Executive Summary
In 2024, repeated attempts to deploy RedTail cryptojacking malware were observed against honeypots, via brute-forced SSH credentials and exploitation of known vulnerabilities. Attackers gained access by cracking weak SSH passwords, uploaded and executed scripts such as setup.sh and clean.sh, and established persistent access by implanting their own SSH keys. They evaded detection by deleting evidence, queried system information to tune the miner deployment, and communicated outbound over HTTPS with mining-pool and control infrastructure, siphoning off computing resources for Monero mining. The attack demonstrated both technical sophistication and evasiveness, resulting in lost system performance and increased operational costs for victims.
The RedTail campaign stands out for its focus on stealth, persistence, and detection evasion, signaling a shift from noisy ransomware to more subtle, long-term threats such as cryptojacking. With attackers homing in on resource hijacking and leveraging diverse TTPs, organizations face new challenges in detection and response. This incident shows the increasing necessity for robust SSH hardening, proactive monitoring, and defense-in-depth measures against evolving cryptojacking methods.
Why This Matters Now
Cryptojacking attacks like RedTail are rising in prevalence, targeting misconfigured or weakly secured systems to covertly exploit resources. As organizations increasingly move to cloud and hybrid environments, the silent nature of such attacks can degrade performance and inflate costs without immediate detection, emphasizing the urgency for proactive security hardening, monitoring, and compliance.
Attack Path Analysis
Attackers initially compromised cloud hosts via brute-force SSH login, leveraging weak credentials to gain access. After establishing access, they installed their own SSH keys to maintain persistent control. While no explicit lateral movement was observed, attackers could have pivoted to additional internal systems if segmentation were weak. The compromised host communicated with external mining pool servers over encrypted HTTPS to receive mining commands. Though traditional data exfiltration was not the focus, outbound traffic to external servers enabled command receipt and potential system profiling. The ultimate impact was hijacking of system resources for cryptocurrency mining, leading to degraded performance and increased operational costs.
Kill Chain Progression
Initial Compromise
Description
Attackers brute-forced SSH credentials on internet-exposed hosts to gain initial access.
Related CVEs
CVE-2024-3400
CVSS 10
A critical vulnerability in PAN-OS allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
Affected Products:
Palo Alto Networks PAN-OS – < 10.2.3
Exploit Status:
exploited in the wild
CVE-2024-4577
CVSS 9.8
A critical PHP-CGI argument injection vulnerability allows remote code execution on affected servers.
Affected Products:
PHP – < 8.1.17
Exploit Status:
exploited in the wild
CVE-2023-1389
CVSS 8.8
A command injection vulnerability in TP-Link routers allows remote attackers to execute arbitrary commands.
Affected Products:
TP-Link Archer AX21 – < 1.1.4
Exploit Status:
exploited in the wild
CVE-2018-20062
CVSS 9.8
A remote code execution vulnerability in ThinkPHP allows attackers to execute arbitrary PHP code.
Affected Products:
ThinkPHP – < 5.0.24
Exploit Status:
exploited in the wild
CVE-2023-46805
CVSS 9.8
An authentication bypass vulnerability in Ivanti Connect Secure allows remote attackers to access restricted resources.
Affected Products:
Ivanti Connect Secure – < 9.1R12
Exploit Status:
exploited in the wild
CVE-2024-21887
CVSS 9.8
A command injection vulnerability in Ivanti Connect Secure allows remote attackers to execute arbitrary commands.
Affected Products:
Ivanti Connect Secure – < 9.1R12
Exploit Status:
exploited in the wild
CVE-2022-22954
CVSS 9.8
A remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager allows attackers to execute arbitrary code.
Affected Products:
VMware Workspace ONE Access – < 21.08.0.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts: Local Accounts
Command and Scripting Interpreter: Unix Shell
Account Manipulation: SSH Authorized Keys
Indicator Removal: File Deletion
System Information Discovery
Application Layer Protocol: Web Protocols
Resource Hijacking: Compute Resource Hijacking
Active Scanning: Scanning IP Blocks
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
PCI DSS 4.0 – Audit Log Review and Retention
Control ID: 10.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
CISA ZTMM 2.0 – Robust Authentication and Credential Management
Control ID: Identity Pillar: Authentication and Access Control
NIS2 Directive – Access Control Policies and Asset Management
Control ID: Article 21(2)(d)
DORA – ICT Risk Management Framework
Control ID: Article 9
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to RedTail cryptojacking via SSH brute-force attacks; requires immediate east-west traffic security, zero trust segmentation, and threat detection capabilities.
Financial Services
High-value targets for cryptojacking operations; SSH-accessible systems vulnerable to resource hijacking, demanding encrypted traffic protection and anomaly response systems.
Health Care / Life Sciences
HIPAA compliance violations through unauthorized access and resource hijacking; vulnerable medical devices and systems require Kubernetes security and multicloud visibility controls.
Government Administration
Critical infrastructure exposed to persistent cryptojacking threats; honeypot observations reveal need for enhanced egress security and inline intrusion prevention systems.
Sources
- [Guest Diary] Building Better Defenses: RedTail Observations from a Honeypot (Thu, Oct 9th) – https://isc.sans.edu/diary/rss/32312 (Verified)
- RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability – https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html (Verified)
- RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit – https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit (Verified)
- URGENT THREAT ALERT: Mass Exploitation of Critical PHP Vulnerability (CVE-2024-4577) by RedTail Cryptominer Campaign – https://blog.digital-domain.us/urgent-threat-alert-mass-exploitation-of-critical-php-vulnerability-cve-2024-4577-by-redtail-cryptominer-campaign/ (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Layered Zero Trust controls—especially network segmentation, east-west inspection, rigorous egress policing, and real-time anomaly detection—could have prevented RedTail entry, limited attacker movement, and detected cryptojacking behaviors quickly. Isolating workloads and strictly controlling cloud egress would disrupt both initial compromise and C2 communications.
Control: Zero Trust Segmentation
Mitigation: Blocks external SSH attempts to sensitive/cloud management hosts.
Control: Threat Detection & Anomaly Response
Mitigation: Detects and alerts on unauthorized SSH key additions.
Control: East-West Traffic Security
Mitigation: Limits attacker propagation to other workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized external connections to known malicious domains.
Control: Encrypted Traffic (HPE)
Mitigation: Enables inspection and policy controls on encrypted data exfiltration attempts.
Detects abnormal resource spikes and mining processes in real time.
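Two of the detections above, unauthorized SSH key additions and the brute-force login pattern from the Initial Compromise step, can be checked with host-side logic. The following is an added example written for this summary, not code from the report or from any product it names; the sshd log lines and authorized_keys entries are constructed samples, and the approved-key set is an assumed baseline an operator would maintain.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (not from the report): a burst of
# failed passwords from one source, then a successful login from that IP.
SAMPLE_AUTH_LOG = """\
Oct  9 03:14:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Oct  9 03:14:02 host sshd[2203]: Failed password for root from 198.51.100.7 port 41023 ssh2
Oct  9 03:14:03 host sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Oct  9 03:14:04 host sshd[2207]: Failed password for root from 198.51.100.7 port 41025 ssh2
Oct  9 03:14:05 host sshd[2209]: Failed password for root from 198.51.100.7 port 41026 ssh2
Oct  9 03:14:06 host sshd[2211]: Accepted password for root from 198.51.100.7 port 41027 ssh2
Oct  9 03:20:11 host sshd[2300]: Accepted publickey for deploy from 203.0.113.5 port 50110 ssh2
"""
# Constructed authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERapprovedKeyBlob0000000000 deploy@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERunknownKeyBlob00000000 redtail
"""
APPROVED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERapprovedKeyBlob0000000000"}
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
                     r"(?:invalid user )?(\S+) from (\S+) port")

def find_bruteforce_logins(log_text, threshold=5):
    """(source_ip, user) pairs where an accepted login followed >= threshold failures from that IP."""
    failures, hits = defaultdict(int), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        status, user, ip = m.groups()
        if status == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user))
    return hits

def find_unapproved_keys(authorized_keys_text, approved_blobs):
    """authorized_keys lines whose key blob is not approved (e.g. an implanted attacker key)."""
    unapproved = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the key-type field first.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields) or fields[idx + 1] not in approved_blobs:
            unapproved.append(line)
    return unapproved
```

On a live host the same functions would be fed /var/log/auth.log (or journalctl output) and each user's ~/.ssh/authorized_keys; because RedTail also deleted evidence, the log source should be shipped off-host rather than read only locally.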
Impact at a Glance
Affected Business Functions
- IT Infrastructure
- Network Security
- Server Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive configuration data and credentials due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular Zero Trust segmentation and restrict SSH access to authorized admin sources only.
- Apply strong egress policy enforcement with FQDN filtering to prevent systems from connecting to known mining pools and illicit destinations.
- Implement continuous east-west traffic inspection to detect and block unauthorized internal movement.
- Enable anomaly-based threat detection to monitor for unauthorized SSH key changes, resource hijacking, and unusual process activity.
- Regularly audit, patch, and update all exposed cloud and hybrid workloads to eliminate brute-force and known vulnerability attack vectors.