Tag Archive for: cryptojacking

Ukrainian Police Arrest Cryptojacking Hacker

/in


The Ukrainian National Police said on Friday that they had arrested a hacker in the southern city of Mykolaiv in connection with a sophisticated scheme to hijack cloud computers to mine cryptocurrencies, a ploy known as “cryptojacking.”

Ukraine HackerUkrainian police seized electronic devices, SIM and bank card from the suspected hacker. (Photo: Національна поліція України, License)Over the last two years, the 29-year-old suspect allegedly managed to mine nearly US$2 million in cryptocurrencies. The authorities did not release either the suspect’s name or the name of the U.S. company whose server was allegedly misused.

The suspect is accused of infecting that server with malware, known as a “miner virus” — malicious software that steals a computer’s resources to generate cryptocurrency, allowing the hacker to steal money and transfer it to controlled electronic wallets.

According to the police, the suspect hacked 1,500 accounts belonging to the unnamed company’s clients, using a technique known as brute force—self-developed software for automatic password selection.

He then used the compromised accounts to gain access to the cloud computing provider, secretly infecting the company’s server with the malicious software.

The suspect used its computational power to mine cryptocurrencies, allowing him to avoid paying for server time and power.

The stolen computer time typically cost more than the profits mined, so that compromised account holders were left with substantial cloud bills.

During the search of the suspect’s home, the police seized “computer equipment, bank and SIM cards, electronic media, and other evidence of illegal activity.”

The investigation into the case continues, with authorities targeting potential accomplices of the suspect and examining his possible connections with a pro-Russian hacker group, according to Ukrainian police.

Europol, the European Union Agency for Law Enforcement Cooperation, which supported the operation, said that the arrest followed “months of intensive collaboration between Ukrainian authorities, Europol and a cloud provider, who worked tirelessly to identify and locate the individual behind the…

Source…

AWS cryptojacking campaign abuses less-used services to hide

/in


To remain undetected for longer in cloud environments, attackers have started to abuse less-common services that don’t get a high level of security scrutiny. This is the case of a recently discovered cryptojacking operation, called AMBERSQUID, that deploys cryptocurrency mining malware on AWS Amplify, AWS Fargate, and Amazon SageMaker instead of the more obvious Amazon Elastic Compute Cloud (Amazon EC2).

“The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances,” researchers from security firm Sysdig said in a report. “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”

How the AMBERSQUID cryptojacking campaign works

The Sysdig researchers came across the cryptojacking campaign while scanning 1.7 million Linux container images hosted on Docker Hub for malicious payloads. One container showed indicators of cryptojacking when executed and further analysis revealed several similar containers uploaded by different accounts since May 2022 that download cryptocurrency miners hosted on GitHub. Judging by the comments used in the malicious scripts inside the containers, the researchers believe the attackers behind the campaign are from Indonesia.

When deployed on AWS using stolen credentials, the malicious Docker images execute a series of scripts, starting with one that sets up various AWS roles and permissions. One of the created roles is called AWSCodeCommit-Role and is given access to AWS Amplify service, a service that lets developers build, deploy and host full-stack web and mobile applications on AWS. This role also gets access to AWS CodeCommit, a managed source-code repository service, and AWS CloudWatch, an infrastructure monitoring and data visualization service.

A second role that is created by the container scripts is called sugo-role, and this role has full access to SageMaker, another AWS service that allows data scientists to build, train, and deploy machine-learning models. A third created role is…

Source…

Cryptojacking added to updated RapperBot DDoS botnet

/in


Threat actors behind the RapperBot botnet have updated the malware to include the XMRig Monero miner in an effort to exfiltrate cryptocurrency from IoT devices running on Intel x64 architectures as part of a campaign that began in January, BleepingComputer reports.

FortiGuard Labs researchers discovered that the updated RapperBot botnet has employed various means to evade detection, including the integration and obfuscation of miner code with double-layer XOR encoding, command-and-control server-based mining configuration receipt, and randomized request sizes and intervals.

Further analysis revealed that aside from having the capability to conduct and terminate distributed denial-of-service attacks even though no DDoS commands have been sent to the examined samples, RapperBot also has the ability to end itself and other child processes.

Since its emergence last June, RapperBot has already been updated to include DoS commands and a Telnet self-propagation mechanism, indicating the rapid evolution and feature expansion of the botnet malware.

Source…

New cryptojacking malware can hack in Kubernetes clusters using this easy trick

/in


Dero is a relatively new cryptocurrency that places a strong emphasis on privacy. It utilizes directed acyclic graph (DAG) technology, which allows it to make the claim that its transactions are completely anonymous. The combination of anonymity and a greater rewards ratio makes it potentially attractive for cryptojacking organizations in comparison to Monero, which is the coin that is most often used by attackers or groups conducting miner operations. CrowdStrike has discovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. 

A cryptojacking operation using Monero was also discovered; this operation is aware of the Dero effort and is actively competing with it. The Monero campaign mines XMR on the host by elevating their privileges via the usage of DaemonSets and mounting the host as the root user.

Attackers specifically targeted Kubernetes clusters running on non-standard ports by scanning for and locating exposed vulnerable Kubernetes clusters that had the authentication setting —anonymous-auth=true. This setting enables anonymous access to the Kubernetes API and was the target of the attackers’ attention. It is possible for a user with adequate access to mistakenly expose a secure Kubernetes API on the host where kubectl is operating by performing the “Kubectl proxy” command. This is a less apparent approach to expose the secure Kubernetes cluster without authentication. The Kubernetes control plane application programming interface does not provide anonymous access out of the box in Kubernetes. Nevertheless, since the choice to make secure-by-default the default was delayed, and there are a variety of ways in which Kubernetes might be inadvertently exposed, there is still a legacy of exposed systems on the internet.

After the first engagement with the Kubernetes API, the attacker will next install a Kubernetes DaemonSet with the name “proxy-api.” On every node in the Kubernetes cluster, the DaemonSet installs a pod that contains malicious code. This makes it easier for attackers to operate a cryptojacking operation by simultaneously using the resources of all of the nodes in the network. The mining efforts that are…

Source…