As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.
David Harley, 15th April 2020
People keep telling me that this is the new ransomware… For the moment, I’m just going to flag things as they come up: maybe with commentary and better organization later. Items will be added with the latest items at the top.
Information Resources
- Heimdal Security: What Is Cryptojacking And How To Avoid This Attack – “Find out what blockchain is, why criminals want Monero coins and how to keep safe” from cryptojacking
- Cornell University Library: a multi-author paper on An Empirical Analysis of Traceability in the Monero Blockchain
- Here are some links to articles that relate to bitcoin from the page Ransomware, Bitcoin, other payment options:
- If you want a comprehensive explanation of how it’s all supposed to work, I recommend Princeton University’s Bitcoin and Cryptocurrency Technologies by Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, and Steven Goldfeder, though it’s long and not particularly cheap. (And, ironically, you can’t buy it with bitcoin.) It assumes that ‘…you have a basic understanding of computer science — how computers work, data structures and algorithms, and some programming experience. If you’re an undergraduate or graduate student of computer science, a software developer, an entrepreneur, or a technology hobbyist, this textbook is for you.’ However, it is written using a fairly conversational tone, so it’s certainly worth a look if you’re reasonably IT-literate.
- This primer from Princeton is about 296 pages shorter and more consumer friendly. And here’s Bitcoin’s own FAQ.
- Richard Chirgwin points out that Bitcoiners are just like everybody else: They use rubbish passwords, which may not reassure you.
- Imperva has published an interesting paper on ‘The secret of Cryptowall’s success’ based on Bitcoin wallet analysis.
- Bitcoin Wiki
- Blockchain Blog
- Sophos: Cryptojacking – coming to a server-laptop-phone near you (and how to stop it) – Paul Ducklin’s summary of blockchain and cryptojacking, with particular reference to Android.
News
19th November 2018
The Register: Scumbags cram Make-A-Wish website with coin-mining malware – “Researchers with Trustwave say the (now clean) WorldWish.org site was compromised via a Drupal exploit and seeded with malicious JavaScript that enlisted the CPU cycles of visitors’ machines to covertly generate cryptocurrency.”
18th November 2018
Matthieu Faou for ESET: Supply-chain attack on cryptocurrency exchange gate.io – “Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange”
Brian Krebs: Busting SIM Swappers and SIM Swap Myths – “KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.”
29th October 2018
Lawrence Abrams for Bleeping Computer: Exposed Docker APIs Continue to Be Used for Cryptojacking – “Trend Micro has recently spotted an attacker that is scanning for exposed Docker Engine APIs and utilizing them to deploy containers that download and execute a coin miner.”
Sophos: Call of Duty players caught up in cryptocurrency theft racket – “According to the Chicago Sun-Times, which has seen the first-hand report from a court filing in Chicago, the FBI alleges that the criminals involved stole more than $3.3 million USD in a variety of cryptocurrencies, including Reputation and Ethereum tokens and that the thieves coerced other Call of Duty players into joining their criminal activities.”
26th October 2018
ZDNet: North Korea blamed for two cryptocurrency scams, five trading platform hacks
“A Group-IB report published last week pinned five of 14 cryptocurrency exchange hacks on Lazarus Group, a codename assigned by the cyber-security industry to North Korea’s military hacking units. … In a report published today by threat intel firm Recorded Future, individuals associated with the North Korean regime have also been blamed for running cryptocurrency-related scam.” [sic]
Pierluigi Paganini: Experts presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol – “The presentation titled “BOTCHAIN aka The Dark side of Blockchain” includes details about the first fully functional Botnet built upon the Bitcoin Protocol named “BOTCHAIN”.”
24th October 2018
Graham Cluley: Twitter thought Elon Musk’s bizarre tweets were evidence he’d been hacked – “It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.”
Since there’s been a spate of Bitcoin fraud tweets spoofing his account, offering to sell someone some Bitcoin may have been a tweet too far.
19th October 2018
Bleeping Computer: Researcher Livestreams 51% Attack on Altcoin Blockchain – “A little over a week ago, a researcher promised to run a 51% attack on the blockchain of a small cryptocurrency called Einsteinium (EMC2), to show the world how easy the entire process was.”
