Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Resource hijacking may take a number of different forms. For example, adversaries may:
In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-06.07 | Development and operational process alignment | Mitigates | T1496 | Resource Hijacking |
Comments
This diagnostic statement protects against Resource Hijacking through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2022-29464 | WSO2 Multiple Products Unrestrictive Upload of File Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.
References
|
CVE-2024-23692 | Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.
References
|
CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
References
|
CVE-2023-49897 | FXC AE1021, AE1021PE OS Command Injection Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.
References
|
CVE-2023-47565 | QNAP VioStor NVR OS Command Injection Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.
References
|
CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.
References
|
CVE-2022-29303 | SolarView Compact Command Injection Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2022-29303 is a command injection vulnerability within a PHP component in the product's web server.
Reports indicate that the vulnerability have been exploited by operators of Mirai botnet malware.
References
|
CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
|
CVE-2021-35394 | Realtek Jungle SDK Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
The vulnerability in Realtek Jungle chipsets is exploited by remote, unauthenticated attackers using UDP packets to a server on port 9034, enabling remote execution of arbitrary commands. The attack involves injecting a shell command that downloads and executes a shell script on the compromised device. This script downloads binaries for various CPU architectures, such as ARM, MIPS, and SuperH, primarily from the Mirai malware family, turning the device into a botnet node.
The attack script connects to a malicious IP to download and execute malware, with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and curl to download botnet clients for different processor architectures. RedGoBot can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP, VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally, injected commands can write binary payloads to files for execution or reboot the targeted server to cause denial of service.
References
|
CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited for o assemble botnets and launch gigantic distributed denial of service (DDoS) attacks.
References
|
CVE-2018-7600 | Drupal Core Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal’s versions 7 and 8. According to reports, successfully exploiting the vulnerability entails elevating the permission to modify or delete the content of a Drupal-run site and crypto-jacking campaigns.
References
|
CVE-2018-11776 | Apache Struts Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers when alwaysSelectFullNamespace is true and then results are used with no namespace. Volexity also reports active scanning and attempts to exploit CVE-2018-11776 in order to deploy cryptocurrency miners.
References
|
CVE-2017-9822 | DotNetNuke (DNN) Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2017-9822 is a vulnerability allows an attacker to exploit cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on various web applications
References
|
CVE-2023-38035 | Ivanti Sentry Authentication Bypass Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system.
This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.
References
|
CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
References
|
CVE-2023-32315 | Ignite Realtime Openfire Path Traversal Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2023-32315 is a path traversal bug in Openfire's administrative console that could be leveraged for remote code execution. Public reports have indicated that threat actors were exploiting this vulnerability to gain access to the Openfire plugins interface to create new admin console user accounts, install a malicious plugin, and gain access to a webshell.
References
|
CVE-2025-4632 | Samsung MagicINFO 9 Server Path Traversal Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
By exploiting a path traversal vulnerability in Samsung MagicINFO 9 Server, an unauthenticated attacker can write arbitrary files with system privileges. This can be used to deploy malware or to hijack resources for activity such as cryptocurrency mining.
References
|
CVE-2023-22527 | Atlassian Confluence Data Center and Server Template Injection Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.
References
|
CVE-2021-26084 | Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1496 | Resource Hijacking |
Comments
The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1496 | Resource Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
security_command_center | Security Command Center | technique_scores | T1496 | Resource Hijacking |
Comments
SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1496 | Resource Hijacking |
Comments
The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.
CryptoCurrency:EC2/BitcoinTool.B CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/BitcoinDomainRequest.Reputation UnauthorizedAccess:EC2/TorRelay
References
|
aws_cloudwatch | AWS CloudWatch | technique_scores | T1496 | Resource Hijacking |
Comments
AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metrics (not an exhaustive list) could be used to detect if the usage of a resource has increased such as when an adversary hijacks a resource to perform intensive tasks.
Linux/Mac OS ------------- cpu_time_active cpu_time_guest cpu_usage_active cpu_usage_guest disk_free disk_total disk_used ethtool_bw_in_allowance_exceeded ethtool_bw_out_allowance_exceeded ethtool_conntrack_allowance_exceeded mem_active mem_available_percent mem_free net_bytes_recv net_bytes_sent net_packets_sent net_packets_recv netstat_tcp_established netstat_tcp_listen processes_running processes_total swap_free swap_used
Containers ---------- CpuUtilized MemoryUtilized NetworkRxBytes NetworkTxBytes node_cpu_usage_total node_cpu_utilization node_filesystem_utilization node_memory_utilization
This mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized increase in resource utilization.
References
|
aws_config | AWS Config | technique_scores | T1496 | Resource Hijacking |
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: "cloudwatch-alarm-action-check", "cloudwatch-alarm-resource-check", "cloudwatch-alarm-settings-check", "desired-instance-tenancy", "desired-instance-type", "dynamodb-autoscaling-enabled", "dynamodb-throughput-limit-check", "ec2-instance-detailed-monitoring-enabled", and "rds-enhanced-monitoring-enabled".
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial.
References
|
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1496 | Resource Hijacking |
Comments
The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing denial of service attacks on other environments: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities.
Coverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1496 | Resource Hijacking |
Comments
This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region".
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1496.003 | SMS Pumping | 8 |
T1496.002 | Bandwidth Hijacking | 6 |
T1496.004 | Cloud Service Hijacking | 7 |
T1496.001 | Compute Hijacking | 9 |