Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cryptojacking. Show all posts
US Government
Bitcoin Cryptojacking Cyber Attacks Monero US Government

Hackers Exploit US Government agency’s Cloud System for Cryptojacking

 



A recent cybersecurity breach has exposed vulnerabilities in government agencies, as hackers infiltrated the U.S. Agency for International Development (USAID) to mine cryptocurrency. The attackers secretly exploited the agency’s Microsoft Azure cloud resources, leading to $500,000 in unauthorized service charges before the breach was detected. This incident highlights the growing threat of cryptojacking, a cybercrime where hackers hijack computing power for financial gain.  


How the Hackers Gained Access 

The attackers used a technique called password spraying, which involves trying a set of commonly used passwords on multiple accounts until one works. They managed to breach a high-level administrator account that was part of a test environment, gaining significant control over the system.  

Once inside, they created another account with similar privileges, allowing them to operate undetected for some time. Both accounts were then used to run cryptomining software, which consumes large amounts of processing power to generate digital currency. Since USAID was responsible for cloud costs, the agency unknowingly footed a massive bill for unauthorized usage.  


What is Cryptojacking?  

Cryptojacking is a cyberattack where hackers steal computing resources to mine cryptocurrencies like Bitcoin or Monero. Mining requires powerful hardware and electricity, making it expensive for individuals. By infiltrating cloud systems, cybercriminals shift these costs onto their victims, while reaping financial rewards for themselves.  

This attack is part of a larger trend:  

1. 2018: A cryptojacking incident compromised government websites in the U.S., U.K., and Ireland through a malicious web plugin.  

2. 2019: Hackers accessed an AWS cloud account of a U.S. federal agency by exploiting credentials leaked on GitHub.  

3. 2022: Iranian-linked hackers were found mining cryptocurrency on a U.S. civilian government network.  

Cybersecurity experts warn that cryptojacking often goes unnoticed because it doesn’t immediately disrupt services. Instead, it slowly drains computing resources, resulting in skyrocketing cloud costs and potential security risks.  


How USAID Responded

Once the attack was discovered, USAID took steps to secure its systems and prevent future breaches:  

  •  Tightened password policies to prevent unauthorized access.  
  •  Enabled multi-factor authentication (MFA) to add an extra layer of security.  
  •  Deleted compromised accounts and removed harmful scripts used in the attack.  
  •  Introduced continuous security monitoring to detect suspicious activity earlier.  

A USAID internal report emphasized the need for stronger cybersecurity defenses to prevent similar incidents in the future.  


Experts Warn of Increasing Cryptojacking Threats  

Cryptojacking attacks are typically carried out by individual hackers or cybercrime syndicates looking for quick profits. However, some state-sponsored groups, including those linked to North Korea, have also used this method to fund their operations.  

Cybersecurity professionals explain how these attacks work:  

“If I break into someone’s cloud system, I can mine cryptocurrency using their resources, while they get stuck with the bill,” — Hamish Eisler, Chainalysis.  

Jon Clay, a Threat Intelligence Expert at Trend Micro, describes cryptojacking as a persistent issue, where cybercriminals constantly look for new ways to exploit vulnerabilities.  


How to Protect Against Cryptojacking  

Organizations can take several measures to reduce the risk of cryptojacking attacks:  

  • Implement strong passwords and MFA to make unauthorized access harder.  
  • Monitor cloud usage for unexpected spikes in resource consumption.  
  • Limit administrative access to only essential personnel.  
  • Regularly review security settings to close potential loopholes.  

To combat these threats, Microsoft introduced mandatory MFA for Azure logins, which began rolling out in 2024. This security measure is expected to make it harder for hackers to take over cloud accounts.  

Cryptojacking is a growing cybersecurity threat that can lead to financial losses, operational disruption, and security risks. The USAID breach serves as a wake-up call for both government agencies and businesses to strengthen their cyber defenses. Without proactive measures, organizations remain vulnerable to attacks that silently drain resources and increase costs.

