Cryptocurrency/Crypto-mining News and Resources

People keep telling me that this is the new ransomware… For the moment, I’m just going to flag things as they come up: maybe with commentary and better organization later. Items will be added with the latest items at the top.

Information Resources

  • Heimdal Security: What Is Cryptojacking And How To Avoid This Attack – “Find out what blockchain is, why criminals want Monero coins and how to keep safe” from cryptojacking
  • Cornell University Library: a multi-author paper on An Empirical Analysis of Traceability in the Monero Blockchain
  • Here are some links to articles that relate to bitcoin from the page Ransomware, Bitcoin, other payment options:
    • If you want a comprehensive explanation of how it’s all supposed to work, I recommend Princeton University’s Bitcoin and Cryptocurrency Technologies by Arvind Narayanan, Joseph Bonneau, Edward Felten,Andrew Miller, and Steven Goldfeder, though it’s long and not particularly cheap. (And, ironically, you can’t buy it with bitcoin.) It assumes that ‘…you have a basic understanding of computer science — how computers work, data structures and algorithms, and some programming experience. If you’re an undergraduate or graduate student of computer science, a software developer, an entrepreneur, or a technology hobbyist, this textbook is for you.’ However, it is written using a fairly conversational tone, so it’s certainly worth a look if you’re reasonably IT-literate.
    • This primer from Princeton is about 296 pages shorter and more consumer friendly. And here’s Bitcoin’s own FAQ.
    • Richard Chirgwin points out that Bitcoiners are just like everybody else: They use rubbish passwords, which may not reassure you.
    • Imperva has published an interesting paper on ‘The secret of Cryptowall’s success‘ based Bitcoin wallet analysis.
    • Bitcoin Wiki
    • Blockchain Blog

News

11th July 2018

Sophos: The Pirate Bay is plundering your CPU for cryptocash, again – “Popular file sharing site The Pirate Bay seems to have returned to its old tricks again by mining cryptocurrency in visitors’ browsers without telling them.” Graham Cluley: The Pirate Bay is cryptomining for Monero with your CPU again

The Hacker News: New Virus Decides If Your Computer Good for Mining or Ransomware – “Researchers at Russian security firm Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.”

The Register: Japanese cryptominer slapped with suspended sentence – “Said to have netted only £34…”

Sophos: Think that bitcoins and a VPN keep you anonymous? Think again… – “A security lapse by a VPN operator can therefore be very worrying news indeed, and that’s what popular online cybercurrency wallet service MyEtherWallet (MEW) is warning about right now…Hola is a free VPN that essentially shares out participating users’ browser connections out amongst the community in order to get around geoblocks.”

5th July 2018

Pierluigi Paganini: Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation – “Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.”

Paul Ducklin for Sophos: Serious Security: How to cut-and-paste your way to Bitcoin riches – “Whether it’s cryptocurrency addresses, payment card details, ID numbers or other snippets of personal information, malware that sneakily changes data in the clipboard as you work online can trick you into paying the wrong people.”

29th June 2018

FireEye: RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

The Register: – How polite: Fun-bucks coin miners graciously ease off CPU pounding “…according to Johannes Ullrich, head of research at SANS, who today pointed out that malicious mining apps are scaling down activity and employing built-in encryption to make them harder for antivirus packages to detect.”

27th June 2018

The Register: Top banker batters Bitcoin for sucky scalability, security – “Australia’s Reserve Bank sees no need for national cryptocurrencies, for now”

Sophos: Why Bitcoin’s about to give up one of its closely guarded secrets – “…the Bitcoin Core developers are finally set to unveil the not-as-secret-as-it-should-be private key that allows them to send messages to everyone on the entire Bitcoin network.”

Trend Micro: Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site – “Through social engineering, users are tricked into installing the miner that directly funnels profit (in the form of Monero and Ethereum coins, in this case)…”

22nd June 2018

Carl Sigler (Trustwave) for Help Net Security: Why cybercriminals are turning to cryptojacking for easy money. While another article cites a Morphisec report: Banking Trojans and cryptojacking on the rise.

Trend Micro: Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware

ESET: South Korea’s largest cryptocurrency exchange hacked – “Bithumb has claimed that $31.5 million worth of virtual coins were stolen by hackers”

20th June 2018

GB Hackers: Bithump Hacked – Hackers Steal $31 Million Worth Cryptocurrency

The Register: At last, a use for Intel’s SGX – locking AI and blockchain, says Intel – “Bias-enabling algorithms and smart contract tech no one quite trusts now easier to secure”

Also from The Register: Hot new application for blockchain: How does botnet control sound? – “It could happen, warns researcher” (to be precise, Omer Zohar in a presentation at BSides Tel Aviv, called Unblockable Chains – Is Blockchain the ultimate malicious infrastructure?).