12th October 2018
Brad Duncan for Palo Alto Unit 42: Fake Flash Updaters Push Cryptocurrency Miners – “…As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”
10th October 2018
Cecilia Pastorino for ESET: Blockchain: What is it, how it works and how it is being used in the market – “A closer look at the technology that is rapidly growing in popularity”
Help Net, citing a report by Webroot: Cryptomining dethrones ransomware as top threat in 2018
3rd October 2018
Lawrence Abrams for Bleeping Computer: Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones
Kaspersky has discovered that [Roaming Mantis Group] is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page.
John E. Dunn for Sophos: Monero fixes major ‘burning bug’ flaw, preventing mass devaluation
“…the developers realised that the apparent non-expert had just confirmed a major flaw in wallets used to transact the controversial and what is reportedly the world’s tenth most popular cryptocurrency.”
24th September 2018
Steve Kaaru for Null TX: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals – “The report revealed that cryptojacking incidences have spiked by over 450 percent in 2018, attributing the increased incidences to an NSA tool that was leaked in late 2017 which has been used by North Korean and Russian hackers in the past to infiltrate strategic targets.”
The article is based on a report from the Cyber Threat Alliance: THEY’RE DRINKING YOUR MILKSHAKE: CTA’S JOINT ANALYSIS ON ILLICIT CRYPTOCURRENCY MINING.
Alyza Sebenius for Bloomberg: Hackers Are Targeting Bitcoin With a Leaked NSA Software Tip, Report Says
Lukas Stefanko for ESET: Fake finance apps on Google Play target users from around the world – “Cybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange…the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services.”
18th September 2018
Palo Alto: Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows – “Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers that we have named XBash. We can tie this malware to the Iron Group, a threat actor group known for ransomware attacks in the past.”
Tomáš Foltýn for ESET: One in three UK orgs hit by cryptojacking in previous month, survey finds – “Conversely, only a little over one-third of IT executives believe that their systems have never been hijacked to surreptitiously mine digital currencies”
Trend Micro took a little time out from snarfing customer data to issue a report (Unseen Threats, Imminent Losses) that tells us of “a noticeable shift away from highly visible ransomware to a more discreet detection: cryptocurrency mining.” Phil Muncaster notes, based on that report, that Cryptomining Malware Soars 956% in a Year and also cites a report from Check Point which “warned last month that the number of global organizations affected by cryptojacking rose from just under 21% in the second half of 2017 to 42% in 1H 2018, with cyber-criminals making an estimated $2.5bn over the past six months.”
Graham Cluley: Cryptominers killing cryptominers to squeeze more out of your CPU
“As security researcher Xavier Mertens describes, a newly-encountered malicious miner for the Monero cryptocurrency is working hard to kill any potential competitors it encounters for system resources, using an ever-expanding list.”
Kaspars Osis for ESET: Kodi add-ons launch cryptomining campaign – “ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi being used to distribute Linux and Windows cryptocurrency-mining malware”
Commentary from Bleeping Computer: Malicious Kodi Add-ons Install Windows & Linux Coin Mining Trojans – “Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.”
Danny Bradbury for Sophos: Blockchain hustler beats the house with smart contract hack – “A wily hacker has scored a thousand dollar cryptocurrency jackpot … by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain …. Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.” Fascinating article.
31st August 2018
ZDNet: Bitfi finally gives up claim cryptocurrency wallet is unhackable – ‘On Twitter, the company posted a statement which said the company had hired external help in the form of a “Security Manager” who is “confirming vulnerabilities that have been identified by researchers.” “Effective immediately, we will be removing the “Unhackable” claim from our branding which has caused a significant amount of controversy,” the company added.’
Commentary by John Leyden for The Register: C’mon, if you say your device is ‘unhackable’, you’re just asking for it: Bitfi retracts edgy claim – “John McAfee-backed crypto-coin wallet eats humble pie”
Talos: Rocke: The Champion of Monero Miners – “Rocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.”
ThreatPost: New Threat Actor ‘Rocke’: A Rising Monero Cryptomining Menace – “Researchers at Cisco Talos, who discovered the threat actor they call “Rocke”, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. … “Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,” the research team said in a post Thursday.”
