Category Archives: Cryptojacking

92% of organizations rank users as their primary security concern

Cybercrime continues to evolve and become more sophisticated. AI and machine learning are leveraged by many criminal organizations to help them better understand how to improve their attacks and they are now targeting specific industry verticals, organizations and even individuals. Increases in the frequency of ransomware, phishing and crypto jacking attacks were experienced by businesses of nearly every size, vertical and locale. On average, 81% of organizations had some degree of concern around security issues, … More

The post 92% of organizations rank users as their primary security concern appeared first on Help Net Security.

Formjacking is the new get rich quick scheme for cybercriminals

Faced with diminishing returns from ransomware and cryptojacking, cybercriminals are doubling down on alternative methods, such as formjacking, to make money according to Symantec’s Internet Security Threat Report (ISTR), Volume 24. Symantec’s ISTR provides an overview of the threat landscape, including insights into global threat activity, cybercriminal trends, and motivations for attackers. The report analyzes data from Symantec’s Global Intelligence Network, which records events from 123 million attack sensors worldwide, blocks 142 million threats daily … More

The post Formjacking is the new get rich quick scheme for cybercriminals appeared first on Help Net Security.

Cryptojacking Apps Removed From Microsoft App Store

After Apple and Google, the malefactors are turning their attention to the Microsoft app store as well. We have already

Cryptojacking Apps Removed From Microsoft App Store on Latest Hacking News.

The Cloud in 2019: Current Uses and Emerging Risks

In the current tech landscape, one would be hard-pressed to find an organization that operates without the help of cloud environments and capabilities. From data storage and document sharing to enabling remote access and communication, the cloud represents the most critical linchpin of today’s IT-focused business processes.

What’s more, the power of the cloud is only continuing to grow. Organizations across every industry are increasing their cloud investments right alongside their migration plans, shifting a rising number of workloads and key applications to off-prem environments. While this certainly bodes well for key cloud benefits like flexibility and productivity, there are some risks to be aware of.

Enterprises aren’t the only ones with their eyes on the cloud – hackers are attacking these environments more frequently than ever before. As businesses ramp up their cloud initiatives, it’s also imperative that stakeholders keep up with emerging use cases and approaches, as well as the potential threats.

Current cloud use by the numbers

By now, there’s simply no arguing against the cloud as a requirement for business. According to current industry research and predictions, nearly half of all IT expenditures were devoted to cloud initiatives last year, and by 2020, this will increase to as much as 70 percent of all tech spending, Forbes reported.

Let’s take a deeper look at the current cloud market:

  • There’s considerable growth for all types of cloud architectures, including public, private and hybrid. The worldwide public cloud services sector, in particular, is on track to expand by more than 17 percent in 2019 alone, growing from its 2018 value of $175.8 billion to $206.2 billion, according to statistics gathered by Forbes.
  • Financial resource allocation on the part of enterprises is growing as well. This year, IT infrastructure-focused spending, including expenditures on things like server, storage and switches, will experience a more than 10 percent year-over-year growth rate, surpassing a value of $52.3 billion this year.
  • Spending will continue to shift toward cloud initiatives through 2019 and beyond, with over $1.3 trillion in overarching IT spending being impacted by rising cloud allocations by 2022. This includes 22 percent of spending in key enterprise IT markets shifting to the cloud over the next three years, an increase of 9 percent compared to 2018.
  • SaaS is on the rise as well, with the market now contributing $20 billion to software vendors’ quarterly revenues. These profits are also on track to grow by 32 percent each year.

A rise in spending signals a few things, including increasing workloads being supported by cloud environments, as well as a more prominent focus on off-prem operations. So how, exactly, are these cloud investments being harnessed this year?

