Search This Blog

Showing posts with label Cryptojacking. Show all posts

Sonicwall Cyber Threat Report 2019 Finds Escalation in Ransomware Attacks-As-A-Service


Based on the real world data from more than 1 million international security sensors in more than 200 nations, SonicWall made public the discoveries from its mid-year update of the 2019 through the 'SonicWall Cyber Threat Report'.

With the global malware volume going down by 20%, researchers found a 15% increment in ransomware attacks comprehensively.

This expansion in ransomware-as-a service, open-source malware kits and cryptojacking utilized by cybercriminals comprised of the major highlights of the new data found.

"Organizations continue to struggle to track the evolving patterns of cyber-attacks — the shift to malware cocktails and evolving threat vectors — which makes it extremely difficult for them to defend themselves," said SonicWall President and CEO Bill Conner.

"In the first half of 2019, SonicWall Real-Time Deep Memory Inspection (RTDMI) technology unveiled 74,360 'never-before-seen' malware variants. To be effective, companies must harness innovative technology, such as machine learning, to be proactive against constantly-changing attack strategies,” he added later.

In the first part of 2019, SonicWall also observed a 55% increase in IoT attacks, a number that outpaces the initial two quarters of the previous year, all because organizations and purchasers keep on connecting devices to the web without appropriate safety measures.



Confluence servers hacked to install malware

Cybercriminals are now exploiting a vulnerability in Confluence servers to install cryptojacking malware. According to a report by Trend Micro, the vulnerability has been well documented in the past. However, at the time, it was being used to target victims with DDoS attacks.

Confluence is a widely popular planning and collaboration software developed by the Australian software giant, Atlassian. Trend Micro reported that it had noticed one of the vulnerabilities, CVE-2019-3396, in April, a month after Atlassian published an advisory covering the same. CVE-2019-3396 is a template injection in the Widget Connector that allows cybercriminals to execute code remotely on their victims’ machines.

The vulnerability was first used for a DDoS attack in Romania. However, the cybersecurity and analytics company revealed that hackers are now using it to install a Monero crypto miner that comes with a rootkit. The rootkit serves to hide the malware’s network activity. It also shows false CPU usage on the affected machine, misleading the user and further concealing the mining process. The report further revealed that the rootkit re-installs the malware should the victim manage to remove it.

The attack begins by sending a command to download a shell script hosted on Pastebin, an online content hosting service where users store plain text for a set period of time. The malware then kills off some of the processes running on the host machine before downloading other resources, also from Pastebin.

The vulnerability mainly targets older versions of Confluence, with Atlassian urging its users to download patched versions of Confluence Server and Data Center to protect themselves.

In recent times, cryptojacking has become increasingly popular with cybercriminals. The tactics are also advancing, with the criminals seeking to stay ahead of the security experts. As we reported recently, a new malware that targets Linux servers has been modified to shut down other crypto miners in the host’s system. Known as Shellbot, the malware uses the SSH brute force technique to infect servers that are connected to the internet and that have a weak password.

Malware Campaigns Attacking Asian Targets Using EternalBlue and Mimikatz



Asian targets are falling prey to a cryptojacking campaign which takes advantage of 'Living off the Land' (LotL) obfuscated PowerShell-based scripts and uses EternalBlue exploit to land Monero coinminer and Trojans onto targeted machines.
At the beginning of this year, a similar malware campaign was identified by the research team of Qihoo 360; reportedly, the campaign was targeted at China at the time. Open source tools such as PowerDump and Invoke-SMBClient were employed to carry out password hashing and execute hash attacks.
The campaign resorts to an exploit which uses SMBv1 protocol which was brought into the public domain by the Shadow Brokers a couple of years ago. It has now become one of the standard tools used by the majority of malware developers.
Referenced from Trend Micro’s initial findings, the aforementioned cryptojacking campaign was only targeting Japanese computer devices but eventually the targets multiplied and now they encompassed Taiwan, India, Hong-Kong, and Australia.
Trend Micro’s research also stated that the EternalBlue exploit, developed by NSA is a new addition into the malware; alongside, they drew a co-relation between the exploit and the 2017 ransomware attacks.  
How does the malware compromise computers?
With the aid of "pass the hash" attacks, it inserts various infectious components into the targeted computer by trying multiple weak credentials in an attempt to log in to other devices which are connected to that particular network.
Upon a successful login, it makes changes in the settings concerning firewall and port forwarding of the compromised machine; meanwhile, it configures a task which is scheduled to update the malware on its own.
Once the malware has successfully compromised the targeted computer, it goes on to download a PowerShell dropper script from C&C server and then it gets to the MAC address of the device and terminates the functioning of all the antimalware software present on the system. Immediately after that, it furthers to place a Trojan strain which is configured to gather the information of the machine such as name, OS version, graphics detail, GUID and MAC address.
“We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases targets legacy software that companies may still be using,” said Trend Micro.
Trend Micro advises users and enterprises to, “use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable multi-layered protection the system that can actively block these threats and malicious URLs from the gateway to the endpoint.”



