
Cryptomining and Proxyjacking: The Rise of Perfctl Malware


A new and highly sophisticated malware strain has emerged, posing a significant threat to millions of Linux servers worldwide. Dubbed "perfctl," this fileless malware employs advanced evasion techniques and exploits a staggering 20,000 misconfigurations in Linux servers. 

Its primary targets are unprotected or poorly configured systems, where it installs cryptomining and proxyjacking malware. 

The Anatomy of "perfctl"

Unlike traditional malware, "perfctl" is fileless, which means it doesn't rely on files stored on the disk to execute its payload. Instead, it operates entirely in the memory of the infected system, making it extremely difficult to detect and remove. Fileless malware leverages legitimate system tools and processes to carry out its malicious activities, often leaving minimal traces for security software to identify.

Perfctl specifically targets Linux servers, which are widely used in enterprise environments due to their reliability and scalability. By exploiting misconfigurations, this malware gains initial access to the system. Once inside, it deploys its payload directly into the memory, bypassing traditional antivirus and endpoint protection solutions.

Exploiting Misconfigurations

Misconfigurations are a weak point of many systems, and Linux servers are no exception. According to security experts, "perfctl" exploits around 20,000 different misconfigurations to infiltrate its targets. These misconfigurations range from default or weak passwords to unpatched vulnerabilities and improperly set access controls.

Once the malware gains access, it uses a combination of evasion techniques to stay hidden. It can mask its presence by hijacking legitimate processes, using encryption to conceal its communication, and employing anti-forensic measures to prevent detection and analysis. This makes "perfctl" a formidable adversary for even the most advanced security solutions.

The Impact: Cryptomining and Proxyjacking

The primary goal of "perfctl" is to install cryptomining and proxyjacking malware on infected systems. Cryptomining malware uses the server's computational power to mine cryptocurrencies like Bitcoin or Monero, generating revenue for the attackers at the expense of the victim's resources. This can lead to decreased performance, increased operational costs, and potential hardware damage due to overuse.

Proxyjacking, on the other hand, involves using the compromised server as a proxy to route malicious traffic, often as part of a larger botnet. This can have serious implications for the victim's network, including reduced bandwidth, increased latency, and potential legal consequences if the server is used for illegal activities.

Mitigation and Prevention

Regularly update and patch systems: Ensure that all software, including operating systems and applications, are up-to-date with the latest security patches.

Harden server configurations: Review and harden server configurations to eliminate potential misconfigurations. This includes enforcing strong passwords, disabling unnecessary services, and setting proper access controls.

Implement advanced threat detection solutions: Use behavior-based and memory-resident threat detection solutions that can identify and respond to fileless malware activities.

Conduct regular security audits: Regularly audit systems for vulnerabilities and misconfigurations. Conduct penetration testing to identify and remediate potential weaknesses.

Educate and train employees: Ensure that IT staff and employees are aware of the latest threats and best practices for cybersecurity.
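One concrete check behind the "memory-resident threat detection" advice above: on Linux, a process whose executable was unlinked after launch, or that runs from an anonymous memfd, leaves a tell-tale target in /proc/<pid>/exe. The script below is an added example, not code from the post or from any perfctl analysis; the fake /proc tree it builds for demonstration is constructed.

```python
"""Flag running processes whose executable exists only in memory.

Added example for hunting fileless Linux malware such as perfctl. It walks a
/proc-style tree and reports processes whose /proc/<pid>/exe link points at a
deleted file or a memfd (anonymous in-memory file) instead of a file on disk.
The tree built by build_fake_proc() is a constructed fixture.
"""
import os
import tempfile

# Link targets the kernel uses for binaries that no longer exist on disk.
SUSPICIOUS_EXE_MARKERS = ("(deleted)", "memfd:")


def read_exe_target(pid_dir):
    """Return the raw target of <pid_dir>/exe, or None if unreadable (kernel threads, no permission)."""
    try:
        return os.readlink(os.path.join(pid_dir, "exe"))
    except OSError:
        return None


def read_comm(pid_dir):
    """Return the process name from <pid_dir>/comm, or '?' if it cannot be read."""
    try:
        with open(os.path.join(pid_dir, "comm"), encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def find_memory_only_processes(proc_root="/proc"):
    """Return [(pid, comm, exe_target)] for processes backed by deleted or memfd executables."""
    findings = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: int(e) if e.isdigit() else 0):
        if not entry.isdigit():
            continue                      # skip /proc/sys, /proc/net and friends
        pid_dir = os.path.join(proc_root, entry)
        target = read_exe_target(pid_dir)
        if target is None:
            continue
        if any(marker in target for marker in SUSPICIOUS_EXE_MARKERS):
            findings.append((int(entry), read_comm(pid_dir), target))
    return findings


def build_fake_proc():
    """Create a constructed /proc lookalike with one benign and two suspicious processes."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    fixtures = {
        "101": ("sshd", "/usr/sbin/sshd"),               # normal on-disk binary
        "202": ("perfctl", "/tmp/.perfctl (deleted)"),   # binary unlinked after exec
        "303": ("kworker", "/memfd:payload (deleted)"),  # anonymous in-memory file
    }
    for pid, (comm, exe) in fixtures.items():
        pid_dir = os.path.join(root, pid)
        os.mkdir(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling link, like a deleted binary
        with open(os.path.join(pid_dir, "comm"), "w", encoding="utf-8") as fh:
            fh.write(comm + "\n")
    return root


if __name__ == "__main__":
    # Run against the live system; root is needed to read every process's exe link.
    for pid, comm, exe in find_memory_only_processes():
        print(f"pid={pid} comm={comm} exe={exe}")
```

A hit is not proof by itself (package upgrades also leave running daemons with "(deleted)" binaries), so pair it with a check of the process's parent, network sockets and start time.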

P2Pinfect Worm Now Delivering Ransomware on Redis Servers

 

Cado Security experts warned that the P2Pinfect worm is used in attacks on Redis servers to deliver ransomware and cryptocurrency mining payloads. 

Palo Alto Networks Unit 42 researchers uncovered the P2P worm P2PInfect in July 2023, which targets Redis servers running Linux and Windows operating systems. P2PInfect's ability to target Redis servers running on both Linux and Windows operating systems makes it more expandable and dangerous than other worms.

Cado Security Labs identified a new strain of the P2Pinfect botnet in December 2023, specifically targeting routers, IoT devices, and other embedded devices. This variation was built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. The new bot includes enhanced evasion methods, the ability to evade execution in a Virtual Machine (VM) or a debugger, and anti-forensics support for Linux hosts. 

The worm is written in Rust and targets Redis instances using the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0). In September 2023, Cado Security Labs detected a 600x spike in P2Pinfect traffic since August 28. Researchers noted that the malware did not seem to have a goal other than to spread; however, a new upgrade of P2Pinfect has introduced a ransomware and crypto miner payload. 

The most recent campaign began on June 23, based on the TLS certificate used for C2 communications. The malware propagates by leveraging Redis's replication features, where nodes in a distributed cluster follow a leader/follower topology. The attackers exploited this feature by making follower nodes load arbitrary modules, allowing code execution on these nodes. P2Pinfect uses the SLAVEOF command to turn open Redis nodes into followers of a server under the control of its operator. 

“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated,” Cado researchers stated. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”

The worm's primary binary appears to have been changed; it is now built with the Tokio async framework for Rust and packed with UPX. The malware's internals have been completely rewritten; researchers discovered that the binary had been stripped and partially obfuscated to make static analysis more challenging. Previously, P2Pinfect maintained persistence by adding itself to .bash_logout and running a cron job; however, these methods are no longer used. Other behaviours, such as the initial setup, are unaffected.
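The replication abuse described above works only because the node accepts SLAVEOF and MODULE commands from whoever can reach port 6379. The audit below is an added example, not code from Cado Security or the Redis project: it parses a redis.conf and flags the settings that let an unauthenticated client re-point replication or load a module, shown on a constructed weak config and its hardened counterpart.

```python
"""Audit a redis.conf for the settings P2Pinfect-style replication abuse relies on.

Added example, not from the post or from Redis. Flags: listening on all
interfaces, protected-mode off, no password, and replication/module/config
commands left callable. Both sample configs are constructed.
"""

# Commands that let a remote client re-point replication or load code into the server.
DANGEROUS_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG")


def parse_redis_conf(text):
    """Return (directives, renamed): directives maps a key to its last value,
    renamed is the set of commands disabled or renamed via rename-command."""
    directives, renamed = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (a '#' inside a password would need quoting)
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            renamed.add(value.split()[0].upper())   # rename-command SLAVEOF "" disables SLAVEOF
        else:
            directives[key] = value
    return directives, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    d, renamed = parse_redis_conf(text)
    findings = []
    bind = d.get("bind", "")
    if not bind or any(addr in ("0.0.0.0", "*", "::") for addr in bind.split()):
        findings.append("bind: listens on all interfaces; restrict to loopback or a private address")
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if not d.get("requirepass") or d.get("requirepass") == '""':
        findings.append("requirepass missing: anyone reaching the port can issue SLAVEOF or MODULE")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} still callable: disable or rename it with rename-command")
    return findings


WEAK_CONF = """\
# constructed sample: what an exposed instance often looks like
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: replication and module loading locked down
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```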

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and Malwarebytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The proliferation of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August. This was due to international collaborative efforts. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

5 Methods Hackers Use to Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each of these hacking operations at present, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, disabled data encryption, and various other issues are the usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

Cloud serverless systems using AWS Lambda are the focus of the Denonia malware. The Denonia attackers use DNS over HTTPS, often referred to as DoH, sending DNS requests to DoH-based resolver servers over HTTPS. As a result, the attackers can conceal themselves behind encrypted communication, preventing AWS from seeing their fraudulent DNS lookups, so the malware's lookups never trigger an AWS alert.

The attackers also seem to have thrown in hundreds of lines of user-agent HTTPS query strings as additional distractions to divert or perplex security investigators. Analysts claim that the malware also found a way to buffer its binary in order to evade man-in-the-middle inspection and endpoint detection and response (EDR) systems.

3. CoinStomp malware 

Cloud-native malware called CoinStomp targets cloud security providers in Asia with the intention of cryptojacking. In order to integrate into the Unix environments of cloud systems, it also uses a C2 channel based on a /dev/tcp reverse shell. Then, using root rights, the script installs and runs additional payloads as system-wide services. 

4. WatchDog Cryptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.

The Mirai malware is intended to attack weaknesses in smart devices and connect them to form an infected device network called a botnet by exploiting the Linux OS, which many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet the database engine still parsed it without complaint. They did this by using JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers

 

AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamous hacking group is back in business. 

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.  The researchers observed three attack types utilized in the reportedly new TeamTNT attacks, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker Daemons, deploys an AlpineOS image, drops a script ("k.sh"), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver algorithm attempts to decipher the SECP256K1 encryption used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, it is thought to be impossible to achieve with current machines. TeamTNT appears willing to test the theory anyway, using other people's resources.

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack targets Docker Daemons with shell-file dropping Alpine images once more, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits, and a cryptominer, as well as add cronjobs and perform network SSH scans.

These scripts introduce a new trick in this attack, allowing threat actors to optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should strengthen their cloud security, strengthen Docker configuration, and implement all available security updates before it is too late.

Malware Targets WebLogic Servers and Docker APIs for Cryptomining

Malware known as Kinsing is using both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to spread cryptocurrency mining malware. 
  
Trend Micro discovered that the financially motivated cyber attack group behind the malware was using the vulnerability to run Python scripts that disable Operating System (OS) security features such as Security-Enhanced Linux (SELinux), among others. 
 
Kinsing malware has a history of co-opting vulnerable servers into its botnet, targeting Redis and SaltStack deployments as well as flaws such as Log4Shell, Spring4Shell, and the Atlassian Confluence vulnerability (CVE-2022-26134). The malware has also reportedly been involved in campaigns against container environments via misconfigured open Docker Daemon API ports, launching crypto mining and spreading the malware to other containers and host devices. 
 
In the latest wave of attacks, the malicious actor weaponized a two-year-old Remote Code Execution (RCE) bug, CVE-2020-14882 (CVSS score 9.8), against unpatched servers to seize control of them and cause harm to the victims through malicious payloads. 
 
The exploitation of the bug further involved deploying a shell script responsible for various actions, such as removing the system log under /var/log/syslog, disabling security functions and cloud service agents from conglomerates like Alibaba and Tencent, and killing competing crypto mining processes.  
 
It is then followed by the shell script downloading the Kinsing malware from a remote server, along with taking steps to ensure persistence through a cron job. 
 
“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on the affected systems,” Trend Micro said. “This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.”
 
TeamTNT malware makes comeback
 
Researchers at Aqua Security, a cloud-native security company, have linked three new attacks to another “vibrant” cryptojacking group called "TeamTNT", which had stopped operating in November 2021.  
 
“TeamTNT has been scanning for misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to C2 server”, stated Aqua Security researcher Assaf Morag. 

The attack chain appears to be designed to crack SECP256K1 encryption, which if successful could give the malicious actor the ability to compute the keys for each cryptocurrency wallet; it does so by using the considerable, illicitly obtained processing power of its targets to run the ECDLP solver and acquire the key. The other two attacks carried out by the threat group involve exploiting exposed Redis servers and misconfigured Docker APIs to deliver cryptominers and Tsunami binaries. 
 
The targeting of Docker REST APIs by TeamTNT has been well documented over the past years. But in an operational security blunder observed by Trend Micro, credentials connected with two of the attacker-controlled DockerHub accounts have been uncovered. 

The accounts, namely 'alpineos' and 'sandeep078', are said to have been used to distribute numerous malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware. 
 
“The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” stated Nitesh Surana, a researcher at Trend Micro. 
 
As estimated by Trend Micro, the alpineos image has been downloaded more than 150,000 times. Trend Micro has also notified Docker about these accounts. 
 
The cybersecurity platform recommends that organizations configure the exposed REST API with TLS to steer clear of adversary-in-the-middle (AiTM) attacks, along with using credential stores and helpers to hold user credentials.
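The TLS recommendation above is easy to verify from the daemon's own configuration. The script below is an added example, not code from Trend Micro, Aqua Security or Docker: it reads the daemon.json keys dockerd accepts ("hosts", "tls", "tlsverify", "tlscacert") and flags any tcp:// listener that is reachable without client-certificate authentication, using two constructed documents for the weak and hardened cases.

```python
"""Check whether a Docker daemon exposes its REST API over unauthenticated TCP.

Added example, not from the post or from Docker. TeamTNT and Kinsing both
look for Docker API ports reachable without authentication; the hardened
shape is a tcp:// listener on a management address with tlsverify and a CA
to validate client certificates. Both sample documents are constructed.
"""
import json


def audit_daemon_json(text):
    """Return a list of findings for a daemon.json document; an empty list means no issue."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings   # only the unix socket: not reachable over the network
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))   # tlsverify implies tls
    for host in tcp_hosts:
        if not tls and not tlsverify:
            findings.append(f"{host}: API served in plaintext; anyone reaching the port controls the daemon")
        elif not tlsverify:
            findings.append(f"{host}: TLS without client verification; server identity only, clients unauthenticated")
        elif not cfg.get("tlscacert"):
            findings.append(f"{host}: tlsverify set but no tlscacert to validate client certificates")
        if host.startswith("tcp://0.0.0.0") or host.startswith("tcp://[::]"):
            findings.append(f"{host}: bound to all interfaces; bind to a management address instead")
    return findings


WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(doc) or ["no findings"])
```

The same listener can also be set with dockerd's -H flag in a systemd unit, so check the unit file too when daemon.json looks clean.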

8220 Cryptomining Gang Targets Linux and Cloud Apps to Expand Cloud Botnet

 

The 8220 cryptomining gang has widened their Cloud Botnet over the last month to nearly 30,000 hosts globally. 
The exploitation of Linux and cloud app vulnerabilities and poorly secured configurations for services such as Docker, Confluence, Apache WebLogic, and Redis has played a significant role in the growth of the Cloud Botnet. 

"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne explained in a blog post. 

The 8220 gang has been operating since at least 2017. The hackers are Chinese-speaking, and the name of the group comes from the port number 8220 employed by the miner to communicate with the C2 servers. In the latest campaign, the Monero-mining hacker targeted i686 and x86_64 Linux systems by weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to install the PwnRig miner payload. 

"Victims are not targeted geographically, but simply identified by their internet accessibility," Hegel pointed out. Besides executing the PwnRig cryptocurrency miner, the group began employing a specific file for the management of the SSH brute forcing step, which contained 450 hardcoded credentials corresponding to a wide range of Linux devices and apps. 

The latest versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts. 

The PwnRig crypto miner, which is based on the open source Monero miner XMRig, has received updates of its own as well, employing a phony FBI subdomain with an IP address linked to a Brazilian federal government domain to design a fake pool request and obscure the real destination of the generated money. 

The sudden surge in mining activities is also linked to the dwindling prices of cryptocurrencies, not to mention a heightened "battle" to take control of victim systems from competing cryptojacking-focused groups. Monero, in particular, has lost over 20% of its value over the past six months. 

"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," Hegel concluded. "The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."
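Both the P2Pinfect SSH password sprayer described earlier on this page and 8220 Gang's SSH brute-forcing step share a log signature: one source address failing against many different usernames in a short span. The detector below is an added example, not code from SentinelOne, Cado Security or the malware; it runs over constructed sshd lines in the default syslog format.

```python
"""Detect SSH password spraying in OpenSSH auth logs.

Added example, not from the post. Groups "Failed password" events by source
IP and flags sources that hit several distinct usernames inside a sliding
time window. The log lines are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches e.g. "Jun 23 02:14:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_logins(lines, year=2024):
    """Yield (timestamp, user, ip) for each 'Failed password' line; other lines are skipped.
    syslog timestamps carry no year, so one is supplied by the caller."""
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_spray(lines, min_users=3, window_minutes=10):
    """Return {ip: sorted usernames tried} for sources that failed against at least
    min_users distinct accounts within any span of window_minutes."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # slide the window start forward until every event in it fits the time span
            while (events[hi][0] - events[lo][0]).total_seconds() > window_minutes * 60:
                lo += 1
            if len({u for _, u in events[lo:hi + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


SAMPLE_AUTH_LOG = """\
Jun 23 02:14:01 redis-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Jun 23 02:14:03 redis-01 sshd[2203]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 23 02:14:05 redis-01 sshd[2205]: Failed password for invalid user ubuntu from 203.0.113.7 port 40114 ssh2
Jun 23 02:14:09 redis-01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 40116 ssh2
Jun 23 02:20:44 redis-01 sshd[2301]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Jun 23 02:20:52 redis-01 sshd[2302]: Failed password for alice from 198.51.100.9 port 51001 ssh2
Jun 23 02:21:00 redis-01 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 51002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_AUTH_LOG).items():
        print(f"spray from {ip}: {', '.join(users)}")
```

A user who mistypes their own password twice (198.51.100.9 above) stays below the distinct-username threshold, which is what separates spraying from ordinary login failures.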

NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign

 

Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The hacker behind this malicious campaign, dubbed CuteBoi, published 1,283 modules in the repository and employed over 1,000 different user accounts. The researchers discovered the supply chain attack after spotting a burst of suspicious NPM users and packages that had been created automatically. 

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages contained near-identical copies of the source code of an existing package named eazyminer, which is used to mine Monero with the unused resources of systems such as CI/CD and web servers. One notable modification is the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effect. 

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically design an NPM user account and defeat 2FA, CuteBoi depends on a disposable email service called mail.tm to automate the creation of the users that upload the packages to the NPM repository. 

Specifically, it utilizes a REST API provided by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this, hackers behind the CuteBoi campaign can circumvent the NPM 2FA challenge when creating a flood of user accounts to publish the packages. 

Earlier this week, security researchers uncovered another NPM-related large-scale software supply chain attack, dubbed IconBurst, designed to siphon sensitive data from forms embedded in downstream mobile applications and websites.
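The CuteBoi cluster stood out for three traits the post describes: code cloned from eazyminer, publisher accounts registered through the disposable mailbox service mail.tm, and publication in automated bursts. The scoring script below is an added example, not Checkmarx's tooling; its registry records, package names, e-mail addresses and reference source are all constructed stand-ins.

```python
"""Score registry metadata for cloned packages published from throwaway accounts.

Added example, not from Checkmarx. Three indicators: source near-identical to
a known miner package, a maintainer e-mail on a disposable domain, and
publication inside a short burst. A package is flagged when at least two hold,
so a legitimate package caught in someone else's burst is not. All records are
constructed; REFERENCE_SOURCE is a stand-in, not eazyminer's real code.
"""
import difflib
from datetime import datetime, timedelta

DISPOSABLE_DOMAINS = {"mail.tm"}   # the throwaway mail service named in the post

REFERENCE_SOURCE = """\
const os = require('os');
const DEFAULT_POOL = 'pool.example.invalid:3333';
function startMiner(pool, wallet) {
  const threads = Math.max(1, os.cpus().length - 1);
  return spawnMiner({ pool: pool || DEFAULT_POOL, wallet, threads });
}
module.exports = { startMiner };
"""


def similarity(a, b):
    """Character-level similarity in [0, 1]; autojunk=False keeps long inputs comparable."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def is_disposable(email):
    return email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS


def score_packages(packages, reference=REFERENCE_SOURCE, sim_threshold=0.85,
                   burst=timedelta(minutes=30), burst_size=3):
    """Return {name: [indicators]} for packages matching at least two indicators."""
    times = [p["published"] for p in packages]
    flagged = {}
    for p in packages:
        reasons = []
        if similarity(p["source"], reference) >= sim_threshold:
            reasons.append("clone")
        if is_disposable(p["maintainer"]):
            reasons.append("disposable-mail")
        # count every package (this one included) published within +/- burst of this one
        if sum(1 for t in times if abs(t - p["published"]) <= burst) >= burst_size:
            reasons.append("burst")
        if len(reasons) >= 2:
            flagged[p["name"]] = reasons
    return flagged


_BASE = datetime(2022, 7, 5, 9, 0)
_CLONE = REFERENCE_SOURCE.replace("pool.example.invalid", "xmr.attacker.invalid")  # only the pool changed
SAMPLE_PACKAGES = [   # constructed registry records
    {"name": "miner-helper-a", "maintainer": "u1@mail.tm", "published": _BASE, "source": _CLONE},
    {"name": "miner-helper-b", "maintainer": "u2@mail.tm", "published": _BASE + timedelta(minutes=2), "source": _CLONE},
    {"name": "miner-helper-c", "maintainer": "dev@example.com", "published": _BASE + timedelta(minutes=5), "source": _CLONE},
    {"name": "left-pad-ish", "maintainer": "maintainer@example.com", "published": _BASE + timedelta(minutes=7),
     "source": "module.exports = (s, n) => String(s).padStart(n);\n"},
    {"name": "old-utility", "maintainer": "old@example.com", "published": _BASE - timedelta(days=3),
     "source": "module.exports = (a, b) => a + b;\n"},
]

if __name__ == "__main__":
    for name, reasons in score_packages(SAMPLE_PACKAGES).items():
        print(name, reasons)
```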