Cloud usage trends

There are a few trending use cases and cloud-centered approaches coming to light this year. These include emerging initiatives like:

  • Increasing use of cloud services across the board: While this may seem obvious, it’s important to understand that critical role that cloud services, including SaaS, PaaS and IaaS, now play in enterprise infrastructure. As Forbes Technology Council’s Asokan Ashok noted, usage of these cloud-based, as-a-service offerings will experience “an explosion” over the next few years, with the SaaS market on track to grow 18 percent by 2020, and rising investments in PaaS offerings making it the fastest growing sector of cloud solutions currently. Finally, the IaaS market is forecast to reach $72.4 billion by 2020, signaling the fact that more enterprises are jumping on board with subscription cloud solutions.
  • Hybrid continues to grow: While there are certainly key use cases centered around purely public or private environments, 2019 will continue to rising investments in hybrid cloud solutions that can offer the best of both. This is particularly true for businesses that are still getting up and running with their cloud infrastructures. “Making a full transition to the cloud has proved more challenging than anticipated. So here is where hybrid cloud solutions will play an important role,” Ashok wrote.
  • Cloud security become more imperative – and more complex: As enterprises continue to make more investments in cloud solutions, stakeholders’ focus on end-to-end security must increase as well. At the same time, though, emerging threats and new security standards like the EU’s General Data Protection Regulation are making cloud security more complex than before.

Key cloud threats

While cloud-focused malware samples are certainly nothing new, there are a few dangerous threats poised to impact enterprise cloud usage this year.

As RedLock contributor Michael Higashi noted, one issue that’s continuing to create vulnerabilities for enterprise cloud environments are insecure account credentials and other insider threats. Shadow IT continues to pose an issue, and this combined with a critical lack of insight into cloud operations can compound the overall threat. Higashi reported that only 7 percent of businesses can say they have “good” visibility across their cloud-based data, and the vast majority of successful breaches – 80 percent – rely on the use of privileged account credentials.

In addition, inconsistent patching can create additional holes for malicious actors and other threats to slip through the cracks. One RedLock study found that nearly one-quarter of all businesses leverage cloud hosts that lack the proper high-priority security patches in public cloud environments.

Cryptojacking is also threatening cloud platforms and resources across industry sectors. While this threat may not appear as malicious at first glance, the unauthorized use of considerable resources required to support cryptocurrency mining can severely impact performance levels, impeding legitimate user processes.

Cloud security in 2019

Given current across-the-board cloud usage – which is only on the rise – alongside the increasing threats to cloud-based platforms, there are a few key security processes that enterprises should be sure are in place.

As statistics show, simple passwords are no longer enough to safeguard key accounts. Wherever possible, IT stakeholders should ensure that two-factor authentication is in place to reduce the chances of compromised credentials and a successful breach.

In addition, security leaders should utilize advanced monitoring to ensure they have the proper insight into the cloud architectures, access and usage. It’s important to regularly take stock of the cloud apps employees are using in order to prevent shadow IT and reduce holes in the business’s security posture.

Finally, it’s critical for enterprises to have innovative and intelligent security solutions in place to safeguard the cloud apps that they use the most. Trend Micro’s Hybrid Cloud Security solution helps uncomplicate cloud security while providing you with the high-level visibility needed to manage your on-site and cloud environments.

To find out more about securing your cloud infrastructure connect with us about adding Hybrid Cloud Security today.

The post The Cloud in 2019: Current Uses and Emerging Risks appeared first on .

Zero trust browsing: Protect your organization from its own users

To the casual observer, the cyberattack landscape is constantly shifting. In recent years, the threats and scams have evolved from Nigerian princes to stranded travelers, pop-ups warning of outdated software to ransomware, cryptojacking, phishing and spear phishing. Predictions for 2019 are full of dire warnings about the very-real explosion of phishing, backed by geometric increases in phishing sites as the number of malware sites drops. Just as 2018 predictions focused on cryptojacking and ransomware were … More

The post Zero trust browsing: Protect your organization from its own users appeared first on Help Net Security.

Student Loan Company Fought Off 1 Million Cyberattacks in a Year

The financial services industry registered three times more security incidents than any other industry in 2018. According to data released under Freedom of Information legislation, UK government organization The Student Loans Company (SLC) experienced close to a million cyberattacks in the 2017 – 2018 fiscal year. The information was made public upon written request from the Parliament Street think tank.