Read more »
Technology
Cryptocurrency threats Cryptojacking cyb News Technology

Cryptojacking: The Silent Cybersecurity Threat Surging in 2023

Cryptojacking, the unauthorized exploitation of an organization’s computing resources to mine cryptocurrency, has emerged as a significant yet often overlooked cybersecurity threat. Unlike ransomware, which overtly disrupts operations, cryptojacking operates covertly, leading to substantial financial and operational impacts. In 2023, cryptojacking attacks surged by 659%, totaling 1.1 billion incidents, according to SonicWall’s 2024 Cyber Threat Report.

This dramatic increase underscores the growing appeal of cryptojacking among cybercriminals. The financial implications for businesses are severe. Research indicates that for every dollar’s worth of cryptocurrency mined illicitly, companies incur approximately USD 53 in cloud service costs. This disparity highlights the hidden expenses organizations face when their systems are compromised for unauthorized mining activities.

How Cryptojacking Works and Its Impact

Attackers employ various methods to infiltrate systems, including:

  • Drive-by Downloads: Compromised websites automatically download mining scripts onto visitors’ devices.
  • Phishing Emails: Trick users into installing malware that enables cryptojacking.
  • Exploiting Vulnerabilities: Targeting unpatched software to gain unauthorized access.

The rise of containerized environments has also provided new avenues for attackers. For example, cybercriminals can embed mining scripts within public repository images or target exposed Docker APIs to deploy cryptojacking malware.

Beyond financial losses, cryptojacking degrades system performance by overutilizing CPU and GPU resources. This leads to slower operations, reduced productivity, and increased energy consumption. Over time, the strain on hardware can cause overheating and potential equipment failure. Additionally, compromised systems are more vulnerable to further security breaches, as attackers can leverage their access to escalate attacks.

Combating Cryptojacking: Proactive Measures

To defend against cryptojacking, organizations must implement proactive security measures. Key strategies include:

  1. Endpoint Protection Tools: Deploy solutions that monitor for unusual resource usage, such as sudden spikes in CPU or GPU activity, which may indicate cryptojacking.
  2. Network Traffic Analysis: Analyze network traffic for connections to known cryptocurrency mining pools, which are often used by attackers to process mined coins.
  3. Cloud Monitoring Solutions: Utilize cloud-based tools to detect unauthorized mining activities in cloud environments, where cryptojacking is increasingly prevalent.
  4. Regular Testing and Validation: Simulate cryptojacking attacks to identify vulnerabilities and strengthen defenses before actual threats materialize.

Organizations should also prioritize employee training to recognize phishing attempts and other common attack vectors. Regularly updating and patching software can close vulnerabilities that attackers exploit to infiltrate systems. Additionally, implementing robust access controls and monitoring for unusual user activity can help prevent unauthorized access.

The surge in cryptojacking attacks highlights the growing sophistication of cybercriminals and the need for organizations to adopt comprehensive cybersecurity measures. While cryptojacking may not be as visibly disruptive as ransomware, its financial and operational impacts can be equally devastating. By deploying advanced detection tools, analyzing network traffic, and regularly testing defenses, businesses can mitigate the risks posed by cryptojacking and protect their computing resources from unauthorized exploitation. As cyber threats continue to evolve, proactive and adaptive security strategies will be essential to safeguarding organizational assets and maintaining operational efficiency.

Read more »
Technology
Cloud Security Cryptojacking Cybersecurity Threats Google Cloud MFA Raccoon Stealer Ransomware Technology

TRIPLESTRENGTH Targets Cloud for Cryptojacking, On-Premises Systems for Ransomware Attacks

 

Google unveiled a financially driven threat actor, TRIPLESTRENGTH, targeting cloud environments for cryptojacking and on-premise ransomware operations.

"This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," Google Cloud noted in its 11th Threat Horizons Report.

TRIPLESTRENGTH employs a three-pronged attack strategy: unauthorized cryptocurrency mining, ransomware deployment, and offering cloud platform access—spanning services like Google Cloud, AWS, Azure, Linode, OVHCloud, and Digital Ocean—to other attackers. The group's primary entry methods involve stolen credentials and cookies, often sourced from Raccoon Stealer logs. Compromised environments are used to create compute resources for mining cryptocurrency using tools like the unMiner application and the unMineable mining pool, optimized for both CPU and GPU algorithms.

