Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Crypto Mining. Show all posts

Hackers Use Auto-reply to Deliver Crypto-miner Via Malicious Emails

Hackers Use Auto-reply to Deliver Crypto-miner Via Malicious Emails

Threat actors use new techniques to distribute malware, which is evolving constantly. In a recent attack, they used malicious e-mail auto-replies to deliver crypto-mining malware. Russian cybersecurity firm F.A.C.C.T. said that threat actors breached e-mail accounts and set up automatic replies containing links to cryptocurrency mining malware.

Auto-replies for Malware Distribution

In traditional malware distribution attacks, hackers used malicious downloads, compromised websites, and phishing emails. But the new attack method uses auto-replies, experts from F.A.C.C.T explained that the new technique was employed in delivering the Xmrig crypto-miner to workers at Russian tech companies, insurance firms, financial businesses, and retail marketplaces. Experts found 150 emails that contained Xmrig earlier this year. 

Cybercriminals Using New Methods

Dmitry Eremenko, senior analyst at F.A.C.C.T said “This method of malware delivery is dangerous because the potential victim initiates communication first. This is the main difference from traditional mass mailings, where the recipient often receives an irrelevant email and ignores it.” 

Despite not looking convincing, E-mails sent through auto-replies didn't raise suspicions. To avoid detection, the hackers used a scan of a real invoice for equipment payment, different than subject mail. It means the companies as well as users who are in contact with the breached mail can become targets. 

Use of cryptocurrency mining software

Xmrig is an open-source cryptocurrency mining software mainly used for mining Monero (XMR). Cybercriminals have been using new techniques to deliver Xmrig to target devices. For instance, in one campaign, the hackers used a pirated version of Final Cut Pro (a video editing software) to deploy the crypto-miner on Apple computers.

F.A.C.C.T doesn't have any information regarding the main culprit behind the attack and their success. Experts do believe that the breached email accounts had a history of their credentials leaked on darknet, including their data. Breached accounts include construction companies, a furniture factory, a farm, and small trading firms. 

To stay safe, the report suggests “do not save passwords in browsers, install unlicensed software, because it may contain stealers, do not follow dubious links in the mail and do not enter your data on dubious sites (phishing)

Crypto Mining and DDoS Threats: How Hadooken Malware Targets Oracle Web Logic Servers

Crypto Mining and DDoS Threats: How Hadooken Malware Targets Oracle Web Logic Servers

Threat actors were found exploiting poorly secured Oracle WebLogic servers for mining cryptocurrency, building a DDoS botnet, and other malicious activities. 

The Discovery

Researchers from Aqua Cybersecurity found various attacks in the wild and decided to catch culprits by running a honeypot (a cybersecurity technique that creates a decoy system to trick and trap threat actors). Soon after, the experts found a threat actor breaking through weak passwords, and installing a malware called “Hadooken.”

The malware was used in a few other attacks in recent times, and it has two primary functions- a DDoS botnet and cryptocurrency mining. Besides this, the malware gives threat actors complete control over the compromised endpoint. 

About Hadooken Malware

Oracle WebLogic is a Java-based application that allows the management, development, and deployment of enterprise-level apps. It is generally used in financial and banking services, telecommunications, public services, and government organizations. Because of its popularity, WebLogic has also become a major target for threat actors as has “various vulnerabilities” The Register reports. 

Impact on Organizations

Until now, the experts found threat actors use Hadooken for mining crypto, while other functions are yet to be used. Experts also believe that Hadooken has hints of ransomware functions. “It could be the threat actor will introduce this attack to a Linux ransomware as well, or it is already introduced if the malware runs on the system longer than a sandbox execution,” the experts said.

When researchers tracked the IP addresses of the Hadooken malware, they came across tow IP addresses, one IP belongs to a UK hosting company, but it is registered in Germany. Earlier, the address was associated with TeamTNT and Gang 8220, but this link is not strong evidence to connect these attacks with threat actors, according to the experts. The second IP address belongs to Russia, registered with the same hosting company, but currently inactive.

How Hadooken Works

Haddoken abuses flaws in the Oracle WebLogic servers. These flaws come from unpatched misconfigurations or unpatched software. Once the malware gets access, it makes a foothold in the system, letting threat actors perform remote commands. 

Hadooken’s ability to steal passwords is a concern, it captures login credentials, and threat actors can move laterally inside a network, gaining access to other systems and data. It can cause more data breaches and ransomware attacks.

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Recently found malware uses advanced techniques to defeat antivirus safeguards, delete signs of infection, and permanently infect devices with cryptocurrency-mining software, experts said. 

"The first goal of the GhostEngine malware is to disable endpoint security solutions and specific Windows event logs, such as Security and System logs, which record process creation and service registration," said Elastic Security Labs researchers, who found the attacks.

The Anatomy of GhostEngine

  • Targeting Endpoint Security Solutions: GhostEngine specifically aims at endpoint security solutions, which include antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools. By disabling these defenses, the attackers gain a foothold within the victim’s system.
  • Driver Exploitation: The attack exploits vulnerable drivers from popular security software providers, such as Avast and IOBit. These drivers are essential for communication between the operating system and hardware components. GhostEngine manipulates them to gain access to the kernel, a privileged area of the system.
  • Silent Disabling of EDR: Once inside, GhostEngine silently disables the EDR system. This step is crucial because EDR tools monitor system behavior, detect anomalies, and respond to threats. By neutralizing EDR, GhostEngine ensures that its activities remain undetected.
  • Cryptocurrency Mining Payload: With the defenses down, GhostEngine deploys its payload: XMRig, a popular Monero (XMR) mining software. Monero is favored by cybercriminals due to its privacy features, making it difficult to trace transactions. The compromised system becomes a silent miner, contributing computational power to the attacker’s mining pool.