While most attacks were categorized as malware (323), Denial-of-Service, and malicious emails or calls (235), they all failed, except for a cryptojacking attack. Manipulating a third-party plugin, hackers injected Monero mining software into the company’s network. This was attributed to third-party incidents.

Dealing with student grants and loans, SLC had access to a high volume of confidential personal and financial information. According to its annual report, the company has 8.1 million customers and a loan book value of £117.8 billion, and it processed about 1.8 million applications in the fiscal year.

The non-profit organization says it stores no customer data on its servers, so no critical information was compromised. The company further said they only “host publicly available data.”

During the 2017 – 2018 fiscal year, The Student Loans Company suffered 1 million attacks meant to compromise the network and access financial information. This figure is of particular concern since the organization only suffered 95 attacks in the previous year and just three the year before that.

“Firstly we’d stress that malicious online activity affects every organization and individual,” a company spokesperson said for IT Pro. “It is also necessary to put in context that 99.9 % of the ‘attempts’ recorded in 17/18 present an extremely low level of threat. The apparent increase in 17/18 figures is largely due to changes in the way security incidents are recorded. It is also worth stressing that, while we remain permanently aware and vigilant, every one of these attempts was detected and prevented at an early stage, with no violation of systems or data security.”

Thieves stole $1.7 billion in cryptocurrency in 2018 as mining gives way to stealing in crypto space

Bitcoin’s legendary ascension to the $20,000 mark a little more than a year ago inspired legions of fast-buck makers to hop on the bandwagon and invest in this intriguing yet volatile asset.

Mining cryptocurrency worked for a while, but it is no longer feasible because of the increasing complexity behind the algorithms, especially in the case of Bitcoin. So players in the cryptocurrency market are now (loosely) divided into two categories: those who trade it and those who steal it.

And the line between the ICOs and exchanges in the former group and the thieves, scammers and hackers of the second group is blurring by the day. Some exchanges and initial coin offerings are now entirely set up to perform an exit scam.

Playing with digital currency today is like playing with fire, as the risks now outweigh the benefits. New research reveals that thieves and scammers stole $1.7 billion in cryptocurrency in 2018. Theft from cryptocurrency exchanges accounted for most of the criminal activity: more than $950 million was stolen by hackers in 2018 – 3.6 times more than in 2017. Investors and exchange users lost at least $725 million in cryptocurrency in 2018 to exit scams, phony exchange hacks, and Ponzi schemes, according to CipherTrace.

Criminals now need to launder all these funds to cash out before a wave of crypto-centric regulations go into effect this year.

3.6x More Cryptocurrency Stolen in 2018 Versus 2017 According to CipherTrace (Graphic: Business Wire)

CipherTrace has also identified the top 10 trending crypto threats (below) in an effort to provide “actionable threat intelligence for anyone dealing with cryptocurrency.” From the report:

  • SIM swapping: An identity theft technique that takes over a victim’s mobile device to steal credentials and break into wallets or exchange accounts to steal cryptocurrency.
  • Crypto dusting: A new form of blockchain spam that erodes the recipient’s reputation by sending cryptocurrency from known money mixers.
  • Sanction evasion: Nation states that use cryptocurrencies promoted by the Iranian and Venezuelan governments to circumvent sanctions.
  • Next-generation crypto mixers: Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in reality cleanse cryptocurrency through exchanges.
  • Shadow money service businesses (MSBs): Unlicensed MSBs that bank cryptocurrency without the knowledge of host financial institutions, exposing banks to unknown risk.
  • Datacenter-scale cryptojacking: Takeover attacks that mine for cryptocurrency at a massive scale and that have been discovered in datacenters, including AWS.
  • Lightning Network transactions: Enabling anonymous bitcoin transactions by going “off-chain” and now scaling to $2,150,000.
  • Decentralized stable coins: Stabilized tokens that can be designed for use as hard-to-trace private coins.
  • Email extortion and bomb threats: Mass-customized phishing email campaigns by cyber-extortionists using old passwords and spouse names to demand bitcoin. Bomb threat extortion scams spiked in December.
  • Crypto-robbing ransomware: New malware distributed by cyber-extortionists that empties cryptocurrency wallets and steals private keys while holding user data hostage.