The Register: Cryptojacking isn’t a path to riches – payout is a lousy $5.80 a day – “Hackers shouldn’t quit their day scams if they want to eat…Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.” The paper is here.
28th August 2018
Bleeping Computer: Atlas Quantum Cryptocurrency Investment Platform Suffers Data Breach – “Atlas Quantum said the hacker (or hackers) did not steal any funds from users’ accounts.”
26th August 2018
Ars Technica: Bitcoin and ether are both down more than two-thirds from their peaks – “The value of ether has fallen 9 percent over the last 24 hours.”
24th August 2018
Brian Krebs: Alleged SIM Swapper Arrested in California – “Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion of hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.”
Commentary from CoinTelegraph.
SecureList: Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
Commentary by The Register: Nork hackers Lazarus brought back to life by AppleJeus to infect Macs for the first time – “Malware with polished website spotted stealing crypto-coins from traders”
21st August 2018
Next Web: Arrested BitConnect kingpin is connected to yet another cryptocurrency scam – “Something is cooking up in the Indian state of Gujarat”
17th August 2018
Trend Micro’s article Malware Targeting Bitcoin ATMs Pops Up in the Underground not only talks about the very interesting ATM malware Trend has analysed, but gives some useful background about Bitcoin ATMs, indicating that criminals are extending their activities beyond cryptomining.
Brian Krebs: Hanging Up on Mobile in the Name of Security – “An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.” The reason being, in this case at least, that mobile providers are too often tricked by scammers into transferring a victim’s service to a new SIM card and mobile phone in the possession of the scammer, not the victim.
An interesting article by William Suberg for CoinTelegraph: Researchers Reveal Network of 15K Crypto-Related Scam Bots on Twitter – “New research published today, Aug. 6, has shed light on the infamous phenomenon of cryptocurrency-related Twitter accounts advertising fake “giveaways,” revealing a network of at least 15,000 scam bots.”
2nd August 2018
Graham Cluley: Steam game Abstractism pulled after cryptomining accusations
The Register: ‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist – “A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.”
Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?
27th July 2018
John Leyden for The Register: Criminal mastermind injects malicious script into Ethereum tracker. Their message? ‘1337’ – “The Etherscan incident could have been far worse. Rather than a cheeky pop-up, a more mendacious mind might just have easily used the same flaw to run a crypto-mining scam.”
SecureList (Kaspersky): A mining multitool – “Symbiosis of PowerShell and EternalBlue for cryptocurrency mining… The creators of PowerGhost … started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.”
Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.”
11th July 2018
Sophos: The Pirate Bay is plundering your CPU for cryptocash, again – “Popular file sharing site The Pirate Bay seems to have returned to its old tricks again by mining cryptocurrency in visitors’ browsers without telling them.” Graham Cluley: The Pirate Bay is cryptomining for Monero with your CPU again
The Hacker News: New Virus Decides If Your Computer Good for Mining or Ransomware – “Researchers at Russian security firm Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.”
The Register: Japanese cryptominer slapped with suspended sentence – “Said to have netted only £34…”
Sophos: Think that bitcoins and a VPN keep you anonymous? Think again… – “A security lapse by a VPN operator can therefore be very worrying news indeed, and that’s what popular online cybercurrency wallet service MyEtherWallet (MEW) is warning about right now…Hola is a free VPN that essentially shares out participating users’ browser connections out amongst the community in order to get around geoblocks.”
5th July 2018
Pierluigi Paganini: Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation – “Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.”
Paul Ducklin for Sophos: Serious Security: How to cut-and-paste your way to Bitcoin riches – “Whether it’s cryptocurrency addresses, payment card details, ID numbers or other snippets of personal information, malware that sneakily changes data in the clipboard as you work online can trick you into paying the wrong people.”
29th June 2018
FireEye: RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique
The Register: How polite: Fun-bucks coin miners graciously ease off CPU pounding – “…according to Johannes Ullrich, head of research at SANS, who today pointed out that malicious mining apps are scaling down activity and employing built-in encryption to make them harder for antivirus packages to detect.”
