem Laufenden, bitten jedoch um Verständnis, dass wir keine Aussagen machen, so lange wir die Lage noch untersuchen. Wir sind zudem in engem Austausch mit unseren Partnern beim Gauss Supercomputing Centre und der Gauss-Allianz, sowie unseren europäischen Partnern bei PRACE.

-----

 

■ 報道等

● ZDnet
・2020.05.16 Supercomputers hacked across Europe to mine cryptocurrency by Catalin Cimpanu 
Confirmed infections have been reported in the UK, Germany, and Switzerland. Another suspected infection was reported in Spain.

● Security Affairs
・2020.05.17 Experts reported the hack of several supercomputers across Europe by Pierluigi Paganini
Organizations managing supercomputers across Europe reported their systems have been compromised to deploy cryptocurrency miners.

● cado security
・2020.05.16 RECENT ATTACKS AGAINST SUPERCOMPUTERS by  CHRIS AND JAMES
This morning I saw news that a Supercomputer based at the University of Edinburgh called “Archer”, currently performing analysis for Coronavirus research, had been taken offline due to a cyber-attack.
Below I’ve provided some additional details on a spate of recent, likely linked, attacks.

● atdotde
・2020.05.16 High Performance Hackers