Tag Archive for: Monero

Monero (XMR) Price Analysis: Did XMR Dip After Wallet Exploit?



The Monero community wallet was hit by a major exploit, resulting in the loss of its entire balance of 2,675.73 Monero (XMR), worth almost $460,000. The cause and source of the exploit are currently unidentified. 

The attacker drained the community wallet in nine separate transactions. 

Late Disclosure By Monero 

According to reports, the hack took place on the 1st of September. However, it was disclosed on GitHub only two months later, on the 2nd of November, 2023, by Monero developer Luigi, who stated that the community wallet had been completely emptied. The developer also stated that the source of the breach was yet to be identified. 

“The CCS Wallet was drained of 2,675.73 XMR (the entire balance) on the 1st of September, 2023, just before midnight. The hot wallet, used for payments to contributors, is untouched; its balance is ~244 XMR. We have thus far not been able to ascertain the source of the breach.”

Cybersecurity firm SlowMist stated that it was unlikely the hack resulted from a flaw in the Monero privacy model. Moonstone Research investigated how the attacker moved the stolen funds; its analysis produced some interesting results, and it was able to trace three of the hacker's transfers.

Monero's Community Crowdfunding System (CCS) funds development proposals from community members. Monero developer Ricardo 'Fluffypony' Spagni, the only other individual with access to the wallet seed phrase, noted, 

“This attack is unconscionable, as they’ve taken funds that a contributor might be relying on to pay their rent or buy food.”

According to Luigi, the CCS wallet was set up on an Ubuntu system in 2020, along with a Monero node. 

Details Of The Hack 

Luigi used a hot wallet to make payments to community members. This wallet has been on a Windows 10 Pro desktop since 2017. The hot wallet was funded from the CCS wallet as and when needed. However, on the 1st of September, the CCS wallet was wiped clean in nine transactions. Following the incident, the Monero core team is calling for the General Fund to cover current liabilities. Spagni noted in the GitHub thread, 

“It’s entirely possible that…

Source…

Fake versions of popular apps spreading Monero miner malware for years: report


Check Point Research (CPR), the research team of American-Israeli cybersecurity provider Check Point Software Technologies, has uncovered a Monero mining malware dubbed “Nitrokod” that has been sneakily infecting computers across 11 countries since 2019.

In a report, the research team stated the malware often masqueraded as desktop versions of popular applications such as Google Translate, YouTube Music, and Microsoft Translate. These spoof versions are available on dozens of free software download websites, including Softpedia and Uptodown.

In the case of the fake Google Translate desktop app, on which the team based their findings, the research notes that the Turkey-based entity operating the mining malware campaign is counting on the lack of an official desktop app to attract users to its fake one.

“Most of the programs Nitrokod offers are popular software that do not have an official desktop version. For example, the most popular Nitrokod program is the Google Translate desktop application. Google has not released an official desktop version, making the attackers’ version very appealing,” the report said.

The study found that the malware campaign remained undetected until now because of how it operates. The malware delays the covert mining for several weeks after the initial software download, using a scheduled-task mechanism that spreads the installation over several days and stages while deleting traces of each step.

Surprisingly, the attackers do not even have to build the fake apps from scratch: they are generated from the vendors' official web pages using a Chromium-based framework, which yields working programs that can be distributed.

Monero getting increasingly linked to cyber criminals

Check Point estimates that at least one hundred thousand victims across Israel, Germany, the United Kingdom, the United States, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia, and Poland have been inadvertently mining Monero (XMR) with their CPU.

Meanwhile, this is not the first time malware that insidiously mines the privacy token has been found infecting machines. In an incident in…

Source…

Monero Mining Malware Finds Success at Top of Google Search


  • Nitrokod is currently featured at the top of Google search results for popular apps, including Translate
  • The malware maliciously mines monero using users’ computer resources, echoing once-prolific CoinHive

An insidious malware campaign targeting users searching for Google applications has infected thousands of computers globally to mine privacy-focused crypto monero (XMR).

You've probably never heard of Nitrokod. Israel-based cyber intelligence firm Check Point Research (CPR) stumbled upon the malware last month. 

In a report on Sunday, the firm said Nitrokod initially masks itself as free software, having found remarkable success at the top of Google search results for "Google Translate desktop download."

Also known as cryptojacking, mining malware has been used to infiltrate unsuspecting users' machines since at least 2017, when it rose to prominence alongside crypto's popularity.

CPR previously detected the well-known cryptojacking malware CoinHive, which also mined XMR, in November of that year. CoinHive was said to be consuming 65% of an end user's total CPU resources without their knowledge. Academics calculated the malware was generating $250,000 per month at its peak, with the bulk of it going to fewer than a dozen individuals.

As for Nitrokod, CPR believes it was deployed by a Turkish-speaking entity sometime in 2019. It operates across seven stages as it moves along its path to avoid detection from typical antivirus programs and system defenses. 

“The malware is easily dropped from software found on top Google search results for legitimate applications,” the firm wrote in its report.

Softpedia and Uptodown were found to be two major sources of fake applications. Blockworks has reached out to Google to learn more about how it filters these kinds of threats.

Image source: Check Point Research

After downloading the application, an installer executes a delayed dropper and continuously updates itself on every restart. On the fifth day, the delayed dropper extracts an encrypted file. 

The file then initiates Nitrokod’s final stages, which sets about scheduling tasks,…
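Detection logic for the delayed-task pattern described in this excerpt and in the Check Point summary above, as an added example that is not code from either article or from Check Point Research: it parses scheduled-task definitions in the Task Scheduler XML format (the format `schtasks /query /xml` prints and Security event 4698 carries) and flags tasks that first run days after they were registered, are hidden, execute from a user-writable path, or delete files or other tasks. The task names, paths, dates and the one-day threshold are constructed for the example; they are not Nitrokod's real artefacts.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Task Scheduler XML namespace used by schtasks /query /xml and event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a legitimate installer would not normally schedule a binary from.
USER_WRITABLE = re.compile(
    r"(%(appdata|localappdata|temp|tmp|userprofile)%|\\users\\[^\\]+\\)", re.I)
# Arguments that remove files or other tasks (trace cleanup between stages).
CLEANUP = re.compile(
    r"schtasks(\.exe)?\s[^&|]*/delete|\bdel\b|\brd\b|rmdir|remove-item", re.I)
# ISO 8601 duration subset used by <Delay>: P5D, PT30M, P1DT12H.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample task definitions (hypothetical names and paths).
SAMPLE_TASKS = {
    "defrag": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T09:00:00</Date></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-08-01T01:00:00</StartBoundary>
    <ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
    "stage1": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T09:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-06T09:00:00</StartBoundary></TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>cmd.exe</Command>
    <Arguments>/c "%LOCALAPPDATA%\TranslateDesktop\update.exe" /silent &amp; schtasks /delete /tn Stage1 /f</Arguments>
  </Exec></Actions>
</Task>""",
}


def parse_duration(text):
    """Convert a Task Scheduler duration string into a timedelta."""
    m = DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def analyze_task(xml_text, min_delay=timedelta(days=1)):
    """Return a list of human-readable findings for one task definition."""
    root = ET.fromstring(xml_text)
    findings = []

    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = root.findtext(".//t:Exec/t:Command", "", NS) or ""
        args = exe.findtext("t:Arguments", "", NS) or ""
        if USER_WRITABLE.search(f"{cmd} {args}"):
            findings.append(f"runs a binary from a user-writable path: {cmd} {args}".strip())
        if CLEANUP.search(args):
            findings.append(f"action deletes files or tasks: {args}")

    registered = root.findtext(".//t:RegistrationInfo/t:Date", None, NS)
    reg_dt = datetime.fromisoformat(registered) if registered else None
    for trig in root.iterfind(".//t:Triggers/*", NS):
        delay = trig.findtext("t:Delay", None, NS)
        if delay and parse_duration(delay) >= min_delay:
            findings.append(f"trigger delayed by {delay}")
        start = trig.findtext("t:StartBoundary", None, NS)
        if start and reg_dt and datetime.fromisoformat(start) - reg_dt >= min_delay:
            findings.append(f"first run {start} is >= {min_delay.days}d after registration on {registered}")

    if (root.findtext(".//t:Settings/t:Hidden", "false", NS) or "").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    return findings


def scan(tasks):
    """Map task name -> findings for every task that triggered at least one rule."""
    result = {}
    for name, xml_text in tasks.items():
        findings = analyze_task(xml_text)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Any one of these traits occurs in legitimate tasks, so score on their combination rather than alerting on a single rule; the strong signal in the Nitrokod description is the pairing of a multi-day delay with execution from a user-writable path and self-cleanup.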

Source…

Data breach extortion. Credential reuse risk. Blackswan zero-days. A Monero cryptojacker. Notes on the ransomware summit.


Attacks, Threats, and Vulnerabilities

Extortionist Hacker Group SnapMC Breaches Networks in Under 30 Minutes (SecurityWeek) Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations

SnapMC skips ransomware, steals data (NCC Group Research) Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the victim’s operations.

Academics find Meltdown-like attacks on AMD CPUs, previously thought to be unaffected (The Record by Recorded Future) Two academic papers have been published over the past two months detailing new side-channel attacks in AMD processors that have eerily similar consequences to the Meltdown attack disclosed in early 2018, to which AMD CPUs were previously thought to be immune.

How Impersonation Attacks Fool Users (Avanan) Hackers use impersonated messages from reputable brands to fool users. In this case, scammers are impersonating DocuSign.

Once-in-a-decade discovery made by international cyber security company built by former spies (PR Newswire) Field Effect, a global cyber security company, has released details of their discovery of seven 0-day vulnerabilities in Microsoft Windows software and…

Blox Tales: Microsoft Defender Vishing Using AnyDesk (Armorblox) This blog focuses on a Microsoft Defender vishing campaign where attackers tried to get victims to download AnyDesk for an RDP attack.

Heads up: Verizon’s Visible MVNO accounts are getting hacked left and right (AndroidPolice) Users are reporting account hijacks, address changes, and unauthorized purchases

Apparent Verizon Visible hack was credential stuffing attack, says carrier [U] (9to5Mac) Multiple reports of an apparent Verizon Visible hack, with attackers changing shipping addresses, then ordering phones that are charged …

Verizon’s Visible confirms accounts were breached – report (FierceWireless) Some customer accounts for the…

Source…