A financially motivated operation known as LABRAT has been discovered by researchers from Sysdig. This operation targets vulnerable GitLab servers and exploits a critical flaw, CVE-2021-22205 [1] [2] [4], to gain remote code execution [4]. Despite being patched in April 2021 [2], hackers are still actively using exploits for this flaw [4]. LABRAT involves a cryptojacking and proxyjacking campaign [1] [3], utilizing undetected tools, cross-platform malware [1] [2] [4], and kernel-based rootkits to hide their presence [1]. The attackers also abuse a legitimate service called TryCloudflare to obfuscate their command-and-control network [1]. This campaign utilizes compiled binaries written in Go and .NET to evade detection [1]. Infected systems provide backdoor access, which can lead to further attacks [1], data theft [1], and ransomware [1].


The attack begins with the exploitation of CVE-2021-22205 [1], followed by the retrieval of a dropper shell script from a C2 server [1]. The attackers rent compromised hosts as part of a proxy network [3], allowing them to monetize unused bandwidth [3]. They redirect connections to a password-protected web server hosting a malicious shell script [3]. In a second variant of the attack [3], a Solr server is used to download an exploit for the PwnKit from the same GitLab repository [3].

The payloads retrieved by the dropper script include a remote access utility called Global Socket [3], as well as binaries for conducting cryptojacking and proxyjacking through services like IPRoyal and ProxyLite [3]. Additionally, a kernel-based rootkit is used to conceal the mining process [1]. Although GitLab has patched the vulnerability [1], hackers are still actively exploiting unpatched servers [2]. Affected users should follow security incident and disaster recovery processes to deprovision the compromised instance and restore from a good backup [1].


It is crucial to note that the longer the compromise goes undetected, the more money the attacker can make and the greater the cost to the victim [3]. The attackers have executed a sophisticated and stealthy operation, making defense and detection more challenging [4]. To mitigate the impact of this attack, affected users should promptly address the vulnerability, follow security incident and disaster recovery processes [1], and restore from a reliable backup. Additionally, ongoing vigilance and proactive security measures are necessary to prevent future attacks and protect against evolving threats.


[1] https://thehackernews.com/2023/08/new-labrat-campaign-exploits-gitlab.html
[2] https://www.jsplaces.com/cso-online/17/08/2023/proxyjacking-campaign-labrat-targets-vulnerable-gitlab-deployments/
[3] https://cyber.vumetric.com/security-news/2023/08/17/new-labrat-campaign-exploits-gitlab-flaw-for-cryptojacking-and-proxyjacking-activities/
[4] https://www.443news.com/2023/08/proxyjacking-campaign-labrat-targets-vulnerable-gitlab-deployments/