In the wake of numerous such incidents, countries around the world are accelerating the adoption of anti-money-laundering regulations and cryptocurrency forensics. However, as in the classical monetary system, some countries are lagging behind in regulating cryptocurrency, serving as potential havens for money laundering, fraud, and tax evasion.

ENISA’s Latest Threat Landscape Report Reveals Top Cyber Threats and Trends in Europe

The European Union Agency for Network and Information Security (ENISA) reveals in its latest report that malware and web-based attacks

ENISA’s Latest Threat Landscape Report Reveals Top Cyber Threats and Trends in Europe on Latest Hacking News.

Cryptojacking Up 4,000% How You Can Block the Bad Guys

Cryptojacking RisingThink about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable malware or javascript that can infect our devices.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Cryptojacking RisingHere’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can often be a harmless hobby when malware or site code is attached to drain unsuspecting users CPU power, it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

Cryptojacking Rising

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or pop-up looks suspicious, it could contain malware or javascript that instantly starts working (mining power) when you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000% How You Can Block the Bad Guys appeared first on McAfee Blogs.

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TTP). The same assurances also applies to internally developed applications, case-in-point was a publically announced flaw with Thomas Cook's booking system discovered by a Norwegian security researcher. The research used to app flaw to access the names and flights details of Thomas Cook passengers and release details on his blog. Thomas Cook said the issue has since been fixed.

Third-Third party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company, on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that is was in the region of 20,000. Interestingly Monzo also declared ending their relationship with Typeform unless it wins their trust back. Travelodge one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties design to bring tech giants to book, let's be honest, £500k is petty cash for the social media giant.
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluded the government had "only limited assurance" Huawei kit posed no threat toUK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money, not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns that BT and other UK companies reliance on the Chinese manufacturer's devices, by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russia bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromise a router which gave them access to the bank's internal network, from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


Evasive Monero Miners: Deserting the Sandbox for Profit

Authored by: Alexander Sevtsov
Edited by: Stefano Ortolani


It’s not news that the cryptocurrency industry is on the rise. Mining crypto coins offers to anybody a lucrative way to exchange computation resources for profit: every time a miner guesses the solution of a complex mathematical puzzle, he is awarded with a newly minted crypto coin. While some cryptocurrencies are based on puzzles that are efficiently solved by special-purpose devices (such as Bitcoin on ASICs), others are still mined successfully on commodity hardware.

One, in particular, is the Monero (XMR) cryptocurrency. Besides being efficiently mined on standard CPUs and GPUs, it is also anonymous, or fungible to use the precise Monero term. This means that while it is easy to trace transactions between several Bitcoin wallets, a complex system relying on ring signatures ensures that Monero transactions are difficult if not impossible to trace, effectively hiding the origin of a transaction. Because of this, it should come as no surprise that the Monero cryptocurrency is also used for nefarious purposes, often mined by rogue javascripts or binaries downloaded onto and running on an unsuspecting user’s system.

Recent statistics show that 5% of all Monero coins are mined by malware. While the security industry is responding to this cryptojacking phenomenon by introducing new improved detection techniques, developers of these binaries began to replicate the modus operandi of ransomware samples: they started embedding anti-analysis techniques to evade detection as long as possible. In this blog article, we highlight some of our findings when analyzing a variant of the XMRig miner, and share insights about some evasion tricks used to bypass dynamic analysis systems.


The sample (sha1: d86c1606094bc9362410a1076e29ac68ae98f972) is an obfuscated .Net application that uses a simple crypter to load an embedded executable at runtime using the Assembly.Load method. The following XOR key is used for its decryption:

50 F5 96 DF F0 61 77 42 39 43 FE 30 81 95 6F AF

Execution is later transferred via the EntryPoint.Invoke method to its entry point, after which another binary resource is decrypted. Figure 1 shows the encryption (AES-256) and the key derivation (PBKDF2) algorithms used to decrypt the binary.

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key derivation.

