FlagThis - #cryptomining

A new cyber threat has emerged, with the threat actor known as Mimo exploiting a recently disclosed remote code execution vulnerability, CVE-2025-32432, in the Craft Content Management System (CMS). The attackers are leveraging this vulnerability to deploy a suite of malicious payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware on compromised websites. This allows them to not only abuse system resources for illicit cryptocurrency mining, but also monetize the victim's internet bandwidth for other malicious activities.

The exploitation of CVE-2025-32432 unfolds in two phases. The attacker activates a web shell by injecting PHP code via a specially crafted GET request. This action triggers a redirection, prompting the application to record the return URL within a server-side PHP session file. Once the web shell is enabled, commands can be executed remotely. The web shell is used to download and execute a shell script, which checks for indicators of prior infection and uninstalls any existing cryptocurrency miners before delivering next-stage payloads and launching the Mimo Loader.

The Mimo Loader modifies "/etc/ld.so.preload" to hide the malware process. Its ultimate goal is to deploy the IPRoyal proxyware and the XMRig miner on the compromised host. Sekoia researchers Jeremy Scion and Pierre Le Bourhis noted the unusual naming choice of the Python library "urllib2" being aliased as "fbi," suggesting it may be a tongue-in-cheek nod to the American federal agency, serving as a distinctive coding choice and a potential indicator for detection. The activity has been linked to the Mimo intrusion set, which has been active since at least March 2022 and has previously exploited vulnerabilities in Apache Log4j, Atlassian Confluence, PaperCut, and Apache ActiveMQ.


References :

• blog.sekoia.io: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
• bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites
• The Hacker News: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware
• securityonline.info: Mimo Returns: CVE-2025-32432 Exploited in Cryptomining and Proxyware Campaigns
• ciso2ciso.com: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware – Source:thehackernews.com
• bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites The operators appear to be based in the Middle East
• Virus Bulletin: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.

Classification:

• HashTags: #CraftCMS #Cryptominer #Proxyware
• Company: Craft CMS
• Target: Websites
• Attacker: Mimo
• Product: Craft CMS
• Feature: 0-day
• Malware: CVE-2025-32432
• Type: 0Day
• Severity: Critical

Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting vulnerabilities such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Data from Microsoft indicates that a concerning 51% of workload identities remained inactive in the past year, creating numerous potential entry points for attackers. The increasing adoption of containers-as-a-service among organizations has expanded the attack surface, making it more attractive for cybercriminals seeking to profit from stolen computing resources.

The dynamic nature of Kubernetes environments poses significant challenges for security teams. The rapid deployment and scaling of containers make it difficult to detect runtime anomalies and trace the origins of security breaches. Attackers often exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to infiltrate these environments. Observed attack vectors include compromising cloud credentials, deploying malicious container images, exploiting the Kubernetes API, conducting node-level and pod escape attacks, and injecting unauthorized network traffic. A recent example involved the use of the AzureChecker.exe tool to launch password spray attacks against cloud tenants, leading to the creation of cryptomining containers within compromised resource groups.

To combat these evolving threats, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix. This provides a structured framework for organizations to systematically assess and mitigate attack surfaces in containerized environments. Security best practices highlighted include implementing immutable container policies, enforcing strong authentication, employing rigorous vulnerability management, using admission controllers, establishing image assurance policies, and continuously monitoring API activity. Furthermore, a Docker malware campaign has been discovered exploiting Teneo Web3 nodes by faking heartbeat signals to earn crypto, showcasing the diverse methods attackers are using to generate revenue from compromised container environments.


References :

• www.microsoft.com: Understanding the threat landscape for Kubernetes and containerized assets
• Cyber Security News: Cyberpress: Unsecured Kubernetes Clusters Targeted by Threat Actors for Crypto Mining
• The Hacker News: Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals
• Microsoft Security Blog: Understanding the threat landscape for Kubernetes and containerized assets

Classification:

• HashTags: #Kubernetes #CryptoMining #CloudSecurity
• Company: Multiple
• Target: Kubernetes Clusters
• Product: Kubernetes
• Feature: Cryptojacking
• Malware: XMRig
• Type: Malware
• Severity: Medium