Viry a Červi

IoT Security Disconnect: As Attacks Spike, Device Patching Still Lags - 6 Březen, 2018 - 18:43
More than half of businesses have faced IoT-related attacks, yet only a third consider IoT cyber security “very important.”
Kategorie: Viry a Červi

CryptoLurker hacker crew skulk about like cyberspies, earn $$$

The Register - Anti-Virus - 6 Březen, 2018 - 17:38
Miner prying by minor spying

A sophisticated mystery hacker group is using tactics more familiar to the world of cyber espionage to earn millions through mining malware.…

Kategorie: Viry a Červi

“Prince Charming” is a happily married, gay, identity theft victim

Sophos Naked Security - 6 Březen, 2018 - 13:56
Former BBC producer Steve Bustin has had it with the scammers who've stolen his photos to try to woo women online.

Co-op Bank's shonky IT in spotlight as delayed probe given go-ahead

The Register - Anti-Virus - 6 Březen, 2018 - 13:46
Former chairman banned from holding another financial role

An inquiry into The Co-operative Bank's financial collapse is to open four years after it was first announced by former UK chancellor George Osborne.…

Kategorie: Viry a Červi

“Big Bitcoin Heist” sees 600 Icelandic servers stolen

Sophos Naked Security - 6 Březen, 2018 - 12:26
Police arrested 11 people but haven't found the hardware, which is worth nearly $2 million.

Games site customers offered $5 voucher after credit card breach

Sophos Naked Security - 6 Březen, 2018 - 12:19
Games developer Nippon Ichi Software (NIS) has admitted that a recent hack has put some of its customers at risk of credit card fraud.

Using Mailchimp makes malware campaigns a little bit more successful

Virus Bulletin News - 6 Březen, 2018 - 10:48
In recent months, some malicious spam campaigns have been spreading via the systems of Mailchimp, a well-known email service provider - a tactic which may give the campaigns a slightly higher success rate.

Read more
Kategorie: Viry a Červi

Miner vs miner: Attack script seeks out and destroys competing currency crafters

The Register - Anti-Virus - 6 Březen, 2018 - 05:57
There is no honour among CPU thieves

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.…

Kategorie: Viry a Červi

World's biggest DDoS attack record broken after just five days

The Register - Anti-Virus - 6 Březen, 2018 - 00:59
Memcached attacks are going to be this year's thing

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.…

Kategorie: Viry a Červi

Pennsylvania AG sues Uber over 2016 data fail

The Register - Anti-Virus - 5 Březen, 2018 - 23:34
Not much brotherly love in this Philly court case

Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records.…

Kategorie: Viry a Červi

Emirates dinged for slipshod online data privacy practices

The Register - Anti-Virus - 5 Březen, 2018 - 21:59
Fly the insecure skies

Updated  International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.…

Kategorie: Viry a Červi

Brit semiconductor tech ended up in Chinese naval railgun – report

The Register - Anti-Virus - 5 Březen, 2018 - 17:35
The dark side of easy R&D cash

A Chinese firm's buyout of a British semiconductor company may have directly led to China developing railgun weaponry and electromagnetic aircraft carrier catapults for its navy, according to reports.…

Kategorie: Viry a Červi

Terrorist social media posts should be removed within an hour, says EC

Sophos Naked Security - 5 Březen, 2018 - 14:32
The internet bigwigs say it could do more harm than good as they balance fast illegal content removal with protection of users' rights.

World’s largest DDoS attack thwarted in minutes

Sophos Naked Security - 5 Březen, 2018 - 14:16
What has been tagged the largest DDoS attack ever disclosed slammed into the servers of software development site GitHub at 17:21 UTC last Wednesday.

Bill Gates: Cryptocurrencies killing people in “fairly direct way”

Sophos Naked Security - 5 Březen, 2018 - 14:12
It's also "super risky" over the long term, he said in a Reddit Ask Me Anything session.

Spring break! Critical vuln in Pivotal framework's Data parts plugged

The Register - Anti-Virus - 5 Březen, 2018 - 12:57
Similar to Apache Struts flaw that stuffed Equifax

Pivotal's Spring Data REST project has a serious security hole that needs patching.…

Kategorie: Viry a Červi

Monday review – the hot 22 stories of the week

Sophos Naked Security - 5 Březen, 2018 - 11:30
From the bug that lets you logon as someone else and US border agents not verifying e-passports to the cryptojacking attack on LA Times, and more!

Cryptomining Gold Rush: One Gang Rakes In $7M Over 6 Months - 5 Březen, 2018 - 11:00
Report outlines lucrative rise of nefarious cryptomining groups and their complex new business models.
Kategorie: Viry a Červi

Mining is the new black

Kaspersky Securelist - 5 Březen, 2018 - 11:00

UPDATED March 5th, 15.00

Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly.

Together with the rest of the world, we have been watching the hike in cryptocurrency, for example, the price of Bitcoin and Altcoins continuously beat records throughout 2017.

Bitcoin and Altcoins prices growth in 2017

While some spend time talking about what’s good or bad for the market and the global economy, we’ve seen that such a spike in prices was definitely a call for threat actors, meaning there are good opportunities for cybercriminals to earn money.

As a result, many cybercriminal groups have switched to malicious miner distribution, and the number of users that have encountered cryptocurrency miners has increased dramatically. We have found, that by the end of 2017, 2.7 million users had been attacked by malicious miners – this is almost 1.5 times higher than in 2016 (1.87 mln).