About GhostEngine

A function in the primary payload called GhostEngine disables Microsoft Defender or any other antivirus or endpoint security software that may be running on the targeted computer, which is critical to the extraordinarily complicated malware system's operation. It also masks any signs of compromise. 

When GhostEngine first starts, it checks machines for any EDR, or endpoint protection and response, software that may be running. If it detects any, it loads drivers known to have vulnerabilities that allow attackers to gain access to the kernel, which is severely restricted to prevent manipulation. 

Modus operandi

One of the susceptible drivers is Avast's anti-rootkit file aswArPots.sys. GhostEngine utilizes it to shut down the EDR security agent. A malicious file named smartscreen.exe then deletes the security agent binary using “iobitunlockers.sys” IObit driver.

Once the susceptible drivers are loaded, detection opportunities diminish drastically, and businesses must identify affected endpoints that stop submitting logs to their SIEM, according to the researchers. SIEM stands for security information and event management. Their research is consistent with recent findings from Antiy.

After the EDR has been terminated, smartscreen.exe downloads and installs XMRig, a genuine tool for mining the Monero cryptocurrency, which is frequently abused by threat actors. A configuration file is included, which causes all money generated to be put into an attacker-controlled wallet.

The infection chain begins with the execution of a malicious binary masquerading as the genuine Windows file TiWorker.exe. That file executes a PowerShell script that obtains an obfuscated script called get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server.

File execution to enable the virus

GhostEngine also executes various files that enable the virus to become persistent, which means it loads every time the infected machine restarts. 

To accomplish this, the file get.png creates the following scheduled tasks with SYSTEM, the highest system privileges in Windows:

  • OneDriveCloudSync uses msdtc to start the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes.
  • DefaultBrowserUpdate will launch C:\Users\Public\run.bat, which downloads and executes the get.png script every 60 minutes.
  • OneDriveCloudBackup will run C:\Windows\Fonts\smartsscreen.exe every 40 minutes.

Why GhostEngine Matters

  • Financial Gain: GhostEngine’s primary motive is financial. By harnessing the victim’s computing resources, the attackers mine Monero, potentially yielding substantial profits. The longer the attack remains undetected, the more cryptocurrency they accumulate.
  • Resource Drain: Cryptojacking strains system resources—CPU, memory, and electricity—leading to slower performance and increased energy bills. Users may notice sluggishness but remain unaware of the underlying cause.
  • Corporate Impact: In corporate environments, widespread cryptojacking can disrupt business operations. Overloaded systems affect productivity, and IT teams must allocate resources to investigate and remediate the issue.

BitBrowser Hackers Launder 70.6% of Stolen Funds

Hackers were able to transfer a remarkable 70.6% of the stolen BitBrowser cash through the eXch crypto mixer in a recent cyber robbery that startled the cryptocurrency world. Concerns regarding the security of digital assets and the increasing sophistication of thieves have been sparked by this bold action.

The attack, which targeted BitBrowser, a decentralized finance (DeFi) platform, first came to light when users reported unauthorized transactions and missing funds. The hackers managed to siphon off a substantial amount of cryptocurrency before the breach was discovered. According to reports, the stolen funds included 236 ETH (Ethereum), which were promptly moved through the eXch crypto mixer to obfuscate their origins.

The eXch crypto mixer, known for its privacy-centric features, allows users to mix their cryptocurrencies with those of other users, making it difficult to trace the source of the funds. This tool has become increasingly popular among hackers looking to launder stolen digital assets.

The BitBrowser hack and subsequent use of the eXch crypto mixer highlight the ongoing battle between cybersecurity experts and cybercriminals. As blockchain technology and cryptocurrencies gain mainstream adoption, they also attract malicious actors seeking to exploit vulnerabilities.

Cybersecurity experts and law enforcement agencies are working tirelessly to track the stolen funds and identify the hackers responsible. However, the use of crypto mixers and other privacy-enhancing tools complicates these efforts. These tools are not inherently illegal, as they also serve legitimate purposes, such as protecting user privacy and enhancing fungibility in cryptocurrencies.

This incident underscores the importance of robust security measures for cryptocurrency platforms and the need for continued innovation in the field of blockchain forensics. Blockchain analysis companies are developing advanced techniques to trace the flow of cryptocurrencies through mixers and dark web marketplaces, but it remains a challenging endeavor.

Cryptocurrency exchanges and DeFi platforms must prioritize security and invest in state-of-the-art cybersecurity measures to protect their users' assets. Additionally, regulatory bodies around the world are tightening their grip on cryptocurrency-related activities to prevent money laundering and illegal financial activities.


3 Vital Cybersecurity Threats for Employees

Cybersecurity is no longer just the IT department's job in today's digitally connected society. Protecting confidential firm information is the responsibility of every employee, from the CEO to the newest intern. Cybercriminals are growing more skilled, and their methods are changing. It's crucial that every employee is knowledgeable of potential hazards if your company is to be protected. The following three cyber threats are ones that every employee should be aware of:

1. Phishing Attacks

Phishing attacks are one of the most common and dangerous threats organizations face. Cybercriminals use deceptive emails or legitimate messages to trick employees into revealing sensitive information, such as login credentials or financial data. These emails often contain urgent requests or appear to be from trusted sources. Employees should be cautious and verify the sender's identity before clicking on any links or providing personal information. Regular training on recognizing phishing attempts is crucial in the fight against this threat.

2. Ransomware

Ransomware attacks have been on the rise in recent years. In a ransomware attack, malicious software encrypts an organization's data, rendering it inaccessible. Cybercriminals then demand a hefty ransom to provide the decryption key. Employees should be cautious about downloading attachments or clicking links from unknown sources. Regularly backing up data and keeping software up to date can help mitigate the impact of a ransomware attack.

