Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label cryptomining. Show all posts

Cryptomining and Proxyjacking: The Rise of Perfctl Malware


A new and highly sophisticated malware strain has emerged, posing a significant threat to millions of Linux servers worldwide. Dubbed "perfctl," this fileless malware employs advanced evasion techniques and exploits a staggering 20,000 misconfigurations in Linux servers. 

Its primary targets are unprotected or poorly configured systems, where it installs cryptomining and proxyjacking malware. 

The Anatomy of "perfctl"

Unlike traditional malware, "perfctl" is fileless, which means it doesn't rely on files stored on the disk to execute its payload. Instead, it operates entirely in the memory of the infected system, making it extremely difficult to detect and remove. Fileless malware leverages legitimate system tools and processes to carry out its malicious activities, often leaving minimal traces for security software to identify.

Perfctl specifically targets Linux servers, which are widely used in enterprise environments due to their reliability and scalability. By exploiting misconfigurations, this malware gains initial access to the system. Once inside, it deploys its payload directly into the memory, bypassing traditional antivirus and endpoint protection solutions.

Exploiting Misconfigurations

Misconfigurations are the weakness of many systems, and Linux servers are no exception. According to security experts, "perfctl" exploits around 20,000 different misconfigurations to infiltrate its targets. These misconfigurations can range from default or weak passwords to unpatched vulnerabilities and improperly set access controls.

Once the malware gains access, it uses a combination of evasion techniques to stay hidden. It can mask its presence by hijacking legitimate processes, using encryption to conceal its communication, and employing anti-forensic measures to prevent detection and analysis. This makes "perfctl" a formidable adversary for even the most advanced security solutions.

The Impact: Cryptomining and Proxyjacking

The primary goal of "perfctl" is to install cryptomining and proxyjacking malware on infected systems. Cryptomining malware uses the server's computational power to mine cryptocurrencies like Bitcoin or Monero, generating revenue for the attackers at the expense of the victim's resources. This can lead to decreased performance, increased operational costs, and potential hardware damage due to overuse.

Proxyjacking, on the other hand, involves using the compromised server as a proxy to route malicious traffic, often as part of a larger botnet. This can have serious implications for the victim's network, including reduced bandwidth, increased latency, and potential legal consequences if the server is used for illegal activities.

Mitigation and Prevention

Regularly update and patch systems: Ensure that all software, including operating systems and applications, are up-to-date with the latest security patches.

Harden server configurations: Review and harden server configurations to eliminate potential misconfigurations. This includes enforcing strong passwords, disabling unnecessary services, and setting proper access controls.

Implement advanced threat detection solutions: Use behavior-based and memory-resident threat detection solutions that can identify and respond to fileless malware activities.

Conduct regular security audits: Regularly audit systems for vulnerabilities and misconfigurations. Conduct penetration testing to identify and remediate potential weaknesses.

Educate and train employees: Ensure that IT staff and employees are aware of the latest threats and best practices for cybersecurity.

P2Pinfect Worm Now Delivering Ransomware on Redis Servers

 

Cado Security experts warned that the P2Pinfect worm is used in attacks on Redis servers to deliver ransomware and cryptocurrency mining payloads. 

Palo Alto Networks Unit 42 researchers uncovered the P2P worm P2PInfect in July 2023, which targets Redis servers running Linux and Windows operating systems. P2PInfect's ability to target Redis servers running on both Linux and Windows operating systems makes it more expandable and dangerous than other worms.

Cado Security Labs identified a new strain of the P2Pinfect botnet in December 2023, specifically targeting routers, IoT devices, and other embedded devices. This variation was built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. The new bot includes enhanced evasion methods, the ability to evade execution in a Virtual Machine (VM) or a debugger, and anti-forensics support for Linux hosts. 

The worm is written in Rust and targets Redis instances using the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0). In September 2023, Cado Security Labs detected a 600x spike in P2Pinfect traffic since August 28. Researchers noted that the malware did not seem to have a goal other than to spread; however, a new upgrade of P2Pinfect has introduced a ransomware and crypto miner payload. 

