GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver (BYOVD) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

The cryptojacking group known as Kinsing has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets. The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet

From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan. The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content. According to Fortinet FortiGuard Labs, clicking the URL

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

A critical security flaw has been disclosed in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress

New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir said in a technical report. The cryptojacking attack is facilitated

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe. The agency attributed the campaign to a threat actor it calls UAC-0027. DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat. "The campaign deploys a benign container generated using the Commando project," Cado security researchers Nate Bill and Matt Muir said in a new report published today. "The attacker escapes this container and runs multiple payloads on the

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

A 29-year-old Ukrainian national has been arrested in connection with running a “sophisticated cryptojacking scheme,” netting them over $2 million (€1.8 million) in illicit profits. The person, described as the “mastermind” behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider

8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated

GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0)

Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed OracleIV. "Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable

EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and

New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig 

Silentbob Campaign: Cloud-Native Environments Under Attack

Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments. "This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials

Beware bad passwords as attackers co-opt Linux servers into cybercrime

Did you prevent password-only logins on your SSH servers? On ALL of them? Are you sure about that?

New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The

New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic

The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. Crypters are a type of software that can encrypt,

New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack. "Underpinning this campaign was the use of transfer[.]sh," Cado Security said in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code

Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL

The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week. Kinsing has a storied history of

New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances

A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency. Cybersecurity company CrowdStrike dubbed the activity Kiss-a-dog, with its command-and-control infrastructure overlapping with those associated with other groups like TeamTNT, which are known to strike misconfigured

Why Crypto Winter is No Excuse to Let Your Cyber Defenses Falter

Don’t let the ongoing “crypto winter” lull you into a false sense of cybersecurity. Even as cryptocurrencies lose value — and some crypto companies file for bankruptcy — cryptojacking still poses an urgent threat to enterprises across industries, from financial services to healthcare to industry 4.0 and beyond.  Broadly speaking, cryptojacking is defined as the unauthorized and illegitimate use

Capital One identity theft hacker finally gets convicted

It took three years, but the Capital One cracker was convicted in the end. Don't get caught out in a data breach of your own!

INTERPOL Collaboration Reduces Cryptojacking by 78%

Cybercriminals are often seen as having the upper hand over the “white hat” community. After all, they’re anonymous, can launch attacks from virtually anywhere in the world, and usually have the element of surprise. But there’s one secret weapon the good guys have: Collaboration. That’s why Trend Micro has always prioritized its partnerships with law enforcement, academia, governments and other cybersecurity businesses.

We’re proud to have contributed to yet another successful collaborative operation with INTERPOL Global Complex for Innovation (IGCI) in Singapore that’s helped to reduce the number of users infected by cryptomining malware by 78%.

Cryptomining On The Rise

Also known as cryptojacking, these attacks have become an increasingly popular way for cybercriminals to make money.

Why?

Because victims don’t know they’ve been infected. The malware sits on their machine in the background mining for digital currency 24/7/365. Increasingly, hackers have taken to launching sophisticated attacks against enterprise IT systems and cloud servers to increase their mining and earning potential. But many still target home computer systems like routers, as these are often left relatively unprotected. Stitch enough of these devices together in a botnet and they have a ready-made cash cow.

That’s why cryptojacking remained the most detected threat in the first half of 2019 in terms of file-based threat components, according to our data.

Unlike serious data breaches, phishing attacks, ransomware and banking Trojans, cryptojacking doesn’t have major impact on the victim. They don’t lose sensitive personal data, there’s no risk of follow-on identity fraud and they’re not extorted for funds by being locked out of their PC.

However, it’s not without consequences: Cryptomining malware can slow your home network to a crawl while running up serious energy bills. It may even bring your home computers to a premature end. Also, there’s always the risk with any kind of malware infection that hackers may switch tactics and use their footprint on your home machines to launch other attacks in the future.

Enter Operation Goldfish Alpha

That’s why we were keen to offer our assistance to INTERPOL during this year’s Operation Goldfish Alpha. Thanks to our broad global visibility into attack trends and infection rates, we were able to articulate the scale of the cryptojacking threat and key mitigation steps, at a pre-operation meeting with ASEAN law enforcement officers in June.

A few months later, we developed and disseminated a key Cryptojacking Mitigation and Prevention guidance document. It details how a vulnerability in MikroTik routers had exposed countless users in the region to the risk of compromise by cryptomining malware. The document explains how to scan for this flaw using Trend Micro HouseCall for Home Networks, and how HouseCall can be used to detect and delete the Coinhive JavaScript that hackers were using to mine for digital currency on infected PCs.

Spectacular Success

Over the five months of Operation Goldfish Alpha, experts from national Computer Emergency Response Teams (CERTs) and police across 10 countries in the region worked to locate the infected routers, notify the victims and use our guidance document to patch the bugs and kick out the hackers.

Having helped to identify over 20,000 routers in the region that were hacked in this way, we’re delighted to say that by November, the number had reduced by at least 78%.

That’s the value of partnerships between law enforcement and private cybersecurity companies: They combine the power of investigative policing with the detailed subject matter expertise, visibility and resources of industry experts like us. We’ll continue to lend a hand wherever we can to make our connected, digital world a safer place.

The post INTERPOL Collaboration Reduces Cryptojacking by 78% appeared first on .