3. Social Engineering

Social engineering attacks involve manipulating employees into divulging confidential information or performing actions that compromise security. This can involve impersonating colleagues, superiors, or even IT support. Employees should always confirm the identity of individuals making unusual requests, especially those involving sensitive data or financial transactions. Training programs should include simulations of social engineering attacks to prepare employees for real-world scenarios.

Educating employees about these cybersecurity threats is not a one-time effort; it should be an ongoing process. Regular training sessions, email reminders, and updates on emerging threats are essential components of a robust cybersecurity awareness program. Additionally, employees should be encouraged to report any suspicious activity promptly.

A cybersecurity breach doesn't just result in financial losses, keep that in mind. It may damage a company's reputation and undermine client and partner trust. Organizations can greatly minimize their risk and better safeguard their sensitive data by prioritizing cybersecurity knowledge for all employees.

Each employee must be aware of potential dangers because cybersecurity is a shared responsibility. Among the risks that businesses today must deal with include phishing attempts, ransomware, and social engineering. Employees can become a key line of defense in the ongoing fight against cybercrime by remaining alert and knowledgeable.

Ransomware Actors are Using Crypto Mining Pools to Launder Money

 

According to a recent analysis by the blockchain forensic company Chainalysis, the use of cryptocurrency mining as a technique to improve money laundering skills extends beyond nation state actors and has particular appeal to regular criminals. 

As per reports, sanctioned nation-states like Iran have turned to cryptocurrency mining as a way to amass money away from the traditional banking system. In a recent development, cybersecurity firm Mandiant also disclosed how the Lazarus Group, a notorious North Korean hacker group, has been utilising stolen cryptocurrencies like Bitcoin to buy freshly-mined cryptocurrency through hashing rental and cloud mining services.

Simply explained, online criminals mine "clean" coins using stolen crypto and then utilise different businesses to launder them. One of these sites, according to Chainalysis, is an unnamed "mainstream exchange" that has been acknowledged as having received "substantial funds" from wallets and mining pools connected to ransomware activity. 

In total, $94.2 million was sent to one of these recognised deposit addresses, of which $19.1 million came from ransomware addresses and the remaining $14.1 million from mining pools. However, Chainalysis found that the ransomware wallet in question was occasionally sending money to a mining pool "both directly and via intermediaries." 

“This may represent a sophisticated attempt at money laundering, in which the ransomware actor funnels funds to its preferred exchange via the mining pool in order to avoid triggering compliance alarms at the exchange,” the report reads. 

Chainalysis further asserts that "ransomware actors may be increasingly abusing mining pools"; citing its data, the company stated that "since the start of 2018, we've seen a large, steady increase in value sent from ransomware wallets to mining pools." 

A total of 372 exchange deposit addresses have received cryptocurrency transfers totaling at least $1 million from mining pools and ransomware addresses. Instances like these, in the opinion of the company, point to ransomware criminals trying to pass off their stolen money as earnings from cryptocurrency mining. 

Chainalysis said that "this sum is certainly an underestimate," adding that "these exchange deposit addresses have received a total of $158.3 million from ransomware addresses since the beginning of 2018. 

Illegal money transfers 

Chainalysis cites BitClub as an additional noteworthy instance of cybercriminals using mining pools. BitClub was a notorious cryptocurrency Ponzi scheme that deceived thousands of investors between 2014 and 2019 by making claims that its Bitcoin mining operations would generate significant returns. 

The company claims that BitClub Network transmitted Bitcoin valued at millions of dollars to wallets connected to "underground money laundering services" allegedly based in Russia. These money laundering wallets then transferred Bitcoin to deposit addresses at two well-known exchanges over the course of three years. 

The same period, between October 2021 and August 2022, saw the transfer of millions of dollars' worth of Bitcoin to the identical deposit addresses at both exchanges by an unidentified Russian Bitcoin mining company. 

The cryptocurrency exchange BTC-e, which the U.S. authorities accuse of promoting money laundering and running an illegal money service business, sent money to one of the wallets allegedly linked to the alleged money launderers. Additionally, it has been claimed that BTC-e handled money that was stolen from Mt. Gox, the biggest Bitcoin exchange in the early 2010s. 

These accusations led to the seizure of BTC-e by American authorities in July 2017, the removal of its website, and the arrest of its founder, Alexander Vinnik, in Greece the same month. 

Prevention Tips

According to Chainalysis, mining pools and hashing providers should put strict wallet screening procedures in place, including Know Your Customer (KYC) protocols, in order to "ensure that mining, which is a core functionality of Bitcoin and many other blockchains, isn't compromised."

The company also believes that these verification processes can successfully stop criminals from using mining as a means of money laundering by using blockchain analysis and other tools to confirm the source of funds and rejecting cryptocurrency coming from shady addresses.

Malware Authors Unknowingly Take Down Their Own Botnet

 

It is not often that malware authors go through the difficulties of establishing a malicious tool for botnet assembly, only to discover a way to effectively sabotage it themselves. But that seems to be the case with "KmsdBot," a distributed denial-of-service (DDoS) and crypto mining botnet discovered by Akamai researchers last month infecting systems across multiple industries. 

It has since gone mostly silent due to a single incorrectly formatted command on the part of its author. In DDoS attacks, the malware, written in the Go programming language, infects systems via an SSH connection with weak credentials and employs UDP, TCP, and HTTP POST and GET commands. The malware, according to Kaspersky, is designed to target multiple architectures, including Windows, Arm64, and mips64 systems.

Luxury car manufacturers, gaming companies, and IT firms are among those affected by the malware. The threat actors used KmsdBot to execute DDoS attacks in all of the attacks witnessed by Akamai, despite the malware's cryptomining functionality.

