Showing posts with label cryptocurrency mining.

Blue Mockingbird, a cryptocurrency-mining campaign that exploits web applications


Analysts at Red Canary, a cybersecurity firm, have discovered a Monero cryptocurrency-mining campaign that exploits a .NET deserialization vulnerability, CVE-2019-18935, in public-facing web applications built on the ASP.NET web framework.


They named it "Blue Mockingbird". The campaign uses the deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX, a front-end component library, to obtain remote code execution on the web server. AJAX (Asynchronous JavaScript and XML) is a technique in which browser-side script exchanges data with the server in the background, so that parts of a page can be updated without a full reload; the vulnerable code is the server-side handler that services those requests, not anything that runs in the browser.

This particular vulnerability, CVE-2019-18935, is in the RadAsyncUpload file-upload handler, as described by the National Vulnerability Database: the handler deserializes attacker-controlled .NET objects, which yields code execution once the attacker knows the encryption keys that protect the upload configuration. Those keys can be obtained through another attack or weakness; NVD cross-references two earlier Telerik issues, CVE-2017-11317 and CVE-2017-11357, so remediation means both upgrading Telerik UI and replacing any keys that may already have been exposed.

Red Canary traced the campaign back to December 2019 and observed it continuing through April 2020. The attackers target servers running unpatched versions of Telerik UI for ASP.NET AJAX in which the vulnerability has not been fixed, use it to upload and execute an XMRig Monero-mining payload, and then spread the miner laterally across the network.

XMRig is open source and can be compiled into custom tooling, which is what the analysts found here. Red Canary identified three distinct execution methods: rundll32.exe explicitly calling the DLL export fackaaxv; regsvr32.exe invoked with the /s (silent) command-line option; and the payload configured as a Windows Service DLL.

"Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address," state researchers at Red Canary in a writeup. "So far, we've identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success."

To establish persistence, Blue Mockingbird first has to gain an initial foothold and escalate privileges, which it does in several ways; for example, by using the JuicyPotato exploit to escalate from an IIS Application Pool Identity virtual account to NT AUTHORITY\SYSTEM. In another case the attackers used Mimikatz (the official, signed build) to harvest logon credentials.

With credentials and elevated privileges in hand, Blue Mockingbird used several persistence techniques, including a COR_PROFILER COM hijack to execute its DLL: once the COR_ENABLE_PROFILING and COR_PROFILER environment variables are set system-wide, every process that loads the .NET runtime also loads the profiler DLL registered under the named CLSID, so the miner is re-launched by ordinary system activity rather than by anything an administrator would recognise as a startup entry.

"To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload," the writeup explains.
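The three execution methods and the COR_PROFILER persistence described above translate directly into hunt logic. The script below is an added example, not Red Canary's code: it runs simple rules over constructed Sysmon-style records (EventID 1 process-creation, EventID 13 registry-value-set), flags rundll32 calling the fackaaxv export, silent regsvr32 registration of a DLL outside the Windows directories, wmic or direct registry writes to the COR_* variables, a ServiceDll registration, and then resolves the profiler CLSID to the DLL it points at. Field names follow Sysmon; every path, service name and the CLSID are made up for the demo.

```python
"""Hunt for Blue Mockingbird-style execution and persistence in endpoint
telemetry. Added example, not Red Canary's code. The events are constructed
Sysmon-style records (EventID 1 = process create, 13 = registry value set);
field names follow Sysmon, all paths, names and the CLSID are made up."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    evidence: str


CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
# Sysmon records a key's default value as "...\(Default)".
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32\\\(default\)$")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def hunt(events):
    findings = []
    profiler_clsids = []   # CLSIDs written into a COR_PROFILER variable
    clsid_dll = {}         # CLSID -> DLL path registered under InprocServer32

    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"].lower().rsplit("\\", 1)[-1]
            cmd = ev["CommandLine"]
            low = cmd.lower()
            # Method 1: rundll32.exe calling the export name Red Canary reported.
            if image == "rundll32.exe" and re.search(r",\s*fackaaxv\b", low):
                findings.append(Finding("rundll32 export fackaaxv", cmd))
            # Method 2: regsvr32.exe /s (silent) registering a DLL that does not
            # live under Windows or Program Files (heuristic, tune per estate).
            elif image == "regsvr32.exe" and re.search(r"(^|\s)/s(\s|$)", low):
                m = re.search(r'"?([a-z]:\\[^"\s]+?\.dll)"?', low)
                if m and not m.group(1).startswith(SYSTEM_DIRS):
                    findings.append(Finding("regsvr32 /s non-system DLL", cmd))
            # COR_PROFILER set through wmic.exe, the tradecraft the writeup quotes.
            elif image == "wmic.exe" and "environment" in low and "cor_" in low:
                findings.append(Finding("wmic sets COR_* environment", cmd))
        elif ev["EventID"] == 13:
            tgt, val = ev["TargetObject"], ev["Details"]
            tl = tgt.lower()
            # Method 3: a ServiceDll value makes svchost load the payload as a service.
            if tl.endswith("\\parameters\\servicedll"):
                findings.append(Finding("service DLL registered", f"{tgt} = {val}"))
            # COR_PROFILER persistence written straight into the environment key.
            if tl.endswith("\\environment\\cor_profiler"):
                m = CLSID_RE.search(val)
                if m:
                    profiler_clsids.append(m.group(0).lower())
                findings.append(Finding("COR_PROFILER env set", f"{tgt} = {val}"))
            if tl.endswith("\\environment\\cor_enable_profiling") and val.strip() == "1":
                findings.append(Finding("COR_ENABLE_PROFILING=1", tgt))
            m = INPROC_RE.search(tl)
            if m:
                clsid_dll[m.group(1)] = val

    # Tie each profiler CLSID to the DLL that every CLR-hosting process will load.
    for clsid in profiler_clsids:
        if clsid in clsid_dll:
            findings.append(Finding("COR_PROFILER DLL resolved", f"{clsid} -> {clsid_dll[clsid]}"))
    return findings


# Constructed telemetry: one benign regsvr32 line, the rest attacker activity.
CLSID = "{11111111-2222-3333-4444-555555555555}"  # made-up CLSID
ENV = r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\upd.dll,fackaaxv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\upd.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": f'wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="{CLSID}"'},
    {"EventID": 13, "TargetObject": ENV + r"\COR_ENABLE_PROFILING", "Details": "1"},
    {"EventID": 13, "TargetObject": ENV + r"\COR_PROFILER", "Details": CLSID},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID + r"\InprocServer32\(Default)",
     "Details": r"C:\Windows\Temp\upd.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\updsvc\Parameters\ServiceDll",
     "Details": r"C:\Users\Public\upd.dll"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.evidence}")
```

The regsvr32 rule is the noisy one: `/s` is used by installers constantly, so the path filter matters more than the switch, and the CLSID-to-DLL join at the end is what turns three separate registry writes into one actionable finding.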

The best defense against threats like this, which depend on known vulnerabilities, is patching: keep web servers, web applications and the applications' dependencies (here, the Telerik UI library) up to date.

Hackers use Russian government websites for cryptocurrency mining


Cybercriminals are using not only the computers of ordinary Internet users to generate cryptocurrency, but also the resources of large companies and the websites of Russian government agencies. This was announced at a press conference on Monday by Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI).

"Cases of cryptocurrency mining with the help of infected information resources of state organizations have been identified. In this case, attackers infect web pages, and mining is carried out at the moment those pages are viewed in the browser," said Murashov.

He noted that the price of most virtual coins is very high, so plenty of people want to earn money the easy way. "Up to 80% of the free power of a computer can be used to generate virtual coins, and the legitimate user may not even know about it," said the Deputy head of the NCCCI. He noted that seizing the servers of large companies for mining threatens to reduce their performance significantly and do significant damage to the business.
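The attack Murashov describes, a miner injected into a page and run by every visitor's browser, leaves a footprint in the page itself. The script below is an added example, not from NCCCI or the original post: it is a static scan an administrator can run over a saved copy of a page, flagging external scripts loaded from hosts the site does not own and inline scripts that combine the ingredients of an in-browser miner (WebAssembly, Web Workers, pool or hash-rate references). The HTML and hostnames are constructed for the demo.

```python
"""Static scan of a web page for injected browser-mining scripts. Added
example, not from NCCCI or the original post. Heuristic: an injected miner
usually arrives as a <script src> from a host the site does not own, or as
an inline script that drives a WebAssembly hashing loop in Web Workers.
The page below is constructed for the demo; the hostnames are made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Each token is common on its own; several together in one inline script are
# characteristic of a miner, so a minimum count is required.
MINER_TOKENS = ("webassembly", "worker", "stratum", "hashrate", "cryptonight", "pool")


class _Scripts(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_page(html, own_hosts, min_tokens=3):
    """Return (reason, detail) findings for scripts that deserve a look."""
    p = _Scripts()
    p.feed(html)
    findings = []
    for src in p.srcs:
        host = urlparse(src).hostname  # None for relative URLs, i.e. same origin
        if host and host.lower() not in own_hosts:
            findings.append(("external script from unknown host", src))
    for body in p.inline:
        low = body.lower()
        hits = [t for t in MINER_TOKENS if t in low]
        if len(hits) >= min_tokens:
            findings.append(("inline script with miner indicators", ",".join(hits)))
    return findings


SAMPLE_HTML = """<html><head>
<script src="/static/js/site.js"></script>
<script src="https://www.agency.example/js/menu.js"></script>
<script src="//cdn-stats.example/m.js"></script>
<script>
  var w = new Worker('/w.js');
  WebAssembly.instantiate(buf).then(function () {
    w.postMessage({pool: 'wss://pool.example:8443', hashrate: 0});
  });
</script>
<script>document.querySelector('nav').classList.add('ready');</script>
</head><body>Public notice</body></html>"""

if __name__ == "__main__":
    for reason, detail in audit_page(SAMPLE_HTML, {"www.agency.example"}):
        print(f"{reason}: {detail}")
```

Run it against a copy of the page fetched the way a visitor would fetch it, since an injection may be applied by a compromised server only to anonymous browser requests; a clean result from the file on disk proves nothing about what the server actually sends.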

Murashov also said at the press conference that in 2019 about 12 thousand "foreign information resources were blocked, which were used by attackers to damage our country." In addition, according to him, at the request of foreign partners the activities of more than 6 thousand malicious resources in the Russian Federation were stopped in the current year.

According to Murashov, users should pay attention to the security of their computers to counter such attacks. Infection with malicious software should serve as a signal that the computer is poorly protected and can fall victim to any attacker.

Murashov noted that two Russian citizens were prosecuted for mining cryptocurrencies through infected computers of organizations.

"In Russia recently there were two cases of criminal prosecution of persons who used seized computers for mining cryptocurrencies," he said.

One of them is a resident of Kurgan, who ran an entire botnet of infected machines across various regions of the country. In the second case, criminal proceedings were opened over the use of the website of the company Rostovvodokanal for mining.

Skidmap, Linux Malware Mining Cryptocurrency in Disguise



A new strain of Linux malware has been discovered by security researchers. It is built to carry out a number of malicious activities beyond illicitly mining cryptocurrency; through a "secret master password" it gives the attackers universal access to the system.

Skidmap demonstrates the increasing sophistication of cryptocurrency-mining malware and the prevalence of such threats.

To keep its mining hidden, Skidmap forges CPU-related statistics and network traffic, according to TrendMicro's recent blog post on the subject.

Highlighting the advanced methods used by Skidmap, researchers at TrendMicro said, "Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware."

“Cryptocurrency-mining threats don’t just affect a server or workstation’s performance — they could also translate to higher expenses and even disrupt businesses especially if they are used to run mission-critical operations,” reads the blog.

How does the infection take place?

It starts with crontab, the standard facility on Unix-like systems for scheduling tasks to run periodically: a cron entry fetches and executes the installer. Skidmap then installs its malicious binaries and lowers the security settings of the affected machine so that mining can proceed undisturbed.

While the miners generate coins for the attackers, additional binaries dropped onto the system monitor the miner process and keep it running.

To stay protected against cryptocurrency-mining malware of this kind, administrators are advised to keep their servers and machines updated and patched, and to be wary of unverified repositories.

Electricity Wastage Leading to a Ban on Cryptocurrency Mining in China



After cryptocurrency mining was listed as a hazardous and wasteful activity by China's central state planner, the National Development and Reform Commission, the Chinese government is moving to ban the practice. China, long the hub of bitcoin mining, has now drafted plans to end the activity.

The list drawn up by China's state planner included more than 450 activities that fail to comply with regulations and are classed as undesirable because they either waste resources or pollute the environment.

Citing an anonymous Chinese bitcoin trader, Reuters reported: "Bitcoin mining wastes a lot of electricity."

Bitcoin, the most popular cryptocurrency, hit a record high near the end of 2017; this week it touched $5,000 for the first time since November. Later in the week it was down 1.4 percent, as were Ripple's XRP and Ethereum, which fell by the same margin.

Cryptocurrency has lately come under scrutiny in China, which has already banned initial coin offerings and shut down local trading exchanges. Since electricity cost is a decisive factor in mining economics, countries with inexpensive electricity have emerged as the main hosts of cryptocurrency mining.