The most recent campaign began on June 23, based on the TLS certificate used for C2 communications. The malware propagates by leveraging Redis's replication features, where nodes in a distributed cluster follow a leader/follower topology. The attackers exploited this feature by making follower nodes load arbitrary modules, allowing code execution on these nodes. P2Pinfect uses the SLAVEOF command to turn open Redis nodes into followers of a server under the control of its operator. 

“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated,” Cado researchers stated. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”

The war's primary binary appears to have been changed; it is now built with the Tokio async framework for Rust and includes UPX. The malware's internals have been completely unwritten; researchers discovered that the binary had been stripped and partially obfuscated to make static analysis more challenging. Previously, P2Pinfect maintained persistence by adding it to.bash_logout and running a cron job, however these methods are no longer used. Other behaviours, such as the initial setup, are unaffected.

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and MalwareBytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The proliferation of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August. This was due to international collaborative efforts. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

5 Methods for Hackers Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each hacking operation at present time, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, inactive data encryption, and various other issues are usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

Cloud serverless systems using AWS Lambda are the focus of the Denonia malware. The Denonia attackers use a scheme that uses DNS over HTTPS often referred to as DoH, sending DNS requests to resolver servers that are DoH-based over HTTPS. As a result, the attackers can conceal themselves behind encrypted communication, preventing AWS from seeing their fraudulent DNS lookups. As a result, the malware is unable to alert AWS.

The attackers also seem to have thrown in hundreds of lines of user agent HTTPS query strings as additional distractions to divert or perplex security investigators. In order to avoid mitm attacks and endpoint detection & response (EDR) systems, analysts claim that the malware discovered a way to buffer the binary.

3. CoinStomp malware 

Cloud-native malware called CoinStomp targets cloud security providers in Asia with the intention of cryptojacking. In order to integrate into the Unix environments of cloud systems, it also uses a C2 group based on a dev/tcp reverse shell. Then, using root rights, the script installs and runs additional payloads as system-wide system services. 

4.WhatDog Crptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.
The Mirai malware is intended to attack weaknesses in smart devices and connect them to form an infected device network called a botnet by exploiting the Linux OS, which many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet it was acceptable for the database engine to analyze. They did this by using a JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers

 

AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamously hacking group is back in business. 

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.  The researchers observed three attack types utilized in the reportedly new TeamTNT attacks, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker Daemons, deploys an AlpineOS image, drops a script ("k.sh"), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver algorithm attempts to decipher the SECP256K1 encryption used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, it is thought to be impossible to achieve with current machines, TeamTNT appears willing to test the theory anyway, using other people's resources.

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack targets Docker Daemons with shell-file dropping Alpine images once more, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits, and a cryptominer, as well as add cronjobs and perform network SSH scans.

These scripts introduce a new trick in this attack, allowing threat actors to optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should strengthen their cloud security, strengthen Docker configuration, and implement all available security updates before it is too late.

Malware Targets Weblog Servers And Dockers APIs For Cryptomining

Malicious malware known as Kinsing is using both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to boost cryptocurrency mining malware. 
  
It was discovered by Trend Micro, that a financially-motivated cyber attack group behind the malware was making use of the vulnerability to run Python scripts that could disable Operating System (OS) security features such as Security-Enahnced Linux (SELinux), and many more. 
 
Kinsing malware has a history of acquiring vulnerable servers to co-opt into botnet devices such as Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence vulnerability (CVE-2022-26134). The malware has also reportedly been involved in campaign container environments via misconfigured open Docker Daemon API ports instigating crypto mining and spreading the malware to other containers am host devices. 
 
In the latest wave of attacks, the malicious actor weaponized a two-year-old Remote Code Execution (RCE) bug, dubbed CVE-2020-14882 (CVSS score 9.8), against unpatched vulnerabilities to seize control of the servers and cause harm to the victims through malicious payloads. 
 
