Bleeping Computer

Attackers Take Over WordPress, Joomla, JBoss Servers to Mine Monero

Attacks aimed at delivering cryptocurrency mining tools on enterprise networks have gone up as much as six times, according to telemetry data collected by IBM’s X-Force team between January and August 2017.

A recent report by fellow cyber-security firm Kaspersky found that cryptocurrency mining malware also infected over 1.65 million machines running Kaspersky solutions in the first eight months of the year.

While Kaspersky collected data mainly from desktop endpoints, IBM’s telemetry gathered data from servers and other enterprise systems.

Attackers hid cryptocurrency miners inside fake image files

According to IBM, most of the infections the company saw during the first eight months of the year involved the same mining tool and similar infection techniques.

IBM’s Dave McMillen told Bleeping Computer via email that attackers used “a wide range of exploits […] to first compromise […] CMS platforms (WordPress and Joomla and JBoss server) prior to launching the subsequent CMDi [command injection] attack,” that installed the cryptocurrency mining tool.

“These [mining] tools were hidden within fake image files, a technique known as steganography, hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers,” McMillen says.

The expert says attackers usually downloaded a customized version of a legitimate mining tool named Minerd, or a Linux port named kworker.

“In most cases, the attackers attempted to mine CryptoNote-based currencies such as Monero (XMR), which employs the CryptoNight mining algorithm,” McMillen said.

Attacks targeted companies in all industry verticals

“We are unable to determine the number of attacking groups or infected servers from our attack data,” McMillen added but said that attackers weren’t picky and infected any target they could get.

Infected servers spread across several industry verticals, such as manufacturing, finance, retail, IT & communications, and others.

IBM mining malware distribution per industry vertical

No more Mirai versions with mining support

Back in April, the same IBM X-Force team discovered a version of the Mirai IoT malware that featured an experimental cryptocurrency mining feature.

As many experts predicted at the time, McMillen confirmed today that IBM has not seen any new Mirai strains deploying mining features.

“Exploiting IoT may be more of a proof of concept by attackers,” McMillen told Bleeping. The expert also added that he expects attackers to target both server and desktop endpoints in an equal manner, as both are very lucrative environments for mining operations.

The IBM and Kaspersky reports on the increase in cryptocurrency mining malware detections come after a string of incidents during the past few months that involved virtual currency miners.

Posted by Bitcoinist in News, 0 comments
LiteBit Bitcoin Exchange Hacked Twice in Two Months

LiteBit, a multi-currency exchange based in the Netherlands, has suffered data breaches two months in a row.

According to emails sent to affected customers after each event, no Bitcoin or altcoin funds were stolen in either of the two incidents.

The company says the attacker only pilfered user personal information, such as emails, hashed passwords, bank account numbers (IBANs), telephone numbers, and home addresses.

August 2017 breach

The first incident took place on August 5, and the company sent out the following email to affected customers after it detected suspicious activity on one of its servers and fixed the security hole.

On August 5, 2017 we observed unusual activities on LiteBit’s servers. Unfortunately, we have concluded that there has been unlawful access to LiteBit data. No LiteBit wallet servers have been broken, all coins of customers are safe. Also, there are no verification documents (ID or passport) involved in this incident.

The cause of the leak is known, and the problems have now been solved. It is not clear whether data has actually been stolen. In the worst case, an unauthorized person has gained access to your email address, encrypted password, IBAN, phone number, address and your portfolio data.

What does this mean to you? For users who have 2-step authentication, it’s very important that they reset it. We also recommend that you enable this additional security measure, for customers who have not already done so.

In addition, it is important to change your password regularly.

September 2017 breach

The second breach took place last week, on September 12, six weeks after the first incident. This time around, the source of the breach was with one of LiteBit’s “suppliers.”

Again, the exchange said the hacker made off only with PII and user funds remained secure. Authorities have been informed. The content of the second email is below.

