People keep telling me that this is the new ransomware… For the moment, I’m just going to flag things as they come up: maybe with commentary and better organization later. Items will be added with the latest items at the top.
[March 18th 2018]
- PETER KÁLNAI and MICHAL POSLUŠNÝ for ESET (posted 14th March): Dangerous malware stealing bitcoin hosted on Download.com for years
- McAfee: McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime
- Patrick Wardle: A Surreptitious Cryptocurrency Miner in the Mac App Store? – “a free calendar app possesses more than meets the eye!”
- Graham Cluley: Calendar 2 app pulled from Mac App Store after cryptomining controversy – “APPLE APPROVED MISBEHAVING CRYPTOMINING FEATURE.”
[March 13th 2018]
- Tomáš Foltýn for ESET: Cryptocurrency exchange announces bounty on hackers
“Binance is offering a $250,000 USD equivalent bounty to anyone who supplies information that leads to the legal arrest of the hackers involved in the attempted hacking incident on Binance on March 7th, 2018,”
- Sophos: Cryptomining isn’t going to make you rich
“…a new calculation based on a real-world case study has suggested a more surprising problem – cryptomining might not be profitable enough in the first place.”
- Microsoft: Invisible resource thieves: The increasing threat of cryptocurrency miners
[March 12th 2018]
- Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?
- Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
- ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:
I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.
If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserves credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.
Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes.
[March 8th 2018]
Microsoft: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Rather self-congratulatory – sounds as if Microsoft stopped a campaign all by itself and Windows Defender is The Answer to crypto-mining and world hunger, but still…
[March 7th 2018]
- ESET: Cryptojacking: the result of the “cryptocurrency rush”
- Kaspersky: Mining is the new black
- Commentary from John Leyden for The Register: CryptoLurker hacker crew skulk about like cyberspies, earn $$$
- Palo Alto/Unit 42: Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency
- SANS/Internet Storm Center: The Crypto Miners Fight For CPU Cycles
- Commentary from The Register: Miner vs miner: Attack script seeks out and destroys competing currency crafters – “There is no honour among CPU thieves”
- Wall Street Journal: Cryptocurrency Firms Targeted in SEC Probe
“Regulator issues subpoenas to parties engaged in booming market for initial coin offerings”
[March 5th 2018]
- Lisa Vaas for Sophos: Bill Gates: Cryptocurrencies killing people in “fairly direct way”. As she notes, Gates has not always been so sceptical, but he does have a point.
- Cited in that article: Bitcoin Transactions Aren’t as Anonymous as Everyone Hoped “Web merchants routinely leak data about purchases. And that can make it straightforward to link individuals with their Bitcoin purchases, say cybersecurity researchers.” Citing in its turn research from Steven Goldfeder et al: When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies.
- The Register: Bitcoin heist with a twist: This time it’s servers that were stolen – “Icelandic cops cuff 11 on suspicion of data centre robberies”
[March 1st 2018]
- Josh Grunzweig for Palo Alto/Unit 42: Monero Miners Continue to Plague Users via Russian BitTorrent Site – “The latest identified threat comes in the form of a Russian BitTorrent site that is covertly distributing malware, primarily mining the Monero cryptocurrency, to its users.”
- (IN)Secure Magazine issue 57 includes an article by Zoran Lalic on ‘A deep dive into blockchain and Bitcoin’ as well as news on crypto-mining and other security issues.
[28th February 2018]
- Lukas Stefanko for ESET: Cryptocurrency scams on Android: do you know what to watch out for?
- Ana Dascalescu for Heimdal: What Is Cryptojacking And How To Avoid This Attack “Find out what blockchain is, why criminals want Monero coins and how to keep safe from cryptojacking”
- Sophos: Apple co-founder Steve Wozniak scammed by Bitcoin fraudster “News of the incident emerged at a conference in India, where ‘The Woz’ described losing seven Bitcoins (currently worth $70,000) to a fraudster who paid for them using a credit card but then issued a chargeback.”
[27th February 2018]
- John Leyden for The Register: Opt-in cryptomining script Coinhive ‘barely used’ say researchers. Malwarebytes says that few sites are using the opt-in version of Coinhive (as does Troy Mursch), but Coinhive reckons that “a third of cryptomining-using websites get their users’ consent.”
- Pierluigi Paganini: Evrial: The Latest Malware That Steals Bitcoins Using the Clipboard
- Sophos: Unsecured AWS led to cryptojacking attack on LA Times
- HelpNet: Cryptojacking is the new malware
- Bleeping Computer: Hacker Returns $26 Million Worth of Ethereum Back to Hacked Company “A hacker has returned over $26.2 million worth of Ethereum to CoinDash, the company it obtained the funds from in July 2017.”
