A financially motivated operation known as LABRAT has been discovered by researchers from Sysdig. This operation targets vulnerable GitLab servers and exploits a critical flaw, CVE-2021-22205   , to gain remote code execution . Despite being patched in April 2021 , hackers are still actively using exploits for this flaw . LABRAT involves a cryptojacking and proxyjacking campaign  , utilizing undetected tools, cross-platform malware   , and kernel-based rootkits to hide their presence . The attackers also abuse a legitimate service called TryCloudflare to obfuscate their command-and-control network . This campaign utilizes compiled binaries written in Go and .NET to evade detection . Infected systems provide backdoor access, which can lead to further attacks , data theft , and ransomware .
The attack begins with the exploitation of CVE-2021-22205 , followed by the retrieval of a dropper shell script from a C2 server . The attackers rent compromised hosts as part of a proxy network , allowing them to monetize unused bandwidth . They redirect connections to a password-protected web server hosting a malicious shell script . In a second variant of the attack , a Solr server is used to download an exploit for the PwnKit from the same GitLab repository .
The payloads retrieved by the dropper script include a remote access utility called Global Socket , as well as binaries for conducting cryptojacking and proxyjacking through services like IPRoyal and ProxyLite . Additionally, a kernel-based rootkit is used to conceal the mining process . Although GitLab has patched the vulnerability , hackers are still actively exploiting unpatched servers . Affected users should follow security incident and disaster recovery processes to deprovision the compromised instance and restore from a good backup .
It is crucial to note that the longer the compromise goes undetected, the more money the attacker can make and the greater the cost to the victim . The attackers have executed a sophisticated and stealthy operation, making defense and detection more challenging . To mitigate the impact of this attack, affected users should promptly address the vulnerability, follow security incident and disaster recovery processes , and restore from a reliable backup. Additionally, ongoing vigilance and proactive security measures are necessary to prevent future attacks and protect against evolving threats.