We regret to inform you that on the 12th of September 2017 a supplier to LiteBit has become the victim of a cyberattack. Sadly, the attack also concerned a LiteBit server. We are currently investigating the scope of the attack. Sadly we have to conclude that an unauthorized person has had access to your email address, hashed password, IBANs, phone number, address and portfolio data.

There has, however, been no breach of the LiteBit wallet servers. All coins belonging to customers are safe. Also, no verification documents have been accessed during the incident.

It is of high importance that you reset your 2FA settings. You can read more about this here: LiteBit 2FA.

We understand that the recent problems at LiteBit and our supplier have damaged your trust in our organization. We want to show our deepest remorse. We have already taken measures and we will keep improving and expanding on these measures in the future in the hope of regaining your trust. We have reported this incident to the police and the Dutch Data Protection Authority.

Malvertising Campaign Mines Cryptocurrency Right in Your Browser

Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people’s browsers, without their knowledge.

Crooks are currently deploying this technique on Russian and Ukrainian websites, but the trend is expected to spread to other regions of the globe.

Malicious ads delivered on gaming and streaming sites

Crooks pulled this off by using an online advertising company that allows advertisers to deploy ads containing custom JavaScript code.

The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser.

Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user’s computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites.

Both types of sites use lots of resources, and users wouldn’t get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

Crooks mined Monero, Zcash, others

ESET, the security firm that discovered the malvertising campaign, says the JavaScript mining scripts were capable of mining for Monero, Feathercoin, and Litecoin.

Crooks appear to have used only the Monero mining feature. The Litecoin miner configuration was left blank, while the Feathercoin miner was left in its default config, using the same Feathercoin address from this demo page hosted on GitHub.

Furthermore, researchers also spotted a campaign that mined for Zcash. This campaign appears to have been managed by a different group, and they didn’t use malicious ads but instead hosted the JavaScript mining code on the site itself. It is unclear if the site was hacked or the site’s admins were knowingly hosting the Zcash miner on their domain.

Based on the number of DNS lookups for domains associated with the Monero-mining campaign, ESET says the malvertising domains received as much DNS lookup traffic as GitHub’s Gist service.

Ad blockers thwart some JavaScript mining operations

The good news is that users can protect themselves against surreptitious JS-based cryptocurrency miners hidden in ad code by using an ad blocker.

The mining operation also stops once users leave the site, and no extra clean-up is needed to remove malware from computers.

Ad blockers won’t help if the JavaScript mining code loads from outside of designated ad slots/domains — the case when website owners host and load the script from their own domains.

Not the first time it happened

Browser-based miners aren’t anything new. The service experimented with something like this in 2011, but the service eventually shut down.

In 2015, the New Jersey Attorney General’s office shut down a company called Tidbit that was offering website owners a way to mine cryptocurrency on the computers of site visitors. Authorities argued that this was illegal, on the same level as hacking, because Tidbit or website owners didn’t ask for specific permission to carry out such intrusive operations.

Cryptocurrency mining is a lucrative business for malware authors. According to a recent report, at least 1.65 million computers have been infected with cryptocurrency mining malware this year so far.

Security researchers can find a breakdown of the malvertising infection chain, along with indicators of compromise, in ESET reports available here.

Image credits: Pixeden, ESET, Bleeping Computer

Over 1.65 Million Computers Infected With Cryptocurrency Miners in 2017 So Far

Telemetry data collected by Kaspersky Lab shows that in the first nine months of 2017, malware that mines for various types of cryptocurrencies has infected more than 1.65 million endpoints.

According to Kaspersky, detections for cryptocurrency mining trojans rose from a lowly 205,000 infections in 2013 to nearly 1.8 million in 2016, and 2017 looks like it will easily surpass that number.

Zcash and Monero miners on the rise

Of all virtual currencies, Zcash and Monero were the favorites, primarily because of their support for anonymous transactions, which comes in handy to anyone looking to hide a money trail from criminal operations.