- An interesting resource, maybe: APWG’s Cryptocurrency Anti-Phishing Working Group
[24th February 2018]
[23rd February 2018]
- CyberAdapt: What is crypto currency, how does it work, and how can we protect? (HT to Ken Bechtel!)
- Lisa Vaas for Sophos: Bitcoin exchange founder charged with covering up hack
“Jon Montroll, 37, of Saginaw, Texas, the operator of a now-defunct cryptocurrency investment platform … [has] … been charged with lying to cover the fact that hackers made off with more than 6,000 of his customers’ Bitcoins.”
- ITNews: US arrests operator of shuttered bitcoin investment platform – “BitFunder boss allegedly lied about hack.”
[22nd February 2018]
- The Register: Guys, you’re killing us! LA Times homicide site hacked to mine crypto-coins on netizens’ PCs
“The newspaper’s IT staffers left at least one of the publication’s Amazon Web Services S3 cloud storage buckets wide open to anyone on the internet to freely change, update, and tamper.”
- Graham Cluley for Tripwire: LA Times homicide website throttles cryptojacking attack
- The Register: Blockchain nears peak hype: UK politicos to probe crypto-coin – Digi currencies falling under glare of Treasury committee. [Hopefully they’ll bear security somewhat in mind…]
- Sophos: Tesla cryptojacked by currency miners. Commentary on an article from Redlock: Lessons from the Cryptojacking Attack at Tesla
[18th February 2018]
- CoinTelegraph: FCC Officially Warns Brooklyn BTC Miner Of ‘Harmful Interference’ To T-Mobile
“The U.S. Federal Communications Commission (FCC) has sent an official notice, dated Feb. 15, to a resident of Brooklyn, New York, Victor Rosario, citing that his Bitcoin (BTC) miner was causing harmful interference to T-Mobile’s broadband network.”
- Heimdal: Coinhive Injections Are An Understated Threat Against Home And Corporate Users
- Check Point: Jenkins Miner: One of the Biggest Mining Operations Ever Discovered
“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server…” [See also The Register: Year-old vuln turns Jenkins servers into Monero mining slaves – “The hip world of continuous integration meets the dark world of crypto-jacking”]
[16th February 2018]
- FireEye: CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
- Bleeping Computer: Using the Chrome Task Manager to Find In-Browser Miners
[15th February 2018]
- Help Net Security summarizes commentary from Check Point: Cryptomining malware continues to drain enterprise CPU power.
“In January, crypto-mining malware continued to be the most prevalent with Coinhive retaining its most wanted spot impacting 23% of organizations, followed by Fireball in second and Rig Exploit Kit in third impacting 17% of organizations.”
- And here’s Check Point’s blog article: January’s Most Wanted Malware: Cryptomining Malware Continues to Cripple Enterprise CPU Power
“Check Point researchers also discovered three different variants of cryptomining malware in its top 10 most prevalent ranking, with Coinhive ranking first, impacting more than one-in-five organizations.”
- Help Net Security/Radiflow: When crypto-mining malware hits a SCADA network
[14th February 2018]
Two links from Sophos:
- When crooks mine cryptocoins, but you pay [Naked Security Podcast 1]
- Bitcoin mining to zap more energy than households in Iceland this year
Plus another about yet another cryptocurrency exit scam:
- Cryptocurrency startup LoopX exit scams with $4.5M in ICO
- Catalin Cimpanu for Bleeping Computer: Bitmessage Zero-Day Used in Attacks That Steal Bitcoin Wallet Files
- Graham Cluley: Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies – IT WANTS TO USE YOUR COMPUTER’S RESOURCES TO MAKE THEM MONEY.
“Yup, Salon is giving you a choice. If you don’t want to disable your ad blocker, maybe you’ll feel comfortable letting it run code from Coinhive which will gobble up your computer’s resources to mine some Monero cryptocurrency.”
- Browsealoud compromise (injection of Coinhive): partial but lengthy list of affected sites.
[12th February 2018]
- Bleeping Computer: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked
“Thousands of sites were injected with an in-browser Monero miner today after a popular accessibility script was compromised. With 4,275 sites affected, this included government websites such as uscourts.gov, ico.org.uk, & manchester.gov.uk.”
“If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack.”
[9th February 2018]
- BBC: Russian nuclear scientists arrested for ‘Bitcoin mining plot’
“Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”
[8th February 2018]
- Zeljka Zorz for Help Net: When crypto-mining malware hits a SCADA network
“Industrial cybersecurity vendor Radiflow […] has recently discovered Monero-mining malware on five servers of a water utility company located in Europe. These servers included […] the control server of the physical processes of the company.”