The Hacker News — Cyber Security, Hacking, Technology News

BitTorrent, the company which owns the popular file-sharing client uTorrent, has quietly been sold for $140 million in cash to Justin Sun, the founder of blockchain-focused startup TRON.

TRON is a decentralized entertainment and content-sharing platform that uses blockchain and distributed storage technology. It allows users to publish content without having to use third-party platforms such as YouTube or Facebook, and trades in Tronix (TRX) cryptocurrency.

Since BitTorrent is one of the most recognizable brands in the world for decentralized computing and peer-to-peer (P2P) networking, and TRON aims to establish a truly decentralized Internet, BitTorrent would be of great use for Sun to help achieve that goal.

There were reports that the two were in negotiations for at least a month, and just yesterday, Variety reported that BitTorrent Inc. was sold to Sun last week, but the report did not disclose the deal price.

Now, TechCrunch is reporting that TRON's founder has agreed to pay $140 million to acquire BitTorrent, without revealing any further details on how exactly Sun would utilize the company for TRON's business.

Sun first started talking to BitTorrent about a possible acquisition late last year and even signed a letter of intent to acquire the company in January with a 'no-shop' clause, which meant BitTorrent was not allowed to negotiate any other deals while the letter was valid.

BitTorrent reportedly violated the clause and Sun ended up suing the company in January, but the lawsuit was eventually dropped, and Sun created a new company called Rainberry Acquisition Inc.

Around the same time, BitTorrent Inc. renamed its corporate entity to Rainberry Inc., and on the same day, both filed paperwork reflecting a merger.

Neither TRON nor BitTorrent has shared Sun's plans for the future of BitTorrent's technology, but reportedly the move is aimed at shielding TRON's technology from allegations of plagiarism.

Also, the technology can be used in creating a potential network to help TRON mine cryptocurrencies using BitTorrent's P2P architecture and its vast user base of over 170 Million, as its popular µTorrent client was previously caught doing so.

Due to the surge in cryptocurrency prices, not only hackers but also legitimate websites and mobile apps are increasingly using cryptocurrency miners to monetize by levying the CPU power of your PC and phones to mine cryptocurrencies.

However, Apple wants to protect your Mac and iPhone battery from shady cryptocurrency mining apps, and therefore, the company has put restrictions on such apps by disallowing them in its official App Store.

The company has updated the Hardware Compatibility section of its App Store guidelines, which now explicitly restrict iOS and Mac apps and ads from mining cryptocurrency in the background.

"Apps, including any third party advertisements displayed with them, may not run unrelated background processes, such as cryptocurrency mining," the updated guidelines read.

The update reportedly occurred last week, possibly in response to popular Mac app Calendar 2 that bundled a Monero (XMR) miner in with its premium upgrade that unlocked 'advanced' paid features of the scheduling app.

Cryptocurrency mining is not a new concept, but the technology has recently been abused in the past years after hackers found it a great way to make millions of dollars by hijacking computers to secretly perform cryptocurrency mining in the background without users' knowledge or consent.

Due to this cryptocurrency mining has emerged as one of the biggest threats, raising negative sentiments towards this alternative revenue scheme.

However, it seems like Apple guidelines ban any on-device mining that eventually ends up draining Apple devices' batteries by using the device processing power to mine cryptocurrency.

"Apps should not rapidly drain battery, generate excessive heat, or put unnecessary strain on device resources," the guidelines states.

However, as long as the mining process is performed somewhere other than the device, such as a remote server or a cloud provider, Apple doesn't have any problem.

Wallet apps for cryptocurrency are also fine if the developer is enrolled as an organization, as of apps that facilitate transactions or transmissions of cryptocurrencies, since these apps are offered by the exchanges.

In addition, Apple guidelines also state that cryptocurrency apps "may not offer currency for completing tasks, such as downloading other apps, encouraging other users to download, posting to social networks."

Apple is not the first one to ban direct mining. Last month, Google also banned cryptocurrency mining extensions from its Chrome Web store to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness.