While Monero is a long-time favorite of cryptocurrency mining trojans, Zcash is a recent addition, as the cryptocurrency launched only last November.

Nonetheless, one month later, several criminal mining operations had adopted the currency, with one group’s earnings estimated at $75,000 per year from roughly 1,000 computers.

A review of past major operations

Since last year, the rise in cryptocurrency mining malware distribution was easily observable by the number of reports put out by cyber-security firms. Such reports often help infosec industry observers to gauge new trends.

Below is a list with the most important malware distribution campaigns that pushed cryptocurrency miners in 2017.

These are only some of the major campaigns; countless other smaller operations went unreported.

If you’re wondering why this rise in cryptocurrency mining malware is taking place, the answer is quite simple. During the past year, trading prices for virtual currencies have skyrocketed across the board, for almost all major cryptocurrencies. Bitcoin, Monero, Ethereum, Zcash, and others have seen huge price spikes that have fueled market speculation and attracted both legitimate users and the criminal underground looking to make a quick buck.

Bitcoin Price Takes a Tumble Amid Rumors of China Banning Cryptocurrency Trading

Bitcoin price took a huge fall on Friday after Caixin, a Chinese financial magazine, reported that Chinese Central Bank officials are working on rules to ban the trading of Bitcoin and all other cryptocurrencies on Chinese exchanges.

The decision will apply only to online trading and not to over-the-counter transactions. Owning Bitcoin and other virtual currencies would still be allowed, but users won’t be able to exchange them for fiat currency online.

The Central Bank has not issued an official statement on the matter, but Bloomberg and the Wall Street Journal verified Caixin’s report via their own sources.

Bitcoin fell 10%, from nearly $4,500 on Friday to $4,100 on Monday. This is the second major Bitcoin price fall in the past two weeks.

China previously banned ICOs

On September 4, China’s Central Bank banned ICOs (Initial Coin Offerings) citing that ICOs have “seriously disrupted the economic and financial order.”

ICOs are similar to IPOs. They allow companies to issue “tokens,” similar to shares. Online companies use ICOs to sell tokens that users buy with virtual currencies. The company raises funds for its ventures, while users expect a share of the profits in the future when the company buys back its tokens.

While governments around the world regulate and closely watch IPOs, ICOs are not regulated, and they have been used by many companies to raise funds without a guarantee that the token issuer will re-buy tokens and not run away with most of the funds.

Despite the concerns, ICOs have become the hottest thing in the world of virtual currencies and have helped companies raise billions of dollars.

When China banned ICOs, Bitcoin price took its first dive in many months, from nearly $4,900 – $5,000 to $4,500. The decision impacted trading prices for almost all virtual currencies.

Bitcoin price falls

Chinese financial officials said last year they plan to crack down on cryptocurrencies because Bitcoin and other virtual currencies were often used to finance terrorist groups and launder money out of the country. Officials said they don’t plan to shut down cryptocurrency trading, but merely regulate it.

China’s looming ban on virtual currency trading won’t affect the global market as exchanges based in other countries will continue to operate.

Many experts believe that Chinese officials accelerated this process over the summer as Bitcoin price grew from $3,000 to nearly $5,000, fueling market speculation by domestic investors, and driving Chinese Yuan value down as people started using Bitcoin to move funds in and out of the country, bypassing and disrupting traditional Chinese financial institutions.

CodeFork Group Uses Fileless Malware to Deploy Monero Miners

A group of experienced hackers — tracked under the name of CodeFork — has launched a new malware distribution campaign that uses advanced tools and new techniques to go undetected by security solutions.

Active since 2015, the group has recently changed its mode of operation by advancing from the usage of malware that stores components on disk to malware that loads malicious code directly into the infected computer’s memory (RAM) in order to bypass traditional antivirus solutions.

This type of malware — known as fileless malware — is becoming more prevalent each day, for obvious reasons, and is just one of the several new changes in CodeFork’s modus operandi.

