MikroTik cryptojacking still in play with over 400K affected routers

The number of MikroTik routers affected by malware that mines the privacy-centric cryptocurrency Monero (XMR) has risen to 415,000, according to security researchers.

The cryptojacking campaign was first discovered in August. According to a Trustwave report, the malware attacked the MikroTik routers after their systems became vulnerable earlier this year, in April. Initially, the attackers compromised 175,000 routers and then expanded to Eastern Europe, where they hit 25,000 more. They were using Coinhive and 15 other mining scripts to mine XMR.

Since it was discovered, Twitter user VriesHd and researchers from Bad Packets have been tracking the cryptojacking campaign. In September, they reported that the number of affected MikroTik routers had risen to 280,000. In a recent tweet, VriesHd explained that the numbers have doubled since the initial attacks.

According to VriesHd, the number is derived from checking three possible ways the attackers could be abusing MikroTik routers, although the true figure could be higher, since the data only reflects IP addresses known to have served cryptojacking scripts. He noted that it would not surprise him if the actual number totals somewhere around 350,000 to 400,000.

The researcher further found that the attackers are no longer exclusively using Coinhive; they have also been using other mining services such as Omine and CoinImp to mine the privacy-centric cryptocurrency.

To protect themselves from the malware, Bad Packets Report security expert Troy Mursch advises MikroTik router users to install the latest firmware version available for their device. Updating prevents the malware from using their routers to mine cryptocurrency.

VriesHd also points out that internet service providers (ISPs) can help fight the spread of the malware by forcing over-the-air updates to the routers.

Cryptojacking cases continue to rise, with figures up 500% this year. According to reports, Brazil is the country most affected by the malware. Research shows that Coinhive hit the country over 81,000 times in October. India ranks second with 29,000 detected incidents, followed by Indonesia, which has more than 23,000 cryptojacking cases.

The post MikroTik cryptojacking still in play with over 400K affected routers appeared first on CoinGeek.


Cryptojacking malware hits Make-A-Wish Foundation site

Cybercriminals are at it again, this time setting their sights on a charity foundation.

Last week, researchers at security firm Trustwave reported that they had found a CoinImp cryptomining script injected into the official website of the Make-A-Wish Foundation. In a blog post, the Trustwave researchers said the script had been mining cryptocurrency since May 2018, using the computing power of the website's visitors.

Upon further investigation, researchers discovered that the foundation's website became vulnerable earlier this year when the Drupal software it runs on became vulnerable to CVE-2018-7600, a remote code execution bug popularly known as "Drupalgeddon 2." Drupal, an open source content management system, stated that the vulnerability allowed attackers to inject malicious code into websites that had failed to apply the security patch.

The CoinImp miner is JavaScript-based and is generally used by those who want to covertly mine Monero using visitors' phones, tablets or computers.

This particular cryptojacking incident was difficult to find because it used several techniques to avoid detection, according to Trustwave's Simon Kenin. First, the script changed the domain name that hosts the JavaScript miner. In addition, the WebSocket proxy also used different domains and IPs to evade blacklist-based blocking.

Researchers have warned that Drupal-based websites need to be updated to avoid attacks from this and other malware. Just this spring, Drupalgeddon 2, a remote code execution (RCE) vulnerability in older versions of Drupal, affected more than 100,000 sites.

Meanwhile, McAfee Labs, an Internet security provider, warned the public to watch out for a new cryptojacking malware called WebCobra. The company stated that, unlike previous malware, the new cryptojacking malware could not be traced on the victim's computer. The malware slows down the user's computer and consumes a lot of power while it operates.


McAfee Labs spots yet another Monero-mining cryptojacking malware

A new Russian malware designed to mine privacy-centric cryptocurrency Monero from unsuspecting user machines has been discovered by researchers at McAfee Labs, the latest coin mining malware to be uncovered in recent weeks.

The malware, known as WebCobra, steals computing power from affected devices, before silently mining for cryptocurrency in the background. Users are often unaware of the effects of the malware until they notice a loss of performance, or a higher-than-expected energy bill.

WebCobra is similar to other malware, according to experts at McAfee Labs, with attacks of this type dubbed "cryptojacking." These attacks have become increasingly common in recent months, and are particularly popular with scammers mining SegWit and Monero.

