- Cryptocurrency -

Last update 09.10.2017 13:51:50


Thousands of compromised Magento websites delivering Malware
5.4.2018 securityaffairs Cryptocurrency 

Hackers compromised hundreds of Magento e-commerce websites to steal credit card numbers and install crypto-mining malware.
According to the security firm Flashpoint, the attackers launched brute-force attacks against Magento installs using a dictionary of common and known default Magento credentials.

“Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.” reads the analysis published by Flashpoint.

“The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials.”

The security firm revealed that hackers have already compromised at least 1,000 Magento admin panels; most of the victims are in the US and Europe and operate in the education and healthcare industries.

The threat actors behind this campaign are also targeting other popular e-commerce CMS platforms such as Powerfront CMS and OpenCart.

According to the experts, it is quite easy to find discussions on crime forums about how to compromise CMS platforms.

The lack of proper security measures makes it easy for crooks to compromise websites, sometimes with nothing more than a simple script.

“Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.” continues the post.

Once attackers have compromised a Magento installation, they can inject malicious code into core files to perform a wide range of malicious activities, such as stealing payment card data from the website.

The attackers can also use the compromised Magento installs to mine cryptocurrency using malware such as the Rarog cryptocurrency miner.

The compromised sites serve an exploit masquerading as a phony Adobe Flash Player update; once the victim launches it, malicious JavaScript is executed whose function is to download malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

“Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner.” continues the analysis.

“The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.”

[Image: Magento infographic]

Flashpoint, with the support of law enforcement, is notifying victims of the security breaches.

Magento admins are recommended to review CMS account logins and adopt mitigation measures against brute-force attacks, for example by limiting the number of login attempts or enforcing two-factor authentication.
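The following is an added illustration of the "limit the number of attempts" mitigation recommended above; it is not Flashpoint's or Magento's code. It keeps a sliding-window failure counter keyed both by account and by source IP, so that one IP spraying many accounts and many IPs hammering one account are both locked out, and it hashes passwords with a slow KDF and a constant-time compare. The class names, thresholds, the demo account, the password and the IP addresses are all constructed for the example.

```python
"""Login throttling against dictionary attacks on an admin panel (added example)."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with lockout, keyed by account or source IP."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                      # injectable so the demo is deterministic
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures
        self._locked_until = {}                 # key -> time at which the lockout expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: start from a clean slate
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # forget failures outside the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures[key].clear()


class AdminLogin:
    """Credential check guarded by a per-account AND a per-source-IP throttle."""

    ITERATIONS = 50_000                          # slow hash; production code would use bcrypt/argon2
    _DUMMY_SALT = b"\x00" * 16                   # used for unknown users so timing does not leak them
    _DUMMY_HASH = b"\x00" * 32

    def __init__(self, throttle):
        self.throttle = throttle
        self._users = {}                         # username -> (salt, pbkdf2 digest)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt))

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def attempt(self, username, password, source_ip):
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self.throttle.is_locked(k) for k in keys):
            return "locked"                      # refused before the credential store is touched
        salt, expected = self._users.get(username, (self._DUMMY_SALT, self._DUMMY_HASH))
        ok = hmac.compare_digest(self._digest(password, salt), expected) and username in self._users
        for k in keys:
            if ok:
                self.throttle.record_success(k)
            else:
                self.throttle.record_failure(k)
        return "ok" if ok else "failed"


class FakeClock:
    """Manually advanced clock (constructed) so the demo is reproducible."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


DEMO_PASSWORD = "correct-horse-battery-staple-2018"   # constructed demo secret


def make_demo(clock=None):
    throttle = LoginThrottle(max_failures=5, window_seconds=300,
                             lockout_seconds=900, clock=clock or FakeClock())
    login = AdminLogin(throttle)
    login.add_user("admin", DEMO_PASSWORD)
    return login


def simulate_dictionary_attack(login, username, source_ip, guesses):
    """Outcome of each guess in order; the lockout engages after max_failures failures."""
    return [login.attempt(username, g, source_ip) for g in guesses]


if __name__ == "__main__":
    clock = FakeClock()
    login = make_demo(clock)
    guesses = [f"wrong-guess-{i}" for i in range(7)]            # constructed wordlist
    print(simulate_dictionary_attack(login, "admin", "203.0.113.7", guesses))
    print(login.attempt("admin", DEMO_PASSWORD, "203.0.113.7"))  # still locked
    clock.now += 901
    print(login.attempt("admin", DEMO_PASSWORD, "203.0.113.7"))  # lockout expired
```

Two design points matter for this threat: the lock is checked before any hashing so locked-out traffic costs nothing, and the digest is computed even for unknown usernames so response time does not reveal which admin accounts exist.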

Google Bans Crypto-Mining Chrome Extensions
3.4.2018 securityweek Cryptocurrency

Google on Monday announced that Chrome extensions designed to mine for crypto-currencies are no longer accepted in the Chrome Web Store.

While still focused on allowing the Chrome extensions ecosystem to evolve, Google also wants to keep users as safe as possible. Thus, a rise in the number of malicious Chrome extensions that mine for virtual coins without informing users has prompted the Internet giant to ban all such extensions.

The scripts designed for mining purposes often require significant CPU power to perform their activity, and could result in severely diminished system performance or in increased power consumption. Called in-browser cryptojacking, such mining behavior is employed by many websites as well, often with heavy impact on user experience.

“Over the past few months, there has been a rise in malicious extensions that appear to provide useful functionality on the surface, while embedding hidden cryptocurrency mining scripts that run in the background without the user’s consent,” James Wagner, Extensions Platform Product Manager, says.

Starting Monday, Google no longer accepts extensions that mine crypto-currency in the Chrome Web Store. Furthermore, the company plans on removing all such extensions from the store in late June.

Extensions with blockchain-related purposes that do not attempt to mine for virtual coins will continue to be distributed through the Web Store.

Previously, Google allowed developers to submit for publication extensions designed for crypto-currency mining as long as the application was built for mining only and users were explicitly informed of this behavior.

However, the vast majority (90%) of the extensions containing mining scripts that were submitted for upload to the Chrome Web Store failed to comply with the company’s policies and ended up rejected or removed from the store.

“The extensions platform provides powerful capabilities that have enabled our developer community to build a vibrant catalog of extensions that help users get the most out of Chrome. Unfortunately, these same capabilities have attracted malicious software developers who attempt to abuse the platform at the expense of users,” Wagner points out.

Google to banish cryptocurrency mining extensions from official Chrome Web Store
3.4.2018 securityaffairs Cryptocurrency

Google will ban cryptocurrency mining extensions from the official Chrome Web Store after finding many of them abusing users’ resources without consent.
The number of malicious extensions has increased rapidly over the past few months, especially those related to mining activities.

The company has introduced a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.

“Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior.” reads a blog post published by Google.

“Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”

“Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency,”

Until now, Google only allowed those cryptocurrency mining extensions that explicitly informed users about their mining activities.

The Mountain View firm announced it will block all mining extensions that are not in compliance and secretly mine cryptocurrency using devices’ resources.

[Image: cryptocurrency mining extensions]

Google pointed out that the ban on cryptocurrency mining extensions will not affect blockchain-related extensions such as Bitcoin price checkers and cryptocurrency wallet managers.

“Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June. Extensions with blockchain-related purposes other than mining will continue to be permitted in the Web Store.” continues the blog post.

Google's ban is another step to protect its users from hidden risks; it follows the recent announcement of a ban on advertisements related to cryptocurrency.

“This policy is another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks.” concluded Google.

Google is not the only major firm to impose a ban on cryptocurrency-related abuses: Twitter recently announced a ban on cryptocurrency-related ads on its platform, and in January Facebook banned all ads promoting cryptocurrency-related initiatives, including Bitcoin and ICOs.

njRAT Gets Ransomware, Crypto-Currency Stealing Capabilities
3.4.2018 securityweek Cryptocurrency

An updated version of the njRAT remote access Trojan (RAT) is capable of encrypting files and stealing virtual currencies from crypto-wallets, Zscaler warns.

Also known as Bladabindi, njRAT has been around since at least 2013 and is one of the most prevalent malware families. Built in .NET Framework, the malware provides attackers with remote control over the infected systems, utilizes dynamic DNS for command-and-control (C&C), and uses a custom TCP protocol over a configurable port for communication.

Dubbed njRAT Lime Edition, the new malware variant includes support for ransomware infection, Bitcoin grabber, and distributed denial of service (DDoS), while also being able to log keystrokes, spread via USB drives, steal passwords, and lock the screen.

The malware gets a list of running processes on the victim’s machine and uses it to track crypto wallets. Because these store digital currency and may also be connected to the users’ bank accounts, debit cards, or credit cards, it’s no surprise they are of interest to cybercriminals.

Once it has infected a system, the malware also checks for virtual machines and sandbox environments, Zscaler's researchers say. It also gathers large amounts of system information: system name, user name, Windows version and architecture, presence of a webcam, active window, CPU, video card, memory, volume information, installed antivirus, and infection time.

Additionally, the threat monitors the system for specific security-related processes and attempts to kill them to avoid detection.

The new njRAT iteration can also launch ARME and Slowloris DDoS attacks, the security researchers say. The Slowloris tool allows a single machine to take down a server with minimal bandwidth while attempting to keep many connections to the target web server open. ARME attacks also attempt to exhaust the server memory.

Upon receiving commands from the C&C, the malware can delete Chrome cookies and saved logins, turn off monitor, use TextToSpeech to announce text received from C&C, restore normal mouse button functionality, enable task manager, change wallpaper, log keystrokes from the foreground window, share, download files via torrent software, and start Slowloris attacks.

It can also drop and show a ransom note, restart the computer, disable command prompt, delete event logs, stop Bitcoin monitor thread, start the botkiller thread, send system information (CPU/GPU/RAM), check installed Bitcoin wallets and send the information to C&C, and load a plugin and configure it with the C&C server.

njRAT also includes worm-like spreading capabilities. It can monitor the system for connected USB drives and can copy itself to them, while also creating a shortcut to itself using the folder icon.

The malware’s ransomware functionality encrypts users’ files and adds the .lime extension to them. The malware uses the AES-256 symmetric algorithm for encryption, meaning that the same key can be used for decryption as well.

“When Lime is first launched, it will call a RandomString() function, which will attempt to generate an AES key. It generates a 50-byte array from the input string using a random index, and uses the random() function to fetch one character and stores it to the output string,” Zscaler explains.

The function to decrypt the files encrypted by the Lime ransomware is included in the malware itself, the security researchers have discovered.

HiddenMiner Android Cryptocurrency miner can brick your device
3.4.2018 securityaffairs Cryptocurrency

Researchers at Trend Micro recently discovered a new strain of Android miner dubbed ANDROIDOS_HIDDENMINER that can brick infected devices.
Crooks are showing increasing interest in cryptocurrency mining malware developed for mobile devices.

Researchers at Trend Micro recently discovered a new strain of Android malware, dubbed ANDROIDOS_HIDDENMINER, that abuses the device’s CPU to mine the Monero cryptocurrency.

HiddenMiner also implements evasion techniques: it is able to bypass automated analysis by checking whether it is running in a virtualized environment, abusing an Android emulator detector found on GitHub.

“We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” reads the analysis published by Trend Micro.

“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).”

The experts were able to find the Monero mining pools and wallets connected to the HiddenMiner malware, and learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This suggests that the operators are currently active.

[Image: HiddenMiner wallet activities]

HiddenMiner abuses the device’s CPU power to mine Monero; unfortunately, the computational load is so heavy that the CPU can overheat, causing the device to lock, fail, and be permanently damaged.

“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted.” continues the analysis.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”

Similar behavior has been observed before: the Loapi Monero-mining malware caused a device’s battery to bloat.

HiddenMiner, like Loapi, locks the device screen when a user attempts to revoke its device administrator permissions.

ANDROIDOS_HIDDENMINER is currently being delivered through a fake Google Play update app; experts found it on third-party app marketplaces.

The miner is mainly affecting users in India and China, but experts fear it could rapidly target other countries.

Malware developers are abusing the Device Administration permission; experts pointed out that users can’t uninstall an active device admin package until its device administrator privileges are removed first.

Victims of HiddenMiner cannot remove the miner from device administrator because it employs a trick that locks the device’s screen when a user tries to deactivate its device administrator privileges. Experts explained that it exploits a vulnerability found in Android operating systems except for Nougat and later versions.

“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave.” concluded Trend Micro. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”

Crypto Mining Rampant in Higher Education
30.3.2018 securityweek Cryptocurrency

Figures from an analysis of 4.5 million monitored devices across 246 companies show that for every 10,000 devices and workloads, 165 contain active threats. The majority are given a low (113) or medium (18) threat priority; but 34 are ranked high or critical, requiring immediate attention.

Deeper analysis of these figures in Vectra's 2018 Attacker Behavior Industry Report (PDF) shows the different stages of the attackers' kill chain found within different vertical industry sectors. Overall, 37% of detections denote C&C activity, 31% denote reconnaissance activity, 24% denote lateral movement, and 6% actual exfiltration attempts. The declining numbers seem to indicate analysts' success at mitigating the detections as they progress. The remaining 3% of detections indicate botnet activity.

Applied to the different vertical industries, the analysis shows the fewest threat detections are found in the technology sector (a total of 62 per 10,000 devices) the healthcare sector, (87 per 10,000), and in government (139 per 10,000). Standing out, however, is higher education -- with 542 detections per 10,000 devices. Most of these, 395, are considered low priority threats, and are related to crypto mining.

"The number of low alerts in higher education is over three-times the normal rate, which is indicative of attacker behaviors that are opportunistic," explains the report. "Inversely, the technology industry has a low volume of devices prioritized as high or critical, which indicates cyberattackers do not often progress deep into the attack lifecycle."

Other sectors that stop attacks in their early stages include government and healthcare -- indicating the presence of stronger policies, mature response capabilities and better control of the attack surface; possibly because of greater regulation and oversight in these sectors. The very high number of low priority threats in higher education is largely down to a spike in crypto mining.

Higher education is unlike any other industry sector. Its users are not employees and are traditionally averse to outside control -- they will not automatically accept the security controls that can be applied to direct employees, and security teams can rarely impose them. At the same time, the student environment is an attractive target, especially for crypto mining.

"Higher education has a large number of students who are not protected by universities with open networks," explains Vectra. These same students also engage in their own crypto mining because they get free electricity, which is the highest direct cost of crypto mining (crypto mining uses computer resources to convert electricity into money). Geographically, most of this mining activity is done in Asia (76%), with 20% in North America, and just 4% in Europe. Sixty percent of all crypto mining detections uncovered by Vectra occurred in higher education.

The breakdown between mining by malware and mining by choice is not clear. It's a mixture of both, Chris Morales, Vectra's head of security analytics told SecurityWeek. "It's more likely college students crypto mining from their dorm rooms with a dose of outside actors," he added. "For example, some students could be watching pirated movies from an untrusted website that is crypto mining throughout the entire watching session. It would go unnoticed. This movie watching example really happens and was described to me by a security director at a large university as a problem they have to handle.

"Students are more likely to perform crypto mining personally as they don't pay for power, the primary cost of crypto mining," continued Morales. "Universities also have high bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music, and software) hosting crypto mining malware."

Higher education can only respond to students they discover engaged in crypto mining with a notice the activity is occurring. They can provide assistance in cleaning machines or in the case of the student being responsible, they can issue a cease and desist. Corporate enterprises can enforce strict security controls to prevent such behaviors; but universities do not have the same luxury with students. "They can at best," explains Morales, "advise students on how to protect themselves and the university by installing operating system patches and creating awareness of phishing emails, suspicious websites and web ads."

Vectra's Cognito platform -- the source for the analysis -- uses continuous AI-enhanced anomaly detection to uncover threat behavior from network logs. It applies a scoring system to flagged behavior to reduce the high number of detected events to a low number of actual threats. For example, in this study (and on average), 26,432 events were flagged in every 10,000 devices. These were distilled down through 1,403 detections to 818 devices (per 10,000) with detections.

San Jose, Calif-based Vectra Networks raised $36 million in a Series D funding in February 2018, bringing the total raised to $123 million. The funds are earmarked for further development of the Cognito 'attack in progress' threat hunting platform, and to fund a new research-and-development (R&D) center in Dublin, Ireland.

A new massive cryptomining campaign targets Linux servers exploiting an old flaw
25.3.2018 securityaffairs Cryptocurrency

Trend Micro uncovered a new crypto mining campaign targeting Linux servers that exploit the CVE-2013-2618 flaw in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity.
Security firm Trend Micro uncovered a new crypto mining campaign in which a cybercriminal gang has made nearly $75,000 by installing a Monero miner on vulnerable Linux servers.

The hackers are exploiting a five-year-old vulnerability in the Cacti “Network Weathermap” plugin, and according to Trend Micro this campaign is linked to a previous cryptocurrency-mining campaign that used the JenkinsMiner malware.

In this latest campaign targeting Linux servers, hackers exploited the CVE-2013-2618 vulnerability in a plugin for Cacti, an open-source network monitoring and graphing tool.

“This campaign’s operators were exploiting CVE-2013-2618, a dated vulnerability in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity.” reads the analysis published by Trend Micro.

“As to why they’re exploiting an old security flaw: Network Weathermap only has two publicly reported vulnerabilities so far, both from June 2014. It’s possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool.”

The flaw could be exploited by attackers to execute arbitrary code on vulnerable systems; in this case, the hackers downloaded and installed a customized version of XMRig, a legitimate Monero mining software (dada.x86_64 as of 01/28/2018, earlier named xig or nkrb). XMRig supports both 32-bit and 64-bit Windows and Linux operating systems.

To gain persistence, the hackers modified the local cron jobs to trigger a “watchd0g” Bash script every three minutes; the script checked whether the Monero miner was still active and restarted it if it was down.

“Code is written in /etc/rc.local, which means that each time a system is restarted, watchd0g.sh is executed. The modification of /etc/crontab results in watchd0g.sh being run every three minutes. It then modifies the Linux kernel parameter vm.nr_hugepages to the recommended value for mining Monero (XMR). It also ensures that the watchd0g.sh process runs or re-downloads and executes the file if it terminates.” continues the analysis.
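The persistence described above (a cron entry firing every three minutes, a launcher written into /etc/rc.local, and vm.nr_hugepages tuned for mining) is something a host audit can look for. The following is an added example, not Trend Micro's code: it scans the text of /etc/crontab and /etc/rc.local plus a sysctl snapshot for those indicators. The artifact names (watchd0g, dada.x86_64, xig, nkrb) come from the analysis above; the sample file contents, the /tmp path and the huge-page value are constructed, and the thresholds are assumptions.

```python
"""Audit cron, rc.local and sysctl for the miner persistence pattern (added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity source lineno text reason")

# Artifact names from the Trend Micro write-up: the watchdog script and the renamed XMRig binary.
KNOWN_NAMES = ("watchd0g", "dada.x86_64", "nkrb", "xig")
NAME_RE = re.compile(r"\b(" + "|".join(re.escape(n) for n in KNOWN_NAMES) + r")\b")
# Directories a legitimate boot-time or cron job rarely executes from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _command_indicators(command):
    """Content-based reasons to distrust a command line (schedule alone is not evidence)."""
    reasons = []
    m = NAME_RE.search(command)
    if m:
        reasons.append(f"references known miner artifact '{m.group(1)}'")
    if any(d in command for d in TEMP_DIRS):
        reasons.append("executes from a temporary directory")
    if re.search(r"\b(curl|wget)\b", command):
        reasons.append("downloads content at run time")
    return reasons


def scan_crontab(text):
    """Parse system-crontab lines (min hour dom mon dow user command)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                   # blank, comment or VAR=value line
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        minute, command = parts[0], parts[6]
        reasons = _command_indicators(command)
        if not reasons:
            continue
        m = re.fullmatch(r"\*/(\d+)", minute)
        if m and int(m.group(1)) <= 5:                 # watchdog-style re-execution cadence
            reasons.append(f"re-executed every {m.group(1)} minutes")
        findings.append(Finding("high", "crontab", lineno, raw, "; ".join(reasons)))
    return findings


def scan_rc_local(text):
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        reasons = _command_indicators(line)
        if reasons:
            findings.append(Finding("high", "rc.local", lineno, raw, "; ".join(reasons)))
    return findings


def scan_sysctl(values):
    """values: mapping of sysctl key -> string value, e.g. from `sysctl vm.nr_hugepages`."""
    pages = values.get("vm.nr_hugepages", "0").strip()
    if pages == "0":
        return []
    return [Finding("medium", "sysctl", 0, f"vm.nr_hugepages = {pages}",
                    "non-default huge-page setting; legitimate for databases, "
                    "but also the tuning the miner applied")]


def scan_persistence(crontab_text, rc_local_text, sysctl_values):
    return scan_crontab(crontab_text) + scan_rc_local(rc_local_text) + scan_sysctl(sysctl_values)


# Constructed sample inputs modelled on the behaviour described in the analysis.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /tmp/watchd0g.sh >/dev/null 2>&1
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
/tmp/watchd0g.sh &
exit 0
"""
SAMPLE_SYSCTL = {"vm.nr_hugepages": "128"}     # constructed value

if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_CRONTAB, SAMPLE_RC_LOCAL, SAMPLE_SYSCTL):
        print(f"[{f.severity}] {f.source}:{f.lineno} {f.text.strip()}  <- {f.reason}")
```

On a live host the three inputs would come from reading /etc/crontab (and the per-user spool), /etc/rc.local and `sysctl vm.nr_hugepages`; the schedule note is deliberately attached only to commands that already carry a content indicator, since plenty of benign jobs run every few minutes.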

The researchers analyzed five malware samples that led them to two unique login usernames, matching the Monero wallets where the mining pool payments are sent.

According to Trend Micro, hackers made approximately 320 XMR (roughly $75,000), most of the Linux servers were located in Japan (12%), China (10%), Taiwan (10%), and the US (9%).

[Image: Weathermap cryptominer on Linux servers]

Trend Micro recommends keeping data from Cacti internal to the environment and also keeping systems updated with the latest patches.

“While this allows systems or network administrators to conveniently monitor their environments (with just a browser bookmark, for instance), it also does the same for threat actors.” concluded Trend Micro.

Coverity Scan Hacked, Abused for Cryptocurrency Mining
21.3.2018 securityweek Cryptocurrency

Coverity Scan, a free service used by tens of thousands of developers to find and fix bugs in their open source projects, was suspended in February after hackers breached some of its servers and abused them for cryptocurrency mining.

Synopsys, which acquired Coverity in 2014, started notifying Coverity Scan users about the breach on Friday. The company said malicious actors gained access to Coverity Scan systems sometime in February.

“We suspect that the access was to utilize our computing power for cryptocurrency mining,” Synopsys told users. “We have not found evidence that database files or artifacts uploaded by the open source community users of the Coverity Scan service were accessed. We retained a well-known computer forensics company to assist us in our investigation.”

Synopsys says the service is now back online and it believes the point of access leveraged by the attackers has been closed. In order to regain access to Coverity Scan, users will need to reset their passwords.

“Please note that the servers in question were not connected to any other Synopsys computer networks. This should have no impact on customers of our commercial products, and this event did not put any Synopsys corporate data or intellectual property at risk,” users were told.

Cybercriminals have become increasingly interested in making a profit by hacking PCs and servers and abusing them to mine cryptocurrencies. Cryptocurrency mining malware can target a wide range of devices, including industrial systems.

One recent high-profile victim was the carmaker Tesla, whose Kubernetes pods were compromised and used for cryptocurrency mining. According to RedLock, which discovered the breach, hackers gained access to Tesla’s Kubernetes console due to the lack of password protection.

Hacked Japan Crypto Exchange Refunds Customers
13.3.2018 securityweek Cryptocurrency

Japan-based virtual currency exchange Coincheck said Tuesday it had refunded more than $440 million to customers following the hack of its systems, which was one of the largest thefts of its kind.

The company said it used its own funds to reimburse about 46.6 billion yen ($440 million) to all 260,000 customers who lost their holdings of NEM, a leading cryptocurrency.

"Procedures have been completed with the accounts of all 260,000 customers," company spokesman Yosuke Imai told AFP.

Thieves syphoned away 523 million units of the cryptocurrency from Coincheck -- then valued at $547 million -- during the January 26 hack, which exceeded the $480 million in bitcoin stolen in 2014 from another Japanese exchange, MtGox.

The 2014 hack prompted Japan to issue new regulations, requiring exchanges to obtain a government licence, but Coincheck was allowed to continue operating while the Financial Services Agency was reviewing its application.

Authorities raided Coincheck's office last month and have slapped the company with sanctions.

Coincheck chief operating officer Yusuke Otsuka said last week that the company's system was breached after several staff members opened emails containing malware.

The firm had failed to upgrade its systems to keep up with the rapid expansion of the cryptocurrency market, he said.

In February, seven plaintiffs -- two companies and five individuals -- filed a lawsuit against Coincheck seeking the reimbursement of 19.53 million yen in lost virtual currency and further compensation for interest lost due to the hack.

As many as 10,000 businesses in Japan are thought to accept bitcoin, and bitFlyer -- the country's main bitcoin exchange -- saw its user base grow beyond one million in November.

Cryptocurrency mining operations target Windows Server, Redis and Apache Solr servers online
12.3.2018 securityaffairs Cryptocurrency

Researchers from the ISC SANS group and the Anti-DDoS company Imperva discovered two distinct campaigns targeting Windows Server, Redis and Apache Solr servers online.
Last week, new mining campaigns targeted unpatched Windows Server, Apache Solr, and Redis servers; the attackers attempted to install the cryptocurrency miner Coinminer.

Two campaigns were spotted by researchers from the ISC SANS group and the Anti-DDoS company Imperva.

The campaign observed by Imperva has been targeting Redis and Windows Server installs, the company tracked the operation as RedisWannaMine.

Crooks are mass-scanning the Internet for systems running outdated Redis versions; the attackers attempt to trigger the CVE-2017-9805 vulnerability.

“This week we saw a new generation of cryptojacking attacks aimed at both database servers and application servers. We dubbed one of these attacks RedisWannaMine.” reads the blog post published by Imperva.

“RedisWannaMine is more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets.”

RedisWannaMine executes a script that downloads a publicly available tool, dubbed masscan, from a GitHub repository, then compiles and installs it.

The experts observed that once attackers gain access to a host, they drop the RedisWannaMine malware as a first-stage payload, which then installs a second-stage cryptocurrency miner.

[Image: Cryptocurrency mining]

RedisWannaMine is a complex threat due to the sophisticated evasion techniques and capabilities it implements. The malicious code combines advanced exploits with worm-like behavior; it uses the EternalBlue NSA exploit to spread.

But the RedisWannaMine campaign also displays the classic behavioral pattern of a self-propagating worm.

The cybercrime gang behind RedisWannaMine targets Redis servers and also Windows servers that expose SMB ports.

The second mining campaign targets Apache Solr by exploiting CVE-2017-12629; it was spotted by researchers at ISC SANS.

“the number of victims is getting higher. From Feb, 28 to Mar, 8 this campaign infected 1777 victims, of which 1416 are SOLR servers. See below the worldwide SOLR victims distribution.” reads the analysis published by ISC SANS.

[Image: Cryptocurrency mining]

Both campaigns are just the tip of the iceberg: the number of mining campaigns and attacks against the cryptocurrency industry is on the rise, and this is certainly the trend we will see in the coming months.

ISPs Caught Injecting Cryptocurrency Miners and Spyware In Some Countries
10.3.2018 thehackernews Cryptocurrency

Governments in Turkey and Syria have been caught hijacking local internet users' connections to secretly inject surveillance malware, while the same mass interception technology has been found secretly injecting browser-based cryptocurrency mining scripts into users' web traffic in Egypt.
Governments, or agencies linked to them, and ISPs in the three countries are using Deep Packet Inspection technology from Sandvine (which merged with Procera Networks last year) to intercept and alter Internet users' web traffic.
Deep packet inspection technology allows ISPs to prioritize, degrade, block, inject, and log various types of Internet traffic; in other words, they can analyze each packet in order to see what you are doing online.

According to a new report by Citizen Lab, Turkey's Telecom network was using Sandvine PacketLogic devices to redirect hundreds of targeted users (journalists, lawyers, and human rights defenders) to malicious versions of legitimate programs bundled with FinFisher and StrongPity spyware, when they tried to download them from official sources.

"This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default," the report reads.
A similar campaign has been spotted in Syria, where Internet users were silently redirected to malicious versions of various popular applications, including Avast Antivirus, CCleaner, Opera, and 7-Zip, bundled with government spyware.
In Turkey, Sandvine PacketLogic devices were being used to block websites like Wikipedia, the sites of the Dutch Broadcast Foundation (NOS) and Kurdistan Workers' Party (PKK).
ISPs Injected Cryptocurrency Mining Scripts Into Users' Web Browsers

However, in Egypt, Sandvine PacketLogic devices were being used by a Telecom operator for making money by:
Secretly injecting a cryptocurrency mining script into every HTTP web page users visited in order to mine the Monero cryptocurrency,
Redirecting Egyptian users to web pages with affiliate ads.
In Egypt, these devices were also being used to block access to human rights, political, and news outlets like Al Jazeera, HuffPost Arabic, Reporters Without Borders, and Mada Masr, as well as NGOs like Human Rights Watch.

Citizen Lab researchers reported their findings to Sandvine, but the company called their report "false, misleading, and wrong," and also demanded that they return the second-hand PacketLogic device they had used to confirm the attribution of their fingerprint.
Citizen Lab started this investigation in September last year after ESET researchers published a report revealing that the downloads of several popular apps were reportedly compromised at the ISP level in two (unnamed) countries to distribute the FinFisher spyware.

New Cryptocurrency Mining Malware Infected Over 500,000 PCs in Just Few Hours
10.3.2018 thehackernews Cryptocurrency

Two days ago, Microsoft encountered a rapidly spreading cryptocurrency-mining malware that infected almost 500,000 computers within just 12 hours and successfully blocked it to a large extent.
Dubbed Dofoil, aka Smoke Loader, the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mines Electroneum coins, yet another cryptocurrency, for attackers using victims' CPUs.
On March 6, Windows Defender suddenly detected more than 80,000 instances of several variants of Dofoil, raising the alarm at Microsoft's Windows Defender research department, and within the next 12 hours over 400,000 instances were recorded.

The research team found that all these instances, rapidly spreading across Russia, Turkey, and Ukraine, were carrying a digital coin-mining payload, which masqueraded as a legitimate Windows binary to evade detection.
However, Microsoft has not said how these instances were delivered to such a massive audience in the first place in such a short period.
Dofoil uses a customized mining application that can mine different cryptocurrencies, but in this campaign, the malware was programmed to mine Electroneum coins only.

According to the researchers, the Dofoil trojan uses an old code injection technique called 'process hollowing', which involves spawning a new instance of a legitimate process and replacing its code with malicious code, so that the malicious code runs instead of the original while process monitoring tools and antivirus believe the legitimate process is running.
"The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe."
To maintain persistence on an infected system and keep mining Electroneum coins with stolen computer resources, the Dofoil trojan modifies the Windows registry.
"The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe," the researchers say. "It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key."
Dofoil also connects to a remote command and control (C&C) server hosted on decentralized Namecoin network infrastructure and listens for new commands, including the installation of additional malware.
Microsoft says that the behavior monitoring and artificial intelligence-based machine learning techniques used by Windows Defender Antivirus played an important role in detecting and blocking this massive malware campaign.

Mining is the new black
7.3.2018 Kaspersky Cryptocurrency

Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly.

Together with the rest of the world, we have been watching the hike in cryptocurrency prices; for example, the prices of Bitcoin and altcoins continuously broke records throughout 2017.

Bitcoin and Altcoins prices growth in 2017

While some spend time talking about what’s good or bad for the market and the global economy, we’ve seen that such a spike in prices was definitely a call for threat actors, meaning there are good opportunities for cybercriminals to earn money.

As a result, many cybercriminal groups have switched to distributing malicious miners, and the number of users that have encountered cryptocurrency miners has increased dramatically. We have found that by the end of 2017, 2.7 million users had been attacked by malicious miners – almost 1.5 times more than in 2016 (1.87 million).

Number of Kaspersky Lab users attacked by malicious miners in 2017

Miners have become so active and popular that even ransomware, which has frightened the world for the last couple of years, seems to be stepping aside for this threat.

Here are some reasons why:

Firstly, miners and ransomware both have a clear monetization model. In the case of ransomware, attackers infect PCs, encrypt files and earn money by receiving a ransom for users’ data. The miners’ model is similar in its simplicity: attackers infect victims, make coins using CPU or GPU power, and earn real money through legal exchanges and transactions.

Miners’ monetization scheme

Secondly, unlike with ransomware, it is very hard for users to tell whether they have been infected by miners or not. In general, users use their computer for Internet surfing, which does not put a heavy load on the CPU. The remaining 70-80% of CPU power is used by mining programs, and some of them have special functions to reduce mining intensity or stop the process altogether if another resource-demanding program (for example, a video game) is running.

Most importantly, it is now very easy to make your own miner. Those interested can get everything that they need:

Ready-to-use partner programs
Open mining pools
A lot of miner builders
We have found that the most popular miner pool used by threat actors is Nanopool.

Statistics for used legitimate pools

If actors use open pools, it’s possible to find out how much money threat actors could earn.

Example of wallet information

Also, according to our data, 80% of illegal miners contain the open-source code of legal miners, or are simply a legal miner that has been packed.

Ways of spreading
Usually, threat actors collaborate with potentially unwanted application (PUA) partner programs to spread miners. However, some small criminal groups try to spread malware using various social engineering tricks, such as fake lotteries. To participate, potential victims need to download a random number generator from a file-sharing service and run it on their PC. It’s a simple trick, but a very productive one.

Another popular method is web mining through a special script executed in the browser. For example, in 2017 our security solutions stopped the launch of web miners on more than 70 million occasions. The most popular script used by cybercriminals is Coinhive, and its usual use in the wild is on websites with a lot of traffic: the longer the user session on those sites, the more money the site’s owner earns from mining. Major incidents involving Coinhive are hacked web pages, such as the Pirate Bay case, YouTube ads or UFC Fight Pass mining. However, examples of its legal use are also known.

There are other groups which do not need to spread miners to many people. Instead, their targets are powerful servers in big companies. Thus, for instance, Wannamine spread in internal networks using the EternalBlue exploit and earned nine thousand Monero this way (approx. two million dollars). However, the first miner that used the EternalBlue exploit was Adylkuzz. In our previous research we described another miner family – Winder – that used an extra service to restore the miner whenever an AV product deleted it. That botnet earned half a million dollars.

Sophisticated techniques
This year we are observing the next trend – threat actors behind miners have begun to use malware techniques from targeted attacks. Our latest discovery is the “hollow” miner that uses a process-hollowing technique.

In this case the infection vector is a PUA module. A victim may have just wanted to download a legitimate application, but instead downloaded a PUA with a miner installer inside. This miner installer drops the legitimate Windows utility msiexec under a random name, which downloads and executes a malicious module from the remote server. In the next step it installs a malicious scheduled task which drops the miner’s body. This body executes a legitimate system process and uses a process-hollowing technique (the legitimate process code is replaced with malicious code). The new process is also marked with the system-critical flag: if a victim tries to kill it, Windows reboots. So it is a challenge for security solutions to deal with such malicious behavior and detect the threat properly.

Infection chain

Process hollowing example

Using such sophisticated techniques, botnets earned over seven million dollars during the second half of 2017.
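A host-telemetry check covering both the Dofoil chain described above (a hollowed explorer.exe spawning a second instance, a miner masquerading as wuauclt.exe, the OneDrive Run key repointed into Roaming AppData, a C&C reached through Namecoin) and the "hollow miner" chain in this section (msiexec dropped under a random name), written as an added example rather than anything from the Microsoft or Kaspersky reports. The events and their field names are constructed in a Sysmon-like shape, and the .bit suffix stands for names resolved through Namecoin.

```python
import ntpath

# System binaries the reports describe being hollowed, masqueraded or renamed.
SYSTEM_BINARIES = {"explorer.exe", "wuauclt.exe", "msiexec.exe", "svchost.exe"}

# Constructed Sysmon-style events (not real telemetry). kind is one of
# "proc" (process creation), "reg" (registry value set) or "dns" (name query).
SAMPLE_EVENTS = [
    # hollowed explorer.exe spawning a second explorer.exe instance
    {"kind": "proc", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\explorer.exe", "orig_name": "EXPLORER.EXE"},
    # coin miner masquerading as wuauclt.exe, but running from the user profile
    {"kind": "proc", "image": r"C:\Users\bob\AppData\Roaming\wuauclt.exe",
     "parent": r"C:\Windows\explorer.exe", "orig_name": "wuauclt.exe"},
    # OneDrive Run key repointed at the dropped copy in Roaming AppData
    {"kind": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Roaming\ditereah.exe"},
    # msiexec.exe dropped under a random file name (PE OriginalFileName survives)
    {"kind": "proc", "image": r"C:\Users\bob\AppData\Local\Temp\kx8q2.exe",
     "parent": r"C:\Users\bob\Downloads\setup.exe", "orig_name": "msiexec.exe"},
    # C&C name resolved through Namecoin (.bit); placeholder hostname
    {"kind": "dns", "query": "c2-placeholder.bit"},
    # benign: the real Windows Update client and the genuine OneDrive Run value
    {"kind": "proc", "image": r"C:\Windows\System32\wuauclt.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "orig_name": "wuauclt.exe"},
    {"kind": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def in_windows_dir(image):
    """True when the image lives under C:\\Windows (System32, SysWOW64, ...)."""
    # ntpath understands backslash paths on any host OS
    directory = ntpath.dirname(image).lower()
    return directory == "c:\\windows" or directory.startswith("c:\\windows\\")


def detect(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings = []
    for e in events:
        if e["kind"] == "proc":
            name = ntpath.basename(e["image"]).lower()
            parent = ntpath.basename(e["parent"]).lower()
            orig = e.get("orig_name", "").lower()
            # R1: a system binary name running from outside the Windows directory
            if name in SYSTEM_BINARIES and not in_windows_dir(e["image"]):
                findings.append(("R1-system-name-outside-windows-dir", e["image"]))
            # R2: explorer.exe spawning explorer.exe (the second hollowed instance)
            if name == "explorer.exe" and parent == "explorer.exe":
                findings.append(("R2-explorer-spawns-explorer", e["image"]))
            # R3: the PE claims to be a system binary but the file name differs
            if orig in SYSTEM_BINARIES and orig != name:
                findings.append(("R3-renamed-system-binary",
                                 f"{e['image']} (OriginalFileName={e['orig_name']})"))
        elif e["kind"] == "reg":
            key, value = e["key"].lower(), e["value"].lower()
            # R4: Run-key autostart pointing at an executable in Roaming AppData.
            # Legitimate software autostarts from there too, so tune with an allow-list.
            if ("\\currentversion\\run\\" in key and "\\appdata\\roaming\\" in value
                    and value.endswith(".exe")):
                findings.append(("R4-run-key-into-roaming-appdata", e["value"]))
        elif e["kind"] == "dns":
            # R5: .bit names are not served by ordinary DNS, so a lookup for one
            # means a resolver or client is using Namecoin
            if e["query"].lower().endswith(".bit"):
                findings.append(("R5-namecoin-bit-lookup", e["query"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40} {detail}")
```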

Also this year, we found a threat group that has been targeting big organizations with the main purpose of utilizing their computing resources for mining. After getting into a corporate network they gain access to the domain controller, and as a result they use domain policies to launch malicious code. In this particular case, the actors executed a malicious PowerShell script on each endpoint and server inside the corporate network.

Malicious PowerShell script

This script has the following logic:

After launching, it checks whether the endpoint belongs to specific accounts, i.e. senior management or information security officers. If so, the script won’t execute the miner.
The script also checks the current date and time, and executes the malicious miner only outside working hours.
So what’s next?
Should we expect a further evolution in this class of malware? For sure. Moreover, we will see a spread in malware that uses new blockchain technologies. One of the recent and very promising technologies is the blockchain-based proof-of-space (PoSpace) concept.

Unlike proof-of-work (PoW), used by mining botnets in general, a PoSpace algorithm needs hard disk space. Therefore, a new type of miner based on this algorithm will aim first of all at big data servers.

On the one hand, monetization in this case is like that of the usual malware miners with a PoW algorithm. On the other, this technology can provide cybercriminals with another source of profit. A blockchain built on a PoSpace algorithm is a very big decentralized anonymous data center that can be used to spread malware or illegal content, and can thus cause more damage: the data will be encrypted and no one will know where it is physically stored.

Mining scheme based on proof-of-concept algorithm

To protect your network against such threats, we advise you to:

Conduct a security audit on a regular basis
Use security solutions on endpoints and servers
Kaspersky Lab products detect such threats with various verdicts.

600 Powerful Bitcoin-Mining Computers Worth $2 Million Stolen In Iceland
7.3.2018 thehackernews Cryptocurrency

Around 600 powerful devices specifically designed for mining bitcoin and other cryptocurrencies have been stolen from Icelandic data centers in what has been dubbed the "Big Bitcoin Heist."
To make a profit, so far criminals have hacked cryptocurrency exchanges, spread mining malware, and ransomware—and even kidnapped cryptocurrency investors for ransom and tried to rob a bitcoin exchange, but now the greed has reached another level.
The powerful computers are estimated to be worth around $2 million, the Associated Press reports, and are used to generate cryptocurrency; a single bitcoin at the time of this writing is worth $11,500.
The theft, which took place between late December and early January, is one of the biggest series of robberies Iceland has ever experienced, according to law enforcement.
"This is grand theft on a scale unseen before," said Police Commissioner Olafur Helgi Kjartansson of the southwestern Reykjanes peninsula.
There were four different burglaries (three in December and one in January) in total that took place at various locations, two of which went down on the southwestern Reykjanes peninsula.
The thefts, which also included burglary of 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory, were captured on CCTV cameras by Advania, the server company reportedly hit by two of the three thefts.
Although the stolen computers have not yet been found, police arrested 11 suspects as part of the investigation of the incident, one of whom worked as a security guard.
On Friday, the Reykjanes District Court expressed restraint, releasing nine people on bail and leaving only two people under arrest.
Iceland is home to the data centers of a number of the cryptocurrency mining companies because the mining process is extremely energy-intensive, and renewable energy is cheap there. Almost 100 percent of the power generated in the country comes from renewable sources.
The police are currently tracking high energy consumption areas across Iceland in hopes the thieves will turn the stolen servers on, which could potentially lead them back to the stolen servers' location.
The authorities are also contacting internet service providers (ISPs), electricians and storage units, asking them to report any sudden spike in power usage or other signs the stolen servers had been reconnected.
The police had held off from telling the public about the incident for a while, in order not to compromise their investigation.

"ComboJack" Malware Steals Multiple Virtual Currencies
6.3.2018 securityweek Cryptocurrency

A newly discovered piece of malware is capable of stealing a variety of crypto-coins from its victims by replacing legitimate wallet addresses with that of the attacker.

Dubbed ComboJack, the malware performs its nefarious activity by monitoring the user clipboard and replacing targeted addresses there. This is the same technique that was recently observed being used by the Evrial Trojan and the CryptoShuffler malware, but the new threat targets multiple virtual currencies.

ComboJack, Palo Alto Networks has discovered, is targeting multiple crypto-currencies at the moment, including Bitcoin, Litecoin, Monero, and Ethereum.

The malware is being distributed through spam emails targeting users in Japan and America, carrying a malicious PDF that contains an embedded document. This is an RTF file attempting to exploit CVE-2017-8579, a vulnerability addressed in September 2017 after it was abused to spread the FinFisher spyware.

The RTF document references an embedded remote object, an HTA file that contains encoded PowerShell commands. Once fetched from the remote server, the file executes the PowerShell to download and execute the final payload.

The downloaded file is an initial-stage self-extracting executable (SFX) that extracts the second stage, a password-protected SFX whose password is supplied by the first stage. Only after the second stage is executed is ComboJack extracted.

First, the malware copies itself to the ProgramData folder, and then leverages the attrib.exe built-in Windows tool to set the hidden and system attributes to itself. Next, the malware sets a registry key to achieve persistence.

Once the steps have been completed, ComboJack starts checking the contents of the clipboard every half second to determine if wallet information for different digital currencies has been copied there. When that happens, the malware replaces the information with hardcoded data in an attempt to divert funds to a presumably attacker-owned wallet.

“This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors,” Palo Alto points out.

The malware can detect addresses of crypto-currencies such as Ethereum, Monero (erroneously, the replacement address is shorter), Bitcoin, Litecoin, Qiwi, WebMoney (Rubles), WebMoney (USD), Yandex Money, and a currently unknown virtual coin.

The fact that ComboJack is targeting WebMoney (USD, EUR, and RUB) and Yandex Money, which are popular digital payment systems, also sets the malware apart from other Trojans capable of stealing crypto-currencies by replacing wallet addresses that have been copied to the clipboard.

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust. As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit,” Palo Alto concludes.

ComboJack Malware alters Windows clipboards to steal cryptocurrencies and payments
6.3.2018 securityweek Cryptocurrency

Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alters the clipboard to steal cryptocurrencies and payments.
Crooks continue to focus their interest on cryptocurrencies; security researchers at Palo Alto Networks have spotted a strain of malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s one.

“Unit 42 researchers have discovered a new currency stealer which targets cryptocurrencies and online wallets. “CryptoJack” functions by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet.” reads the analysis published by PaloAlto. “This technique relies on victims not checking the destination wallet prior to finalizing a transaction.”

Unlike other similar threats, ComboJack supports multiple cryptocurrencies, including Bitcoin, Litecoin, Monero, and Ethereum and it is also able to target other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).

In 2017, CryptoShuffler was the first malware to implement this technique to target online Bitcoin wallets; in February 2018 researchers at ElevenPaths discovered a crypto coin stealer called Evrial which takes control of the clipboard to get “easy money”.

Experts from PaloAlto Networks, along with Proofpoint experts, were investigating a malspam campaign targeting Japanese and American users.

The spam messages attempt to trick victims into opening the PDF attachment by claiming a passport was lost and that the attached PDF contained a scanned copy of the document.

ComboJack malware

Attackers implemented an attack chain already observed for the distribution of the Dridex banking trojan and Locky ransomware in 2017.

When the user opens the PDF document, the file opens an RTF file that contains an embedded HTA object that attempts to exploit the CVE-2017-8579 DirectX flaw.

“This embedded remote object is an HTA file which was located at hXXps://a.doko[.]moe/tnejln which contains encoded PowerShell commands.” continues the analysis.

The SFX file downloads and runs a password-protected SFX that then finally delivers ComboJack.

Finally, the payload sets a registry key to ensure persistence.

ComboJack checks the Windows clipboard every half-a-second for new content that matches a known pattern for a cryptocurrency or payment system address, then it replaces the address with one from an internal list.

The malicious code exploits the fact that wallet addresses are difficult to remember, so most users opt to copy an exact string in order to prevent potential errors.

Users are advised to carefully check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations.

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust.” concludes PaloAlto Networks.

“As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit.”

Further details, including IOCs are available in the analysis.
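A clipboard check for the swap behaviour described in both ComboJack write-ups, added here as an example and not taken from Palo Alto Networks' analysis: it classifies a string by wallet-address format (Bitcoin, Litecoin, Ethereum, Monero) and compares what the user copied with what the clipboard holds a moment later, which also surfaces the too-short Monero replacement the analysis mentions. The patterns are format approximations with no checksum validation, and every address other than the public Bitcoin genesis-block address is constructed.

```python
import re

BASE58 = "[1-9A-HJ-NP-Za-km-z]"  # Bitcoin-style alphabet: no 0, O, I, l

# Format approximations for the currencies named in the reports. Litecoin
# addresses can also start with '3', which is left out here because that
# prefix cannot be told apart from Bitcoin P2SH addresses on shape alone.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(rf"^[13]{BASE58}{{25,34}}$"),
    "litecoin": re.compile(rf"^[LM]{BASE58}{{26,33}}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero":   re.compile(rf"^4[0-9AB]{BASE58}{{93}}$"),  # 95 characters in total
}


def classify(text):
    """Return the currency whose address format `text` matches, else None."""
    text = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return currency
    return None


def check_clipboard(copied, observed):
    """Compare the string the user copied with the current clipboard content.

    Returns (verdict, detail). A 'swap*' verdict means an address changed
    while the user still believes the clipboard holds what they copied.
    """
    if observed == copied:
        return "ok", None
    source = classify(copied)
    if source is None:
        return "changed", "clipboard changed, but the original was not an address"
    target = classify(observed)
    if target is None:
        # the reported Monero replacement was shorter than a valid address
        return "swap-malformed", (f"{source} address replaced by a {len(observed)}-char "
                                  f"string that is not a valid {source} address")
    if target == source:
        return "swap", f"{source} address replaced by a different {source} address"
    return "swap", f"{source} address replaced by a {target} address"


# Constructed (copied, observed) pairs. The Bitcoin address is the public
# genesis-block address; the others are shape-valid strings, not real wallets.
SAMPLE_CASES = [
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # untouched
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1" + "A" * 33),                        # swapped BTC
    ("4" + "A" * 94, "4" + "A" * 89),                                              # short XMR
    ("0x" + "ab" * 20, "0x" + "cd" * 20),                                          # swapped ETH
]


def audit(cases):
    """Run check_clipboard over (copied, observed) pairs and return the verdicts."""
    return [check_clipboard(copied, observed)[0] for copied, observed in cases]


if __name__ == "__main__":
    for (copied, observed), verdict in zip(SAMPLE_CASES, audit(SAMPLE_CASES)):
        print(f"{verdict:15} {classify(copied) or '-':9} {observed[:20]}...")
```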

Bitcoin-linked heist: thieves stolen 600 powerful computers in Iceland
4.3.2018 securityaffairs Cryptocurrency

Thieves steal 600 powerful computers in a huge heist in Iceland with the intent to use them for mining Bitcoin.
Cybercriminal organizations continue to show great interest in cryptocurrencies, and the number of crimes against the cryptocurrency industry is on the rise.

News of the day is that crooks have stolen 600 powerful computers from data centers in Iceland to use for Bitcoin mining. At the time of writing, the computers, which are worth almost $2 million, have not yet been found.

“Some 600 computers used to “mine” bitcoin and other virtual currencies have been stolen from data centers in Iceland in what police say is the biggest series of thefts ever in the North Atlantic island nation.” reads the post published by The Associated Press.

The thieves stole 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory to use in this profitable activity.

The Icelandic media dubbed the crime the “Big Bitcoin Heist”; the authorities have arrested 11 people, including a security guard.

A judge at the Reykjanes District Court on Friday ordered two people to remain in custody.

“This is a grand theft on a scale unseen before,” Police Commissioner Olafur Helgi Kjartansson said. “Everything points to this being a highly organized crime.”

The thefts occurred between late December and early January; the members of the gang were identified thanks to the surveillance cameras used by the server company Advania.

Advania suffered two of the four thefts; the company had been offering its customers access to bitcoin-mining rigs, which is why the crooks targeted it.

The police are searching for any evidence to track the thieves; the authorities are also tracking energy consumption across Iceland in case the thieves turn on the computers. A spike in energy consumption could reveal their location if the thieves don’t take measures to avoid being tracked.

“Police tracking the stolen computers are monitoring electric consumption across the country in hopes the thieves will show their hand, according to an industry source who spoke on condition of anonymity because he is not allowed to speak to the media.” concluded the Associated Press.

“Unusually high energy usage might reveal the whereabouts of the illegal bitcoin mine.”

Iceland is a good place to find cheap, renewable energy for crypto mining activities.

Ad Network Performs In-Browser Cryptojacking
28.7.2018 securityweek CoinMine

An ad network provider is performing in-browser Coinhive cryptojacking on websites that use its service, 360 Netlab security researchers warn.

The practice has been ongoing since December 2017, several months after the ad network provider, a company called PopAds Publisher, started using domain generation algorithm (DGA) technology to bypass ad blockers, claiming it would allow customers to “monetize traffic that wasn’t monetized before.”

In mid-2017, the provider started to generate seemingly random domains that would ensure ads can reach end users. By the end of the year, however, these domains, which 360 Netlab refers to as DGA.popad, started participating in cryptojacking activities, all without end users’ knowledge.

Given that many people use ad blockers to prevent sites from displaying ads to them, ad networks often attempt to bypass blockers, and this provider decided to use DGA domains to host its advertisements. With these domains changing daily, it becomes difficult to block the ads, the researchers point out.

What’s more, the ad network provider recently started using the DGA.popad domains to perform cryptojacking. These domains, the researchers discovered, have a strong connection with Coinhive family domains in DNS traffic and serve the coinhive.min.js web miner.

Some of the DGA.popad domains have a high ranking, with one of them found in the top 2000 sites on Alexa and several others in the top 3000 list.

Once a user accesses such a site, their computer’s CPU starts being used to the full. According to 360 Netlab, the favicon.ico on the DGA.popad sites was found to run as a web miner. Most of the sites that would redirect users to DGA.popad domains are providing adult content and downloading services.

Because the impacted sites contain advertisements from this ad network, the cryptojacking activities are performed regardless of whether the user has an ad blocker installed or not.

Normally, users would be sent to a standard domain (serve.popads.net) hosted by the provider. If an ad blocker is used, the standard domain is blocked, and the visitor is sent to one of the DGA.popad domains. Regardless of the delivery mechanism, both the ad and the cryptojacking script are served.

“We are not able to make a detailed assessment. This is because only part of all the traffic passing DGA.popad and serve.popads.net will be inserted a web miner, but we are not sure which part will be selected, for now,” the researchers note.
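A traffic-scan example for the behaviour described above (DGA-style hosts serving coinhive.min.js, a favicon.ico that is really a miner script), added here and not part of 360 Netlab's research. The HTTP records are constructed, the random-looking hostnames are placeholders under .example, and the DGA-likeness score is a simple entropy-and-vowel heuristic assumed for illustration, not knowledge of the provider's actual algorithm.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Lower-cased strings that identify the Coinhive browser miner in a body.
MINER_MARKERS = ("coinhive.min.js", "coinhive.anonymous", "coinhive.com/lib")
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

# Constructed HTTP transactions (not captured traffic). Hosts are placeholders.
SAMPLE_TRAFFIC = [
    {"url": "https://serve.popads.net/ads.js",
     "content_type": "application/javascript",
     "body": "var popads = 1; /* ad loader */"},
    {"url": "https://xq7vbn2kdsf.example/favicon.ico",
     "content_type": "application/javascript",
     "body": "var m=new CoinHive.Anonymous('SITEKEY_PLACEHOLDER',{throttle:0.2});m.start();"},
    {"url": "https://zpd93kxwrqa.example/",
     "content_type": "text/html",
     "body": "<html><script src='https://coinhive.com/lib/coinhive.min.js'></script></html>"},
    {"url": "https://news.example/",
     "content_type": "text/html",
     "body": "<html><script src='/static/app.js'></script></html>"},
    {"url": "https://news.example/favicon.ico",
     "content_type": "image/x-icon; charset=binary",
     "body": "\x00\x00\x01\x00"},
]


def second_level_label(host):
    """Crude registrable label: the part just left of the last dot."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(host):
    """Heuristic (an assumption, not the provider's algorithm): a long label
    with a near-uniform character distribution and almost no vowels."""
    label = second_level_label(host)
    if len(label) < 8:
        return False
    counts = Counter(label)
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return entropy >= 3.0 and vowel_ratio <= 0.2


def scan(traffic):
    """Return (host, reasons) for each transaction carrying cryptojacking indicators."""
    findings = []
    for tx in traffic:
        parsed = urlparse(tx["url"])
        host = parsed.hostname or ""
        body = tx["body"].lower()
        mime = tx["content_type"].split(";")[0].strip().lower()
        reasons = []
        # a Coinhive library include or miner constructor in the response body
        if any(marker in body for marker in MINER_MARKERS):
            reasons.append("coinhive-miner-reference")
        # an icon URL answered with JavaScript, as reported for the DGA.popad sites
        if parsed.path.endswith("favicon.ico") and mime in JS_TYPES:
            reasons.append("favicon-served-as-javascript")
        # random-looking host, as used to dodge ad-blocker lists
        if looks_dga(host):
            reasons.append("dga-like-host")
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_TRAFFIC):
        print(f"{host:25} {', '.join(reasons)}")
```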

Oracle WebLogic Server Flaw Exploited to Deliver Crypto-Miners
16.2.2018 securityweek Vulnerability Exploit CoinMine

Threat actors are exploiting a recently patched vulnerability in Oracle WebLogic Server to infect systems with crypto-currency mining malware, FireEye reports.

Identified as CVE-2017-10271, the vulnerability resides in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions and older, and was addressed by Oracle in its October 2017 Critical Patch Update (CPU).

After proof-of-concept code exploiting the bug was made public in December, activity associated with the exploitation of this vulnerability increased in volume, FireEye's researchers say. Successful exploitation of the flaw on unpatched systems allows attackers to remotely execute arbitrary code.

“We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity,” FireEye reported.

The crypto-currency market boomed recently, and cybercriminals have not been shy in their attempts to take advantage of the market. However, actors involved in crypto-currency mining operations don’t normally target specific organizations, but rather launch attacks that are opportunistic in nature.

Attackers abusing CVE-2017-10271 to infect targeted systems with crypto-miners used various tactics to achieve their purpose, the researchers discovered. Some of the incidents, for example, used PowerShell to drop the miner directly onto the victim’s system and leveraged ShellExecute() for execution.

In other attacks, PowerShell scripts were used to deliver the miner, instead of downloading the executable directly. In addition to downloading the miner, the script would also attempt to achieve persistence through scheduled tasks.

The script would delete the tasks created by other crypto-miners and kill the processes associated with those programs, in addition to being able to connect to mining pools with a wallet key. It would also limit CPU usage to avoid suspicion.

Tactics employed in other attacks also involved the use of tools such as Mimikatz and EternalBlue for lateral movement across Windows environments.

The malware would first determine whether the system is 32-bit or 64-bit, to fetch a specific PowerShell script from the command and control (C&C) server. Next, it checks all network adapters and attempts to connect to every system in the network using extracted credentials, to run a PowerShell to drop and run the malware on the targeted system.

The malware uses WMI (Windows Management Instrumentation) for persistence and can perform a Pass-the-Hash attack using NTLM information derived from Mimikatz, to download and execute the malware on remote machines. It sends the stolen credentials to a remote server using an HTTP GET request.

If it fails moving laterally, the malware uses the PingCastle MS17-010 scanner to determine whether the target is vulnerable to EternalBlue.

In scenarios targeting Linux machines, the vulnerability would be exploited to deliver shell scripts that include functionality similar to that of PowerShell scripts. They would attempt to kill already running crypto-miners and then download and execute the malware, in addition to creating a cron job to maintain persistence.

“Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks,” FireEye says.

Although they might be seen as less risky when compared to ransomware operations, crypto-currency mining malware does pose a variety of risks. Systems infected with crypto-miners might experience slowed performance, but such operations could also be hiding additional malware.

Litecoin, Dash to Dethrone Bitcoin on Dark Web: Report
13.2.2018 securityweek CoinMine
Litecoin and Dash are expected to replace Bitcoin as the most used payment method on underground portals and cybercriminal marketplaces, Recorded Future suggests in a new report.

For the past couple of years, cybercriminals from all geographies and of all languages have been dissatisfied with the performance and cost of Bitcoin transactions, and forum discussions suggest alternate payment methods would soon surge.

At the moment, Bitcoin remains the most popular crypto-currency on the Dark Web, followed by Litecoin, an analysis (PDF) of 150 of the most prominent message boards, marketplaces, and illicit services on the Dark Web has revealed. Dash is also a top preference among members of the Dark Web, the same as Monero, Recorded Future's researchers discovered.

The diminished popularity of Bitcoin appears to stem from the larger payment fees registered since mid-2017. The crypto-coin itself has increased in value, but this also fueled a spike in fees for small transactions.

“The underground economy is dependent on smaller transactions in its day-to-day operations, with the cost of the average product or service beginning between $50 and $300. With the addition of exuberant transaction fees, the price of such products and services suddenly inflates tremendously,” Recorded Future notes.

In addition to these high fees, which could sometimes amount to 30% of the transaction value, cybercriminals would also have to face delays in the completion of transactions, derived from an adopted rule of requiring three confirmations before treating transactions as complete.

“The prospect of having to wait up to 24 hours to confirm their transactions, in addition to exuberant payment fees, has rendered Bitcoin payments unusable for a large group of bad guys,” the researchers point out.

Based on underground discussions, and fueled by overwhelming support and references to it, Dash appeared to be emerging as the next major Dark Web currency, but the crypto-coin didn’t live up to expectations. However, it did prove highly popular on many dark portals, as many migrated to it at the expense of Bitcoin.

Despite its constant appearance in cyber-attacks – in incidents targeting web servers, end user computers (via malware or in-browser scripts), IoT devices, and ICS systems with mining software – over the past year, Monero didn’t manage to claim the top position either.

Monero did take the top position in a poll among “several hundreds of members of a popular criminal forum” on the crypto-coin expected to be adopted next, Recorded Future’s report reveals.

“Our subsequent research showed that the vendors alone represent the primary deciding factor regarding which payments will be implemented and which will not,” the security firm says.

Following the analysis of 150 of the most prominent Dark Web portals, the researchers discovered that Bitcoin remains the standard, as all vendors accept it as a payment. The second most popular crypto-coin is Litecoin, being accepted by 30% of all vendors who implemented alternative payment methods.

Dash landed in third position, accepted by 20% of these vendors, followed by Bitcoin Cash at 13%. Ethereum and Monero round out the list, at 9% and 6%, respectively.

Reasons Litecoin is the second most popular crypto-currency after Bitcoin include the fact that it is also the second oldest, being introduced in 2011. Intended as a superior version of Bitcoin, its core technology is nearly identical to Bitcoin’s, but it allows for faster transactions and significantly lower commission fees.

However, it doesn’t offer any additional security to its owner, the researchers point out. Just as with Bitcoin, Litecoin transactions are entirely transparent.

The security firm discovered that Litecoin is second most preferred on 35% of Eastern European underground portals, followed by Dash at 24%, and Bitcoin Cash at 15%. On English speaking Dark Web portals, however, Monero is the second most popular, at 15%, followed by Litecoin at 11%.

“While Russians favored the accessibility and convenience of Litecoin, with a more diverse and established supporting infrastructure, English-speaking members seem to be more security-oriented, choosing Monero for its built-in safety features,” Recorded Future notes.

The security researchers expect the cryptocurrency diversification trend to only intensify and suggest that Bitcoin might lose its dominant position among payment methods on the Dark Web in the next six to 12 months. However, it is expected to remain one of the main payment instruments.

“On the other hand, Litecoin and Dash will take their place next to Bitcoin as the everyday payment currencies of the dark web. At the same time, as these currencies become more readily available to a general population, malicious tools such as ransomware will also continue to evolve to take advantage of the mainstream trend,” the researchers conclude.

Thousands of Government Websites Hacked to Mine Cryptocurrencies
13.2.2018 thehackernews CoinMine

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojans and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.
Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors' computers to mine cryptocurrency for attackers.
The cryptocurrency-mining script was found injected into over 4,000 websites, including those belonging to the UK's National Health Service (NHS), the Student Loans Company, data protection watchdog the Information Commissioner's Office (ICO) and the Queensland legislation site, as well as the US federal court system.
Users who visited the hacked websites immediately had their computers' processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.
It turns out that hackers managed to hijack a popular third-party accessibility plugin called "Browsealoud," used by all these affected websites, and injected their cryptocurrency-mining script into its code.
Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.
The script inserted into the compromised Browsealoud file belongs to CoinHive, a browser-based Monero mining service that lets website administrators earn revenue from their visitors' CPU resources.
The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.
The full list of affected websites can be found here.
After UK-based infosec consultant Scott Helme raised the alarm about the hack, when a friend mentioned getting antivirus alerts on a UK government website, Browsealoud's operator Texthelp took the service offline to resolve the issue.
Here’s what Texthelp's chief technology officer Martin McKay said in a blog post:
"In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours."
"Texthelp has in place continuously automated security tests for Browsealoud - these tests detected the modified file, and as a result, the product was taken offline."
This action removed Browsealoud from all customer websites at once, addressing the security issue without customers having to take any action.
The company also assured that "no customer data has been accessed or lost," and that its customers will receive a further update as soon as the security investigation gets completed.

Cryptocurrency Miners Not Uncommon on Industrial Systems
13.2.2018 securityweek  CoinMine
Cryptocurrency miners can pose a serious threat to industrial systems and it’s not uncommon for this type of malware to make its way into operational technology (OT) environments.

Industrial cybersecurity firm Radiflow reported last week that it had identified a piece of malware designed to mine Monero on a human-machine interface (HMI) system at a wastewater facility in Europe. The company warned that the resource consumption associated with this type of malware can severely disrupt plant monitoring tools and the affected organization’s response times.

Cryptocurrency mining malware has become increasingly widespread and it has recently been found even on numerous government websites in the United States, the United Kingdom and Australia.

This type of malware is also fairly common on industrial systems, according to several cybersecurity firms contacted by SecurityWeek.

A study conducted last year by Dragos showed that roughly 3,000 unique industrial sites had been hit by traditional, non-targeted malware. The company discovered approximately 6,000 malware infections, including instances of cryptojacking, said Robert M. Lee, CEO and founder of Dragos.

Kaspersky Lab ICS-CERT told SecurityWeek that roughly 3.3 percent of the industrial control systems (ICS) monitored by the company between February 2017 and February 2018 were targeted with cryptocurrency miners, with an increasing trend observed since September 2017.

Cryptocurrency miners on industrial systems - Credits: Kaspersky Lab ICS-CERT

“Industrial infrastructure is an appealing target for mining attacks due to high power, meaning criminals can earn more in less time. As usually the case with miners, users might notice slowdown of programs and systems performance that inevitably affects the user experience in general,” Kaspersky Lab ICS-CERT said. “In terms of ICS, a spike in CPU load, as a result of miners’ infection, leads to an increase in response time of monitoring tools for SCADA/HMI servers. It’s important to note that most of the ICS are real-time systems designed for process control, where response time is the critical system indicator.”

Darktrace, a security firm known for its AI-based defense technology, said it had identified more than 20 cryptocurrency miner attacks over the past six months among its customers in the energy and utilities sectors.

Overall, Darktrace said it had identified more than 400 crypto-mining related incidents across 5,000 customer deployments in more than 30 industries. There has been a steady increase in the number of detections, with roughly 100 mining scripts and cryptocurrency malware incidents detected in January.

CyberX used the Shodan search engine to locate a European wastewater facility infected with cryptocurrency mining malware. Just like in the incident described by Radiflow, the threat had been found on an HMI device running CIMPLICITY software from GE Digital. The industrial cybersecurity firm managed to grab a screenshot of the infected HMI.

HMI in European wastewater facility infected with cryptocurrency miner - Credits: CyberX

While the infection vector is not known, CyberX VP of Research David Atch pointed out that older versions of the CIMPLICITY software are affected by CVE-2014-0751, a path traversal vulnerability that can be exploited for arbitrary code execution. This flaw was exploited a few years ago by Russia-linked hackers to deliver the BlackEnergy malware.

“Although it's widely believed that Black Energy was developed by a state-sponsored hacking group (most likely Sandworm aka Telebots), the vulnerability is relatively easy to exploit and therefore it's easy to imagine that non-state actors such as cybercriminal organizations now have access to tools that can exploit the same vulnerability,” Atch explained.

Crypto Mining Malware Infects Thousands of Websites
12.2.2018 securityweek CoinMine
Hacked Script Infects Several Government Sites with Cryptominer

The websites of numerous government, health and education organizations worldwide were infected with a crypto-currency miner over the weekend, after a script running on all of them was maliciously modified.

The culprit was Browsealoud, a script developed by Texthelp to add “speech, reading, and translation to websites.” The software was designed to provide access and participation to people with Dyslexia, Low Literacy, English as a Second Language, and to those with mild visual impairments, the company says.

Over the weekend, Texthelp was the target of a cyber-attack that resulted in a JavaScript file, part of the Browsealoud script, being modified. Because of that, Browsealoud would inject a Coinhive cryptojacking script into the visitors’ browsers, to turn them into crypto-currency mining machines.

“At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber-attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway,” the company revealed in a blog post.

As a result of this attack, numerous government websites in the United Kingdom, the United States, and Australia were infected with the crypto-mining software.

As Scott Helme, the researcher who noticed the malicious script, quickly discovered, a total of 4,275 websites were impacted in this attack, including prominent sites such as the UK's Information Commissioner's Office, the NHS, the General Medical Council, U.S. Courts, academic websites, and many others.

“The ba.js had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded in to. The sheer number of sites affected by this is huge and some of them are really prominent government websites,” Helme points out.

The reason so many websites were impacted isn’t only the ease of use Browsealoud promises, as admins only need to copy and paste one script to take advantage of it, but also regulatory requirements around accessibility that many sites need to comply with, especially government sites.

Soon after realizing the cause of the infection, Helme notified Texthelp, which decided to take Browsealoud offline, thus removing it from all of their customer sites immediately. The company claims that taking the product down allowed them to address the issue without requiring customers to take action.

“Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday,” Martin McKay, CTO and Data Security Officer, Texthelp, says.

McKay also noted that, although the issue has been addressed, Browsealoud will remain offline until Tuesday, so that customers could be informed on the issue. He also pointed out that no other Texthelp products have been affected.

“A security review will be conducted by an independent security consultancy. The investigation is ongoing, and customers will receive a further update when the security investigation has been completed,” McKay concluded.

UK’s National Cyber Security Centre also said they were examining the incident.

“The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk,” the NCSC said.

However, it appears that the issue might have not been completely resolved, as Helme points out on Twitter. The researcher claims that even today the malicious script attempts to load when accessing the UK's Information Commissioner's Office website, likely from cache. This means that returning visitors might still be impacted.

49% of crypto mining scripts are deployed on pornographic related websites
12.2.2018 securityaffairs CoinMine

The number of crypto mining scripts discovered by security experts continues to increase, especially those deployed illegally on hacked servers.
Researchers at Qihoo 360’s Netlab studied in-browser mining by analyzing DNS traffic with their DNSMon system, which let them determine which websites load scripts from domains associated with in-browser mining services.

According to the researchers, 49% of crypto mining scripts are deployed on pornographic related websites.

The study revealed that cryptocurrency mining scripts are also deployed on fraud sites (8%), advertising domains (7%), and cryptocurrency mining (7%).

“0.2% of websites have web mining code embedded in the homepage: 241 (0.24%) in Alexa Top 100,000 websites, 629 (0.21%) in Alexa Top 300,000 websites” reads the analysis published by NetLab.

“Pornographic related websites are the main body, accounting for 49% of these websites. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories”

The most used crypto mining script is Coinhive (68%+10%), followed by JSEcoin (9%).

That mining scripts are most often deployed on porn websites is no surprise: such sites have large audiences whose visitors tend to keep a page open for a long time, which is exactly what browser-based mining needs in order to earn anything.

Mining activities online are rapidly increasing, the following graph shows the mining site DNS traffic trends:


Below are the categories of new actors most involved in mining activities:

Advertisers: on some websites the mining activity is introduced through advertisers’ external links
Shell links: some websites use a “shell link” (an intermediate link) to hide the mining-site URL in the page source
Short-URL service providers: goobo.com.br, a Brazilian short-domain service, loads Coinhive mining on its homepage and on the short links it generates when they are accessed
Supply-chain contamination: www.midijs.net, a JavaScript-based MIDI file player, carries Coinhive mining code in its source
Self-built pools: open-source code published on GitHub can be used to build a private mining pool
Mining with user consent: authedmine.com is an emerging mining site that claims to start mining only once the user has been clearly informed and has authorized it

Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack
12.2.2018 securityaffairs CoinMine

Thousands of websites worldwide were hijacked to run cryptocurrency-mining code after the popular Browsealoud plugin was hacked.
A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.

The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.

Once the hack was discovered, some sites went offline; the ICO also took its website down.

The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.

In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.

The attackers injected an obfuscated loader into the plugin: a hexadecimal-encoded string which, once decoded back to ASCII, loads the Coinhive mining code into the web page.


The alarm was raised by security expert Scott Helme, who was contacted by a friend who had received antivirus warnings after visiting the UK ICO’s website.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.” said Helme.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

Scott Helme tweeted on Feb 11, 2018 (2:46 PM):

“Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... 😮”
The expert suggests using Subresource Integrity (SRI), which pins the hash of a third-party script in the script tag so that the browser refuses to execute a modified copy such as the tampered Browsealoud file.

Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”

Texthelp for Edu tweeted on Feb 11, 2018 (10:20 PM):

“Our Data security investigation underway at Texthelp, statement on our website: http://okt.to/EtJobI
Browsealoud was automatically removed from all our customers' websites in response. No action needed by our customers.”
The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.

FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins
11.2.2018 securityaffairs CoinMine

Russian authorities have arrested several employees of the Russian Federation Nuclear Center facility who are suspected of trying to use a supercomputer at the plant to mine Bitcoin.
The record prices reached by the main cryptocurrencies are attracting criminal organizations: the number of cyber-attacks against the sector continues to increase, and malware authors are focusing their efforts on cryptocurrency-mining malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

“Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

Radiflow revealed that the cryptocurrency malware was designed to run in stealth mode on a target system and even to disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection can have a dramatic impact on ICS and SCADA systems, because the extra resource consumption affects the response times of the systems used to control processes in those environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research facility is located in Sarov; in 2011 the Russian Federation Nuclear Center brought a new petaflop-class supercomputer into service.

The scientists are accused of abusing the computing power of one of Russia’s most powerful supercomputers, located in the Federal Nuclear Center, to mine Bitcoin.


The supercomputer is normally isolated from the Internet, but the researchers were caught while attempting to connect it online, and the Federal Security Service (FSB) arrested them.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware
8.2.2018 thehackernews CyberSpy  CoinMine

Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.
Dubbed Operation PZChao, the attack campaign discovered by security researchers at Bitdefender has been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.
Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.
However, this campaign has evolved its payloads to drop a trojan, conduct cyber espionage and mine Bitcoin.
The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.
Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment delivered via highly targeted phishing emails.

If executed, the VBS script downloads additional payloads to the affected Windows machine from a distribution server hosting "down.pzchao.com," which resolved to an IP address in South Korea at the time of the investigation.
The threat actors behind the attack campaign have control over at least five malicious subdomains of the "pzchao.com" domain, and each one is used to serve specific tasks, like download, upload, RAT related actions, malware DLL delivery.
The payloads deployed by the threat actors are "diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," researchers noted.
The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a 'java.exe' file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.
For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the operating architecture of the affected machine) to harvest passwords and upload them to the command and control server.
PZChao's final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.
The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:
Real-time and offline remote keystroke logging
Listing of all active processes and opened windows
Listening in on conversations via microphone
Eavesdropping on webcams' live video feed
Allowing for remote shutdown and reboot of the system
Downloading binaries from the Internet to remote host
Modifying and stealing files and more.
All of the above capabilities allow a remote attacker to take full control of the compromised system, spy on the victims and exfiltrate confidential data with ease.
While the tools used in the PZChao campaign are a few years old, "they are battle-tested and more than suitable for future attacks," researchers say.
Active since 2010, Iron Tiger, also known as "Emissary Panda" or "Threat Group-3390," is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.
Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.
For further insights, you can read the detailed technical paper published by Bitdefender.

Watch Out! New Cryptocurrency-Mining Android Malware is Spreading Rapidly
8.2.2018 thehackernews Android  CoinMine

Due to the recent surge in cryptocurrency prices, threat actors are increasingly targeting every platform, including IoT, Android, and Windows, with malware that leverages the CPU power of victims' devices to mine cryptocurrency.
Just last month, Kaspersky researchers spotted fake antivirus and porn Android apps infected with malware that mines Monero cryptocurrency, launches DDoS attacks, and performs several other malicious tasks, causing the phone's battery to bulge out of its cover.
Now, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new piece of wormable Android malware, dubbed ADB.Miner, that scans wide-range of IP addresses to find vulnerable devices and infect them to mine digital cryptocurrency.
According to the researchers, ADB.Miner is the first Android worm to reuse the scanning code of Mirai, the infamous IoT botnet malware that knocked major Internet companies offline in October 2016 with massive DDoS attacks against the DNS provider Dyn.
ADB.Miner scans for Android devices—including smartphones, smart TVs, and TV set-top boxes—with publicly accessible ADB debug interface running over port 5555 and then infects them with a malware that mines Monero cryptocurrency for its operators.
Android Debug Bridge (ADB) is a command-line tool that helps developers debug Android code on the emulator and grants access to some of the operating system’s most sensitive features.
It should be noted that almost all Android devices ship with the ADB network port disabled by default, so the botnet only targets devices on which ADB over TCP (port 5555) has been manually enabled.
Besides mining Monero cryptocurrency, ADB.Miner installed on an infected device also attempts to propagate itself by scanning for more targets on the Internet.
Researchers did not reveal exactly how or by exploiting which ADB flaw hackers are installing malware onto Android devices.
However, the researchers believed hackers are not exploiting any vulnerability that targets any specific device vendor since they found devices from a wide range of manufacturers impacted.
According to the researchers, the infection started on January 21, and the number of attacks has increased recently. As of Sunday, the researchers detected 7,400 unique IP addresses using the Monero mining code—that's more than 5,000 impacted devices in just 24 hours.
Based on the scanning IP addresses, the highest number of infection has been noticed in China (40%) and South Korea (31%), the researchers estimated.
To defend against such malware, Android users are advised not to install unnecessary or untrusted applications, even from the Google Play Store, to keep devices behind a firewall or VPN, and above all not to leave ADB debugging over TCP (port 5555) enabled on a device reachable from the Internet, since that exposed debug interface is what this worm spreads through.

Cryptocurrency Mining Malware Hits Monitoring Systems at European Water Utility
8.2.2018 securityweek  CoinMine
Malware Chewed Up CPU of HMI at Wastewater Facility

Cryptocurrency mining malware worked its way onto four servers connected to an operational technology (OT) network at a wastewater facility in Europe, industrial cybersecurity firm Radiflow told SecurityWeek Wednesday.

Radiflow says the incident is the first documented cryptocurrency malware attack to hit an OT network of a critical infrastructure operator.

The servers were running Windows XP and CIMPLICITY SCADA software from GE Digital.

“In this case the [infected] server was a Human Machine Interface (HMI),” Yehonatan Kfir, CTO at Radiflow, told SecurityWeek. “The main problem,” Kfir continued “is that this kind of malware in an OT network slows down the HMIs. Those servers are responsible for monitoring physical processes.”

Radiflow wasn’t able to name the exact family of malware it found, but said the threat was designed to mine Monero cryptocurrency and was discovered as part of routine monitoring of the OT network of the water utility customer.

“A cryptocurrency malware attack increases device CPU and network bandwidth consumption, causing the response times of tools used to monitor physical changes on an OT network, such as HMI and SCADA servers, to be severely impaired,” the company explained. “This, in turn, reduces the control a critical infrastructure operator has over its operations and slows down its response times to operational problems.”

While the investigation is still underway, Radiflow’s team has determined that the cryptocurrency malware was designed to run in a stealth mode on a computer or device, and even disable its security tools in order to operate undetected and maximize its mining processes for as long as possible.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical process of a critical infrastructure operator,” Kfir said. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

“PCs in an OT network run sensitive HMI and SCADA applications that cannot get the latest Windows, antivirus and other important updates, and will always be vulnerable to malware attacks,” Kfir said.

While the malware was able to infect an HMI machine at a critical infrastructure operator, the attack was likely not specifically targeted at the water utility.

Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a 2017 report by industrial cybersecurity firm Dragos.

Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks, according to unspecified reports cited by Dragos) or very low (e.g. roughly 290 incidents per year reported by ICS-CERT). In its report, Dragos set out to provide more realistic numbers on malware infections in ICS, based on information available from public sources such as VirusTotal, Google and DNS data.

As part of a project it calls MIMICS (malware in modern ICS), Dragos was able to identify roughly 30,000 samples of malicious ICS files and installers dating back to 2003. Non-targeted infections involving viruses such as Sivis, Ramnit and Virut are the most common, followed by Trojans that can provide threat actors access to Internet-facing environments.

These incidents may not be as severe as targeted attacks and they are unlikely to cause physical damage or pose a safety risk. However, they can cause liability issues and downtime to operations, which leads to increased financial costs, Robert M. Lee, CEO and founder of Dragos, told SecurityWeek in March 2017.

One example is the incident involving a German nuclear energy plant in Gundremmingen, whose systems got infected with Conficker and Ramnit malware. The malware did not cause any damage and it was likely picked up by accident, but the incident did trigger a shutdown of the plant as a precaution.

How to Mitigate the Threat Cryptocurrency Mining Poses to Enterprise Security
6.2.2018 thehackernews CoinMine

The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.
To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes Firewall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company's cloud IPS and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)
Cato Research Labs determined crypto mining represents a moderate threat to the organization. Immediate disruption of the organization infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.
However, there are significant risks of increased facility cost that must be addressed.
Understanding Blockchain and Crypto Mining
Crypto mining is the process of validating cryptocurrency transactions and appending new blocks to the blockchain. Miners repeatedly hash a candidate block with different nonce values until the hash falls below a network-defined target; the first miner to find such a hash publishes the block and collects the reward. The network adjusts the target so that blocks keep arriving at a fixed rate, so as more hashing power joins, finding a valid block becomes more resource-intensive.
Today, finding a block on an off-the-shelf computer can take years. To get around the problem, miners use custom hardware to accelerate hashing, and they form "mining pools" in which many computers divide the search between them and share the reward.
The more compute resources contributed to the pool, the greater its chance of mining a new block and collecting the reward. It is this search for more compute resources that has led some miners to exploit enterprise and cloud networks.
Participating in a mining pool requires that computers run native or JavaScript-based mining software (see Figure 1). Both use the Stratum protocol to distribute work among the computers in the pool, carried over either raw TCP or HTTP/S (technically, WebSockets over HTTP/S).
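The puzzle described above, as an added illustration that is not part of the original article: a toy proof-of-work search in Python. HEADER is a constructed stand-in for a real block header, the difficulty values are invented, and the "pool" is a single-process simulation of workers scanning disjoint nonce ranges, included to show why contributing more hashing power shortens the time to a valid block.

```python
import hashlib
import struct

# Added illustration, not the page's code. HEADER is a constructed stand-in for
# a real block header; difficulty values below are invented.
HEADER = b"prev=0000aa|merkle=deadbeef|time=1517904000|"  # constructed sample


def block_hash(header: bytes, nonce: int) -> int:
    """Double-SHA256 of header || nonce, read as a 256-bit integer."""
    data = header + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def target(difficulty_bits: int) -> int:
    """A block is valid when its hash is below the target. Each extra bit of
    difficulty halves the target and doubles the expected number of hashes."""
    return 1 << (256 - difficulty_bits)


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs one hash; finding the nonce is the expensive part."""
    return block_hash(header, nonce) < target(difficulty_bits)


def mine_solo(header: bytes, difficulty_bits: int, max_tries: int = 1 << 24):
    """Scan nonces 0, 1, 2, ... until one is valid.
    Returns (nonce, hashes_tried) or None if max_tries is exhausted."""
    t = target(difficulty_bits)
    for nonce in range(max_tries):
        if block_hash(header, nonce) < t:
            return nonce, nonce + 1
    return None


def mine_pooled(header: bytes, difficulty_bits: int, workers: int,
                max_tries: int = 1 << 24):
    """Model of a pool: worker i scans nonces i, i+workers, i+2*workers, ...
    so the nonce space is split without overlap. One simulated step hashes
    once per worker. Returns (winning_worker, nonce, steps_taken) or None."""
    t = target(difficulty_bits)
    for step in range(max_tries // workers):
        for w in range(workers):
            nonce = step * workers + w
            if block_hash(header, nonce) < t:
                return w, nonce, step + 1
    return None


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, tries = mine_solo(HEADER, bits)
        print(f"difficulty {bits:2d} bits: nonce={nonce:6d} after {tries:6d} hashes "
              f"(expected about {2 ** bits})")
    print("4-worker pool at 16 bits:", mine_pooled(HEADER, 16, 4))
```

The pooled search finds the same nonce as the solo search but in roughly a quarter of the wall-clock steps with four workers, which is exactly the incentive that pushes miners toward other people's CPUs.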

Figure 1: An example of a website running JavaScript-based mining software. Typically, websites do not ask for permission.
Native mining software will typically use long-lasting TCP connections, running Stratum over TCP; JavaScript-based software will usually rely on shorter-lived connections and run Stratum over HTTP/S.
The Risk Crypto Mining Poses to the Enterprise
Mining software poses a risk to the organization on two counts. First, mining software is always highly compute-intensive, which can slow down an employee's machine. Running CPUs at high load for an extended period increases electricity costs and may shorten the life of the processor or of a laptop's battery.
Second, mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system much as botnet-delivered malware does, so the presence of native mining software may indicate a compromised device.
How To Protect Against Crypto Mining
Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.
The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains for joining public mining pools.
Approach 1: Blocking Unencrypted Stratum Sessions with DPI
DPI engines can disrupt mining-pool communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture: the client subscribes to a pool, and the server pushes (publishes) work to subscribed clients. Blocking either the subscription or the publishing messages will prevent Stratum from operating across the network.
DPI rules should match on the JSON payload. Stratum payloads are simple, readable, newline-delimited JSON-RPC messages (see Figure 2).
Stratum uses a request/response over JSON-RPC:

Figure 2: Detail of a JSON-RPC batch call (reference: http://www.jsonrpc.org/specification)
A subscription request to join a pool carries three fields: id, method and params (see Figure 3). Configure DPI rules to look for these fields in order to block Stratum over unencrypted TCP.
{"id": 1, "method": "mining.subscribe", "params": []}
Three parameters are used in a subscription request message when joining a pool.
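The detection logic sketched above, as an added example that is not the article's or Cato's code: a minimal DPI-style Stratum detector in Python. It handles both the Bitcoin-style Stratum v1 methods ("mining.subscribe" and friends) and the CryptoNote/Monero dialect used by XMR miners ("login", "submit", "getjob", with an object as params), reassembles newline-delimited JSON-RPC across TCP segments, and uses a byte-level prefilter so ordinary traffic never reaches the JSON parser. The traffic samples at the bottom are constructed, not captures.

```python
import json
import re

# Added example, not the page's or Cato's code. Sample payloads are constructed.
STRATUM_V1 = {"mining.subscribe", "mining.authorize", "mining.submit",
              "mining.notify", "mining.set_difficulty",
              "mining.extranonce.subscribe"}
CRYPTONOTE = {"login", "getjob", "submit", "keepalived"}

# Cheap prefilter: most non-Stratum payloads fail this and skip json.loads.
PREFILTER = re.compile(rb'"method"\s*:\s*"(?:mining\.|login|getjob|submit|keepalived)')


def classify_line(line: bytes):
    """Return (dialect, method) for one Stratum JSON-RPC line, else None."""
    if not PREFILTER.search(line):
        return None
    try:
        msg = json.loads(line)
    except ValueError:          # malformed JSON or bad encoding
        return None
    if not isinstance(msg, dict) or "params" not in msg:
        return None
    method = msg.get("method")
    if method in STRATUM_V1:
        return "stratum-v1", method
    if method in CRYPTONOTE and isinstance(msg["params"], dict):
        return "stratum-cryptonote", method
    return None


class StratumDetector:
    """Per-connection state: reassembles lines across segments, records hits."""

    def __init__(self):
        self.pending = b""      # incomplete trailing line from the last segment
        self.hits = []          # (dialect, method) in the order seen

    def feed(self, segment: bytes) -> list:
        """Consume one TCP payload and return the hits found in it."""
        lines = (self.pending + segment).split(b"\n")
        self.pending = lines.pop()   # empty if the data ended with '\n'
        found = [h for h in map(classify_line, lines) if h]
        self.hits.extend(found)
        return found

    def should_block(self) -> bool:
        """Block as soon as the client tries to join a pool."""
        return any(m in ("mining.subscribe", "mining.authorize", "login")
                   for _, m in self.hits)


def scan_connection(segments) -> dict:
    """Run the detector over the payloads of one connection."""
    det = StratumDetector()
    for seg in segments:
        det.feed(seg)
    return {"hits": det.hits, "block": det.should_block()}


# Constructed samples: a Bitcoin-style join, a Monero-style login split across
# two segments, and an ordinary HTTP request as a control.
BTC_JOIN = [
    b'{"id": 1, "method": "mining.subscribe", "params": []}\n'
    b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}\n',
]
XMR_LOGIN_SPLIT = [
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44constructedwallet",',
    b'"pass":"x","agent":"xmrig/2.4"}}\n',
]
HTTP_GET = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"]

if __name__ == "__main__":
    for name, segs in (("btc", BTC_JOIN), ("xmr", XMR_LOGIN_SPLIT), ("http", HTTP_GET)):
        print(name, scan_connection(segs))
```

Keying on the method name plus the presence of params, rather than on the literal string from the figure, catches the Monero variant that most in-browser and botnet miners actually speak; matching the bare string `"mining.subscribe"` would miss it entirely.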
Approach 2: Blocking Public Mining Pool Addresses
However, some mining pools offer TLS-encrypted Stratum channels. This is particularly true of JavaScript-based miners, which often run Stratum over HTTPS.
Detecting Stratum in that case will be difficult for DPI engines that do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains of the public mining pools.
To determine the addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:
the pool address (domain or IP)
a wallet address to receive payouts
the password for joining the pool
The configuration information is usually passed via JSON or via command-line arguments (see Figure 3).

Figure 3: A JSON file providing the necessary miner pool configuration
Organizations could configure firewall rules that use a blacklist to block the relevant addresses. In theory, such a list should be easy to create, as the necessary information is public: most mining pools publish their details on the Internet in order to attract miners (see Figure 4).
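The blacklist approach in practice, as an added example that is not Cato's code or its feed: a Python routine that reads a miner configuration of the kind shown in Figure 3, normalises each pool URL to host and port, and checks the host against a blocklist of domains and IPs. The "pools"/"url"/"user"/"pass" layout is the one used by XMRig-style miners and is assumed here, not taken from the page; every blocklist entry and config value is constructed for the demonstration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Added example, not Cato's code or feed. Blocklist entries are constructed.
BLOCKLIST_DOMAINS = {"pool.example-xmr.test", "mine.example-pool.test"}
BLOCKLIST_IPS = {ipaddress.ip_address("198.51.100.7")}


def pool_host_port(url: str):
    """Accept 'stratum+tcp://host:port', 'stratum+ssl://host:port' or a bare
    'host:port' and return (host, port, tls)."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host in pool url: {url!r}")
    tls = parts.scheme in ("stratum+ssl", "stratum+tls", "ssl", "tls")
    return parts.hostname.lower(), parts.port, tls


def is_blocked(host: str) -> bool:
    """IP literals match exactly; names match the entry itself or any parent
    domain, so a new regional front end such as eu.pool.example-xmr.test is
    caught without a list update. Substrings never match."""
    try:
        return ipaddress.ip_address(host) in BLOCKLIST_IPS
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST_DOMAINS for i in range(len(labels)))


def check_miner_config(config_text: str) -> list:
    """One record per configured pool: host, port, TLS flag and blocked?"""
    cfg = json.loads(config_text)
    records = []
    for pool in cfg.get("pools", []):
        host, port, tls = pool_host_port(pool["url"])
        records.append({"host": host, "port": port, "tls": tls,
                        "blocked": is_blocked(host)})
    return records


# Constructed miner config (XMRig-style layout assumed; values are invented).
SAMPLE_CONFIG = json.dumps({
    "pools": [
        {"url": "stratum+tcp://pool.example-xmr.test:3333",
         "user": "44constructedwallet", "pass": "x"},
        {"url": "eu.pool.example-xmr.test:5555", "user": "44constructedwallet", "pass": "x"},
        {"url": "stratum+ssl://198.51.100.7:443", "user": "44constructedwallet", "pass": "x"},
        {"url": "stratum+tcp://pool.unlisted-new.test:3333", "user": "w", "pass": "x"},
    ]
})

if __name__ == "__main__":
    for rec in check_miner_config(SAMPLE_CONFIG):
        print(rec)
```

The fourth pool in the sample is deliberately absent from the blocklist: a miner configured with a pool the feed does not yet know about sails through, which is the maintenance problem the next paragraphs describe. Note also that pools listen on many ports and that a miner pointed at a raw IP never triggers a DNS-based block, so address lists complement DPI rather than replace it.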

Figure 4: Public addresses for mining pools are well advertised as demonstrated by mineXMR.com’s “Getting Started” page
Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking would be time-consuming.
IT professionals would be forced to enter public addresses manually, and those addresses are likely to change or multiply, requiring constant maintenance and updates.
Cato Research Labs Publishes List of Mining Pool Addresses
To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Figure 5: Partial list of mining pool addresses compiled by Cato Research Labs
Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.
Final Thoughts
The combined risk of impaired devices, increased costs and botnet infections led Cato Research Labs to strongly recommend that IT prevent and remove crypto mining on enterprise networks.
Should mining software be found on the network, Cato Research Labs strongly recommends investigating for active malware infections and cleaning those machines to reduce the risk to the organization's data.
Cato Research Labs has provided a list of addresses that can be used toward that goal by blocking access to public mining pools. But new pools and addresses will always appear, which is why Cato Research Labs strongly recommends also constructing rules using a DPI engine with sufficient encrypted-session capacity.