Interestingly, TRIPLESTRENGTH has concentrated its ransomware efforts on on-premises systems, deploying lockers such as Phobos, RCRU64, and LokiLocker.

"In Telegram channels focused on hacking, actors linked to TRIPLESTRENGTH have posted advertisements for RCRU64 ransomware-as-a-service and also solicited partners to collaborate in ransomware and blackmail operations," Google Cloud disclosed.

One notable incident in May 2024 involved initial access through Remote Desktop Protocol (RDP), followed by lateral movement and antivirus evasion to execute ransomware across several systems. TRIPLESTRENGTH also regularly advertises access to compromised servers on Telegram, targeting hosting providers and cloud platforms.

To counteract such threats, Google has introduced multi-factor authentication (MFA) and improved logging for detecting sensitive billing actions.

"A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud," Google warned. 

"This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks."
Read more »
Trojan
cryptocurrency Cryptojacking Cyberattacks Cyberbreach Cyberhakcers Cybersecurity Cyberthreats IoT Malicious program Technology Trojan

Cryptojacking Attacks Soar 409% in India Amid a Global Shift in Cybersecurity Tactics

 


A rise in technology has also led to an increase in cybersecurity concerns as a result of the rise of technology. It is becoming more and more common for users across the world to fall victim to online scams day after day, and this is even getting the authorities in action, as they're now attempting to combat this trend by taking steps to introduce safeguards for users. 

According to the first half of 2024 global statistics, malware volume increased by a whopping 30 per cent on a global scale. As a result of this increase alone, the number of reports increased by 92 per cent in May. Throughout 2024, the number of malware attacks in the country increased by 11 per cent and ransomware attacks rose by 22 per cent, indicating that businesses are facing more cyber threats than ever before, according to a report by SonicWall. 

A SonicWall report published in February 2024 revealed that malware attacks increased by eleven per cent in volume from 12,13,528 in 2023 to 13,44,566 in 2024 as compared to the previous year. IoT (Internet of Things) attacks have increased by 59 per cent in the last year, with 16,80,787 attacks occurring annually in 2024 as opposed to 10,57,320 in 2023, the study found. 

There is no doubt that India is making substantial efforts to become one of the leading countries in the field of technology. While the use of technology has increased over the years, a recent trend has also been accompanied by significant cybersecurity risks. Attacks on Internet of Things (IoT) devices have increased by 59 per cent in 2024 as compared to 1,057,320 in 2023, which marks an increase of 11 per cent in malware attacks, a 22 per cent increase in ransomware attacks, and an 11 per cent increase in Internet of Things (IoT) attacks. 

According to the report, there was a marked increase in both ransomware attacks and crypto attacks; the latter grew by an astonishing 409 per cent. The SonicWall Vice President for APJ Sales, Debasish Mukherjee, noted that organizations are facing an increasingly hostile threat environment because attackers are continuing to innovate beyond traditional defences to become more successful. According to the "Mid-Year Cyber Threat Report" published by SonicWall, the rise of new cyber threats is becoming increasingly prevalent among businesses due to these new developments in cybersecurity. 

Cryptojacking attacks are increasing, and India has reported the highest number of attacks with a 409 per cent increase compared to a global decline of 60 per cent — a startling statistic. In a recent report published by SonicWall Capture Labs, SonicWall released the 2024 SonicWall Mid-Year Cyber Threat Report today. This report reveals that cyber threats are once again on the rise after an 11% increase in 2023, confirming the 11% rise in high-quality attacks since 2023.

A report published by the company details the changing threat landscape over the first five months of this year, showing the persistence, relentlessness, and ever-growing nature of cyber threats across the globe. A report that has been designed with SonicWall's partners in mind, has undergone several changes over the past few years, much like SonicWall itself has undergone several changes. As part of its evolution, the report has recently changed the way it measures vital cyber threat data to include time as a component. 

A key part of the report outlines the latest threats which are affecting our partners and the customers they serve, and for the first time, it highlights how attacks can have a direct impact on our partners, including threats to revenue. According to SonicWall intelligence, on average, companies are likely to be under critical attack - that is, attacks which are most likely to deplete business resources - for 1,104 of the 880 working hours they have in a given month. 

