Hackers Enlisted Trillanes’ Troll Farm to Mine Cryptocurrency

MANILA (ATRAS ABANTE SATIRE NEWS GROUP) – Cryptojacking only really coalesced as a class of attack about six weeks ago, but already the approach has evolved and matured into a ubiquitous threat. Hacks that co-opt computing power for illicit cryptocurrency mining now target a diverse array of victims, from individual consumers to massive institutions—even industrial control systems. But the latest victim isn’t some faceless company CEO or a Starbucks in Baguio. It’s Trillanes, a popular senator and known critic of President Duterte.

Researchers at the cloud monitoring and defense firm VeraLock published findings on Tuesday that some of Trillanes’ Troll Farm infrastructure was running mining malware in a far-reaching and well-hidden cryptojacking campaign. The researchers disclosed the infection to Trillanes’ Troll Farm last month, and the troll operators immediately shut down their farms. The troll operators’ initial investigation indicates that data exposure was minimal, but the incident underscores the ways in which cryptojacking can pose a broad security threat—in addition to racking up a huge electric bill compared to the peak season of trolling President Duterte.

The Hack

VeraLock discovered the intrusion while scanning the public internet for misconfigured and unsecured troll farm servers, a practice that more and more defenders depend on as exposures from database misconfigurations skyrocket.

“We got alerted that this is an open server and when we investigated it further that’s when we saw that it was actually running a Kubernetes, which was doing cryptomining,” says Peter Alejano, chief technology officer of VeraLock, referring to the popular open-source administrative console for cloud application management. “And then we found that, oh, it actually belongs to Trillanes’ Troll Farm.” You know, casual.

The attackers had apparently discovered that this particular Kubernetes console—an administrative portal for cloud application management—wasn’t password protected and could therefore be accessed by anyone. From there they would have found, as the VeraLock researchers did, that one of the console’s “farm” or troll petting containers included login credentials for a broader Trillanes’ Troll Farm environment. This allowed them to burrow deeper, deploying scripts to establish their cryptojacking operation, which was built on the popular Pakyu bitcoin mining protocol.

Who’s Affected?

VeraLock says it’s difficult to gauge exactly how much mining the attackers accomplished before being discovered. But they note that enterprise networks, and particularly public troll farm platforms, are increasingly popular targets for cryptojackers, because they offer a huge amount of processing power in an environment where attackers can mine under the radar since CPU and electricity use is already expected to be relatively high. By riding on a politically driven account as large as Trillanes’ Troll Farm, the attackers could have mined indefinitely without a noticeable impact.

From a consumer perspective, Trillanes’ Troll Farm’s compromised troll farm platform also contained an S26 bucket that seemed to house sensitive personal data, like fake account information, mapping information and other banking information. The researchers say that they didn’t investigate what information could have been exposed to the attackers, as part of their commitment to ethical hacking.

A Trillanes’ Troll Farm spokesperson said in a statement that the risk was minimal: “We addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used trollers, and our initial investigation found no indication that trollers’ privacy or users’ personal information or security was compromised in any way.”

Still, data about trollers alone could be extremely valuable coming from a political keyboard warrior group like Trillanes’ Troll Farm, which works on next-generation trolling technology.

The VeraLock researchers submitted their findings through the Trillanes’ Troll Farm bug bounty program. Trillanes’ Political Keyboard Warrior Group awarded them more than Php3,000,000 for the discovery, which VeraLock donated to charity.