Pierluigi Paganini: Android-based devices Amazon Fire TV and Fire Stick hit by cryptomining malware

15th June 2018

On this site: Cryptomining – it’s off to scam we go – three links to dubious cryptomining stories and another regarding market manipulation.

8th June 2018

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Help Net Security, summarizing Checkpoint: Cryptomining malware digs into nearly 40% of organizations worldwide – “Check Point published its latest Global Threat Index for May 2018, revealing that the Coinhive cryptominer impacted 22% of organizations globally – up from 16% in April, an increase of nearly 50%.” Interesting pointers as to the prevalence of specific malware.

1st June 2018

Trend Micro: Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner

30th May 2018

ESET: UNICEF now using cryptocurrency mining for fundraising – “So far in 2018, the NGO has launched two charity campaigns with the aim of raising funds through cryptocurrency mining.”

Technode: Qihoo 360 discovers high-risk security issues in EOS, says 80% digital wallets have problems – “Blockchain platform EOS is facing a series of high-risk security vulnerabilities, according to Chinese cybersecurity company Qihoo 360 […] EOS is a blockchain-based, decentralized system that enables the development, hosting, and execution of commercial-scale decentralized applications (dApps) on its platform.”

26th May 2018

(1) Malwarebytes put up an interesting analysis of a new Mac Cryptominer: New Mac cryptominer uses XMRig.

Cryptomining malware targeting Mac users isn’t something we hear a lot about, but in his article Thomas Reed points out that: “Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate.”

Commentary from Pierluigi Paganini: Many users reported in the past few weeks their Macs have been infected with a new Monero Miner

(2) Help Net Security reports on How security pros see the future of cryptocurrencies and cryptomining: “Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices.”

(3) Help Net: How a URL shortener allows malicious actors to hijack visitors’ CPU power – “URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.”

(4) Interesting analysis, also from Help Net: Crypto Me0wing attacks: Kitty cashes in on Monero

(5) ZDnet: Verge blockchain comes under attack, again – It seems the same attack vector used to steal cryptocurrency reserves only just over a month ago is at fault.

20th May 2018

US Securities and Exchange Commission: The SEC Has an Opportunity You Won’t Want to Miss: Act Now! – “The SEC set up a website, HoweyCoins.com, that mimics a bogus coin offering to educate investors about what to look for before they invest in a scam. Anyone who clicks on “Buy Coins Now” will be led instead to investor education tools and tips from the SEC and other financial regulators.” Commentary from Sophos: Don’t invest! The ICO scam that doesn’t want your money

ZDNet: Brutal cryptocurrency mining malware crashes your PC when discovered – “…the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for the purpose of mining the Monero cryptocurrency.”

Help Net Security: 25% of companies affected by cloud cryptojacking

12th May 2018

5th May 2018

Help Net Security: Organizations should not overestimate the short-term benefits of blockchain

3rd May 2018

Catalin Cimpanu for Bleeping Computer: New MassMiner Malware Targets Web Servers With an Assortment of Exploits

The Register: Whoa, Gartner drops a truth bomb: Blockchain is overhyped and top IT bods don’t want it – “Didn’t you know it’s panacea to all corporate woes, bro?!”

Gad Naveh for Help Net: Dig this: The future of crypto-mining botnets

Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

1st May 2018

Coin Telegraph: Scammers Hijack Verified Twitter Account To Steal Crypto By Posing As Telegram CEO

27th April 2018

The Register: Power spike leads Chinese police to 600-machine mining rig – “Six Bitcoiners cuffed for electricity heist”

25th April 2018

Graham Cluley for ESET: Ethereum cryptocurrency wallets raided after Amazon’s internet domain service hijacked

Help Net Security: Exfiltrating private keys from air-gapped cold wallets

Fortinet: Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner

Bill Harris for Recode: Bitcoin is the greatest scam in history “It’s a colossal pump-and-dump scheme, the likes of which the world has never seen.” Harsh!

23rd April 2018

360 Core Security: Attackers Fake Computational Power to Steal Cryptocurrencies from Mining Pools “Recently, we detected a new type of attack which targets some equihash mining pools.”