The exploitation of the bug further involved deploying a shell script responsible for various actions, such as removing the var/log/syslog/systemlog, disabling security functions and cloud service agents from conglomerates like Alibaba and Tencent – killing competing crypto mining processes.  
 
It is then followed by the shell script downloading the Kinsing malware from a remote server, along with taking steps to ensure persistence through a cron job. 
 
“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform plethora of malicious activities on the affected systems” Trend Micro said. “This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.”
 
TeamTNT malwares makes comeback
 
Researchers at Aqua Security, a cloud-native security company, have linked three new attacks to another “vibrant” cryptojacking group called "TeamTNT", which eventually stopped functioning in November 2021.  
 
“TeamTNT has been scanning for microconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to C2 server”, stated Aqua Security researcher Assaf Morag. 

The attack chain appears to be designed to crack SECP256K1 encryption, which if successful could give the malicious actor the ability to compute the keys for each cryptocurrency wallet. Thus, using high but illegal processing power of its targets to run the ECDLP solver and acquire the key. The other two attacks carried out by the threat group involve exploiting exposed Redis servers and misconfigured Docker API to provide cryptominers and Tsunami binaries. 
 
The targeting of Docker REST APIs by TeamTNTs has been well-documented over the past years. But in an operational security blunder observed by Trend Micro, credentials connected with two of the attacker-controlled DockerHub accounts have been uncovered. 

The accounts namely 'alpineos' and 'sandeep078' are said to have been used to distribute numerous malicious payloads like rootkits, Kubernetes exploits kits, credential stealers, XMTig Monero miners, and even the Kingsing malware. 
 
“The account alpineos was used in exploitation attempts on out honeypots three times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” stated Nitesh Surana, a researcher at Trend Micro. 
 
As estimated by Trends Micro, alpineos image has been downloaded more than 150,000 times. This further notified Docker about these accounts. 
 
The cybersecurity platform recommends organizations configure the exposed RESR API with TLS to steer clear of the adversary-in-the-middle (AiTM) attacks, along with using credential stores and helpers to host user credentials.

8220 Cryptomining Gang Targets Linux and Cloud Apps to Expand Cloud Botnet

 

The 8220 cryptomining gang has widened their Cloud Botnet over the last month to nearly 30,000 hosts globally. 
The exploitation of Linux and cloud app vulnerabilities and poorly secured configurations for services such as Docker, Confluence, Apache WebLogic, and Redis has played a significant role in the growth of the Cloud Botnet. 

"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne explained in a blog post. 

The 8220 gang has been operating since at least 2017, the hackers are Chinese-speaking and the name of the group comes from the port number 8220 employed by the miner to communicate with the C2 servers. In the latest campaign, the Monero-mining hacker targeted i686 and x86_64 Linux systems by means of weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to install the PwnRig miner payload. 

"Victims are not targeted geographically, but simply identified by their internet accessibility," Hegel pointed out. Besides executing the PwnRig cryptocurrency miner, the group began employing a specific file for the management of the SSH brute forcing step, which contained 450 hardcoded credentials corresponding to a wide range of Linux devices and apps. 

The latest versions of the script are also known to employ blocklists to bypass compromising specific hosts, such as honeypot servers that could flag their illicit efforts. 

The PwnRig crypto miner, which is based on the open source Monero miner XMRig, has received updates of its own as well, employing a phony FBI subdomain with an IP address linked to a Brazilian federal government domain to design a fake pool request and obscure the real destination of the generated money. 

The sudden surge in mining activities is also linked to the dwindling prices of cryptocurrencies, not to mention a heightened "battle" to take control of victim systems from competing cryptojacking-focused groups. Monero, in particular, has lost over 20% of its value over the past six months. 

"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," Hegel concluded. "The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."

NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign

 

Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The hacker behind this malicious campaign, dubbed CuteBoi, published 1,283 modules in the repository and employed over 1,000 different user accounts. The researchers discovered the supply chain assault after spotting a burst of suspicious NPM users and packages designed automatically. 

