Researchers uncovered a malicious campaign targeting the Meson Network, a decentralized content delivery network (CDN) that leverages blockchain for bandwidth marketplace operations. This campaign aimed to exploit the crypto token unlock event around March 15th, attempting to create 6,000 Meson Network nodes through a compromised cloud account, leading to significant costs for the account owner.
The Meson Network aims to facilitate a bandwidth marketplace within Web3, leveraging blockchain to offer an alternative to traditional cloud storage solutions. Meson Network operates on proof of bandwidth, so unlike typical cryptojacking attacks that consume CPU resources, this campaign targets victims' bandwidth and storage (due to minimum storage requirements for network nodes), rewarding attackers with Meson Network Tokens (MSN) based on the mining score formula. According to the researchers, the campaign was discovered through a targeted honeypot, and as of March 12, 2024, there is no public evidence of this attack impacting real-life victims.
The attacker gained initial access by exploiting CVE-2021-3129 in a Laravel application, combined with a WordPress misconfiguration, then rapidly escalated privileges to create numerous EC2 instances on AWS. These instances were used to run the Meson CDN service, and the operation quickly scaled to almost 6,000 instances across various regions.
The attack involved downloading and executing the Meson CDN binary on compromised cloud infrastructure. According to the researchers, a deployment on this scale could take a significant financial toll on a victim, with daily operational costs exceeding $2,000 and additional charges for public IP addresses possibly reaching $22,000 monthly.
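
For defenders, the burst of instance creation described above is visible in CloudTrail. The following is an added example, not taken from the researchers' report: it flags any principal whose `RunInstances` calls inside a sliding window exceed an instance-count or region-count threshold. The sample events, principal names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACCT = "arn:aws:iam::111122223333:user/"  # constructed placeholder account

def _event(time, user, region, count):
    """Build a minimal CloudTrail-shaped RunInstances record (constructed sample)."""
    return {
        "eventTime": time, "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": region,
        "userIdentity": {"arn": ACCT + user},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": f"i-sample{n:04d}"} for n in range(count)]}},
    }

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _event("2024-03-01T08:00:00Z", "ci-deploy", "us-east-1", 2),
    _event("2024-03-01T15:00:00Z", "ci-deploy", "us-east-1", 3),
    _event("2024-03-01T12:00:05Z", "web-app", "us-east-1", 100),
    _event("2024-03-01T12:01:10Z", "web-app", "eu-west-1", 100),
    _event("2024-03-01T12:02:20Z", "web-app", "ap-southeast-1", 100),
    _event("2024-03-01T12:03:30Z", "web-app", "sa-east-1", 100),
]

def launch_bursts(events, window=timedelta(minutes=10),
                  max_instances=50, max_regions=3):
    """Return {principal_arn: (instances, regions)} for the largest window
    in which a principal exceeded either threshold."""
    per_principal = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("ec2.amazonaws.com", "RunInstances"):
            continue
        # Failed calls have null responseElements: they count 0 instances
        # but still contribute their region to the spread.
        items = ((ev.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_principal[ev["userIdentity"]["arn"]].append((ts, ev["awsRegion"], len(items)))
    flagged = {}
    for arn, launches in per_principal.items():
        launches.sort()
        start = 0
        for end in range(len(launches)):
            while launches[end][0] - launches[start][0] > window:
                start += 1  # slide the window forward
            span = launches[start:end + 1]
            total = sum(n for _, _, n in span)
            regions = {r for _, r, _ in span}
            if (total > max_instances or len(regions) > max_regions) \
                    and total >= flagged.get(arn, (0, set()))[0]:
                flagged[arn] = (total, regions)
    return flagged
```

In practice the thresholds should be tuned to the account's normal deployment pattern, and a service-quota cap on running instances per region limits how far such a burst can go before an alert fires.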