Crypto-jacking: A New Vector of the Cyber-Cons after Ransomware!




Apparently, according to the records of 2018, after getting bored with ransomware attacks, crypto-jacking has become the new tool of cyber-cons for harvesting crypto-currency.



Crypto-jacking by nature is more insidious and stealthy and hence in the past year has emerged as a better way of harvesting crypto-currency.

Initially, the best choice for doing the same was ransomware, but having surpassed it, Crypto-jacking is now cyber-cons’ favorite option.

2018, unlike any other year in the cyber-crime history saw a lot of cyber-attacks, wherein the crypto-jacking attacks constituted to be amongst the most.

The report of IBM strictly mentioned that the crypto-currency attacks hiked by quite a large number.

Whereas, ransomware attacks plummeted by 45% including both mobile and desktop platforms.

The major reason behind this shift of inclination towards crypto-jacking happens to be the less-disruptive and furtive disposition.

After a ransomware is introduced to the victim, the attack weapon goes waste after just one attack, leaving no chances for a recurrence.

Meanwhile, in the case of crypto-jacking, a recurrence is almost ensured, making it possible for more profits from a single weapon.

Somehow, crypto-jacking appears to be the more malicious of the two, which if ignored could lead to serious ramifications.

Reportedly, crypto-jacking could soon transform from currency mining to fabrication its own botnets to function spyware attacks.

Leaving the users with the only advice and option; to use the latest versions of anti-viruses and keep the systems updated.

In-Browser Cryptomining Service, 'Coinhive' to Shut Down on March 8, 2019



Coinhive, an in-browser Monero cryptocurrency miner which was designed to provide web developers a JavaScript will be terminating its operations soon.  

Officials at Coinhive put the news forth in a blog post on February 26 where they cited various reasons for their decision of shutting down all their operations. The post suggested that following a 50 percent drop in hash rate, Cryptocurrency service, Coinhive decided to discontinue its operations on March 8, 2019.  

Referencing from the blog post, "The drop in hash rate (over 50%) after the last Monero hard fork hit us hard," the company said. "So did the 'crash' of the crypto currency market with the value of XMR depreciating over 85% within a year."

"This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive," said the officials.

The project which no longer is economically viable was launched in September 2017 as an alternative to traditional banner ads.

Before Coinhive’s in-browser Monero mining stops working on March 8, the registered users will be made dashboards accessible until April 30 so that they can withdraw funds from their respective accounts.

The digital currency mining service, despite the consistent efforts of the team never become one of the major websites in the league. Moreover, it was subjected to heavy criticism for skyrocketing the CPU usage inside browsers. 

Afterward, it went on becoming immensely popular among cybercriminals for cryptojacking and recently a report from Kaspersky Labs suggested that cryptojacking left behind ransomware and became the biggest cybersecurity threat. 

Referencing from the announcement made by the company,

“Some of you might have anticipated this; some of you will be surprised. The decision has been made. We will discontinue our service on March 8, 2019. It has been a blast working on this project over the past 18 months, but to be completely honest, it isn’t economically viable anymore.”

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the “crash” of the cryptocurrency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive.”



Exposed Docker Apis Used By Attackers In Creation Of New Containers That Perform Cryptojacking


Earlier this year it was revealed that attackers are now utilizing insecure Docker And Kubernetes systems in order to redistribute containers that have been used to mine coins. These containers are packages that include an application and all of the dependencies that are needed to run it. The packages are then redistributed as containers to Docker or Kubernetes structures accordingly.

Even Trend Micro lately detected an attacker scanning explicitly for insecure and exposed Docker Engine APIs and its utilization to deploy containers that download and execute a coin miner.
Docker containers are redistributed on a rostrum referred to as the Docker Engine, wherein they may run within the background together with different containers deployed to the system. 

If Docker Engine isn't accurately safeguarded, attackers can remotely make use of the Docker Engine API to redistribute the containers in their very own advent and start them at the insecure system.
Container Creation

When the container is deployed and stimulated, it releases an auto.sh script that further downloads a Monero miner and configures it to launch instinctively. The script even downloads the port scanning software, in an effort to test for the various vulnerable Docker Engine instances on port 2375 and 2376 and additionally try to spread to them.