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages impersonated a near-identical source code from an already existing package named eazyminer that's employed to mine Monero by means of utilizing unused resources of systems such as ci/cd and web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effect. 

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically design an NPM user account and defeat 2FA, CuteBoi depends on a disposable email service called mail.tm to automate the creation of the users that upload the packages to the NPM repository. 

Specifically, it utilizes a REST API provided by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this, hackers behind the CuteBoi campaign can circumvent the NPM 2FA challenge when creating a flood of user accounts to publish the packages. 

Earlier this week, security research uncovered another NPM-related large-scale software supply chain attack dubbed IconBurst designed to siphon sensitive data from forms embedded in downstream mobile applications and websites. 

Microsoft Warns of '8220 Group' Targeting Linux Servers

 

Microsoft Security Intelligence experts have issued a new warning against a known cloud threat actor (TA) group, dubbed 8220, targeting Linux servers to install crypto miners. 

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a crypto miner and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a series of tweets. 

According to Cisco's Talos Intelligence group, the 8220 gang has been operating since at least 2017, and primarily focuses on crypto mining campaigns. The threat actors are Chinese-speaking, the names of the group come from the port number 8220 used by the miner to communicate with the C2 servers. 

Over the past year, the group has actively upgraded its methodologies and payloads. In a recent campaign, the hacking group targeted i686 and x86_64 Linux systems and employed RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic) for initial access, Microsoft researchers stated. 

Once secured access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools. 

Subsequently, the loader downloads the pwnRig crypto miner and an IRC bot that runs commands from a command-and-control (C2) server. It would then maintain persistence by designing either a cron job or a script running every 60 seconds as nohup. 

“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.” 

To guard networks against this threat, Microsoft urged organizations to secure systems and servers, apply updates, and use good credential hygiene. “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.” 

The findings come after Akamai disclosed that the Atlassian Confluence vulnerability is experiencing a steady 20,000 exploitation attempts per day that are executed from nearly 6,000 IPs. However, these figures represent a substantial decline when compared to the peak of 100,000 the company witnessed upon the bug disclosure on June 02, 2022.

New Version of 'Sysrv' Botnet is Targeting Windows and Linux Servers

 

Microsoft recently unearthed a new version of the Sysrv botnet, tracked as Sysrv-K, capable of abusing bugs in WordPress and Spring Framework to install crypto-mining malware on vulnerable Windows and Linux servers. The variant has been upgraded with multiple features, including scanning for unpatched WordPress and Spring deployments. 

"The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers" by exploiting various vulnerabilities, the Microsoft Security Intelligence team tweeted. These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins as well as newer vulnerabilities like CVE-2022-22947." 

CVE-2022-22947 (CVSS score of 10) is a code injection critical vulnerability in Spring Cloud Gateway that exposes applications to code injection assaults, allowing unauthenticated, remote attackers to achieve remote code execution. 
 
Sysrv-K scans for WordPress configuration files for their backups, in an attempt to steal database credentials and take over the webserver. Moreover, the botnet packs updated communication capabilities, such as support for Telegram. 

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and hostnames, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” the Microsoft team added. 

The botnet has been active since at least December 2020, but its activity was documented in April 2021 by multiple security researchers. Sysrv-K secures control of web servers by scanning the internet to locate web servers and then uses various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads, and remote code execution. Once the malware runs on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner. 

After killing competing cryptocurrency miners and deploying its own payloads, the botnet auto-spreads over the network via brute force attacks using SSH private keys collected from various locations on infected servers (e.g., bash history, ssh config, and known_hosts files). 

Subsequently, the botnet aggressively scans the Internet for more vulnerable Windows and Linux systems to add to its army of Monero mining bots. To mitigate the risks, organizations are recommended to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.

Autom Cryptomining Malware Employs Upgraded Evasion Techniques

 

The malicious Autom crypto mining campaign has upgraded its weapons while adding new defense evasion methods that allow attackers to fly under the radar of anti-virus scanning tools. 