In late March, Twitter also announced its plan to block cryptocurrency-related ads on its platform, and in January, Facebook banned all ads promoting cryptocurrencies, including Bitcoin and initial coin offerings (ICOs).

Security researchers have been warning about cybercriminals who have made over 20 million dollars in just past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet.

Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether).

However, researchers now noticed that another cybercriminal group have managed to steal a total 38,642 Ether, worth more than $20,500,000 at the time of writing, in past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world.

Geth is one of the most popular clients for running Ethereum node and enabling JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account which has been unlocked before sending a transaction and will stay unlocked for the entire session.
Here's the attackers' Ethereum account address, where all the stolen funds have been collected:

0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464

By simply searching this address on the Internet, we found dozens of forums and websites where users have posted details of similar incidents happened with them, describing about the same account address hackers used to stole their funds from the insecurely configured Ethereum nodes.

According to an advisory issued by Ethereum Project three years ago, leaving the JSON-RPC interface on an internet-accessible machine without a firewall policy opens up your cryptocurrency wallet to theft "by anybody who knows your [wallet] address in combination with your IP."

NetLab researchers warned that not only the above-mentioned cybercriminal group but other attackers are also actively scanning the Internet for insecure JSON-RPC interface to steal funds from cryptocurrency wallets.

"If you have honeypot running on port 8545, you should be able to see the requests in the payload. Which has the wallet addresses. And there are quite a few ips scanning heavily on this port now," 360 Netlab tweeted.

Users who have implemented Ethereum nodes are advised only to allow connections to the geth client originating from the local computer, or to implement user-authorization if remote RPC connections need to be enabled.

Security researchers have discovered a series of new vulnerabilities in EOS blockchain platform, one of which could allow remote hackers to take complete control over the node servers running the critical blockchain-based applications.

EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications over blockchain infrastructure, just like Ethereum.

Discovered by Chinese security researchers at Qihoo 360—Yuki Chen of Vulcan team and Zhiniang Peng of Core security team—the vulnerability is a buffer out-of-bounds write issue which resides in the function used by nodes server to parse contracts.

To achieve remote code execution on a targeted node, all an attacker needs to do is upload a maliciously crafted WASM file (a smart contract) written in WebAssembly to the server.
As soon as the vulnerable process parser reads the WASM file, the malicious payload gets executed on the node, which could then also be used to take control over the supernode in EOS network—servers that collect transaction information and pack it into blocks.

"With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance," the duo explained in their blog post published today. 

"And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS. Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker."

Once the attackers gained control over the supernode, they could eventually "pack the malicious contract into the new block and further control all nodes of the EOS network."

Since the super node system can be controlled, the researchers said the attackers can "do whatever they want," including, controlling the virtual currency transactions, and acquiring other financial and privacy data in the EOS network participating node systems, such as an exchange Digital currency, the user's key stored in the wallet, key user profiles, privacy data, and much more.

"What's more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free 'miner' and dig up other digital currencies," the researchers told THN.

Researchers have detailed how to reproduce the vulnerability and also released a proof-of-concept exploit, along with a video demonstration, which you can watch on their blog post.

The exploit demonstrated by the 360Vulcan researcher can bypass multiple default security mitigation measures to achieve complete control over the super node running the malicious contract.

The pair responsibly reported the vulnerability to the maintainers of the EOS project, and they have already released a fix for the issue on GitHub.

"In Blockchain networks and digital currency systems, there are many attack surfaces existing in nodes, digital wallets, mining pools and smart contracts. 360 ​​security team has previously discovered and disclosed multiple relevant high risk vulnerabilities,"

The researchers believe the new type of vulnerabilities affect not only EOS alone but also other types of Blockchain platforms and virtual currency applications.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

In an effort to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness, Google has implemented a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.

Over the past few months, we have seen a sudden rise in malicious extensions that appear to offer useful functionality, while embedding hidden cryptocurrency mining scripts that run in the background without the user's knowledge.

Last month, cryptocurrency miners were even found in a Russian nuclear weapons lab and on thousands of government websites. In January, cryptocurrency mining malware also infected more than half-million PCs.