21st April 2018

(1|) Help Net: Cryptominers displace ransomware as the number one threat. Summarizes a report from Comodo and also observes: “Another surprising finding: Altcoin Monero became the leading target for cryptominers’ malware, replacing Bitcoin.” Maybe not that surprising: see Cameron Camp’s article for ESET – Monero cryptocurrency: Malware’s rising star

(2) The Next Web: Crypto YouTuber hacked out of $2 million during a livestream. That’s going to undermine his influence on casual investors…

(3) Trend Micro: Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner

15th April 2018

12th April 2018:

 

[9th April 2018] John E. Dunn for Sophos: Hacker mines up to $1 million in Verge after exploiting major bug

[5th April 2018] Kaspersky Threat Post: RAROG TROJAN ‘EASY ENTRY’ FOR NEW CRYPTOMINING CROOKS, REPORT WARNS

[4th April 2018] Palo Alto Unit 42: Smoking Out the Rarog Cryptocurrency Mining Trojan – “Rarog has been seen primarily used to mine the Monero cryptocurrency, however, it has the capability to mine others.”

[April 4th 2018]

John Leyden for The Register: Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

[3rd April 2018]

[March 31st 2018]

Help Net: Crypto mining runs rampant in higher education: Is it students?

[March 29th 2018]

[March 28th 2018]

[March 26th 2018]

[March 23rd 2018]

[March 22nd 2018]

[March 20th 2018]

Sam Biddle for The Intercept: THE NSA WORKED TO “TRACK DOWN” BITCOIN USERS, SNOWDEN DOCUMENTS REVEAL. ‘Classified documents provided by whistleblower Edward Snowden show that the National Security Agency indeed worked urgently to target Bitcoin users around the world — and wielded at least one mysterious source of information to “help track down senders and receivers of Bitcoins…”’

Thomas Claburn for The Register: Bitcoin’s blockchain: Potentially a hazardous waste dump of child abuse, malware, etc: “Boffins warn of legal risks from arbitrary data distribution”. Summarizes this academic paper “A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin“.

[March 18th 2018]

[March 13th 2018]

[March 12th 2018]

(1) Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?

(2) Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:

I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.

If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserve credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do. 

Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes. 

[March 8th 2018]

Microsoft: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Rather self-congratulatory – sounds as if Microsoft stopped a campaign all by itself and Windows Defender is The Answer to crypto-mining and world hunger, but still…

[March 7th 2018]

[March 5th 2018]

[March 1st 2018]

[28th February 2018]

[27th February 2018]

[24th February 2018]

CNBC: Secretive Chinese bitcoin mining company may have made as much money as Nvidia last year

[23rd February 2018]

[22nd February 2018]

[18th February 2018]

[16th February 2018] FireEye: CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Bleeping Computer: Using the Chrome Task Manager to Find In-Browser Miners

[15th February 2018]: Help Net Security summarizes commentary from Check Point. Cryptomining malware continues to drain enterprise CPU power.

“In January, crypto-mining malware continued to be the most prevalent with Coinhive retaining its most wanted spot impacting 23% of organizations, followed by Fireball in second and Rig Exploit Kit in third impacting 17% of organizations.”

And here’s Check Point’s blog article: January’s Most Wanted Malware: Cryptomining Malware Continues to Cripple Enterprise CPU Power

“Check Point researchers also discovered three different variants of cryptomining malware in its top 10 most prevalent ranking, with Coinhive ranking first, impacting more than one-in-five organizations.”

Help Net Security/Radiflow: When crypto-mining malware hits a SCADA network

[14th February 2018]

Two links from Sophos:

Catalin Cimpanu for Bleeping Computer: Bitmessage Zero-Day Used in Attacks That Steal Bitcoin Wallet Files

Graham Cluley: Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies – IT WANTS TO USE YOUR COMPUTER’S RESOURCES TO MAKE THEM MONEY.
“Yup, Salon is giving you a choice. If you don’t want to disable your ad blocker, maybe you’ll feel comfortable letting it run code from Coinhive which will gobble up your computer’s resources to mine some Monero cryptocurrency.”

Browsealoud compromise (injection of Coinhive): partial but lengthy list of affected sites.

12th February 2018. Bleeping Computer: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked
“Thousands of sites were injected with a in-browser Monero miner today after a popular accessibility script was compromised. With 4,275 sites affected, this included government websites such as uscourts.gov, ico.org.uk, & manchester.gov.uk.”

ESET: US and UK government websites hijacked to mine cryptocurrency on visitors’ machines

“If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack.”

[9th February 2018] BBC: Russian nuclear scientists arrested for ‘Bitcoin mining plot’
“Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”

[8th February 2018] Zeljka Zorz for Help Net: When crypto-mining malware hits a SCADA network
“Industrial cybersecurity vendor Radiflow […] has recently discovered Monero-mining malware on five servers of a water utility company located in Europe. These servers included […] the control server of the physical processes of the company.

Advertisements