According to researchers at DevSecOps and cloud security firm AquaSecurity, the malicious campaign was first identified in 2019, and since then a total of 84 attacks against researchers’ honeypot servers have been reported, four of these occurring in 2021.

Preliminary attacks of this campaign involved implementing a malicious command, once a user runs a vanilla image with the name "alpine:latest.” That action resulted in a shell script named "autom.sh." being downloaded on the device. 

"Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," the researchers explained in a blog post. "Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded."

The shell script initiates the attack sequence, allowing the attackers to create a new user account beneath the title "akay". Then, the account’s privileges are upgraded to a root user, enabling malicious actors to run arbitrary commands on the compromised machine and, eventually, abuse the available resources to mine crypto-currency. In the early stages of the 2019 campaign, there were no special methods to hide the mining activity, but the later versions depict the extreme measures its developers have taken to keep it hidden from scanning tools. 

The malicious campaigns carried out to hijack computers to mine cryptocurrencies have been dominated by several threat actors such as Kinsing, which has been spotted scanning the internet for misconfigured Docker servers to invade the unguarded hosts and install a previously undocumented coin miner strain. 

"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers," Sophos senior threat researcher Sean Gallagher explained in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.

Russian experts warned about the dangers of watching movies on pirate sites

 

It is noted that hackers use streaming platforms, TV series and movies to distribute advertising and malware. They can add them to files with the names of popular shows, or use well-known brands to conduct phishing attacks, said Dmitry Galov, a cybersecurity expert at Kaspersky Lab.

"Among the malware there are various Trojans that allow, for example, to delete or block data, or steal passwords from online banking, as well as spyware that can be used to access information on the device,” said Mr. Galov.

Pirate sites may also request a person's social media data, passport, or Bankcard details under the pretext of completing a trial period. As a result, hackers will gain access to personal data, can steal money, and in other cases, start blackmailing the user.

According to the expert, in this regard, users need to watch movies through legal services, as well as install an antivirus on all devices.

If users need to download programs to watch a video, such as Flash Player, then they should leave these sites immediately.

"Even pirated sites no longer require additional software to be installed on your computer, be it Java or Flash Player. In no case should any files, including application files, as well as files declared as videos or documents, be downloaded from such sites,” said Artem Gavrichenkov, Technical Director of Qrator Labs.

In addition, experts have recently warned about the dangers of visiting financial services, mailboxes and social networks, as well as making online purchases through public points with free Wi-Fi.

Hackers can intercept and analyze data in the current session using public Wi-Fi networks, and then use the information obtained. Experts do not advise users to register or log in to sites from free points, so as not to pass critical information about the user to scammers.

New China-Based Campaign Targets Windows MS-SQL and Phpmyadmin Servers Worldwide


A china based attack campaign has primarily targeted on servers having a place with the healthcare, telecommunications, media, and IT segments. The campaign named as Nansh0u is known to target Windows MS-SQL and PHPMyAdmin servers around the world.

Despite the fact that the campaign was detected towards the start of April, however the attacks were observed to go back to February 26. All through the campaign the threat actors used 20 unique payloads, and continued making at least one payload a week and utilized them right away.


More than 50,000 servers were reported to be breached in this campaign, when the targeted servers compromised they were infected with a rather pernicious payload, which thusly drops a crypto-miner that mines TurtleCoin and sophisticated kernel-mode rootkit.

The hackers behind this campaign utilize propelled systems pursued by APTS groups, like the 'fake certificates and privilege escalation exploits' so to state the Nansh0u campaign isn't only a crypto-miner attack.

The attack begins with a serious of login endeavors targeting MS-SQL servers in order to gain administrator privileges. Attacker’s infrastructure consolidates the following modules to dispatch an attack on MS-SQL servers.
  • Port scanner
  • MS-SQL brute-force tool
  • Remote Code Executor


And by analysing the 20 payload samples from the attacker’s servers and Guardicore Global Sensor Network, each payload is a wrapper and has several functionalities.