This latest discovery reveals a new type of malware, which researchers have linked to hackers based in Russia.

While some have suggested cryptojacking is less invasive than other types of hacks, the financial costs of mining some cryptocurrencies, coupled with the significant loss of processing power, mean this is far from a victimless crime.

According to a post by McAfee Labs, the costs for mining a single BTC can run into the tens of thousands of dollars. The report noted, “Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170…”

The researchers said, “We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.”

These types of crypto mining scams have risen by as much as 500% in 2018 so far, leading to an intervention from Google to block obfuscated code from its Chrome Web Store, in a bid to stem the tide of attacks.

As crypto mining malware like WebCobra continues to become more sophisticated, it is likely that more systems will be unwittingly compromised by this type of cryptojacking attack.

Note: Tokens on the Bitcoin Core (segwit) Chain are Referred to as BTC coins. Bitcoin Cash (BCH) is today the only Bitcoin implementation that follows Satoshi Nakamoto’s original whitepaper for Peer to Peer Electronic Cash. Bitcoin BCH is the only major public blockchain that maintains the original vision for Bitcoin as fast, frictionless, electronic cash.


Canadian university shuts down network after cryptojacking attack

St. Francis Xavier University, located in Nova Scotia, Canada, has found itself targeted by cryptocurrency mining malware—also known as cryptojacking—forcing the institution to shut down its entire network.

On Monday, GlobalNews.ca reported that the university shut down its operations for four days last week while its administration looked for ways to remove the malware. The cryptojacking attack started on November 1, when the malware infiltrated the university's network and began mining an unknown cryptocurrency using the institution's processing power. Upon detecting the malware, officials shut down the entire network, bringing operations to a standstill.

The university released an official statement on November 4, explaining that the attack had not caused any harm to members of the university and that no sensitive information had been stolen. The university added that it would restore its network once its IT experts had finished fixing the security breach. Some services have since been restored, including access to email, Wi-Fi, debit transactions, the school's online course system, and shared storage space and drives on the St. FX network, according to St. Francis Xavier University.

To protect themselves from possible harm, the university asked all members of the university community to change their passwords.

Some miners have resorted to cryptojacking to avoid the high cost of cryptocurrency mining, shifting that cost onto unsuspecting computer users, both personal and industrial. Cryptojackers use malware to penetrate computers or networks with high processing power. Most of the malware is installed unknowingly by the user through ads and browser extensions.

Once installed, the malware lets the cryptojackers mine currency using the victim's processing power and electricity. To mine more coins, some have targeted large institutions like St. Francis Xavier University for their abundant computing power. They are also targeting high-traffic government websites to mine their coins.

These cryptojackers are making vast sums of money from their operations. To avoid detection by the authorities, they are developing new ways to keep their malware from being noticed. Last month, some miners were using fake Adobe Flash updates as Trojan horses to install cryptomining software on users' computers.


25 apps hosting cryptojacking scripts found on Google Play Store

SophosLabs claims to have identified at least 25 Android apps published on the official Google Play Store containing scripts that carry out cryptojacking on users' devices.

In its report, the company noted that the apps in question have “been downloaded and installed more than 120,000 times.”

The report comes some two months after Google announced that it would no longer allow apps that mine cryptocurrency on devices. According to SophosLabs, the malicious code was included in different kinds of applications—from educational to gaming and utility apps.

Out of the 25 apps, 22 were found to contain an implementation of Coinhive's code. The Coinhive script allows its operators to mine the privacy-centric coin Monero (XMR) without the knowledge of the device's user. Meanwhile, Lighton and Mobeleader were discovered to have been hosting cryptomining scripts on their own servers, "presumably to thwart firewalls or parental controls/reputation services that might block Coinhive's domain by default."

Another app, A Paintbox for Kids, was also found to have been running XMRig, described as an open source CPU miner that can mine not just XMR but several other cryptocurrencies as well.


According to the SophosLabs report, apps containing the cryptojacking code include Trance Droid by Happy Appys; Palkar by Palpostr.com; LHDS Vendors published by Taste of Life Group; Mobeleader from Abser Technologies; Helper for Knight Game from Evgeny Solovyov; and Dizi Fragmanları İzle from Oguzhan Kivrak.