Following Akamai's initial disclosure in November, the company's researchers continued to monitor and analyse the threat. They modified a recent sample of KmsdBot as part of the exercise and decided to test various scenarios related to the malware's command and control (C2) functionality.

Akamai researchers discovered a location in the malware's code that consisted the IP address and port for KmsdBot's C2 server and changed it so that the address pointed to Akamai's IP space.

During the testing, Akamai researchers discovered that the bot abruptly stopped working after obtaining a command to send a large amount of junk information to bitcoin.com in an obvious attempt to DDoS the website. According to Cashdollar, the bot lacks error-checking functionality to ensure that the commands it receives are properly formatted. As a result, the Go binary crashes with the error message "index out of range."

He also claims that Akamai was able to reproduce the problem by sending the bot an incorrectly formatted command of its own.

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Notably, the bot does not support any kind of persistence mechanism. As a result, the malware authors' only option for rebuilding the KmsdBot botnet is to infect systems from scratch. Cashdollar asserts that almost all of the KmsdBot-related activity tracked by Akamai in recent weeks has ceased. However, there are indications that threat actors are attempting to infect systems again, he says.

Cryptominer Malware Posing as Desktop Version of Google Translate

 

While advertising desktop versions of well-known apps, a crypto mining effort from Turkey has been found infecting thousands of PCs. This campaign's offender is known as "Nitrokod." 

Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software. The majority of the programs Nitrokod provides are well-known apps without a formal desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google hasn't made a desktop version available, the hackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

Free software that is hosted on websites like Uptodown and Softpedia is used by the campaign to spread malware. Every dropper in the executable's four-stage attack chain pulls the one after it. In the seventh stage, this ultimately results in the download of actual malware (XMRig) falling.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The creators of Nitrokod segregate destructive activities from the Nitrokod program that was initially downloaded in order to escape detection:
  • Nearly a month after the Nitrokod software was set up, the malware is first executed.
  • After six earlier phases of infected programs, the malware is deployed.
  • A scheduled job technique was used to maintain the virus chain after a lengthy wait, giving the hackers time to destroy any evidence.
Using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution, CPR discovered this new crypto miner malware campaign. With the use of this technology, SOC teams can swiftly identify, look into, and react to assaults across their whole IT infrastructure. By utilizing data collected from all products, including Endpoint, Networks, Web security, and others, it detects risks inside the company and stops its growth.

Nearly a month after the first infection, the malware is removed. The third stage dropper runs five days after the last run, and the fourth stage dropper adds four more scheduled activities with intervals ranging from one to fifteen days. The phases are removed following the creation of these assignments.

Detection &prevention  

The investigators will have an extremely difficult time identifying the attack and linking it to the bogus installation as a result of this. In order to obtain a configuration file to launch the XMRig mining operation, the virus also creates a connection to a distant C2 server.

Due to extended infection chains and staged infection, hackers were able to avoid detection for months. This gave them plenty of time to change the final payload into crypto miners or ransomware. In order to keep the malware versions in demand and unique, the virus is removed from popular apps like Google Translate that doesn't actually have a desktop version.

Hacker's Spread ModernLoader, XMRig Miner Malware

 


During March and June 2022, Cisco Talos researchers discovered three distinct but connected campaigns that were spreading various malware to victims, including the ModernLoader bot, RedLine info-stealer, and cryptocurrency miners.

The hackers spread over a targeted network via PowerShell,.NET assemblies, HTA, and VBS files before releasing further malware, like the SystemBC trojan and DCRat, to enable different stages of its exploits, according to a report by Cisco Talos researcher Vanja Svajcer.

Cisco Talos further said that the infections were caused by a previously unidentified but Russian-speaking spyware, that used commercial software. Users in Bulgaria, Poland, Hungary, and Russia were among the potential targets. 

The first stage payload is an HTML Application (HTA) file that executes a PowerShell script stored on the command-and-control (C2) server to start the deployment of interim payloads that eventually use a method known as process hollowing to inject the malware.

ModernLoader (also known as Avatar bot), a straightforward.NET remote access trojan, has the ability to download and run files from the C2 server, run arbitrary instructions, acquire system information, and alter modules in real-time. 

Additionally, the actors dispersed across a targeted network using PowerShell,.NET assemblies, HTA, and VBS files before releasing additional malware, such as the SystemBC trojan, and DCRAT, to carry out various operations related to their activities.

It is challenging to identify a specific adversary behind this behavior because the attackers used various commercially available tools, according to Cisco Talos.

Despite the lack of clarity surrounding attribution, the business reported that threat actors used ModernLoader as the final payload in all three campaigns. This payload then functioned as a remote access trojan (RAT) by gathering system data and delivering further modules.

In addition, two older attacks from March 2022 were discovered by Cisco's analysis. These campaigns use ModerLoader as its principal malware C2 communication tool and also spread other malware, such as XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others. 

Days prior to the publication of the piece, the corporation hosted a webinar in which it reaffirmed its cybersecurity support for Ukraine in honor of the nation's Independence Day.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware

 

 
The Turkish-speaking group responsible for Nitrokod, which has been active since 2019 is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-crafting code is executed. What's interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

Nitrokod also uses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes in addition to Google Translate. On some websites, malicious applications will highlight about being "100% clean," despite the fact that they are infected with mining malware. Nitrokod has been productive in spreading its malicious code through download sites such as Softpedia. Since December 2019, the Nitrokod Google Translator app has been downloaded over 112,000 times, according to Softpedia.

Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

After the program is downloaded and the user launches the software, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific.exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves Monero miner code configuration settings, and begins the mining process, with generated coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code will self-destruct.

One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.

Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.