27th June 2018
The Register: Top banker batters Bitcoin for sucky scalability, security – “Australia’s Reserve Bank sees no need for national cryptocurrencies, for now”
Sophos: Why Bitcoin’s about to give up one of its closely guarded secrets – “…the Bitcoin Core developers are finally set to unveil the not-as-secret-as-it-should-be private key that allows them to send messages to everyone on the entire Bitcoin network.”
Trend Micro: Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site – “Through social engineering, users are tricked into installing the miner that directly funnels profit (in the form of Monero and Ethereum coins, in this case)…”
22nd June 2018
Carl Sigler (Trustwave) for Help Net Security: Why cybercriminals are turning to cryptojacking for easy money. Another Help Net article cites a Morphisec report: Banking Trojans and cryptojacking on the rise.
Trend Micro: Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware
ESET: South Korea’s largest cryptocurrency exchange hacked – “Bithumb has claimed that $31.5 million worth of virtual coins were stolen by hackers”
20th June 2018
GB Hackers: Bithump Hacked – Hackers Steal $31 Million Worth Cryptocurrency
The Register: At last, a use for Intel’s SGX – locking AI and blockchain, says Intel – “Bias-enabling algorithms and smart contract tech no one quite trusts now easier to secure”
Also from The Register: Hot new application for blockchain: How does botnet control sound? – “It could happen, warns researcher” (to be precise, Omer Zohar in a presentation at BSides Tel Aviv, called Unblockable Chains – Is Blockchain the ultimate malicious infrastructure?).
Pierluigi Paganini: Android-based devices Amazon Fire TV and Fire Stick hit by cryptomining malware
15th June 2018
On this site: Cryptomining – it’s off to scam we go – three links to dubious cryptomining stories and another regarding market manipulation.
8th June 2018
Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”
Help Net Security, summarizing Check Point: Cryptomining malware digs into nearly 40% of organizations worldwide – “Check Point published its latest Global Threat Index for May 2018, revealing that the Coinhive cryptominer impacted 22% of organizations globally – up from 16% in April, an increase of nearly 50%.” Interesting pointers as to the prevalence of specific malware.
1st June 2018
Trend Micro: Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner
30th May 2018
ESET: UNICEF now using cryptocurrency mining for fundraising – “So far in 2018, the NGO has launched two charity campaigns with the aim of raising funds through cryptocurrency mining.”
Technode: Qihoo 360 discovers high-risk security issues in EOS, says 80% digital wallets have problems – “Blockchain platform EOS is facing a series of high-risk security vulnerabilities, according to Chinese cybersecurity company Qihoo 360 […] EOS is a blockchain-based, decentralized system that enables the development, hosting, and execution of commercial-scale decentralized applications (dApps) on its platform.”
26th May 2018
(1) Malwarebytes put up an interesting analysis of a new Mac Cryptominer: New Mac cryptominer uses XMRig.
Cryptomining malware targeting Mac users isn’t something we hear a lot about, but in his article Thomas Reed points out that: “Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate.”
Commentary from Pierluigi Paganini: Many users reported in the past few weeks their Macs have been infected with a new Monero Miner
(2) Help Net Security reports on How security pros see the future of cryptocurrencies and cryptomining: “Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices.”
(3) Help Net: How a URL shortener allows malicious actors to hijack visitors’ CPU power – “URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.”
(4) Interesting analysis, also from Help Net: Crypto Me0wing attacks: Kitty cashes in on Monero
(5) ZDNet: Verge blockchain comes under attack, again – It seems the same attack vector used to steal cryptocurrency reserves only just over a month ago is at fault.
20th May 2018
US Securities and Exchange Commission: The SEC Has an Opportunity You Won’t Want to Miss: Act Now! – “The SEC set up a website, HoweyCoins.com, that mimics a bogus coin offering to educate investors about what to look for before they invest in a scam. Anyone who clicks on “Buy Coins Now” will be led instead to investor education tools and tips from the SEC and other financial regulators.” Commentary from Sophos: Don’t invest! The ICO scam that doesn’t want your money
ZDNet: Brutal cryptocurrency mining malware crashes your PC when discovered – “…the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for the purpose of mining the Monero cryptocurrency.”
