Search This Blog

Showing posts with label Cryptomining News. Show all posts

Malware Targets Weblog Servers And Dockers APIs For Cryptomining

Malicious malware known as Kinsing is using both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to boost cryptocurrency mining malware. 
  
It was discovered by Trend Micro, that a financially-motivated cyber attack group behind the malware was making use of the vulnerability to run Python scripts that could disable Operating System (OS) security features such as Security-Enahnced Linux (SELinux), and many more. 
 
Kinsing malware has a history of acquiring vulnerable servers to co-opt into botnet devices such as Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence vulnerability (CVE-2022-26134). The malware has also reportedly been involved in campaign container environments via misconfigured open Docker Daemon API ports instigating crypto mining and spreading the malware to other containers am host devices. 
 
In the latest wave of attacks, the malicious actor weaponized a two-year-old Remote Code Execution (RCE) bug, dubbed CVE-2020-14882 (CVSS score 9.8), against unpatched vulnerabilities to seize control of the servers and cause harm to the victims through malicious payloads. 
 
The exploitation of the bug further involved deploying a shell script responsible for various actions, such as removing the var/log/syslog/systemlog, disabling security functions and cloud service agents from conglomerates like Alibaba and Tencent – killing competing crypto mining processes.  
 
It is then followed by the shell script downloading the Kinsing malware from a remote server, along with taking steps to ensure persistence through a cron job. 
 
“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform plethora of malicious activities on the affected systems” Trend Micro said. “This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.”
 
TeamTNT malwares makes comeback
 
Researchers at Aqua Security, a cloud-native security company, have linked three new attacks to another “vibrant” cryptojacking group called "TeamTNT", which eventually stopped functioning in November 2021.  
 
“TeamTNT has been scanning for microconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to C2 server”, stated Aqua Security researcher Assaf Morag. 

The attack chain appears to be designed to crack SECP256K1 encryption, which if successful could give the malicious actor the ability to compute the keys for each cryptocurrency wallet. Thus, using high but illegal processing power of its targets to run the ECDLP solver and acquire the key. The other two attacks carried out by the threat group involve exploiting exposed Redis servers and misconfigured Docker API to provide cryptominers and Tsunami binaries. 
 
The targeting of Docker REST APIs by TeamTNTs has been well-documented over the past years. But in an operational security blunder observed by Trend Micro, credentials connected with two of the attacker-controlled DockerHub accounts have been uncovered. 

The accounts namely 'alpineos' and 'sandeep078' are said to have been used to distribute numerous malicious payloads like rootkits, Kubernetes exploits kits, credential stealers, XMTig Monero miners, and even the Kingsing malware. 
 
“The account alpineos was used in exploitation attempts on out honeypots three times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” stated Nitesh Surana, a researcher at Trend Micro. 
 
As estimated by Trends Micro, alpineos image has been downloaded more than 150,000 times. This further notified Docker about these accounts. 
 
The cybersecurity platform recommends organizations configure the exposed RESR API with TLS to steer clear of the adversary-in-the-middle (AiTM) attacks, along with using credential stores and helpers to host user credentials.

In-Browser Cryptomining Service, 'Coinhive' to Shut Down on March 8, 2019



Coinhive, an in-browser Monero cryptocurrency miner which was designed to provide web developers a JavaScript will be terminating its operations soon.  

Officials at Coinhive put the news forth in a blog post on February 26 where they cited various reasons for their decision of shutting down all their operations. The post suggested that following a 50 percent drop in hash rate, Cryptocurrency service, Coinhive decided to discontinue its operations on March 8, 2019.  

Referencing from the blog post, "The drop in hash rate (over 50%) after the last Monero hard fork hit us hard," the company said. "So did the 'crash' of the crypto currency market with the value of XMR depreciating over 85% within a year."

"This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive," said the officials.

The project which no longer is economically viable was launched in September 2017 as an alternative to traditional banner ads.

Before Coinhive’s in-browser Monero mining stops working on March 8, the registered users will be made dashboards accessible until April 30 so that they can withdraw funds from their respective accounts.

The digital currency mining service, despite the consistent efforts of the team never become one of the major websites in the league. Moreover, it was subjected to heavy criticism for skyrocketing the CPU usage inside browsers. 

Afterward, it went on becoming immensely popular among cybercriminals for cryptojacking and recently a report from Kaspersky Labs suggested that cryptojacking left behind ransomware and became the biggest cybersecurity threat. 

Referencing from the announcement made by the company,

“Some of you might have anticipated this; some of you will be surprised. The decision has been made. We will discontinue our service on March 8, 2019. It has been a blast working on this project over the past 18 months, but to be completely honest, it isn’t economically viable anymore.”

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the “crash” of the cryptocurrency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive.”