CISA Updates its Database With 10 New Actively Exploited Vulnerabilities

 

A high-severity security vulnerability impacting industrial automation software from Delta Electronics was among 10 new actively exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed in its Known Exploited Vulnerabilities (KEV) Database on Friday.

FCEB agencies are required to address the vulnerabilities by the deadline in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, in order to safeguard their networks from attacks that take advantage of the flaws in the catalog.

Private firms should analyze the Catalog and fix any infrastructure weaknesses, according to experts.

The problem, which has a CVSS score of 7.8, affects DOPSoft 2 versions 2.00.07 and earlier. It is listed as CVE-2021-38406. A successful exploit of the issue could result in the execution of arbitrary code.

Delta Electronics DOPSoft 2's incorrect input validation causes an out-of-bounds write that permits code execution, according to a CISA notice. "Delta Electronics DOPSoft 2 lacks sufficient validation of user-supplied data when parsing specified project files," the alert stated.

Notably, CVE-2021-38406 was first made public as part of an industrial control systems (ICS) advisory that was released in September 2021.

It is crucial to emphasize that the impacted product is no longer being produced and that there are no security updates available to solve the problem. On September 15, 2022, Federal Civilian Executive Branch (FCEB) organizations must abide by the directive.

The nature of the attacks that take advantage of the security issue is not well known, but a recent analysis by Palo Alto Networks Unit 42 identified instances of in-the-wild assaults that took place between February and April 2022.

The development supports the idea that attackers are becoming more adept at using newly reported vulnerabilities as soon as they are made public, which encourages indiscriminate and opportunistic scanning attempts that intend to benefit from postponed patching.

Web shells, crypto miners, botnets, remote access trojans (RATs), initial access brokers (IABs), and ransomware are frequently used in a precise order for the exploitation of these assaults.

CVE-2021-31010 (CVSS score: 7.5), an unpatched hole in Apple's Core Telephony component that could be used to get around sandbox constraints, is another high-severity flaw added to the KEV Catalog. In September 2021, the tech giant corrected the flaw.

The IT giant appears to have quietly updated its advisory on May 25, 2022, to add the vulnerability and clarify that it had actually been utilized in attacks, even though there were no signs that the hole was being exploited at the time.

The iPhone manufacturer said that it was aware of a claim that this flaw might have been extensively exploited at the time of release. Citizen Lab and Google Project Zero were credited with making the finding. 

Another noteworthy aspect of the September update is the patching of CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, the company behind the Pegasus spyware, to circumvent the security measures of the operating systems.

This suggests that CVE-2021-31010 may have been linked to the previously described two issues as part of an attack chain to get past the sandbox and execute arbitrary code.



IoT and OT Impacted by Forescout Proof-of-Concept Ransomware Attack

 

Attackers will grow as defenders improve at resisting double extortion. Rather than focusing on IT, an option is to target operational technology (OT). Attacks on OT are not only harder to execute, but their consequences are also more difficult to mitigate.

Vedere Labs, a division of Forescout, has released a proof of concept (PoC) for a 'ransomware' attack that employs IoT for access, IT for traversal, and OT for detonation. Commonly known as R4IoT, it's the latest version of ransomware. R4IoT's ultimate purpose is to get an initial foothold by exploiting exposed and unprotected IoT devices like IP cameras, then installing ransomware in the IT network and using poor operational security procedures to enslave mission-critical systems. 

"It basically comes out of our observation of the shifting nature of the threat actors involved in ransomware — they've been changing strategies in the last couple of years," Daniel dos Santos, head of security research at Forescout's Vedere Labs, explained. The tipping point for thieves to start attacking such devices for ransomware assaults, according to dos Santos, "will most likely be when the IT and OT devices cross 50%." "And that'll be very soon. It will take between one and two years." 

According to the survey, Axis and Hikvision account for 77% of the IP cameras used by Forescout's 1,400 global customers. Axis cameras alone were responsible for 39% of the total. "This shows that exploiting IP camera flaws as a repeatable point of entry to a variety of businesses is a possibility," stated dos Santos in a report. 

In a neutral setting, this may mean infiltrating a corporate network system to drop ransomware and retrieve other payloads from a remote server to deploy cryptocurrency miners and perform DoS assaults against OT assets. Organizations should identify and patch vulnerable devices, enforce network segmentation, adopt strong password rules, and monitor HTTPS connections, FTP sessions, and network traffic to reduce the possibility and impact of possible R4IoT incidents.

"Ransomware has been the most frequent threat in recent years, and it has largely crippled enterprises by exploiting flaws in traditional IT equipment," the researchers noted. Dos Santos advised using the NIST Cybersecurity Framework and zero-trust architecture, as well as effective network segmentation.

Safeguarding From Container Attacks Inside the Cloud


As an alternative to virtualization, containerization has become a key trend in software development. It entails encapsulating or packaging software code and all of its dependencies so it may execute consistently and uniformly across any infrastructure. Containers are self-contained units that represent whole software environments that may be transported. They include everything a program needs to run, including binaries, libraries, configuration data, and references. Docker and Amazon Elastic, as an illustration, are two of the extra well-known choices. 

Although many containers can run on the same infrastructure and use the same operating system kernel, they are isolated from such a layer and have a little interface with the actual hosting elements, for instance, a public cloud occasion. The ability to instantly spin up and down apps  for users, is one of the many advantages of running cloud-based containers. Admins may utilize orchestration to centrally manage containerized apps and services at scale, such as putting out automatic updates and isolating any malfunctioning containers.

Container adoption is at an all-time high, worldwide businesses of all sizes are eager to jump on board. According to a poll conducted by the Cloud Native Computing Foundation (CNCF), 83 percent of respondents plan to use Kubernetes in production in 2020, up from 78 percent the year before and just 58 percent in 2018. As adoption grows, cybercriminals' interest grows as well. According to a June Red Hat study, 94 percent of respondents have experienced a Kubernetes security problem in the last 12 months. 