In the first five months of 2024, businesses were shielded from potential downtime of up to 46 days, a critical safeguard that protected 12.6% of total revenues from potentially devastating cyber intrusions. This significant finding was among the key insights from a recent report, underscoring the escalating threats faced by modern enterprises. 

Douglas McKee, Executive Director of Threat Research at SonicWall, emphasized the importance of robust cybersecurity measures, stating, "The data and examples found in the report provide real-life scenarios of how crafty and swift malicious actors operate, underscoring that traditional cybersecurity defences often prove to be the most reliable." One of the most pressing concerns highlighted in the report is the increasing sophistication of supply chain attacks. 

These attacks exploit the interconnectedness of modern enterprises, targeting vulnerabilities in third-party software and services to compromise broader networks. The first half of 2024 saw several sophisticated attacks, including a high-profile breach involving the JetBrains TeamCity authentication bypass. By the end of 2023, three out of the top five companies globally had already suffered supply chain breaches, affecting more than 50% of their customers. 

These breaches were primarily due to vulnerabilities such as Log4j Log4Shell and Heartbleed. The report also revealed that organizations, on average, took 55 days to patch even 50% of their critical vulnerabilities, further exposing them to risk. In response to these growing threats, Microsoft has made significant strides in addressing vulnerabilities. 

In 2023, the company patched more than 900 vulnerabilities, with Remote Code Execution (RCE) vulnerabilities accounting for 36% of them. Despite the high number of RCE vulnerabilities, they were exploited only 5% of the time. In contrast, Elevation of Privilege vulnerabilities, which were leveraged 52% of the time, posed a greater risk. By mid-2024, Microsoft had already patched 434 vulnerabilities, matching the record set in 2023. 

Notably, 40% of these vulnerabilities were classified as RCE, yet 86% of the exploited vulnerabilities were related to Security Feature Bypass or Elevation of Privilege issues. The report also sheds light on the growing threat posed by Remote Access Trojans (RATs). These malicious programs disguise themselves as legitimate applications to obtain necessary permissions and connect to command-and-control servers, enabling them to steal sensitive information and bypass multi-factor authentication (MFA). Industries will experience several sophisticated RAT attacks in 2024, with malware such as Anubis, AhMyth, and Cerberus evolving to bypass MFA, making them a significant cybersecurity threat. PowerShell, a versatile scripting language and command-line shell, has also become a favoured tool among malicious actors due to its user-friendly features. 

The report revealed that 90% of prevalent malware families, including AgentTesla, AsyncRAT, GuLoader, DBatLoader, and LokiBot, utilize PowerShell for malicious activities. Of these, 73% use PowerShell to download additional malware, evade detection, and carry out other harmful actions. This report serves as a stark reminder of the increasing sophistication and prevalence of cyber threats in 2024, underscoring the need for continued vigilance and robust cybersecurity measures to protect businesses and their customers.
Read more »
malware
Crypto Mining Cryptojacking Endpoint security GhostEngine malware

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Recently found malware uses advanced techniques to defeat antivirus safeguards, delete signs of infection, and permanently infect devices with cryptocurrency-mining software, experts said. 

"The first goal of the GhostEngine malware is to disable endpoint security solutions and specific Windows event logs, such as Security and System logs, which record process creation and service registration," said Elastic Security Labs researchers, who found the attacks.

The Anatomy of GhostEngine

  • Targeting Endpoint Security Solutions: GhostEngine specifically aims at endpoint security solutions, which include antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools. By disabling these defenses, the attackers gain a foothold within the victim’s system.
  • Driver Exploitation: The attack exploits vulnerable drivers from popular security software providers, such as Avast and IOBit. These drivers are essential for communication between the operating system and hardware components. GhostEngine manipulates them to gain access to the kernel, a privileged area of the system.
  • Silent Disabling of EDR: Once inside, GhostEngine silently disables the EDR system. This step is crucial because EDR tools monitor system behavior, detect anomalies, and respond to threats. By neutralizing EDR, GhostEngine ensures that its activities remain undetected.
  • Cryptocurrency Mining Payload: With the defenses down, GhostEngine deploys its payload: XMRig, a popular Monero (XMR) mining software. Monero is favored by cybercriminals due to its privacy features, making it difficult to trace transactions. The compromised system becomes a silent miner, contributing computational power to the attacker’s mining pool.