Number of Kaspersky Lab users attacked by malicious miners in 2017

They become so active and popular that even ransomware – which has frightened the world for the last couple of years, seems to step aside for this threat.

Here are some reasons why:

Firstly, miners and ransomware both have a clear monetization model. In the case of ransomware, attackers infect PCs, decrypt files and earn money by receiving a ransom for users’ data. The miners model is similar in its simplicity: attackers infect victims, make coins using CPU or GPU power, and earn real money through legal exchanges and transactions.

Miners’ monetization scheme

Secondly, unlike ransomware, it is very hard for users to understand if they’ve been infected by miners or not. In general, users use their computer for Internet surfing. This activity is not high loaded for CPU. The other 70-80% of CPU power is used by mining programs, and some of them have special functions to reduce mining capacities or cancel the process at all, if another resource-demanding program (for example, a videogame) is executed.

Most importantly, it is now very easy to make your own miner. Those interested can get everything that they need:

  • Ready to use partner programs
  • Open mining pools
  • A lot of miner builders

We have found that the most popular miner pool used by threat actors is Nanopool.

Statistics for used legitimate pools

If actors use open pools, it’s possible to find out how much money threat actors could earn.

Example of wallet information

Also, according to our data, 80% of illegal miners contain the open source code of legal miners, or it is just a legal miner that has been packed.

Ways of spreading

Usually, threat actors collaborate with potentially unwanted application (PUA) partner programs to spread miners. However, some small criminal groups try to spread malware by using different social engineering tricks, such as fake lotteries, etc. Potential victims need to download a generator of random numbers from a file-sharing service and run this on a PC to participate. It’s a simple trick, but a very productive one.

Another popular method is web-mining through a special script being executed in browser. For example, in 2017 our security solutions stopped the launch of web miners on more than 70 million occasions. The most popular script used by cybercriminals is Coinhive, and usual cases of its use in the wild are websites with a lot of traffic. The longer the user session on those sites, the more money the site’s owner earned from mining. Major incidents involving Coinhive are hacked web pages, such as the Pirate Bay case, YouTube ads or UFC fight pass mining. However, other examples of its legal use are also known.

There are other groups, which do not need to spread miners to many people. Instead, their targets are powerful servers in big companies. Thus, for instance, Wannamine was spreading in internal networks using an EternalBlue exploit, and earned nine thousand Monero this way (approx. two million dollars). However, the first miner that used the EternalBlue exploit was Adylkuzz. In our previous research we described another miner family – Winder – that has used an extra service to restore a miner when it was being deleted by an AV product. That botnet earned a half million dollars.

Sophisticated techniques

This year we are observing the next trend – threat actors behind miners have begun to use malware techniques from targeted attacks. Our latest discovery is the “hollow” miner that uses a process-hollowing technique.

In this case the infection vector is a PUA module. A victim may have just wanted to download a legitimate application, but instead they downloaded a PUA with a miner installer inside. This miner installer drops the legitimate Windows utility msiexec with a random name, which downloads and executes a malicious module from the remote server. In the next step it installs a malicious scheduler task which drops the miner’s body. This body executes the legitimate system process and uses a process-hollowing technique (legitimate process code is changed to malicious). Also, a special flag, system critical flag, is set to this new process. If a victim tries to kill this process, the Windows system will reboot. So, it is a challenge for security solutions to deal with such malicious behavior and detect the threat properly.

Infection chain

Process hollowing example

Using such sophisticated technique, botnets earned over seven million dollars during the second half of 2017.

Also this year, we found one threat group that has been targeting big organizations with the main purpose to utilize their computer resources for mining. After getting into a corporate network they get access to the domain controller, and as a result they use domain policies to launch malicious code. In this particular case, actors executed malicious PowerShell script on each endpoint and server inside the corporate network.

Malicious powershell script

This script has the following logic:

  • After launching, it checks if this endpoint belongs to specific accounts, i.e. senior levels or information security officers. If it is true, then the script won’t execute the miner.
  • This script also checks current date and time information. It will execute the malicious miner in non-working time.
So what’s next?

Should we expect a further evolution in this class of malware? For sure. Moreover, we will see a spread in malware that uses new blockchain technologies. One of the recent and very promising technologies is the blockchain-based proof-of-space (PoSpace) concept.

Unlike proof-of-work (PoW) used in general mining botnets, a PoSpace algorithm needs a hard disk space. Therefore, a new type of miners based on this algorithm will be aiming first of all at big data servers.

On the one hand, monetization in this case is like that in usual malware miners with a PoW algorithm. On the other, this technology can provide cybercriminals with another profit. The blockchain on the PoS algorithm is a very big decentralized anonymous data center that can be used to spread malware or illegal content. As a result, it can bring more damage. Data will be encrypted and no one will know where it is physically stored.

Mining scheme based on proof-of-concept algorithm

To protect your network against such threats we advise you:

  • Conduct a security audit on a regular basis
  • Use security solutions on endpoints and servers

Kaspersky Lab products detect such threats with various verdicts.

  • PDM:Trojan.Win32.Generic
  • not-a-virus:RiskTool.Win32.BitCoinMiner
  • HEUR:Trojan.Win32.CoinMiner

Cryptocurrency miners go nuclear, RSA blunder, Winner back in court, and plenty more

The Register - Anti-Virus - 4 Březen, 2018 - 19:34
The ups and downs of security this week

Roundup  Here's a quick summary of infosec news from this week, beyond what we've already covered.…

Kategorie: Viry a Červi
Syndikovat obsah