#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

crypto mining | Breaking Cybersecurity News | The Hacker News

Category — crypto mining
Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

Oct 22, 2024 Docker Security / Cloud Security
Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro. "In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today. "The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities." It all starts with the attacker conducting a discovery process to check for public-facing Docker API hosts and the availability of HTTP/2 protocol upgrades in order to follow up with a connection upgrade request to the h2c protocol (i.e., HTTP/2 sans TLS encryption). The adversary also proceeds to check for gRPC methods that are designed to carry out various tasks
Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining

Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining

Jul 26, 2024
Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining. Cloud security firm Wiz is tracking the activity under the name SeleniumGreed . The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023 . "Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said . "By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes." Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different bro
Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

Oct 31, 2024Identity Security / Browser Security
In the modern, browser-centric workplace, the corporate identity acts as the frontline defense for organizations. Often referred to as "the new perimeter", the identity stands between safe data management and potential breaches. However, a new report reveals how enterprises are often unaware of how their identities are being used across various platforms. This leaves them vulnerable to data breaches, account takeovers, and credential theft. The "Enterprise Identity Threat Report 2024" ( download here ) is based on exclusive data available only to the LayerX Browser Security platform. This data derives from LayerX's unique visibility into every user action in the browser, across industries. It provides a detailed analysis of emerging risks and uncovered hidden threats. To register to a live webinar to cover the key findings in this report, Click here . Below is a deeper dive into some of the report's most critical findings: 1. The Greatest Risk Comes from 2% of Users Security profe
RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability

RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability

May 30, 2024 Vulnerability / Cryptocurrency
The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to its exploit arsenal. The addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security company Akamai. "The attackers have taken a step forward by employing private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs," security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News. The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. A successful exploitatio
cyber security

AWS EKS Security Best Practices [Cheat Sheet]

websiteWiz.ioCloud Security / Kubernetes
Unlock this one-stop resource for mastering EKS security best practices and safeguarding your cloud-native applications.
10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

Apr 09, 2024 Botnet / Crypto Mining
A threat group of suspected Romanian origin called  RUBYCARP  has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks. The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News. "Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks," the cloud security firm said . "This group communicates via public and private IRC networks." Evidence  gathered  so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw , which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net. "These phishing emails often lure victims into revealing sensitive i
29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

Jan 13, 2024 Cryptojacking / Cloud Security
A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits. The person, described as the "mastermind" behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration." "A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol  said , adding it shared the intelligence with the Ukrainian authorities. The Cyber Police of Ukraine, in a separate announcement, said the suspect "infected the servers of a well-known American company with a miner virus" at least since 2021, using custom brute-force tools to infiltrate 1,500 accounts of the firm. "Using the compromised accounts, the hacker gained access to the management of the service," the a
Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks

Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks

Jan 12, 2024 Cryptocurrency / Malware
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attacker's use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag  said  in an analysis published earlier this week. "The malware deletes contents of specific directories and modifies system configurations to evade detection." The infection chain targeting Hadoop leverages a misconfiguration in the YARN's (Yet Another Resource Negotiator)  ResourceManager , which is responsible for tracking resources in a cluster and scheduling applications. Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed. The
NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Jan 10, 2024 Server Security / Cryptocurrency
A new Mirai-based botnet called  NoaBot  is being used by threat actors as part of a crypto mining campaign since the beginning of 2023. "The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims," Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News. Mirai , which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being  InfectedSlurs , which is capable of mounting distributed denial-of-service (DDoS) attacks. There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as  P2PInfect , which recently received an update to target routers and IoT devices. This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely at
8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

Dec 19, 2023 Cryptojacking / Cyber Threat
The threat actors associated with the  8220 Gang  have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is  CVE-2020-14883  (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with  CVE-2020-14882  (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials," Imperva  said  in a report published last week. The 8220 Gang has a history of  leveraging known security flaws  to distribute cryptojacking malware. Earlier this May, the group was spotted utilizing another shortcoming in Oracle WebLogic servers (CVE-2017-3506, CVSS score: 7.4) to rope the devices into a crypto mining botnet. Recent attack chains documented by Imperva entail t
DarkGate and PikaBot Malware Resurrect QakBot's Tactics in New Phishing Attacks

DarkGate and PikaBot Malware Resurrect QakBot's Tactics in New Phishing Attacks

Nov 20, 2023 Threat Analysis / Malware
Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. "These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery," Cofense  said  in a report shared with The Hacker News. "The malware families used also follow suit to what we would expect QakBot affiliates to use." QakBot, also called QBot and Pinkslipbot, was  shut down  as part of a coordinated law enforcement effort codenamed Operation Duck Hunt earlier this August. The use of DarkGate and PikaBot in these campaigns is not surprising as they can both act as conduits to deliver additional payloads to compromised hosts, making them both an attractive option for cybercriminals. PikaBot's parallels to QakBot were  previously highlighted  by Zscaler in its analysis of the malw
Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation

Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation

Nov 08, 2023 Cloud Security / Cryptocurrency
Cybersecurity researchers have developed what's the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft  Azure Automation  service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victim's environment without attracting any attention. "While this research is significant because of its potential impact on cryptocurrency mining, we also believe it has serious implications for other areas, as the techniques could be used to achieve any task that requires code execution on Azure," security researcher Ariel Gamrian  said  in a report shared with The Hacker News. The study mainly set out to identify an "ultimate crypto miner" that offers unlimited access to computational resources, while simultaneously requiring little-to-no maintenance, is cost-free, and undetectable. That's where Azure Automation comes in.
Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks

Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks

Sep 09, 2023 Malware / Hacking
A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021. "The attacker uses  Advanced Installer  to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts," Cisco Talos researcher Chetan Raghuprasad  said  in a technical report. The nature of the applications trojanized indicates that the victims likely span architecture, engineering, construction, manufacturing, and entertainment sectors. The software installers predominantly use the French language, a sign that French-speaking users are being singled out. This  campaign  is strategic in that these industries rely on computers with high Graphics Processing Unit (GPU) power for t
Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Aug 23, 2023 Malware / Cybersecurity
Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security's p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for an upcoming (spoiler: now launched) campaign targeting various cloud services. While last week Aqua Security published a blog detailing this under-development campaign's stages related to infected Docker images, today  Permiso p0 Labs  and  SentinelLabs  are releasing joint research highlighting the incremental updates to the cloud credential harvesting malware samples systematically collected by monitoring the attacker's infrastructure. So get out of your seats and enjoy this scrum meeting stand-up dedicated to sharing knowledge about this actors campaign and the tooling they will use to steal more cloud credentials. If you like IDA scree
Expert Insights / Articles Videos
Cybersecurity Resources