Larry Cashdollar, an Akamai security researcher, recently set up a basic Docker container honeypot to test what type of attention it would get from the larger web's cybercriminals. The results were alarming: in just 24 hours, the honeypot was used for four different nefarious campaigns. Cashdollar had integrated SSH protocol for encryption and developed a “guessable” root password. It wouldn't stick out as an obvious honeypot on the web because it was running a typical cloud container configuration, he explained. It would instead appear to be a vulnerable cloud instance. The assaults had a variety of objectives: one campaign aimed to utilize the container as a proxy to access Twitch feeds or other services, another attempted a botnet infection, a third attempted crypto mining, and the fourth attempted a work-from-home hoax. 

"Profit is still the key motivator for cybercriminals attacking containers," as these cases demonstrate, according to Mark Nunnikhoven, a senior cloud strategist at Lacework. "CPU time and bandwidth can be rented to other criminals for buried services, or even used to directly mine cryptocurrencies. Data can be sold or ransomed at any time. In an environment where containers are frequently used, these reasons do not change." 

According to a recent Gartner study, client misconfigurations or mistakes would be the primary cause of more than 99 percent of cloud breaches by 2025. As per Trevor Morgan, product manager at comfort AG, most businesses, particularly smaller businesses, rely on default configuration options rather than more advanced and granular setup capabilities: "Simple errors or selecting default settings  that are far less safe than customized options." The problems with configuration typically go beyond the containers themselves. Last July, for example, misconfigured Argo Workflows servers were detected attacking Kubernetes clusters. 

Argo Workflows is an open-source, container-native workflow engine for coordinating parallel activities on Kubernetes to reduce processing time for compute-intensive tasks such as machine learning and large data processing. 

According to an examination by Intezer, malware operators were using publicly available dashboards which did not require authentication for outside users to drop crypto miners into the cloud. Far above misconfiguration, compromised images or layers are the next most serious threat to containers, according to Nunnikhoven. "Lacework Labs has witnessed multiple instances of cybercriminals infiltrating containers, either through malware implants or pre-installed crypto mining apps," he said. "When a group deploys the pictures, the attacker has access to the victim's resources."

According to Gal Singer, an Aqua Security researcher, the flaw (CVE-2020-15157) was discovered in the container image-pulling process. Adversaries may take advantage of this by creating dedicated container images which stole the host's token when they were pulled into a project.  Similarly, a denial-of-service vulnerability in one of Kubernetes' Go libraries (CVE-2021-20291) was discovered to be exploited by storing a malicious picture in a registry. When the image was taken from the registry by an unwary user, the DoS condition was generated.

The second source of concern is vulnerabilities, both known and unknown. In 2021, several container flaws were discovered, but "Azurescape" was likely the most alarming. Within Microsoft's multitenant container-as-a-service offering, Unit 42 researchers found a chain of exploits that might allow a hostile Azure user to infect other customers' cloud instances. 

Containerized environments can provide unique issues in terms of observability and security controls, according to Nunnikhoven, but a comprehensive security approach can help. Researchers recommended that users apply a laundry list of best practices to secure their Kubernetes assets: 

  • Avoid using default settings; use secure passwords.
  • To prevent attackers from impersonating the token owner, do not send privileged service account tokens to anyone other than the API server. 
  • Enable the feature "BoundServiceAccountTokenVolume": When a pod ends, its token becomes invalid, reducing the risk of token theft.
  • Examine orchestrators for least-privilege settings to verify that CI/CD movements are authenticated, logged, and monitored. 
  • Be comprehensive: Create a unified risk picture that includes both cloud-based applications and traditional IT infrastructure. 
  • Have data-analysis software in place, as well as an automatic runbook that can react to the findings.

AWS, and Alibaba Cloud was Attacked by Crypto Miners

 

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime team's infected shell scripts, an earlier version of which was documented by Trend Micro. The malware creator modified these tools after learning that security experts had disclosed the prior version of its scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances. 

There are multiple TeamTNT payloads focusing on bitcoin mining, persistence, and lateral movement employing tactics like identifying and installing on with all Kubernetes pods in a local network, in addition to the primary credential stealer scripts. A script containing user credentials for the distribution system server and another with an API key which may allow remote access to a tmate shared login session is also included. Defense evasion functions aimed at defeating Alibaba cloud security technologies are included in some TeamTNT scripts.

When it comes to decision making obtaining credentials, the script looks for them in the following places and APIs: 

  • It attempts to obtain the string 'AWS' from /proc/*/environ from the Linux system environment variables. 
  • Obtaining the string 'AWS' from Docker environment variables with the command $(docker inspect $) (docker ps -q).
  • /home/.aws/credentials and /root/.aws/credentials are the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the virus saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt" and uses cURL to transfer it to the URL http://chimaera[.]cc/in/AWS.php before deleting it. 

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance for all network traffic was restricted by the VPC Security Group such as the script could not access TeamTNT's servers. 

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, how, they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security, agents. While the bulk of malicious scripts targets AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) or a Tencent Cloud VM. They could theoretically be put on a VM operating on AWS or any other service, but it would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other popular cloud security tools in the United States. 

The Alibaba defense damage routines have been retrieved and saved here from the script Kubernetes root payload 2.sh. Since static analysis of the defense impairment functions is problematic due to the presence of multiple Base64 encoded strings, those functions have been decrypted and placed back into the file ali-defense-impairment-base64-decoded.sh.txt. 

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into existing attacks. To deploy the cryptocurrency miners, the exploitation efforts employ a unique web shell, but not before switching off the firewall and disabling other virtual currency miner processes.

