
Romanian Cryptojacking Gang Targets Linux-based Machines to Install Cryptominer Malware


Romanian threat actors are employing a new brute-forcer, “Diicot brute”, to crack the passwords of Linux-based machines and install cryptominer malware.

According to Bitdefender researchers, the cryptojacking gang employs a unique SSH brute-forcer dubbed Diicot to crack weak passwords on Linux machines and install XMRig, a legitimate open-source miner that has been repurposed for cryptojacking by numerous attackers.

The researchers said they connected the cryptojacking gang to at least two DDoS botnets: a variant of the Linux-based DemonBot DDoS botnet called “Chernobyl” and a Perl IRC bot. The main motive of this campaign is to deploy Monero mining malware, but the toolset can also be used to steal sensitive information from users and perform other nefarious actions.

Cryptojacking is a slow and tedious way to generate illicit income, which is why the actor is using a botnet to infect as many devices as possible. “Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead,” according to the report published by Bitdefender researchers.

Threat actors are targeting people with weak and default passwords that are easily broken through brute force. “People are the simple reason why brute-forcing SSH credentials still work,” researchers wrote.

“Hackers going after weak SSH credentials is not uncommon. The tricky part is not necessarily brute-forcing passwords but rather doing it in such a manner that attackers can’t go undetected,” Bitdefender says. According to the threat actors' own claims, the Diicot brute-forcer can also filter out honeypots.
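As an added defender-side illustration (not code from the Bitdefender report or this post), here is a small detector that flags the pattern described above over constructed sshd log lines: a burst of failed password logins from one source within a short window, followed by a successful password login from the same source. The hostnames, IPs, timestamps, year and threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not taken from the Bitdefender report).
SAMPLE_LOG = """\
Jul 15 03:12:01 host sshd[2210]: Failed password for root from 203.0.113.7 port 51111 ssh2
Jul 15 03:12:02 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Jul 15 03:12:03 host sshd[2212]: Failed password for root from 203.0.113.7 port 51113 ssh2
Jul 15 03:12:04 host sshd[2213]: Failed password for root from 203.0.113.7 port 51114 ssh2
Jul 15 03:12:05 host sshd[2214]: Failed password for root from 203.0.113.7 port 51115 ssh2
Jul 15 03:12:06 host sshd[2215]: Accepted password for root from 203.0.113.7 port 51116 ssh2
Jul 15 03:40:00 host sshd[2300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jul 15 03:41:10 host sshd[2301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2021):
    """Return (timestamp, result, method, user, ip) or None for unrelated lines.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect(log_text, threshold=5, window_s=60):
    """Return {ip: verdict}: 'brute_force' once an IP reaches `threshold` failed
    logins inside a sliding `window_s` window, upgraded to 'compromise_suspected'
    if a *password* login later succeeds from that same IP (key-based logins are ignored)."""
    fails = defaultdict(list)   # ip -> timestamps of recent failures
    verdicts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, method, user, ip = ev
        if result == "Failed":
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(fails[ip]) >= threshold:
                verdicts.setdefault(ip, "brute_force")   # never downgrade a later verdict
        elif method == "password" and verdicts.get(ip) == "brute_force":
            verdicts[ip] = "compromise_suspected"
    return verdicts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))   # {'203.0.113.7': 'compromise_suspected'}
```

A 'compromise_suspected' verdict is the point at which a defender would look for follow-on activity such as a newly dropped miner process or an unexpected cron entry on that host.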

The attackers started the campaign in January and have not yet moved to the worm phase, according to Bitdefender. The cybersecurity analysts first tracked the Romanian cryptojacking gang back in May, when they discovered a cryptojacking campaign based on the “.93joshua” loader. Surprisingly enough, it was easy to trace the malware to “http://45[.]32[.]112[.]68/.sherifu/.93joshua” in an open directory.

“It turns out that the server hosted other files. Although the group hid many of the files, their inclusion in other scripts revealed their presence. They found that the associated domain,, has hosted malware at least since February,” analysts noted.

Romania's Website Suffers Major Security Breach


The website, Romania's biggest advertising platform for real estate ads, was hit last December by a security breach that allowed unauthenticated access to more than 201,087 files in the company's data archive (including copies of identity cards), as reported by the IT security experts at Website Planet, the specialized site informs. The operator reported last month that it had remediated the flaw but did not report it to the Data Protection Authority.

It remains unclear whether customer data has fallen into the wrong hands, since the company's storage bucket had no password protection or authentication. The leaked data was stored in 35,738 PDF and 165,316 JPG files, including full names, telephone numbers, home addresses, emails, CNP (social security number), and personal signatures. This amounts to personally identifiable information (PII). Notably, anyone who knew the correct URL could reach the bucket directly.

This breach disclosed over 200,000 documents, but the exact number of people affected remains unclear. Additional customer information compromised includes real estate contracts between customers and the company, property records including architectural plans, detailed descriptions and locations, land extracts and ANCPI documents, user profile photos, scanned copies of national identity cards containing identification codes, asking prices for properties, and detailed descriptions of properties including real estate agreements. The operator's officials stated, "In January 2021, we detected a potential vulnerability in our internal data storage systems. Our company promptly launched an investigation. The vulnerability was quickly remedied. Internal investigations on the causes and potential consequences continue. We ensure in this way that data security is a priority and work continuously to protect the confidentiality and integrity of our platforms, meeting all current standards and in cooperation with."

Given the nature of the leaked information, the possible effects on consumers may be serious. Initially, malicious actors may use the information to learn a person's residential address, expected sale proceeds, and financial status. No explicit financial data was leaked, but unauthorized users could use property values as a proxy indicator for net wealth. Identity theft is the primary concern with this material, but other crimes such as burglary also become more likely as a result of the leak. Users could have done little to prevent the leak of their data; the organization is responsible for the exposed server. Users can nevertheless reduce the risk that weak security at third-party firms poses to them, for example through credit-monitoring services that offer identity-recovery support if leaked personal data is used to damage their credit records or to commit other crimes under an assumed name.