The decrypted data consists of yet another executable. We can see it in Figure 2 surrounded by some strings already giving away some of the functionalities included (in particular, note the CheckSandbox and CheckVM strings, most likely indicating routines used to detect whether the sample is run inside an analysis environment).

Figure 2. Decrypted binary blob with an embedded executable file.

Figure 2. Decrypted binary blob with an embedded executable file.

As the reader can imagine, we are always interested in discovering novel evasion techniques. With piqued curiosity, we decided to dive into the code a bit further.


After peeling off all encryption layers, we finally reached the unpacked payload (see Figure 3). As expected, we found quite a number of anti-analysis techniques.

Figure 3. The unpacked payload

Figure 3. The unpacked payload (sha1: 43f84e789710b06b2ab49b47577caf9d22fd45f8) as found in VT.

The most classic trick (shown in Figure 4) merely checked for known anti-analysis processes. For example, Process Explorer, Process Monitor, etc., are all tools used to better understand which processes are running, how they are spawned, and how much CPU resources are consumed by each executing thread. This is a pretty standard technique to hide from such monitoring tools, and it has been used by other crypto miners as well. As we will see, others were a bit more exotic.

Figure 4. Detecting known process monitoring tools

Figure 4. Detecting known process monitoring tools via GetWindowTextW.

Evasion Technique – Lack of User Input

This technique specifically targets dynamic analysis systems. It tries to detect whether it is executing on a real host by measuring the amount of input received by the operating system. Admittedly, this is not that rare, and we indeed covered it before in a previous article describing some evasion techniques as used by ransomware.

Figure 5. Detecting sandbox by checking the last user input

Figure 5. Detecting sandbox by checking the last user input via GetLastInputInfo.

Figure 5 shows the logic in more details: the code measures the time interval between two subsequent inputs. Anything longer than one minute is considered an indicator that the binary is running inside a sandbox. Note that besides being prone to false positives, this technique can easily be circumvented simulating random user interactions.

Evasion Technique – Multicast IcmpSendEcho

The second anti-analysis technique that we investigated delays the execution via the IcmpCreateFile and IcmpSendEcho APIs. As it is further detailed in Figure 6, they are used to ping a reserved multicast address ( with a timeout of 30 seconds. Ideally, as no answer is meant to be returned (interestingly enough we have knowledge of some devices erroneously replying to those ICMP packets), the IcmpSendEcho API has the side effect of pausing the executing thread for 30 seconds.

Figure 6. Delaying the execution via IcmpSendEcho API.

Figure 6. Delaying the execution via IcmpSendEcho API.

It’s worth noticing that a similar trick has been previously used by some infected CCleaner samples. In that case, the malicious shellcode was even going a step further by checking if the timeout parameter was being patched in an attempt to accelerate execution (and thus counter the anti-analysis technique).


Any dynamic analysis system wishing to cope with advanced evasive malware must be able to unpack layers of encryption and counter basic anti-analysis techniques. In Figure 7 we can see all the behaviors extracted when fully executing the original sample: the final payload is recognized as a variant of the XMRig Monero CPU Miner, and its network traffic correctly picked up and marked as suspicious.

Figure 7. Lastline analysis of the XMRig CPU miner.

Figure 7. Lastline analysis of the XMRig CPU miner.

Nevertheless it is quite worrying that anti-analysis techniques are becoming this mainstream. So much so that they started to turn into a standard feature of potentially unwanted applications (PUA) as well, including crypto-miners. Hopefully, it is just an isolated case, and not the first of a long series of techniques borrowed from the ransomware world.

Appendix – IOCs

Attached below the reader can find all the hashes related to this analysis, including the mutex identifying this specific strain, and the XMR wallet.

Sha1 (sample): d86c1606094bc9362410a1076e29ac68ae98f972
Sha1 (payload): 43f84e789710b06b2ab49b47577caf9d22fd45f8
Mutex: htTwkXKgtSjskOUmArFBjXWwLccQgxGT
Wallet: 49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY

The post Evasive Monero Miners: Deserting the Sandbox for Profit appeared first on Lastline.