Log4Shell Utilized for Crypto Mining and Botnet Creation

 

The serious problem in Apache's widely used Log4j project, known as Log4Shell, hasn't caused the calamity predicted, but it is still being exploited, primarily from cloud servers in the United States. Because it was reasonably straightforward to exploit and since the Java application logging library is implemented in many different services, the Log4Shell vulnerability was brought to attention as it raised concerns for being potentially abused by attackers. 

According to a Barracuda study, the targeting of Log4Shell has fluctuated over the last few months, but the frequency of exploitation attempts has remained pretty stable. Barracuda discovered the majority of exploitation attempts originated in the United States, followed by Japan, Central Europe, and Russia. 

Researchers discovered the Log4j version 2.14.1 in December 2021. Reportedly, all prior versions were vulnerable to CVE-2021-44228, also known as "Log4Shell," a significant zero-day remote code execution bug.

Log4j's creator, Apache, attempted to fix the problem by releasing version 2.15.0. However, the vulnerabilities and security flaws prolonged the patching race until the end of every year, when version 2.17.1 ultimately fixed all issues. 

Mirai malware infiltrates a botnet of remotely managed bots by targeting publicly outed network cameras, routers, and other devices. The threat actor can then use this botnet to launch DDoS assaults on a single target, exhausting its resources and disrupting any online services. The malicious actors behind these operations either rent vast botnet firepower to others or undertake DDoS attacks to extort money from businesses. Other payloads which have been discovered as a result of current Log4j exploitation include: 

  • Malware is known as BillGates (DDoS)
  • Kinsing is a term used to describe the act of (cryptominer) 
  • XMRig XMRig XMRig X (cryptominer) 
  • Muhstik Muhstik Muhstik (DDoS) 

The payloads range from harmless online jokes to crypto-mining software, which utilizes another person's computers to solve equations and earn the attacker cryptocurrency like Monero. 

The simplest method to protect oneself from these attacks is to update Log4j to version 2.17.1 or later, and to maintain all of the web apps up to date. Even if the bulk of threat actors lose interest, some will continue to target insecure Log4j deployments since the numbers are still significant. 

Security updates have been applied to valuable firms which were lucrative targets for ransomware assaults, but neglected systems running earlier versions are good targets for crypto mining and DDoS attacks.

Financier Diakonov Called Russia the Future Cryptocurrency Center of the World

 

Mr. Diakonov predicted the future of cryptocurrency and called it a possible alternative to traditional money. "Time will tell how it will be built into the system of international payments and trade," he said.
The financier also stated that Russia can become a cryptocurrency world center since it has the necessary knowledge, capabilities and technologies to create this product. However, it is difficult to guess when this scenario will come to life,since the concepts of cryptocurrencies proposed by the Ministry of Finance and the Central Bank do not reflect the current situation. 

"If the task is to transfer part of the international settlements into the "new currency," in case this instrument will acquire the scale, then sanctions measures from the West may affect it as well. And we may see the next prohibitive measures of an international nature," he explained. 

According to Mr. Diakonov, China, as Russia's largest business partner, is not yet ready to switch to cryptocurrency trading. However, he suggested that the country would start using the digital yuan. "Here we see great prospects for creating new synthetic products that will become a growth point for the economy," he concluded. 

Earlier, the founder and CEO of the world's largest cryptocurrency exchange Binance, Changpeng Zhao, said that next year there will be more transparency in the regulation of crypto-assets, and this is a positive signal for the market. In addition, there will be new options for their use. But the crypto market moves cyclically, and an upturn is followed by a downturn. Whether it happens next year or later is hard to predict. Asset volatility will continue regardless of who comes to the market. "Our personal goal for next year is to get as many licenses around the world as we can; we expect to get 10 to 20 more licenses next year." 

In addition, there will be new ways to use them. But the crypto market moves cyclically, and a period of recovery is followed by a recession – it will happen next year or later, it is difficult to predict. Asset volatility will continue regardless of who comes to the market. "Our personal goal for next year is to get as many licenses around the world as possible. We expect to get another 10-20 licenses next year." 

Earlier, the Ministry of Finance submitted to the government a bill on the legalization of cryptocurrencies. According to the document, Russians will have the right to legally invest up to 600 thousand rubles ($7,600) in cryptocurrency annually. However, this will require special testing.

The Ministry of Finance Proposed to Test Russians Before Buying Cryptocurrencies

 

On February 18, the Ministry of Finance submitted a bill on the regulation of cryptocurrencies to the government. At the same time, public discussions began. On Monday, February 21, the agency published details of the document on its official website. 

According to the proposal of the Ministry of Finance, the use of digital currencies as a means of payment in Russia will continue to be prohibited. However, the Ministry of Finance suggests leaving cryptocurrencies only as a tool for investment. The bill defined the requirements for exchanges and exchangers that will deal with cryptocurrencies. 

Foreign cryptocurrency exchanges will have to register in Russia in order to obtain a license. The Ministry of Finance proposes to allow transactions with the purchase or sale of cryptocurrencies only if the client is identified. The deposit and withdrawal of cryptocurrencies will be possible only through banks using a bank account. 

Exchanges must inform citizens about the high risks associated with purchasing digital currencies. Citizens will undergo online testing before purchasing cryptocurrencies, which will determine the level of knowledge of the specifics of investing in digital currencies and awareness of possible risks. 

According to the official website of the Ministry of Finance, "with successful testing, citizens can invest up to 600 thousand rubles in digital currencies annually. If the testing is not passed, then the maximum amount of investment will be limited to 50 thousand rubles (about 0.015 bitcoins at the time of writing the news). Qualified investors and legal entities will make transactions without restrictions." 