Help Net Security: 25% of companies affected by cloud cryptojacking
12th May 2018
- Graham Cluley: Cryptomining with JavaScript in an Excel spreadsheet
- David Bisson for Tripwire: Devs Find Fake Version of Bitcoin Wallet Stealing Users’ Seeds
- The Register: That Drupal bug you were told to patch weeks ago? Cryptominers hope you haven’t bothered – “Cryptocoin malware outfit takes aim at ‘Drupalgeddon’ bug”
5th May 2018
Help Net Security: Organizations should not overestimate the short-term benefits of blockchain
3rd May 2018
Catalin Cimpanu for Bleeping Computer: New MassMiner Malware Targets Web Servers With an Assortment of Exploits
The Register: Whoa, Gartner drops a truth bomb: Blockchain is overhyped and top IT bods don’t want it – “Didn’t you know it’s panacea to all corporate woes, bro?!”
Gad Naveh for Help Net: Dig this: The future of crypto-mining botnets
Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground
1st May 2018
- Trend Micro: FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation
- Commentary from The Register: Bitcoin hijackers found at least one sucker for scam Chrome extension – Victim of ‘FacexWorm’ malware clicked on random link from Facebook Messenger
Coin Telegraph: Scammers Hijack Verified Twitter Account To Steal Crypto By Posing As Telegram CEO
27th April 2018
The Register: Power spike leads Chinese police to 600-machine mining rig – “Six Bitcoiners cuffed for electricity heist”
25th April 2018
Graham Cluley for ESET: Ethereum cryptocurrency wallets raided after Amazon’s internet domain service hijacked
Help Net Security: Exfiltrating private keys from air-gapped cold wallets
Fortinet: Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
Bill Harris for Recode: Bitcoin is the greatest scam in history – “It’s a colossal pump-and-dump scheme, the likes of which the world has never seen.” Harsh!
23rd April 2018
360 Core Security: Attackers Fake Computational Power to Steal Cryptocurrencies from Mining Pools – “Recently, we detected a new type of attack which targets some equihash mining pools.”
21st April 2018
(1) Help Net: Cryptominers displace ransomware as the number one threat. Summarizes a report from Comodo and also observes: “Another surprising finding: Altcoin Monero became the leading target for cryptominers’ malware, replacing Bitcoin.” Maybe not that surprising: see Cameron Camp’s article for ESET – Monero cryptocurrency: Malware’s rising star
(2) The Next Web: Crypto YouTuber hacked out of $2 million during a livestream. That’s going to undermine his influence on casual investors…
(3) Trend Micro: Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner
15th April 2018
- F5: WINDOWS IIS 6.0 CVE-2017-7269 IS TARGETED AGAIN TO MINE ELECTRONEUM – “Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group.”
- The Register: Tried checking under the sofa? Indian BTC exchange Coinsecure finds itself $3.5m lighter. “Indian Bitcoin exchange Coinsecure has mislaid 438.318 BTC belonging to its customers.”
- Help Net Security: 2.5 billion crypto mining attempts detected in enterprise networks – “The volume of cryptomining transactions has been steadily growing since Coinhive came out with its browser-based cryptomining service in September 2017.” This is commentary on an earlier article from Zscaler: Cryptomining is here to stay in the enterprise.
12th April 2018
- Help Net Security commenting on Zscaler research – 2.5 billion crypto mining attempts detected in enterprise networks. Zscaler’s article is here: Cryptomining is here to stay in the enterprise
- Zscaler: njRAT pushes Lime ransomware and Bitcoin wallet stealer
[9th April 2018] John E. Dunn for Sophos: Hacker mines up to $1 million in Verge after exploiting major bug
[5th April 2018] Kaspersky Threat Post: RAROG TROJAN ‘EASY ENTRY’ FOR NEW CRYPTOMINING CROOKS, REPORT WARNS
[4th April 2018] Palo Alto Unit 42: Smoking Out the Rarog Cryptocurrency Mining Trojan – “Rarog has been seen primarily used to mine the Monero cryptocurrency, however, it has the capability to mine others.”
