Showing posts with label Crypto Currency mining.

Hacked Devices Generated $53 for Every $1 Cryptocurrency Through Crypto Jacking

 


Security researchers at Sysdig evaluated the financial impact of cryptominers on cloud servers and concluded that victims pay about $53 in cloud bills for every $1 of cryptocurrency that attackers mine through cryptojacking. 

Cryptojacking is the unauthorized use of other people's devices, including computers, smartphones, tablets and servers, to mine cryptocurrency for profit. It is designed to stay hidden from the victim: the attacker's income comes from hijacked hardware, because the mining programs burn the CPU cycles of the compromised devices.  

Mining cryptocurrency on hijacked devices has mainly been the work of financially motivated hacking groups, above all TeamTNT, which was responsible for most of the large-scale attacks against vulnerable Docker, AWS, Redis and Kubernetes deployments.  

The payload the attackers deploy on compromised hosts is XMRig, a CPU miner for Monero, a privacy-oriented and hard-to-trace cryptocurrency that has recently been the most profitable coin to mine on CPUs.   

Unlike ransomware, which blocks access to systems until a ransom is paid and attracts aggressive law enforcement attention, rogue cryptomining is a low-risk business for the attackers.  

The Sysdig researchers used Chimaera, a large TeamTNT campaign, to estimate the financial damage caused by cryptominers. The campaign compromised over 10,000 endpoints. 

To keep the wallet address off the hijacked machines and make tracking harder, the attackers routed mining through XMRig-Proxy, but the analysts were still able to identify 10 wallet IDs used in the campaign. 

The 10 wallets held a total of 39 XMR, worth about $8,120. The researchers estimate that mining those 39 XMR cost the victims roughly $429,000 in cloud bills, about $11,000 per XMR. 

That estimate excludes coins held in older wallets the researchers do not know about, hardware damage suffered by server owners, interruptions to online services caused by the hogged processing power, and the strategic changes firms had to make to absorb the excess cloud bills.

Chinese Group Botnet Illegally Mine Crypto

 

The 8220 Gang cryptomining crew has used Linux and cloud application vulnerabilities to expand its botnet to over 30,000 infected systems.

SentinelOne researchers reported this notable rise in infected hosts over the course of just the previous month. By the middle of 2021, according to the analysts, the botnet was active on only about 2,000 servers worldwide.

The 8220 Gang has been operating since at least 2017. The group is China-based, and its name derives from port 8220, which the miner uses to connect to its C2 servers. 

Operation tactics

According to the reports, the growth was driven by the wider adoption of Linux, widespread vulnerabilities in cloud applications, and poorly secured deployments of services such as Docker, Apache WebLogic and Redis.

The group has used a publicly available exploit to breach Confluence systems. Once inside, the attackers use SSH brute force to move laterally and commandeer the available computing power for cryptominers that point to hard-to-trace mining pools.
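The SSH brute force the 8220 Gang uses for lateral movement shows up in sshd logs as a burst of failed passwords from one source, followed by a success if a guess lands. The Python below is an added example, not 8220 tooling or SentinelOne's detection logic; it flags that pattern over a handful of constructed syslog lines, and the threshold and window are assumptions a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format; not taken from the article or any real host.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 12 03:14:02 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 12 03:14:02 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 41036 ssh2
Jan 12 03:14:03 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 41040 ssh2
Jan 12 03:14:04 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 41044 ssh2
Jan 12 03:14:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 41050 ssh2
Jan 12 03:14:07 web1 sshd[2213]: Accepted password for root from 203.0.113.7 port 41056 ssh2
Jan 12 03:20:11 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 50112 ssh2
Jan 12 03:20:40 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.4 port 50120 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)\sport\s\d+"
)


def parse_events(log_text):
    """Turn sshd syslog lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; deltas within one log are still correct
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag source IPs with >= threshold password failures inside a sliding window.

    A later successful *password* login from a flagged IP upgrades the finding to
    'compromised', which is the case that needs an immediate response.
    """
    findings = {}
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)    # ip -> usernames that were guessed
    for ev in events:           # events are expected in log order
        ip = ev["ip"]
        if not ev["ok"]:
            tried[ip].add(ev["user"])
            bucket = recent[ip]
            bucket.append(ev["ts"])
            while (ev["ts"] - bucket[0]).total_seconds() > window_s:
                bucket.pop(0)  # drop failures that aged out of the window
            if len(bucket) >= threshold:
                f = findings.setdefault(ip, {"severity": "bruteforce", "failures": 0, "users": tried[ip]})
                f["failures"] = max(f["failures"], len(bucket))
        elif ip in findings and ev["method"] == "password":
            findings[ip]["severity"] = "compromised"
            findings[ip]["user"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The honeypot block lists mentioned below cut the other way for defenders: an attacker who skips known research IPs will still hit production hosts, so the detection has to live on the hosts themselves or in their forwarded auth logs.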

Another refinement is the infection script's use of block lists to avoid infecting particular hosts, typically honeypots set up by security researchers.

Lastly, the 8220 Gang has updated PwnRig, its custom cryptominer, which is based on XMRig, the open-source Monero miner.

Microsoft researchers note that the gang has actively upgraded its payloads and tactics over the past year. In a recent campaign the group targeted Linux systems on i686 and x86_64 architectures and gained initial access using RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic).

The expansion is seen as an effort to offset the falling value of cryptocurrencies, and it underscores an increasingly intense fight with rival cryptojacking groups for control of victim systems.



Abcbot Malware Linked to the Developers of the Xanthe Cryptomining Campaign

 

Abcbot, the recently discovered botnet, has a longer history than originally believed. Ongoing analysis of the malware family shows a clear link to the Xanthe-based cryptojacking campaign that Cisco's Talos security research team found in late 2020. Talos was alerted to an intrusion on one of its Docker honeypots and discovered malware that behaved like a cryptocurrency mining bot. 

The malware, known as Xanthe, exists mainly to mine cryptocurrency with the resources of compromised systems. Based on the findings, the same threat actor is behind both Xanthe and Abcbot, and its goal has shifted from mining on compromised hosts to more classic botnet activity such as DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, start with a malicious shell script that targets insecure cloud instances at providers such as Huawei, Tencent, Baidu and Alibaba Cloud. The script downloads malware that enrolls the machine in the botnet, but first terminates processes belonging to competing threat actors and establishes persistence. The script is an updated version of one found by Trend Micro in October 2021 that targeted vulnerable Huawei Cloud ECS instances. 

Further investigation of the botnet, which included mapping all known Indicators of Compromise (IoCs) such as IP addresses, URLs and samples, revealed code- and feature-level similarities between Abcbot and the Xanthe cryptomining operation, which spread through misconfigured Docker deployments. 

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines: some functions have not only identical names and implementations (e.g. "nameservercheck") but also the word "go" appended to the function name (e.g. "filerungo"). According to the researchers, Abcbot also contains code that adds four malicious user accounts to the compromised machine: 
  • Logger 
  • Ssysall 
  • Ssystem 
  • sautoupdater 
Researchers believe there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is involved. Most of the overlaps, including string reuse, references to shared infrastructure, stylistic choices and functionality present in both, would be difficult and inefficient to recreate identically by accident. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices and toward botnet-related operations such as DDoS attacks.

New Mac Malware Samples Highlight The Growing Risk

 


Despite Apple's best efforts, Mac malware exists, although it remains relatively rare in the wild. Apple has a number of safeguards in place. For example, under System Preferences > Security & Privacy > General, macOS by default allows third-party applications to be installed only from the App Store or from identified developers; installing something from an unknown developer makes Apple prompt you to confirm that you trust it. 

Apple also ships its own built-in anti-malware tool, XProtect, which keeps its malware definitions on your Mac and checks each newly downloaded app against them. It works alongside Gatekeeper, which verifies that an app is signed by an identified developer and has not been modified since it was signed. 

For the sixth year in a row, security researcher Patrick Wardle has compiled a list of the new Mac malware threats discovered during the previous year:
  1. ElectroRAT, a cross-platform remote access trojan that first appeared in January.
  2. Silver Sparrow, a malware tool built to run natively on Apple's M1 chip.
  3. XLoader, a cross-platform password stealer, identified as a rebuilt version of the well-known information stealer Formbook. 
  4. MacMa (OSX.CDDS), found while analyzing sophisticated watering-hole attacks against visitors to the Hong Kong websites of a media outlet and a pro-democracy organization. To install the MacMa backdoor, the attackers used a zero-day privilege escalation vulnerability (CVE-2021-30869) in macOS Catalina. 
  5. XcodeSpy, a data-stealing backdoor delivered to developers through trojanized Xcode projects.
  6. ElectrumStealer, a cryptocurrency-stealing tool that Apple inadvertently signed.
  7. WildPressure, a cross-platform Python backdoor that Kaspersky found targeting industrial companies in the Middle East.
  8. ZuRu, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike agent on compromised systems.
Cryptominers like ElectroRAT and OSAMiner, adware loaders like Silver Sparrow, information stealers like XLoader and MacMa, and cross-platform Trojans like WildPressure were among the most dangerous Mac malware threats last year, according to Willy Leichter, CMO of LogicHub.

Cryptocurrency Farm in Kyrgyzstan Has Been Shut Down by Authorities

 

Central Asia, and the Kyrgyz Republic in particular, has recently become a powerhouse for cryptocurrency mining farms. Businesses that mine digital currency have been drawn to the region by its low energy costs as China cracks down on the industry. 

Officials in Kyrgyzstan discovered and shut down a massive crypto mining farm in the north of the country. According to law enforcement, the unlicensed mining operation caused "colossal damage" to the national electricity grid, and the authorities are still working to determine the losses. 

The inflow of miners has been criticized for rolling blackouts, and several countries have taken steps to address a developing power shortfall. 

In early October the Kyrgyz government raised the electricity tariff for crypto mining firms, along with other consumer categories, underlining how energy-intensive their activity is. Lawmakers in neighboring Kazakhstan have proposed a similar scheme. 

Authorities in Bishkek are also hunting underground cryptocurrency miners. In May, law enforcement confiscated 2,000 mining rigs from several facilities mining digital currency illegally across the capital and the Chuy region. 

In a similar operation, the State Committee for National Security (GKNB) uncovered a large illicit mining farm in the town of Druzhba, Issyk-Ata district. According to media reports, its officers seized another 2,500 mining machines. 

According to a news release published by the department and quoted by Sputnik Kyrgyzstan, the data center, which had been operated inside a greenhouse, was administered by foreign nationals. The GKNB goes on to say that their illicit operations have "caused colossal damage to Kyrgyzstan's electric networks."

Kyrgyzstan has begun to regulate its growing cryptocurrency mining industry. In August 2020 the Ministry of Economy proposed a bill to tax mining: it calls for a 15% tax on the price of the electricity used to generate digital currency and would require mining companies to register with the regulator in order to operate in the country. 

Investigators are now assessing the state's losses and determining whether the mining equipment was legally imported into the country. The committee added that it is working to identify everyone involved in the operation.

Chimaera Toolkit Found on Thousands of Windows and Linux Systems Worldwide

 

AT&T's Alien Labs security division has raised the alarm about a TeamTNT malware campaign that has gone almost entirely undetected by anti-virus products and is turning target machines into cryptocurrency miners. TeamTNT, described as "one of the most active threat groups since 2020" by Alien Labs researcher Ofer Caspi, is notorious for its use, and misuse, of open-source security tools for everything from identifying vulnerable targets to dropping remote-control shells. 

Last year TeamTNT was linked to cryptomining malware being installed on vulnerable Docker containers. Trend Micro found that the group tries to steal AWS credentials in order to spread to other servers, and more recently Cado Security observed TeamTNT targeting Kubernetes installations. 

TeamTNT's open-source tools include the port scanner Masscan, libprocesshider for hiding the TeamTNT bot's process, 7z for file decompression, the b374k PHP shell for system control, and LaZagne. 

Palo Alto Networks' Unit 42 found Chimaera, a software repository that "highlights the expanding scope of TeamTNT operations within cloud environments as well as a target set for current and future operations," according to the company.

Now, AT&T's Alien Labs has shed additional light on Chimaera, claiming that it has been in use since July and is "responsible for thousands of infections globally" across Windows, Linux, AWS, Docker, and Kubernetes targets, all while eluding detection by anti-virus and anti-malware programmes. 

A significant element of the Chimaera toolkit is LaZagne, an open-source application built for one purpose: collecting credentials, including those saved in major browsers. Another component looks for and exfiltrates Amazon Web Services (AWS) credentials, while an IRC bot provides the command-and-control channel.

"In this case, most of the used files that are placed on disk at some point lack a clear malicious purpose by themselves," Caspi told of the reason the malware could go undetected for so long. "The malicious processes injected into memory without touching the disk are harder to identify if they don't share indicators with previous malicious activity or perform any clearly malevolent activity." 

TeamTNT's primary objective is to mine Monero, a privacy-focused cryptocurrency, on victim hardware rather than harvesting credentials. "Mining cryptocurrency has always been TeamTNT's major goal," Caspi stated.

Thousands of PS4s Seized, Employed in Mining Cryptocurrency Illegally

 

In the city of Vinnytsia, on the Southern Bug river, the SBU uncovered and documented a large-scale electricity theft. The culprits mined cryptocurrency illegally in a former building of JSC Vinnytsiaoblenerho. Ukrainian law enforcement confiscated nearly 5,000 computers, making this the largest underground crypto farm found so far. 

SBU officials found that in the JSC Vinnytsiaoblenerho's abandoned warehouse in the industrial park of the facility the citizens of Kyiv and Vinnytsia towns established illegal crypto-farm. 

The criminals stole JSC Vinnytsiaoblenerho's electricity for mining and tampered with the electricity meters so that the real consumption was not recorded. 

Thousands of PlayStation 4 consoles were confiscated after being found in the abandoned warehouse, where they were being used to mine cryptocurrency illegally. 

There were approximately 3,800 game consoles, wired together and housed on metal racks, along with more than 500 graphics cards and 50 processors. The hardware was meant to mine cryptocurrency while those presumably responsible stole the electricity it needed from the town. 

Current estimates show somewhere between $186,200 and $259,300 a month of electricity that has been stolen. 

Raids occurred on the Cryptocurrency farm, and Ukrainian police said investigations were also carried out at "offender's residences," which reportedly captured drafting notes on the use of power, notebooks, mobile phones, and USB storage devices. 

In a statement, JSC Vinnytsiaoblenergo said that "our company has nothing to do with any illegal activity," and "cryptocurrency mining equipment has never operated in the premises owned by our company." 

Furthermore, the utility firm said that there was no proof of electricity theft. The inquiry took place under the supervision of the Prosecutor General's Office by the Ukrainian law enforcement agencies. 

In a separate but remarkable case in 2019, Chinese police found cables run through fish ponds to tap the electricity supply of an oil facility for a Bitcoin farm. After drones were sent to trace the theft, active Bitcoin (BTC) mining rigs were found in a shed. Further investigation is under way.


$350,000 Stolen from Users by Fake Cryptocurrency Mining Apps

 

The year 2021 will be remembered as a watershed moment for cryptocurrencies. Despite its ups and downs, Bitcoin is still valued at over $32,000 per coin, and most other cryptocurrencies have also seen significant price increases this year. The result has been a surge of crypto apps, both in app stores and from third-party developers. Many of these apps, however, are scams. The security firm Lookout has published a detailed analysis of fraudulent crypto-mining apps. 

More than 170 Android apps that claim to provide cryptocurrency mining services for a fee are essentially scams, according to the researchers. 25 of the 170 were hosted on Google Play, and they are attempting to defraud cryptocurrency enthusiasts by proposing cloud-based mining services. 

Cryptocurrency mining uses computing power (from a personal computer or a rented system) to solve computational and cryptographic puzzles in exchange for coins. For many cryptocurrencies the processing power required now far exceeds what a single personal computer can provide, which is why individuals join mining pools and share both the effort and the profits.

Because they didn't appear to be doing anything that would trigger the Play Store's automated policy compliance checks, these apps were able to dodge any and all detection and checks in place for apps listed on the Play Store. In reality, these apps were doing absolutely nothing. Google has since deleted the apps from the Play Store. Bitcoin and Ethereum are among the coins they claim to be mining. These apps cost $12.99 to $259.99, and you could pay with Google Play's saved payment methods or crypto coins like Bitcoin, which you could send directly to the developer's crypto wallet. 

There were even higher-tier membership options that required users to pay more money in exchange for a lower minimum balance requirement and better benefits. The Lookout Threat Lab thinks that these apps, which are available on the Google Play Store and third-party app stores, have defrauded more than 93,000 consumers and stole at least $350,000 in subscription fees and in-app purchases.

“While CloudScam and BitScam apps have now been removed from Google Play, there are dozens more still being circulated in third-party app stores. In total, the operators generated at least $350,000. They stole $300,000 from selling the fake apps and an additional $50,000 in cryptocurrencies from victims paying for fake upgrades and services. Most of the scam apps either have fake information or don’t have any terms available,” say the researchers.

China and its Humongous Bitcoin Mining Industry Have a Severe Impact on the Global Climate

 

According to a new study in Nature Communications, electricity consumption and carbon emissions from bitcoin mining in China have accelerated speedily. These effects could weaken global sustainable practices without stricter regulations and policy changes. 

Bitcoin and other cryptocurrencies depend on "blockchain" technology: a shared transaction database in which new entries must be confirmed by the network and are cryptographically chained to the entries before them. The blockchain is a digital ledger that offers a secure way to record and authenticate payments, agreements and contracts. Unlike a conventional ledger book, it is not kept in one place but replicated across a network of computers, which may consist of a handful of participants or hundreds of thousands. The network is secured by "miners", who use high-powered computers to validate transactions and compete to append the next block by solving a computationally expensive puzzle. Those computers consume huge quantities of electricity. 
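To make concrete why validating transactions burns electricity, here is a toy proof-of-work miner in Python. It is an added example, not code from the Nature Communications study or from any real mining software; the header bytes, the difficulty and the joules-per-hash figure are constructed assumptions, and the hashing follows Bitcoin's double SHA-256 over header plus nonce in miniature.

```python
import hashlib


def block_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over the header plus a 4-byte little-endian nonce."""
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash is valid when, read as a 256-bit integer, it is below 2**(256 - difficulty_bits),
    i.e. it starts with at least difficulty_bits zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces until the hash meets the target; returns (nonce, hex digest, attempts).

    There is no shortcut: the only way to find a valid nonce is to keep hashing,
    which is where the energy goes.
    """
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    raise RuntimeError("nonce space exhausted")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs a single hash, however much it cost to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Each extra difficulty bit doubles the average number of hashes needed."""
    return 1 << difficulty_bits


def expected_energy_kwh(difficulty_bits: int, joules_per_hash: float) -> float:
    """Assumed energy model: expected hashes times energy per hash, converted to kWh."""
    return expected_attempts(difficulty_bits) * joules_per_hash / 3.6e6


if __name__ == "__main__":
    header = b"constructed-sample-header"  # constructed, not a real block header
    nonce, digest, attempts = mine(header, 16)
    print(f"nonce={nonce} attempts={attempts} hash={digest}")
    print("valid:", verify(header, nonce, 16))
    print("expected attempts at 16 bits:", expected_attempts(16))
```

Sixteen bits of difficulty needs about 65,000 hashes and finishes in well under a second here; the real network's target is on the order of seventy-plus bits, and the attempt count, and therefore the electricity, scales by a factor of two for every additional bit.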

Around 40% of China's Bitcoin mines run on coal and the rest on renewable sources, according to the study. Coal-powered mining is large enough, however, to undermine Beijing's pledge to peak carbon emissions by 2030 and reach carbon neutrality by 2060, the study warned. 

Using a simulated carbon emissions model, Dabo Guan, Shouyang Wang and colleagues traced the carbon emission flows of Bitcoin blockchain operations in China. Given recent trends in Bitcoin mining, they estimate that its energy consumption will peak at around 297 terawatt-hours in 2024 and generate approximately 130 million metric tons of carbon emissions, exceeding the total annual greenhouse gas emissions of mid-sized European countries such as Italy and the Czech Republic. 

China should concentrate on upgrading its power grid to guarantee a stable supply from renewable sources, said Wang. He added that "Since energy prices in clean-energy regions of China are lower than that in coal-powered regions … miners would then have more incentives to move to regions with clean energy." 

Over the past year Bitcoin's price rose fivefold, reaching a record of $61,000 in March; it currently sits just below $60,000. Given the profits available, Wang said a carbon tax alone is not enough to deter miners. The research team said the "attractive financial incentive of bitcoin mining" has triggered an arms race in the mining hardware industry. The price rise was further driven by some well-known companies, including the electric carmaker Tesla, accepting it as a method of payment. The Covid-19 pandemic probably also played a role, as more people shopped online and used physical cash less.

A Crypto Mining Botnet is Abusing Bitcoin Blockchains

 

Security researchers at Akamai have detected another botnet used for illegal cryptocurrency mining that abuses Bitcoin (BTC) transactions to stay under the radar. The technique lets the botnet operators make their infrastructure resilient to takedowns led by law enforcement. 

“A recent piece of malware from a known crypto mining botnet campaign has started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It’s a simple, yet effective, way to defeat takedown attempts.” reads the post published by Akamai. “Recent infection attempts against Akamai SIRT’s custom honeypots uncovered an interesting means of obfuscating command and control (C2) infrastructure information. The operators of a long-running crypto-mining botnet campaign began creatively disguising their backup C2 IP address on the Bitcoin blockchain.” 

The infection chain starts with the exploitation of Remote Code Execution (RCE) vulnerabilities in Hadoop YARN, Elasticsearch (CVE-2015-1427) and ThinkPHP (CVE-2019-9082). The operators also scan for Redis servers that can be compromised to mine cryptocurrency. The researchers estimate that the operators have mined more than $30,000 worth of Monero in public pools since 2018, and they identified several variants over time that used different techniques and tools. 

The older variants used a shell script for the main functions: disabling security features, killing competing infections, establishing persistence and, in some cases, propagating within the compromised network. Newer versions of the shell script delegate more of the system interaction to binary payloads, which kill competitors, disable security features, modify SSH keys, and download and start the miners. The operators use cron jobs and rootkits to maintain persistence and to re-infect hosts with the latest version of the malware. 

In December 2020 the researchers found a BTC wallet address embedded in new variants of the miner, alongside the URL of a wallet-checking API and some bash one-liners. The wallet data returned by the API was used to compute an IP address that the malware falls back to in order to maintain persistence. By fetching the address through the wallet API, the operators can both obfuscate and back up configuration data on the blockchain, and by pushing a small amount of BTC into the wallet they can recover infected systems that have been orphaned by a takedown.
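As an added example (not Akamai's code or the botnet's own one-liners), the Python below shows one way two transaction amounts can carry an IPv4 address and how the malware-side lookup would decode it. The page does not give the campaign's exact layout, so the encoding here (two 16-bit satoshi values, newest transaction first, each holding two octets) and the API-shaped transaction list are assumptions chosen to illustrate the mechanism.

```python
# Constructed illustration of hiding a backup C2 address in Bitcoin transaction amounts.
# Layout assumed for the example: the two most recent transactions to the wallet each
# carry a 16-bit value in satoshis, and each value holds two octets of the address.


def ip_to_amounts(ip: str) -> tuple:
    """Split a dotted-quad IPv4 address into two satoshi amounts, each below 65536."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    a, b, c, d = octets
    return a * 256 + b, c * 256 + d


def amounts_to_ip(first: int, second: int):
    """Inverse of ip_to_amounts; returns None if an amount cannot hold two octets."""
    if not (0 <= first <= 0xFFFF and 0 <= second <= 0xFFFF):
        return None
    return f"{first >> 8}.{first & 0xFF}.{second >> 8}.{second & 0xFF}"


def resolve_backup_c2(txs):
    """Decode the backup C2 from a wallet's transaction list as a lookup API might return it.

    `txs` is newest-first and each item has a 'value' in satoshis. Returns None when
    there are fewer than two transactions or the amounts do not form a valid address,
    which is what an infected host would see before the operator has "published" anything.
    """
    if len(txs) < 2:
        return None
    return amounts_to_ip(txs[0]["value"], txs[1]["value"])


def cost_to_rotate(ip: str) -> int:
    """Satoshis the operator must send to the wallet to publish a new backup address."""
    return sum(ip_to_amounts(ip))


# Constructed stand-in for the JSON a wallet-checking API would return (newest first).
SAMPLE_TXS = [{"value": 50739}, {"value": 25623}]  # encodes 198.51.100.23, a documentation address


if __name__ == "__main__":
    print("backup C2 from sample wallet:", resolve_backup_c2(SAMPLE_TXS))
    print("satoshis needed to rotate to 198.51.100.23:", cost_to_rotate("198.51.100.23"))
```

The decoding side doubles as a hunting aid: the same arithmetic applied to a suspicious wallet's recent transactions recovers the address the bots will fall back to, and the cost to rotate (under 0.001 BTC here) shows why the operators can afford to re-point the whole botnet at will.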

New Self-Spreading Golang Worm Dropping XMRig Miner on Servers

 

Security researchers at Intezer have found a new self-spreading worm written in Golang. The malware has been actively targeting both Windows and Linux servers, predominantly since December 2020. The researchers note that the worm, attributed to China-based hackers, attempts to mine Monero, an open-source cryptocurrency launched in 2014 that has gained wide acceptance for its privacy-oriented features.
 
Golang's rich library ecosystem makes it a favourite of malware developers, who can build portable malware quickly and infiltrate systems without being detected. Statically linked Go binaries are large, and some antivirus engines skip or only partially scan very large files, which makes it easier for the malware to evade them.

The 'GoLang' malware that has been dropping XMRig cryptocurrency miners on Windows and Linux servers, has worm-like capabilities that let it propagate itself to other systems through brute-forcing. 

The worm attacks application servers, non-HTTP services and web application frameworks; it targets public-facing services rather than end users. Recent victims include MySQL, the Tomcat admin panel and Jenkins. Besides public-facing services with weak passwords, an older variant also tried to compromise Oracle WebLogic Server by exploiting its remote code execution vulnerability CVE-2020-14882.

Attack Execution 

The operators periodically updated the worm on the Command and Control (C&C) server, a sign that the malware is still actively maintained. Once a target is compromised, the attack proceeds by deploying three files hosted on that C&C server: a loader script, the Golang worm binary, and an XMRig miner.

While giving insights into the matter, Chad Anderson, Senior Security Researcher at DomainTools said, “While it’s certainly alarming that there were no detections for this worm’s initial sample, that’s not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space,” 
 
“We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware,” he further added. 
 
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” the report by Intezer read.

Microsoft Discovers Vietnamese Government-Sponsored Threat Actor Deploying Cryptocurrency Malware

Microsoft said on Monday that Vietnamese government-backed hackers are behind a cryptocurrency-mining malware campaign.

These state-run cyberspies have started pursuing financial gain alongside their government-backed projects. Similar behaviour has already been reported from groups in Russia, China and North Korea, which makes it harder to tell whether a given campaign is about intelligence gathering or money.  
Bismuth, the Vietnam-based group tracked by Microsoft Security Intelligence and also known as APT32 and OceanLotus, has been active since 2012 doing hacking and information gathering for the government on political, economic and foreign policy matters. Earlier this year, however, Microsoft observed a change in its activity.

 "In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam," Microsoft said in their blog.

Microsoft suggests two theories for this change: 

One possibility is that it is cover: cryptomining malware looks like ordinary cybercrime, so its presence can disguise the group's espionage and lower the urgency of the security response. 

The other, and in Microsoft's view more likely, explanation is that it is exactly what it looks like: with effective immunity at home, these groups are expanding into extracting revenue from the systems they already compromised during their spying operations. 

Crypto-miners are usually attributed to cybercriminals rather than government-sponsored actors, and they are often deprioritized in routine security triage. But APTs from China, Russia, Iran and North Korea have started side businesses that generate revenue through tactics such as cryptomining. 

The reason is that these state-sponsored groups enjoy effective immunity: at home they serve the government, and because their countries have no extradition treaties with the US, they can operate with little or no consequence.