About GhostEngine

A function in the primary payload called GhostEngine disables Microsoft Defender or any other antivirus or endpoint security software that may be running on the targeted computer, which is critical to the extraordinarily complicated malware system's operation. It also masks any signs of compromise. 

When GhostEngine first starts, it checks machines for any EDR, or endpoint protection and response, software that may be running. If it detects any, it loads drivers known to have vulnerabilities that allow attackers to gain access to the kernel, which is severely restricted to prevent manipulation. 

Modus operandi

One of the susceptible drivers is Avast's anti-rootkit file aswArPots.sys. GhostEngine utilizes it to shut down the EDR security agent. A malicious file named smartscreen.exe then deletes the security agent binary using “iobitunlockers.sys” IObit driver.

Once the susceptible drivers are loaded, detection opportunities diminish drastically, and businesses must identify affected endpoints that stop submitting logs to their SIEM, according to the researchers. SIEM stands for security information and event management. Their research is consistent with recent findings from Antiy.

After the EDR has been terminated, smartscreen.exe downloads and installs XMRig, a genuine tool for mining the Monero cryptocurrency, which is frequently abused by threat actors. A configuration file is included, which causes all money generated to be put into an attacker-controlled wallet.

The infection chain begins with the execution of a malicious binary masquerading as the genuine Windows file TiWorker.exe. That file executes a PowerShell script that obtains an obfuscated script called get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server.

File execution to enable the virus

GhostEngine also executes various files that enable the virus to become persistent, which means it loads every time the infected machine restarts. 

To accomplish this, the file get.png creates the following scheduled tasks with SYSTEM, the highest system privileges in Windows:

  • OneDriveCloudSync uses msdtc to start the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes.
  • DefaultBrowserUpdate will launch C:\Users\Public\run.bat, which downloads and executes the get.png script every 60 minutes.
  • OneDriveCloudBackup will run C:\Windows\Fonts\smartsscreen.exe every 40 minutes.

Why GhostEngine Matters

  • Financial Gain: GhostEngine’s primary motive is financial. By harnessing the victim’s computing resources, the attackers mine Monero, potentially yielding substantial profits. The longer the attack remains undetected, the more cryptocurrency they accumulate.
  • Resource Drain: Cryptojacking strains system resources—CPU, memory, and electricity—leading to slower performance and increased energy bills. Users may notice sluggishness but remain unaware of the underlying cause.
  • Corporate Impact: In corporate environments, widespread cryptojacking can disrupt business operations. Overloaded systems affect productivity, and IT teams must allocate resources to investigate and remediate the issue.

Read more »
Vulnerabilities
Cryptojacking Cryptojacking Campaign Imperva Imperva Threat Research malware Oracle Weblogic Server Threat research TTPs Vulnerabilities

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Read more »
Smartphone Keyboard
Android Trojan Cryptojacking malware Malware apps Smartphone Keyboard

Is Malware The Reason Your Smartphone Keyboard is Not Working?


A user is required to be utilizing a function keyboard if he wants to use a smartphone for social media posting, web browsing, or communication with a friend. 

Most problems, faced when a smartphone is not functioning properly, can be resolved by resetting the device, deleting the cache, or installing an alternative keyboard app. But, what if none of that is helpful?

Malware Might Cause Keyboard Malfunctions 

While Android phones are apparently more vulnerable to malwares than any iOS, iPhones as well are vulnerable. If your smartphone’s keyboard glitches, lags, takes a long time to display on the screen or does not respond when you hit the keys, your smartphone may be infected by malware. 

Smartphone keyboards may as well turn malfunctional due to malware since it generally affects the entire device. Malware may cause various issues, like overeating, lags and crashes, a decreased battery life, etc. A user’s personal data and privacy could also be compromised, depending on the kind of malware. 

Malware frequently utilizes a significant amount of computing power; this is what initially causes the performance issues. Since the operating system of your smartphone is impacted, the malware will ultimately affect all the programs installed in it, plus the default keyboard apps. 