[April 4th 2018]
John Leyden for The Register: Badmins: Magento shops brute-forced to scrape card deets and install cryptominers
[3rd April 2018]
- Daniel Nelson (AVP) for Infosecurity Magazine: The Tesla Hack is a Serious Cryptojacking Warning
- Heimdal Security: What Is Cryptojacking And How To Avoid This Attack – “Find out what blockchain is, why criminals want Monero coins and how to keep safe” from cryptojacking
- The Hacker News: Google Bans Cryptocurrency Mining Extensions From Chrome Web Store
- Pierluigi Paganini: HiddenMiner Android Cryptocurrency miner can brick your device
- The Register: Floyd Mayweather-endorsed cryptocoin startup knocked out by fraud allegations – “Centra Tech raised more than $30m from investors”
- John Callahan of Viridium for Help Net: Using biometrics to protect crypto currency
[March 31st 2018]
Help Net: Crypto mining runs rampant in higher education: Is it students?
[March 29th 2018]
- Sophos: Unmasking Monero: stripping the currency’s privacy protection – commentary on the following.
- Cornell University Library: a multi-author paper on An Empirical Analysis of Traceability in the Monero Blockchain
[March 28th 2018]
- ESET: Monero cryptocurrency: Malware’s rising star
- Trend Labs: Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure. “So far, it’s affecting users in India and China, but it won’t be a surprise if it spreads beyond both countries.”
- Sophos: Cryptocurrency clampdown! Twitter bans ICO ads to combat scammers – “Twitter is to ban advertisers from pushing Initial Coin Offerings (ICOs) or selling tokens on its platform.”
[March 26th 2018]
- Brian Krebs: Who and What Is Coinhive?
- Help Net Security: Phishing, malware, and cryptojacking continue to increase in sophistication
[March 23rd 2018]
- Minerva Labs: GhostMiner: Cryptomining Malware Goes Fileless
- Zeljka Zorz for Help Net: Malware leverages web injects to empty users’ cryptocurrency accounts
[March 22nd 2018]
- Science Alert: Bitcoin Could Become Illegal Almost Everywhere, After Shocking Discovery in The Blockchain – “…this vast trove of data is irrevocably tainted with unremovable links to illegal child pornography…”
- Sophos: Bitcoin’s blockchain tainted with links to child abuse imagery
- Trend Micro: Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
- Brian Krebs: 15-Year-old Finds Flaw in Ledger Crypto Wallet
[March 20th 2018]
Sam Biddle for The Intercept: THE NSA WORKED TO “TRACK DOWN” BITCOIN USERS, SNOWDEN DOCUMENTS REVEAL. ‘Classified documents provided by whistleblower Edward Snowden show that the National Security Agency indeed worked urgently to target Bitcoin users around the world — and wielded at least one mysterious source of information to “help track down senders and receivers of Bitcoins…”’
Thomas Claburn for The Register: Bitcoin’s blockchain: Potentially a hazardous waste dump of child abuse, malware, etc: “Boffins warn of legal risks from arbitrary data distribution”. Summarizes this academic paper: “A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin”.
[March 18th 2018]
- Peter Kálnai and Michal Poslušný for ESET (posted 14th March): Dangerous malware stealing bitcoin hosted on Download.com for years
- McAfee: McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime
- Patrick Wardle: A Surreptitious Cryptocurrency Miner in the Mac App Store? – “a free calendar app possesses more than meets the eye!”
- Graham Cluley: Calendar 2 app pulled from Mac App Store after cryptomining controversy – “APPLE APPROVED MISBEHAVING CRYPTOMINING FEATURE.”
[March 13th 2018]
- Tomáš Foltýn for ESET: Cryptocurrency exchange announces bounty on hackers
“Binance is offering a $250,000 USD equivalent bounty to anyone who supplies information that leads to the legal arrest of the hackers involved in the attempted hacking incident on Binance on March 7th, 2018.”
- Sophos: Cryptomining isn’t going to make you rich
“…a new calculation based on a real-world case study has suggested a more surprising problem – cryptomining might not be profitable enough in the first place.”
