A malicious campaign has been observed exploiting the blockchain-based Meson service for illicit gains ahead of the crypto token unlock planned for March 15.
The campaign, discovered by the Sysdig Threat Research Team (TRT), saw an attacker swiftly create 6,000 Meson Network nodes using a compromised cloud account, setting off alarms for multiple AWS users associated with exposed services within Sysdig’s infrastructure.
The attacker’s modus operandi involved exploiting CVE-2021-3129 in a Laravel application and misconfigurations in WordPress to gain initial access to the cloud account.
Subsequently, they utilized automated reconnaissance techniques to identify and exploit compromised users’ privileges, spawning many EC2 instances across multiple regions. The malicious activity culminated in the execution of the meson_cdn binary, resulting in significant costs for the account owner.
“As a result of the attack, we estimate a cost of more than $2,000 per day for all the Meson network nodes created, even just using micro sizes. This isn’t counting the potential costs for public IP addresses, which could run as much as $22,000 a month for 6,000 nodes,” Sysdig wrote in an advisory published on Monday.
Interestingly, unlike traditional crypto-jacking incidents characterized by high CPU and memory usage, the Meson application exhibited relatively low resource consumption. The deviation is due to the inner workings of the Meson Network, a blockchain project striving to establish an efficient bandwidth marketplace on Web3.
In the context of Meson, miners are rewarded with Meson tokens based on the bandwidth and storage they contribute to the network, highlighting a shift in attacker priorities towards bandwidth- and storage-oriented operations rather than CPU-centric cryptomining.
“For Meson, the attacker is more interested in storage space and high bandwidth instead of high-performance CPUs. This can be achieved with a large number of small instances but with a good amount of storage,” reads the advisory.
According to Sysdig, the rise of the Meson network in the blockchain domain, particularly post-initial coin offerings (ICO), signals a new frontier for attackers seeking to exploit storage space and high bandwidth for financial gains.
“In order to prevent your resources from getting wrapped up in one of these attacks and having to shell out thousands of dollars for resource consumption, it is critical to keep your software up to date and monitor your environments for suspicious activity,” concludes the technical write-up.
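Because the Meson nodes used little CPU or memory, the clearest signal of the activity described above is in the control plane: one principal requesting many small EC2 instances across several regions in a short time. The following is an added example, not code from Sysdig's advisory, that runs that check over CloudTrail-style `RunInstances` records; the thresholds, account ID, user and role names, and the simplified sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def requested(event):
    """Instances asked for by one RunInstances call (sum of maxCount)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items) or 1

def flag_launch_bursts(events, window=timedelta(minutes=10), min_regions=3, min_instances=100):
    """Flag principals whose RunInstances calls inside one sliding window span
    >= min_regions regions and request >= min_instances instances.
    Thresholds are illustrative assumptions; tune them to your own baseline.
    Failed calls are counted too, since they are still launch attempts."""
    calls_by_arn = defaultdict(list)
    for e in events:
        if e.get("eventName") != "RunInstances":
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        calls_by_arn[e["userIdentity"]["arn"]].append((ts, e["awsRegion"], requested(e)))
    findings = []
    for arn, calls in calls_by_arn.items():
        calls.sort()
        start, best = 0, None
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # slide the window forward
            regions = {r for _, r, _ in calls[start:end + 1]}
            total = sum(n for _, _, n in calls[start:end + 1])
            if len(regions) >= min_regions and total >= min_instances:
                if best is None or total > best["instances"]:
                    best = {"principal": arn, "regions": sorted(regions), "instances": total}
        if best:
            findings.append(best)
    return findings

def sample_event(arn, region, when, count):
    """Build a constructed, simplified CloudTrail RunInstances record."""
    return {"eventName": "RunInstances", "eventTime": when, "awsRegion": region,
            "userIdentity": {"arn": arn},
            "requestParameters": {"instanceType": "t2.micro",
                                  "instancesSet": {"items": [{"minCount": count, "maxCount": count}]}}}

ACCT = "arn:aws:iam::111122223333"  # placeholder account, constructed sample data below
SAMPLE = [
    sample_event(ACCT + ":user/web-app", "us-east-1", "2024-01-01T10:00:05Z", 500),
    sample_event(ACCT + ":user/web-app", "us-west-2", "2024-01-01T10:01:10Z", 500),
    sample_event(ACCT + ":user/web-app", "eu-west-1", "2024-01-01T10:02:20Z", 500),
    sample_event(ACCT + ":user/web-app", "ap-southeast-1", "2024-01-01T10:03:40Z", 500),
    sample_event(ACCT + ":role/autoscaler", "us-east-1", "2024-01-01T10:02:00Z", 200),  # large, one region
    sample_event(ACCT + ":role/ci-runner", "us-east-1", "2024-01-01T09:00:00Z", 2),
    sample_event(ACCT + ":role/ci-runner", "eu-west-1", "2024-01-01T11:30:00Z", 2),
]
```

Calling `flag_launch_bursts(SAMPLE)` reports only the `web-app` user; the single-region autoscaling burst and the small, widely spaced CI launches stay below the combined region and volume thresholds.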