CodeFork group deploys Monero miner, USB infector

The purpose of these improvements is to harden the group’s malware — a basic downloader (dropper) — against antivirus detection and analysis by security researchers.

The CodeFork gang uses this downloader, which is a modified version of Gamarue, to drop malware on infected computers. Speaking to Bleeping Computer, Radware — the company that uncovered and tracked the group’s evolution during the past two years — says that CodeFork used its dropper both for targeted attacks against high-value targets and against regular users in a shotgun approach.

“We think they do both [approaches] in order to get both mass and quality of machines to install different malware on,” a Radware spokesperson told Bleeping Computer via email.

CodeFork’s targeted attacks are still shrouded in mystery, but researchers have more insight into the day-to-day operations that spread mundane malware. During the past few months, Radware says, CodeFork used its improved fileless malware downloader to spread the Necurs malware, a module for infecting USB thumb drives (used to spread laterally inside networks), and a modified Microsoft cdosys.dll file repurposed to send spam from infected hosts.

More recently, Radware has also seen CodeFork deploy a modified version of xmrig.exe, a legitimate Monero miner.

Group most likely rents access to infected hosts

The secondary payloads downloaded via the CodeFork dropper are all over the place, but one theory can explain why researchers are seeing so many different binaries.

“We believe they sell the installations of other modules we saw installed on victim machines,” Radware told Bleeping. Most likely, the group is selling access to infected computers to other criminal groups, although no ads or forum posts advertising this service have been discovered yet.

“The CodeFork group will certainly continue to try to distribute its tools, finding new ways to bypass current protections,” Radware explains. “Such groups continuously create new malwares and mutations to bypass security controls.”

Security researchers and other technically inclined readers can read a technical report about the new techniques used by CodeFork’s malware downloader in a security alert published yesterday by Radware researchers.

Nearly 3,000 Bitcoin Miners Exposed Online via Telnet Ports, Without Passwords

Dutch security researcher Victor Gevers has discovered 2,893 Bitcoin miners left exposed on the Internet with no passwords on their Telnet port.

Gevers told Bleeping Computer in a private conversation that all miners process Bitcoin transactions in the same mining pool and appear to belong to the same organization.

“The owner of these devices is most likely a state sponsored/controlled organization part of the Chinese government,” Gevers says, basing his claims on information found on the exposed miners and IP addresses assigned to each device.

Miners taken offline shortly after

Gevers is also the chairman of the GDI Foundation, a non-profit organization that coordinates vulnerability disclosures and works to secure exposed devices. For the past two days, Gevers has been investigating the incident and was planning to reach out to the affected organization.

This will not be necessary anymore as it appears that someone from the affected party saw Gevers’ tweets and secured the exposed devices shortly after.

“Most of the miners are now not available anymore via Telnet,” Gevers told Bleeping Computer. “Just a few are left, and I am keeping an eye out for those.”

“At the speed they were taken offline, it means there must be serious money involved,” Gevers added. “A few miners is not a big deal, but 2,893 [miners] working in a pool can generate a pretty sum.”

According to a Twitter user, the entire network of 2,893 miners Gevers discovered could generate an income of just over $1 million per day, if mining Litecoin.

Based on firmware details Gevers found on the devices, the researcher believes that most are ZeusMiner THUNDER X3 Bitcoin miners.

Some devices infected with malware, backdoors

The expert is still investigating how long these devices were left exposed online without a Telnet password.

“I have proof of other visitors on the boxes where they tried to install a backdoor or malware,” Gevers said.

According to another researcher who also examined the miners, the devices also appeared to be participating in a bandwidth-sharing scheme run via the Chinese service Xunlei.

Last week, Gevers worked to secure thousands of smart devices that were still running default Telnet credentials. IP addresses, usernames, and passwords were leaked online via a list uploaded on Pastebin. One of the IP addresses included on that list belonged to one of the Bitcoin miners and this is how Gevers discovered the whole mining network.