- Microsoft: Invisible resource thieves: The increasing threat of cryptocurrency miners
[March 12th 2018]
(1) Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?
(2) Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:
I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.
If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserves credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.
Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes.
[March 8th 2018]
Microsoft: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Rather self-congratulatory – sounds as if Microsoft stopped a campaign all by itself and Windows Defender is The Answer to crypto-mining and world hunger, but still…
[March 7th 2018]
- ESET: Cryptojacking: the result of the “cryptocurrency rush”
- Kaspersky: Mining is the new black
- Commentary from John Leyden for The Register: CryptoLurker hacker crew skulk about like cyberspies, earn $$$
- Palo Alto/Unit 42: Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency
- SANS/Internet Storm Center: The Crypto Miners Fight For CPU Cycles
- Commentary from The Register: Miner vs miner: Attack script seeks out and destroys competing currency crafters – “There is no honour among CPU thieves”
- Wall Street Journal: Cryptocurrency Firms Targeted in SEC Probe
“Regulator issues subpoenas to parties engaged in booming market for initial coin offerings”
[March 5th 2018]
- Lisa Vaas for Sophos: Bill Gates: Cryptocurrencies killing people in “fairly direct way”. As she notes, Gates has not always been so sceptical, but he does have a point.
- Cited in that article: Bitcoin Transactions Aren’t as Anonymous as Everyone Hoped “Web merchants routinely leak data about purchases. And that can make it straightforward to link individuals with their Bitcoin purchases, say cybersecurity researchers.” Citing in its turn research from Steven Goldfeder et al: When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies.
- The Register: Bitcoin heist with a twist: This time it’s servers that were stolen – “Icelandic cops cuff 11 on suspicion of data centre robberies”
[March 1st 2018]
- Josh Grunzweig for Palo Alto/Unit 42: Monero Miners Continue to Plague Users via Russian BitTorrent Site – “The latest identified threat comes in the form of a Russian BitTorrent site that is covertly distributing malware, primarily mining the Monero cryptocurrency, to its users.”
- (IN)Secure Magazine issue 57 includes an article by Zoran Lalic on ‘A deep dive into blockchain and Bitcoin’ as well as news on crypto-mining and other security issues.
[28th February 2018]
- Lukas Stefanko for ESET: Cryptocurrency scams on Android: do you know what to watch out for?
- Ana Dascalescu for Heimdal: What Is Cryptojacking And How To Avoid This Attack “Find out what blockchain is, why criminals want Monero coins and how to keep safe from cryptojacking”
- Sophos: Apple co-founder Steve Wozniak scammed by Bitcoin fraudster “News of the incident emerged at a conference in India, where ‘The Woz’ described losing seven Bitcoins (currently worth $70,000) to a fraudster who paid for them using a credit card but then issued a chargeback.”
[27th February 2018]
- John Leyden for The Register: Opt-in cryptomining script Coinhive ‘barely used’ say researchers. Malwarebytes says that few sites are using the opt-in version of Coinhive (as does Troy Mursch), but Coinhive reckons that “a third of cryptomining-using websites get their users’ consent.”
- Pierluigi Paganini: Evrial: The Latest Malware That Steals Bitcoins Using the Clipboard
- Sophos: Unsecured AWS led to cryptojacking attack on LA Times
- HelpNet: Cryptojacking is the new malware
- Bleeping Computer: Hacker Returns $26 Million Worth of Ethereum Back to Hacked Company “A hacker has returned over $26.2 million worth of Ethereum to CoinDash, the company it obtained the funds from in July 2017.”
- An interesting resource, maybe: APWG’s Cryptocurrency Anti-Phishing Working Group
[24th February 2018]
CNBC: Secretive Chinese bitcoin mining company may have made as much money as Nvidia last year
[23rd February 2018]
- CyberAdapt: What is crypto currency, how does it work, and how can we protect? (HT to Ken Bechtel!)
- Lisa Vaas for Sophos: Bitcoin exchange founder charged with covering up hack
“Jon Montroll, 37, of Saginaw, Texas, the operator of a now-defunct cryptocurrency investment platform … [has] … been charged with lying to cover the fact that hackers made off with more than 6,000 of his customers’ Bitcoins.”