Scan all networks seen from the host, with a scan rate of 50,000 packets per second, for open port 2375 and 2376; the result is saved in local.txt (anonymized/defanged):
masscan “$@” -p2375,2376 –rate=50000 -oG local.txt;
Conduct lateral movement by infecting or abusing more hosts found in previous reconnaissance:
sudo sed -i ‘s/^Host: \([0-9.]*\).*Ports: \([0-9]*\).*$/\1:\2/g’ local.txt;
sudo sh test3.sh local.txt;


With this method, a whole lot of Docker Engine containers can be gathered that mine coins for the attacker.

Although Docker Engine API abuse isn't new, but it continues to be a hassle due to the fact that the administrators don't legitimately secure their systems. To keep attackers from abusing the insecure Docker Engine implementations, Trend Micro proposes that the administrators  make use of the following security measures:


  • Harden the security posture. The Centre for Internet Security (CIS) has a reference that can help system administrators and security teams establish a benchmark to secure their Docker engine.     
  • Ensure that container images are authenticated, signed, and from a trusted registry (i.e., Docker Trusted Registry). Employing automated image scanning tools helps improve development cycles.  
  • Enforce the principle of least privilege. For instance, restrict access to the daemon and encrypt the communication protocols it uses to connect to the network. Docker has guidelines on how to protect the daemon socket.
  •   Properly configure how much resources containers are allowed to use (control groups and namespaces).
  • Enable Docker’s built-in security features to help defend against threats. Docker has several guidelines on how to securely configure Docker-based applications


A Mysterious Malware That Holds The Power To Critically Damage One’s Phone

It wouldn't be wrong to state that Hack forums isn't the most "world class"  or elite gathering of cybercriminals as many of  its members as of now appear to be relative novices, and furthermore it's probable that some post about hacking methods they've never really endeavoured. In spite of the fact that experts do state that with the current buyer showcase in cryptocurrencies, even the refined hacking groups are increasingly getting into undercover or in other words clandestine mining, and once in a while running such operations close by more customary and traditional  cybercrime like data theft and dissent of service attacks.

In the same way as many other people, the hackers on the message board Hack Forums are presently exchanging tips on the most proficient method to make profit with cryptocurrencies. Be that as it may, they're not simply hoping to purchase low and offer high they are only swapping approaches to surreptitiously tackle other people's phones and PCs to further generate digital coins for themselves.

A month ago, F5 networks, a Seattle security firm reported a "sophisticated multi-stage attack" hijacking networks of computers to mine cryptocurrencies.

The assailants have been known to utilize the vulnerabilities in common server softwares, combined with Windows exploits leaked from the National security Agency, to effortlessly infiltrate the victim's systems and migrate through their networking systems.

Despite the fact that it's difficult to know how much these current crypto jacking attacks have earned altogether, yet the addresses connected to the malware variations seemed to have gotten a sum of $68,500 in the cryptographic money (cryptocurrency) monero.

In any case, in the previous year, monero-mining malware has been spotted on an extensive variety of sites, mining the currency as people streamed videos from Showtime and Ultimate Fighting Championship or only browsed the web on compromised Wi-Fi systems at Starbucks cafes. Albeit, some program expansions have been found mining the currency while the users do other things, and monero-mining malware has as of late been spotted proliferating through links on Facebook Messenger also.

Hi @Starbucks@StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer’s laptop? Feels a little off-brand... 

— Noah Dinkin (@imnoah) December 2, 2017

If you remember the IoT botnets, Mirai in the past, we’ve actually seen one variant this year which was mining monero coins on routers and hard disk recorders as well,” says Candid Wueest, principal threat researcher at Symantec and contributing author on a report the security company released on cryptojacking last month.

Creators of some monero-mining software argue that in-program (browser) mining can have a true blue use, letting people intentionally exchange computer power for access to articles, videos, or premium application features, when sites are looking past publicizing or advertising as an income and revenue stream. "I don't agree with anybody's computer being mishandled or abused without their insight," says Spagni, the monero core developer.

"However the technology that is being manhandled presents a completely new approach for monetizing a service on the web." He contends this could empower a "free" version of Netflix or provide another subsidizing stream for journalism.

Coinhive one of the most well-known web miners, even offers a mining-based captcha alternative, aimed at making it less attainable for spammers to play out specific activities on a website, and a version of the software called AuthedMine which requires the users to unequivocally opt in before mining begins. Makers of other mining tools put forth comparable expressions about user consent, maybe with changing degrees of sincerity.

Nevertheless a tool called Monero Quiet Excavator, available for $14, mines in the background on Windows PCs. It doesn't launch a visible window that users can recognize or detect as fast as possible, keeps the gadgets from going into sleep mode, and can "bypass firewalls," as indicated by its website. In any case, its developer states that it is intended just for "legitimate users". Those could incorporate individuals who possess various PCs and need to utilize them to mine monero "transparently for the end user or client of the PC"