What Types of Mobile Malware Would Cause Keyboard Issues? 

A Trojan horse, which is malware imposing as a legit program, is one of the examples. More such malwares may include adware (malware displaying unwanted advertisements), spyware (malware that records information without consent), worms (malicious programs replicating themselves), and cryptojackers.

Cryptojacking attack includes threat actor accessing a targeted device to mine cryptocurrency. Thus, if a smartphone is attacked by a cryptojacker, its processing power would be utilized in order to solve cryptographic equations and create virtual currency for someone else. This would ultimately make the keyboard glitch, resulting in a variety of performance difficulties. 

How to Remove Malware from Smartphones?

If a user suspects malware, that is responsible for affecting a keyboard, the initial caution he should take is by installing and programming an anti-virus software. There are numerous free anti-virus softwares available to users in all major app stores. Although not all would aid in removing the malicious program, they could be utilized to at least detect the malwares. 

Users may as well look out for any unfamiliar or suspicious apps on their phones if they do not remember installing the same. Since there is a good chance for these apps to be deploying malware on your phones. Thus, these apps must immediately be removed, followed by monitoring your device with an antivirus program. 

If none of this works, users are left with one option, i.e. master reset or factory reset. This would eventually restore the affected smartphone to its initial state when it was first powered up. However, this will lead your device to compromise its entire data, unless it is backed up somewhere so that you could retrieve it once the reset is successfully executed.  

Read more »
Spyware
Cryptojacking Cyber Attacks OneDrive Ransomware Spyware

Cryptojacking Campaign Exploits OneDrive Vulnerability, Can Deploy Spyware and Ransomware Too


New cryptojacking campaign

Cryptojacking is becoming a nightmare for customers and enterprises, and threat actors have started using various techniques to deploy cryptojackers on victims' systems. As per recent developments, cybersecurity software developer Bitdefender found a crypto jacking campaign exploiting Microsoft OneDrive vulnerability to get access and run without getting caught on compromised devices. 

BitDefender report says:

"OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence. Adding OneDrive to startup is an action done by the dropper malware, but even if it did not do so, OneDriveStandaloneUpdater.exe is by default scheduled to execute each day. Of the detections we received, 95.5% came from OneDriveStandaloneUpdater.exe loading the malicious secur32.dll."

From May 1 to July 1, Bitdefender identified around 700 users impacted by the campaign. The campaign operates using four cryptocurrency mining algorithms- Ton, XMR, Ethash, and Etchash. It makes an average of $13 worth of cryptocurrency per compromised device.

Cryptojacking uses OneDrive sideloading bug

Cryptojacking is an unauthenticated exploit of computer manufacture for mining cryptocurrency. The threat actors in the recent cryptojacking campaign used a DLL sideloading vulnerability in OneDrive by writing a fake secur32.dll file. After the file is loaded into the OneDrive process, the fake secur32.dll will download open-source cryptocurrency mining software and install it into genuine Windows processes. 

Sideloading is basically installing a code that has not been approved for running on a system by the developer of the machine's operating system. DLL files are a combination of small programs having instructions that can assist a larger program finish non-core tasks of the original program. 

The campaign also uses Spyware, Ransomware

Meanwhile, the OneDrive sideloading campaign is used only in cryptojacking, DLL side-loading is also used for the deployment of ransomware or spyware. Besides this, as cryptocurrency minutes are resource-sensitive, the victims can instantly see falling CPU and GPU performance, increased energy consumption, and overheating, these issues can ruin expensive hardware. 

OneDrive, by default, is set to reboot on a daily basis, and the threat actors behind the latest cryptojacking campaign were found to run the OneDrive.exe process to run after a reboot, even if the user shuts it down. The attackers use this method to gain persistence. In 95% (estimated) of the findings, the scheduled reboot was found to deploy the infected secur32.dll. 

"Given that the “per machine” installation method may not be suitable for all environments and privilege levels, user caution should be one of the strongest lines of defense against commodity malware. Bitdefender recommends that users ensure their AVs and operating systems are up to date, to avoid cracked software and game cheats, and to download software from trusted locations only"-Bitdefender report.


Read more »
Subscribe to: Posts (Atom)