The reasons being why the researchers are quite confident in accessing that Chinese attackers have operated this campaign are:
  •  The attacker choosing to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs in Chinese.
  • Many log files and binaries on the servers included Chinese strings, such as (“duplicates removed”) in logs containing breached machines, or (“start”) in the name of the script initiating port scans.

Crypto-jacking: A New Vector of the Cyber-Cons after Ransomware!




Apparently, according to the records of 2018, after getting bored with ransomware attacks, crypto-jacking has become the new tool of cyber-cons for harvesting crypto-currency.



Crypto-jacking by nature is more insidious and stealthy and hence in the past year has emerged as a better way of harvesting crypto-currency.

Initially, the best choice for doing the same was ransomware, but having surpassed it, Crypto-jacking is now cyber-cons’ favorite option.

2018, unlike any other year in the cyber-crime history saw a lot of cyber-attacks, wherein the crypto-jacking attacks constituted to be amongst the most.

The report of IBM strictly mentioned that the crypto-currency attacks hiked by quite a large number.

Whereas, ransomware attacks plummeted by 45% including both mobile and desktop platforms.

The major reason behind this shift of inclination towards crypto-jacking happens to be the less-disruptive and furtive disposition.

After a ransomware is introduced to the victim, the attack weapon goes waste after just one attack, leaving no chances for a recurrence.

Meanwhile, in the case of crypto-jacking, a recurrence is almost ensured, making it possible for more profits from a single weapon.

Somehow, crypto-jacking appears to be the more malicious of the two, which if ignored could lead to serious ramifications.

Reportedly, crypto-jacking could soon transform from currency mining to fabrication its own botnets to function spyware attacks.

Leaving the users with the only advice and option; to use the latest versions of anti-viruses and keep the systems updated.

Trezor Wallet: Not So Hack-Safe After All!









The hackers have found another way to penetrate the safety walls of the seemingly “quite safe” Trezor Wallet.


One of the inquisitive crypto-mining fans took to twitter, to shout out that the device which goes by the name of Trezor wallet has a vulnerability which lays bare  "un-password-protected" users.


This is not the first time such an attack has been possible on devices of the aforementioned kind and the researchers deem it as inevitable, given the poor fabrication of the devices.


At the Chaos Communication Congress, the theme was solidly elucidated and discussed upon, by specialists who talked about the hack-ability of crypt0-wallets.


The Congress spread across the different kinds of vulnerabilities, hardware, software and firmware could be affected by.


The gathered specialists expounded about recurring and systematic problems in wallets.


The team also worked upon creating a library of malicious attacks related with harvesting of funds from the hardware wallet.


The vulnerabilities these wallets possess, the ways to move around them and the available courses of action were discussed at the congress at length.


The team demonstrated how breaking the boot-loader protection and breaking web interfaces which are used to communicate with the wallets, is done.


Some physical attacks such as “Glitching”(an attempt at bypassing security of the micro-controllers of the wallet) were also a part of the CCC team’s drill.


The vulnerabilities uncovered by the team, have detailed implications which could only be solved via a firmware update or even a new hardware revision.


There is hope as to companies deliberating on the severity of the situation and that they will put forth some improvements.


With an extreme rise in the trend if hardware wallets, there has also been an extreme rise in the users, given these devices hoard a consequent number of crypto-currency.


There exist crypto-traders who work essentially and daily over and on these famous wallets.


Thousands and Millions of dollars’ worth crypto-currency is stored within the “walls” of these hardware wallets, rendering the reason behind all these attacks on them, apparent.


As to what the recently found attack did? It majorly concerned and focused upon breaking the interfaces that aid the communication with the wallet.

  
The Trezor wallet was attached to various devices which included a socket with an FPGA. Then supposedly a code was run to give the hackers access to the seed and pin.
But the hack would only go through if the wallet wasn’t password protected.


The engineer who is in charge of Trezor, Pavol Rusnak, took to twitter to let the public know that they weren’t previously privy to the situation.


But, now that they are, by the end of January a new firmware update will see its way through to the wallet.


He also cited that the issue is currently being investigated and that it soon is expected to be patched.