The agency also proposes to consolidate the definition of digital mining as an activity aimed at obtaining cryptocurrency. The Ministry of Finance noted that they had received proposals from the Bank of Russia on the introduction of a ban on the organization of the issuance and circulation of digital currencies. 

Last week it became known that the Central Bank proposes to ban not only the organization of the issuance of cryptocurrencies and their circulation but also the dissemination of information about them. Also, the Central Bank prohibits banks and other financial market participants from owning private digital currencies. 

In addition, on February 18, the Central Bank proposed to introduce fines of up to one million rubles ($12,700) for the issue of private cryptocurrency. If the bill is adopted, individuals may face fines in the amount of 300 ($3,800) to 500 ($6,300) thousand rubles, and organizations from 700 thousand ($8,800) to one million rubles ($12,700). 

Earlier, CySecurity News reported that the Kremlin and the Russian government have estimated the Russian cryptocurrency market at $214 billion.

Georgia goes after crypto miners

On January 10, Georgian Economy Minister Natia Turnava told reporters that the Government of Georgia and the energy distribution company Energo-pro Georgia are engaged in solving the problem of illegal mining of cryptocurrencies in the Svaneti region, which leads to an overload of power grids.

The problem is connected with a sharp increase in electricity consumption over the past year in the Mestia region of Svaneti. Widespread mining in the area is associated with low tariffs for businesses in the highland area and free electricity for the local population.

In December, the Georgian authorities had to introduce an electricity supply schedule in Mestia due to network congestion and recurring accidents.

"Of course, illegal electricity consumption is unacceptable, especially the so-called problems with household mining, which, as we know, exist there. We are working with the local government, as well as with Energo-pro Georgia, which supplies electricity to Svaneti, to solve this issue step by step," Turnava said.

She added that she does not think it is justified to involve the police in identifying the mining farms. The Minister of Economy hopes that the population itself is aware of the threat to the tourism sector inherent in the district, and will draw conclusions about this based on its own interests.

It's interesting to note that at the end of December, Mestia residents held protests demanding the closure of mining farms and accused the authorities of patronizing miners.

Energo-pro Georgia announced that it will be forced to introduce tariffs for the population in this situation. Before the New Year, local residents swore on an icon in the church that they would turn off all mining farms in the area. But after the New Year, the energy distribution company said that electricity consumption has not decreased.

According to a study by the Cambridge Center for Alternative Finance, in 2018 Georgia was in second place in terms of the amount of electricity spent on mining cryptocurrencies — 60 megawatts.

Malware Abcbot Related to the Xanthe Cryptomining Bug Developer's

 

Abcbot, the newly discovered botnet has a longer history than what was originally believed. The Xanthe-based cryptojacking campaign found by Cisco's Talos security research team in late 2020 has a clear link, according to the ongoing examination of this malware family. When Talos was notified of an intrusion on one of their Docker honeypots, they discovered malware that looked like a bitcoin mining bot. 

The virus is known as Xanthe, and its main goal is to mine cryptocurrency using the resources of a compromised system. Based on the findings, the same threat actor is behind both Xanthe and Abcbot, and its goal has shifted from mining cryptocurrency on compromised hosts to more classic botnet activity like DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, are triggered by a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is an updated version of one found by Trend Micro in October 2021, which targeted Huawei Cloud's vulnerable ECS instances. 

Further investigation of the botnet, which included mapping all known Indicators of Compromise (IoCs) such as IP addresses, URLs, and samples, revealed Abcbot's code and feature-level similarities to that of a cryptocurrency mining operation known as Xanthe, which spread the infection using incorrectly configured Docker implementations. 

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines, with some functions having not only identical names and implementations (e.g., "nameservercheck"), but also have the word "go" appended to the end of the function names (e.g., "filerungo"). According to experts, Abcbot also contains spyware that allows four malicious users to be added to the hacked machine: 
  • Logger 
  • Ssysall 
  • Ssystem 
  • sautoupdater 
Researchers believe that there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is involved. The majority of these would be difficult and inefficient to recreate identically, including string reuse, mentions of shared infrastructure, stylistic choices, and functionality that can be seen in both instances. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices and toward botnet-related operations like DDoS attacks.

Avira Antivirus Introduces Crypto Mining To Its 500M Customers

 

You might be surprised to know that Norton 360 antivirus came up with a program that allows customers like you to make money mining virtual currency. However, Avira antivirus, having a user base of 500 million users globally, is popular for offering free products. Avira was recently bought by the same company that owns Norton 360, and customers can now access a service called "Avira Crypto." Avira Operations GmbH & Co. KG, founded in 2006, is a German MNC software company, popular for its Avira Free Security (Avira Antivirus). 

Last year, Avira was bought by Tempe, Arizona-based NortonLife Inc, the company which now owns Norton 360. In 2017, Lifelock was acquired by Symantec Corp., which was later renamed to NortonLifeLock 2019. LifeLock is now included in the Norton 360 service; Avira offers you a similar feature Breach Monitor. Similar to Norton 360, Avira will come with an installed crypto miner but you have to select the service that allows it. 

Avira Crypto allows you to use your computer's idle time to mine Ethereum cryptocurrency. "Since crypto mining requires a high level of processing power, it is not suitable for users with an average computer. Even with compatible hardware, mining cryptocurrencies on your own can be less rewarding. Norton hasn't responded to any of the comments, so it's not certain if Avira uses crypto mining code similar to Norton Crypto. But there are hints that suggest it can be the same. 

NortonLifeLock released Avira Crypto in October 2021, but other antivirus companies have flagged it as unsafe and malicious for including a crypto-miner as far as Sept. 9, 2021. "Some longtime Norton customers took to NortonLifeLock’s online forum to express horror at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default," KrebsonSecurity. Other companies have alleged that crypto offerings might end up costing customers more in electricity bills than they can ever recover from mining ETH.