- ITNews: US arrests operator of shuttered bitcoin investment platform – “BitFunder boss allegedly lied about hack.”
[22nd February 2018]
- The Register: Guys, you’re killing us! LA Times homicide site hacked to mine crypto-coins on netizens’ PCs
“The newspaper’s IT staffers left at least one of the publication’s Amazon Web Services S3 cloud storage buckets wide open to anyone on the internet to freely change, update, and tamper.”
- Graham Cluley for Tripwire: LA Times homicide website throttles cryptojacking attack
- The Register: Blockchain nears peak hype: UK politicos to probe crypto-coin – Digi currencies falling under glare of Treasury committee. [Hopefully they’ll bear security somewhat in mind…]
- Sophos: Tesla cryptojacked by currency miners. Commentary on an article from Redlock: Lessons from the Cryptojacking Attack at Tesla
[18th February 2018]
- CoinTelegraph: FCC Officially Warns Brooklyn BTC Miner Of ‘Harmful Interference’ To T-Mobile
“The U.S. Federal Communications Commission (FCC) has sent an official notice, dated Feb. 15, to a resident of Brooklyn, New York, Victor Rosario, citing that his Bitcoin (BTC) miner was causing harmful interference to T-Mobile’s broadband network.”
- Heimdal: Coinhive Injections Are An Understated Threat Against Home And Corporate Users
- Check Point: Jenkins Miner: One of the Biggest Mining Operations Ever Discovered
“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server…” [See also The Register: Year-old vuln turns Jenkins servers into Monero mining slaves – “The hip world of continuous integration meets the dark world of crypto-jacking”]
[16th February 2018] FireEye: CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
Bleeping Computer: Using the Chrome Task Manager to Find In-Browser Miners
[15th February 2018]: Help Net Security summarizes commentary from Check Point. Cryptomining malware continues to drain enterprise CPU power.
“In January, crypto-mining malware continued to be the most prevalent with Coinhive retaining its most wanted spot impacting 23% of organizations, followed by Fireball in second and Rig Exploit Kit in third impacting 17% of organizations.”
And here’s Check Point’s blog article: January’s Most Wanted Malware: Cryptomining Malware Continues to Cripple Enterprise CPU Power
“Check Point researchers also discovered three different variants of cryptomining malware in its top 10 most prevalent ranking, with Coinhive ranking first, impacting more than one-in-five organizations.”
Help Net Security/Radiflow: When crypto-mining malware hits a SCADA network
[14th February 2018]
Two links from Sophos:
- When crooks mine cryptocoins, but you pay [Naked Security Podcast 1]
- Bitcoin mining to zap more energy than households in Iceland this year
Plus another about yet another cryptocurrency exit scam:
- Cryptocurrency startup LoopX exit scams with $4.5M in ICO
Catalin Cimpanu for Bleeping Computer: Bitmessage Zero-Day Used in Attacks That Steal Bitcoin Wallet Files
Graham Cluley: Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies – IT WANTS TO USE YOUR COMPUTER’S RESOURCES TO MAKE THEM MONEY.
“Yup, Salon is giving you a choice. If you don’t want to disable your ad blocker, maybe you’ll feel comfortable letting it run code from Coinhive which will gobble up your computer’s resources to mine some Monero cryptocurrency.”
Browsealoud compromise (injection of Coinhive): partial but lengthy list of affected sites.
[12th February 2018] Bleeping Computer: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked
“Thousands of sites were injected with an in-browser Monero miner today after a popular accessibility script was compromised. With 4,275 sites affected, this included government websites such as uscourts.gov, ico.org.uk, & manchester.gov.uk.”
ESET: US and UK government websites hijacked to mine cryptocurrency on visitors’ machines
“If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack.”
[9th February 2018] BBC: Russian nuclear scientists arrested for ‘Bitcoin mining plot’
“Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”
[8th February 2018] Zeljka Zorz for Help Net: When crypto-mining malware hits a SCADA network
“Industrial cybersecurity vendor Radiflow […] has recently discovered Monero-mining malware on five servers of a water utility company located in Europe. These servers included […] the control server of the physical processes of the company.