The report also identified the apps Game Viet 2048 from Thanhtu Media, Afterlife: RPG Clicker CCG by Levius LLC, Dominoes Games from Fun Board Games, A Paintbox For Kids by Uwe, the Tapbugs and Dreamspell apps by Riccotz, Info Guru Pendidikan by Cakrawala Pengetahuan, and Lighton by Buyguard.

Meanwhile, 11 apps from Gadgetium were also found to contain an HTML page with a Coinhive-based miner. The apps were “preparation apps for standardized tests given in the U.S., exams such as the ACT, GRE, or SAT,” according to SophosLabs.

Google has clamped down on cryptocurrency activities that it deemed harmful to customers. Earlier this year, Google banned the advertisement of cryptocurrencies and related products. During this period, other platforms like Facebook and Twitter also banned cryptocurrency advertisements. In April, some of Google's platforms, such as the Chrome Web Store, banned cryptocurrency mining extensions.

Recently, it was reported that Google is planning to soften its stance on cryptocurrency. Google announced that it was going to update its crypto ads policy, as part of its bid to work more closely with regulated institutions in the United States and Japan.


Researchers discover new crypto malware-killing botnet

A new botnet which sets out to specifically kill a type of crypto mining malware has been discovered by security researchers at Qihoo 360Netlab.

Known as Fbot, the botnet appears to be based on code derived from Mirai, a malware family generally used in DDoS attacks. However, in this case the DDoS module has been deactivated, and the botnet instead searches for cryptojacking malware and replaces its code, thereby neutering its harmful effects.

In particular, the botnet searches for instances of com.ufo.miner, a variant of the Android-based ADB.Miner that mines the privacy-centric altcoin Monero.

According to the Qihoo team, the botnet distributes itself by searching for open ports, before uninstalling the com.ufo.miner software where present. The botnet effectively installs itself over the malware, destroys its malicious code, and then self-destructs, according to a report published by the researchers.

The botnet is also linked to a domain name that is resolvable only through EmerDNS, rather than the standard DNS system. This makes it harder to track, since anyone monitoring only traditional DNS names cannot see its records.

“The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher to find and track the botnet (security systems will fail if they only look for traditional DNS names),” according to the Qihoo 360Netlab blog post.

It comes at a time when the number of cryptojacking and malware attacks has reached record highs, with the last few months seeing particularly elevated activity around these types of crypto scams.

Cryptojacking malware is now so prevalent that it has been identified across the systems of several large businesses and government agencies, as well as the countless individuals affected worldwide. According to security researchers, incidents of cryptojacking have increased by 956% over the last year.

This has even prompted Firefox to announce that its latest browser will automatically detect and block cryptojacking scripts, in a bid to fight this surge in their use.

At this stage, it remains unclear whether the botnet was created with the intention of cleaning up malware, or whether it has been launched by rival scammers to clear out competing malware.

Future Firefox browsers to block cryptojacking malware

Mozilla, the company behind the popular web browser Firefox, is gearing up to automatically block abusive scripts, including those that "silently mine cryptocurrencies," in future versions of Firefox.

Last week, Mozilla announced that it will soon implement an initiative to "protect users by blocking tracking while also offering a clear set of controls to give our users more choice over what information they share with sites." The company cited a Ghostery study, which found that 55.4% of the total time required to load an average website is spent loading third-party trackers. For users on slower networks, the loading time is even worse.

“Deceptive practices that invisibly collect identifiable user information or degrade user experience are becoming more common. For example, some trackers fingerprint users — a technique that allows them to invisibly identify users by their device properties, and which users are unable to control,” according to Mozilla. “Other sites have deployed cryptomining scripts that silently mine cryptocurrencies on the user’s device. Practices like these make the web a more hostile place to be. Future versions of Firefox will block these practices by default.”

This is why future versions of Firefox will ship with a new feature—already available in Firefox Nightly—that blocks trackers that slow down page loads. The feature will be tested in a shield study starting in September, and if the approach performs well, Mozilla plans to block slow-loading trackers by default in Firefox 63.

The company has already stripped cookies and blocked storage access for third-party tracking content, a feature that Firefox Nightly users can already test. If all goes according to plan, Mozilla said it will bring this protection to all Firefox 65 users.
