
Mass Exploitation Campaign Targets ISPs in China and U.S. West Coast

Cybersecurity researchers have uncovered a large-scale exploitation campaign targeting internet service providers (ISPs) in China and the West Coast of the United States



Cybersecurity researchers have uncovered a large-scale exploitation campaign targeting internet service providers (ISPs) in China and the West Coast of the United States. The campaign is deploying information-stealing malware and cryptocurrency miners on compromised systems.

The findings, published by the Splunk Threat Research Team, reveal that attackers are not only stealing sensitive data but also leveraging compromised hosts for financial gain by mining cryptocurrencies. The activity also involves dropping binaries that facilitate data exfiltration and establish persistence within infected systems.

Minimal Intrusion, Maximum Impact

The unidentified threat actors behind this campaign appear to be using a stealthy approach to minimize detection. According to Splunk, they limit intrusive operations on the host; the main traces they leave are artifacts created by previously compromised accounts.

"This actor also moves and pivots primarily by using tools that depend on scripting languages (e.g., Python and PowerShell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for command-and-control (C2) operations," Splunk's technical report states.

This strategy allows the attackers to bypass security controls that might otherwise flag unauthorized binaries or executables. By embedding command execution within scripting frameworks, they blend into routine administrative activity.

Attack Methodology: Brute Force and Credential Exploitation

One of the key attack vectors observed in this campaign is the exploitation of weak credentials through brute-force attacks. The threat actors are using a vast network of IP addresses, primarily originating from Eastern Europe, to conduct large-scale credential stuffing attacks against ISP networks.

Splunk researchers identified over 4,000 ISP IP addresses that were specifically targeted in this operation.

Once initial access is gained, the attackers execute PowerShell scripts to deploy various payloads that support network scanning, information theft, and cryptocurrency mining using the victim's computational resources.

Payload Deployment and Execution

Before executing their payloads, the attackers take deliberate steps to disable security mechanisms and terminate processes associated with cryptominer detection. This ensures that their malware runs uninterrupted on the compromised system.

The main components of the attack include:

  • Stealer Malware: The malware captures screenshots and monitors clipboard activity to extract cryptocurrency wallet addresses. It can detect and replace copied wallet addresses for Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).

  • Exfiltration to Telegram: The collected information is transmitted to an attacker-controlled Telegram bot, which serves as the primary C2 channel.

  • Persistence Mechanisms: The attackers deploy additional binaries to ensure continued access to the infected machines.
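The clipboard-hijacking behaviour described above (an address is copied, then silently replaced by an attacker-controlled address of the same chain) can be spotted from the defender's side by watching the clipboard rather than the network. The following is an added example, not code from the Splunk report or from the malware: it classifies clipboard contents by chain using simplified format-only regexes (no checksum validation, an assumption made for brevity) and raises an alert when one wallet address is replaced by a different address of the same chain within a few seconds. The clipboard samples, the time window, and the attacker address are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Simplified, format-only patterns for the chains named in the report.
# Assumption: no checksum/bech32 validation; a production monitor would add it.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ETHBEP2": re.compile(r"^bnb1[a-z0-9]{38}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,62})$"),
    "TRX": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


def classify_wallet(text):
    """Return the chain name if `text` looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_clipboard_swaps(observations, window_seconds=5):
    """Detect clipper-style replacements in a time-ordered list of clipboard samples.

    observations: list of (datetime, clipboard_text) as sampled by a monitor.
    Returns a list of (timestamp, chain, original_address, replacement_address).
    Heuristic: a wallet address replaced by a *different* address of the *same*
    chain within `window_seconds` is treated as a hijack; the user copying two
    unrelated addresses minutes apart is not flagged.
    """
    alerts = []
    last = None  # (timestamp, chain, text) of the most recent wallet address seen
    for ts, text in observations:
        chain = classify_wallet(text)
        if chain is None:
            last = None  # ordinary clipboard content resets the comparison
            continue
        if (last is not None and last[1] == chain and last[2] != text
                and ts - last[0] <= timedelta(seconds=window_seconds)):
            alerts.append((ts, chain, last[2], text))
        last = (ts, chain, text)
    return alerts


# Constructed clipboard timeline (not real telemetry). The second BTC address is
# a placeholder standing in for an attacker-controlled one.
T0 = datetime(2025, 3, 5, 10, 0, 0)
SAMPLE_OBSERVATIONS = [
    (T0, "meeting notes for tomorrow"),
    (T0 + timedelta(seconds=2), "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # user copies BTC address
    (T0 + timedelta(seconds=3), "1ConstructedAttackerAddrXXXXXXXXXX"),    # replaced 1 s later -> alert
    (T0 + timedelta(seconds=60), "0x" + "a1" * 20),                       # user copies ETH address
    (T0 + timedelta(seconds=120), "0x" + "b2" * 20),                      # different ETH, 60 s later -> no alert
]


def run_sample():
    """Run the detector over the constructed timeline and return the alerts."""
    return detect_clipboard_swaps(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for ts, chain, before, after in run_sample():
        print(f"{ts:%H:%M:%S} {chain} clipboard swap: {before} -> {after}")
```

On a live host the `observations` list would be fed by a clipboard poller; the detection logic itself is platform independent. The five-second window is a tunable trade-off between catching fast clippers and tolerating users who legitimately copy several addresses in a row.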

Key Tools Used in the Attack

The attackers employ several key tools to facilitate network reconnaissance, lateral movement, and credential brute-forcing:

  1. Auto.exe

    • Downloads a password list (pass.txt) and a list of IP addresses (ip.txt) from the command-and-control server.

    • Used for brute-force attacks against exposed network services.

  2. Masscan.exe

    • A high-speed network scanner that allows the attackers to scan large IP address ranges for open ports and vulnerabilities.

These tools help the attackers identify and compromise vulnerable systems, expanding their foothold within ISP infrastructures.

Targeting ISP Networks

The Splunk report highlights that the attackers are specifically targeting Classless Inter-Domain Routing (CIDR) blocks of ISPs located on the West Coast of the United States and in China.

By leveraging mass scanning tools like Masscan, they systematically probe large numbers of IP addresses, searching for exposed ports and weakly protected authentication mechanisms. Once vulnerabilities are identified, credential brute-forcing techniques are used to gain unauthorized access.

Conclusion: A Growing Threat to ISP Infrastructure

This campaign underscores the growing threat posed to ISPs by financially motivated threat actors. By targeting large-scale infrastructure providers, attackers can gain access to valuable data while simultaneously hijacking computing resources for cryptojacking.

To mitigate the risks posed by this campaign, organizations—especially ISPs—should take the following steps:

  • Enforce strong password policies and multi-factor authentication (MFA) to prevent brute-force attacks.

  • Monitor PowerShell and Python script execution to detect suspicious activity.

  • Deploy network segmentation to limit the lateral movement of attackers within ISP environments.

  • Regularly audit logs for anomalous login attempts and mass scanning activity.
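The last two recommendations (monitoring script execution and auditing logs) are where the brute-force stage of this campaign becomes visible. As an added example, not taken from the Splunk report, the following Python detector parses sshd-style authentication failures and raises two kinds of alert: a single source producing many failures in a short window (classic brute force), and a single account attacked from many distinct sources in a short window (the distributed credential stuffing the article attributes to the actor's large IP pool). The log lines use RFC 5737 documentation addresses and are constructed for the example; the thresholds and five-minute window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log (documentation IP ranges; not real data).
SAMPLE_AUTH_LOG = """\
Mar  5 10:00:01 edge01 sshd[2231]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar  5 10:00:02 edge01 sshd[2233]: Failed password for root from 203.0.113.10 port 51023 ssh2
Mar  5 10:00:03 edge01 sshd[2235]: Failed password for root from 203.0.113.10 port 51024 ssh2
Mar  5 10:00:04 edge01 sshd[2237]: Failed password for root from 203.0.113.10 port 51025 ssh2
Mar  5 10:00:05 edge01 sshd[2239]: Failed password for root from 203.0.113.10 port 51026 ssh2
Mar  5 10:00:06 edge01 sshd[2241]: Failed password for root from 203.0.113.10 port 51027 ssh2
Mar  5 10:01:00 edge01 sshd[2250]: Failed password for invalid user admin from 198.51.100.1 port 40001 ssh2
Mar  5 10:01:10 edge01 sshd[2251]: Failed password for invalid user admin from 198.51.100.2 port 40002 ssh2
Mar  5 10:01:20 edge01 sshd[2252]: Failed password for invalid user admin from 198.51.100.3 port 40003 ssh2
Mar  5 10:01:30 edge01 sshd[2253]: Failed password for invalid user admin from 198.51.100.4 port 40004 ssh2
Mar  5 10:30:00 edge01 sshd[2310]: Failed password for alice from 192.0.2.50 port 50100 ssh2
Mar  5 10:30:05 edge01 sshd[2310]: Accepted password for alice from 192.0.2.50 port 50100 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_line(line):
    """Return (timestamp, account, source_ip) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the default (1900) is fine for relative windows.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def max_distinct_in_window(events, window):
    """events: list of (timestamp, value). Largest number of distinct values
    seen inside any sliding window of length `window`."""
    events = sorted(events)
    counts = defaultdict(int)
    best = start = 0
    for end, (ts, value) in enumerate(events):
        counts[value] += 1
        while ts - events[start][0] > window:      # slide the window forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_login_anomalies(log_text, window=timedelta(minutes=5),
                           per_source=5, per_account_sources=3):
    """Return alerts as (kind, key, count) tuples. Thresholds are assumptions."""
    events = [e for e in (parse_auth_line(l) for l in log_text.splitlines()) if e]
    by_source, by_account = defaultdict(list), defaultdict(list)
    for idx, (ts, user, src) in enumerate(events):
        by_source[src].append((ts, idx))      # idx makes every failure distinct
        by_account[user].append((ts, src))    # distinct sources per account
    alerts = []
    for src, evs in by_source.items():
        n = max_distinct_in_window(evs, window)
        if n >= per_source:
            alerts.append(("brute_force_source", src, n))
    for user, evs in by_account.items():
        n = max_distinct_in_window(evs, window)
        if n >= per_account_sources:
            alerts.append(("distributed_stuffing_account", user, n))
    return alerts


if __name__ == "__main__":
    for kind, key, n in detect_login_anomalies(SAMPLE_AUTH_LOG):
        print(f"{kind}: {key} ({n} in window)")
```

The per-account rule is the one that matters for the campaign described here: each source in a large, distributed pool may stay under any per-IP threshold, so counting distinct sources against a single account (or against a whole CIDR block of ISP devices) is what surfaces the activity. The same sliding-window helper can be reused over firewall logs to count distinct destination ports per source, which is the shape Masscan-style sweeps leave behind.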

As cybercriminals continue to refine their tactics, organizations must remain vigilant in strengthening their security posture to detect and respond to emerging threats.