Until now, only those cryptocurrency mining extensions were allowed on the Chrome Web Store that are solely intended for mining, and explicitly informed users about its working and revenue model.

If the company finds any mining extension developers submitted was not in compliance and secretly mines cryptocurrency using a victim device's computing power, it simply blocks the extension.

Since about 90 percent of the mining extensions developers submitted to the Chrome Web Store failed to comply with the rules, the tech giant decided to ban all browser extensions that mine cryptocurrency (even if it's used for legitimate purposes) from its Web Store.

"Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency," Google says in its Chromium Blog. "Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June."

However, the ban on cryptocurrency mining extensions will not impact other digital currency and blockchain-related extensions, such as Bitcoin price checkers, blockchain browsers, and cryptocurrency wallet managers.

Google noted that its new move is "another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks."

Though banning cryptocurrency mining extensions is definitely a great move, the ban may not eliminate the problem as a whole, since attackers have increasingly been developing ways to hide their mining functionality in an extension until after it gets Chrome Web Store approval.

The ban comes less than a month after Google announced its plans to ban advertisements related to cryptocurrency.

Google is not the first one to impose a ban on cryptocurrency-related abuses. Late last month, Twitter announced its plan to block cryptocurrency-related ads on its platform, and in January, Facebook banned all ads promoting cryptocurrencies, including Bitcoin and ICOs.

Nothing comes for free, especially online.

Would you be okay with allowing a few paid services to mine cryptocurrencies using your system instead of paying the subscription fee?

Most free websites and services often rely on advertising revenue to survive, but now there is a new way to make money—using customers’ computer to generate virtual currencies.

It was found that a scheduling app, dubbed Calendar 2, was embracing cryptocurrency mining in exchange for free access to its app premium features, but the developer has to take it down from the Apple App Store following reports that it's not working as intended.

Cryptocurrency mining is not a new concept, but the technology has recently exploded after hackers found it a great way to make millions of dollars by hijacking computers to secretly perform cryptocurrency mining in the background without users' knowledge or consent.

Due to this cryptocurrency mining has emerged as one of the biggest threats in recent months, raising negative sentiments towards this alternative revenue scheme.

However, it seems that Apple has no problem with this alternative if app developers take user's consent to mine cryptocurrencies.

Developed by Qbix, Calendar 2 includes more features than the regular Calendar app that comes bundled with macOS, and cost $0.99 per month or $17.99 one-time fees via in-app purchases.

However, the app recently included a default feature that unlocks 'advanced' paid features of Calendar 2 by allowing the app to mine the digital currency known as Monero (XMR) for its developer in the background.

But unfortunately, the app contains two serious bugs: one that kept the Monero miner running, even if users tried to opt-out of the default setting, and a second issue that caused the miner to consume more CPU duty cycle than originally intended.

"It ate 200% CPU until I found it and killed it. I didn't expect a miner infection from an App Store vendor. Wow. It runs the xmr-stak Monero miner," one user on Twitter reported.

In response to the reports, Qbix founder Gregory Magarshak acknowledged the issues and decided to remove the mining function from his app, citing some issues with the miner's source code, the feature's buggy launch and a personal dislike for "proof of work" computing.

Even though the miner is removed from Calendar 2, it's unclear whether the cryptocurrency mining within apps breaches App Store terms of service, as Calendar 2's method of openly embracing mining in exchange of paid services is new to the Mac App Store.

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has actively been exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or serve as a backdoor for attackers to remotely control the affected machine, according to a blogpost on Securelist.

Here's How Telegram Vulnerability Works

The vulnerability resides in the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for coding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and send it to Telegram users.

For example, when an attacker sends a file named "photo_high_re*U+202E*gnp.js" in a message to a Telegram user, the file's name rendered on the users' screen flipping the last part.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading into downloading malicious files disguised as the image.

"As a result, users downloaded hidden malware which was then installed on their computers," Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: "at the time of publication, the zero-day flaw has not since been observed in messenger's products."

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim's PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram's local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

"After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools," the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as "all the exploitation cases that [the researchers] detected occurring in Russia," and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.

Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors' computers to mine cryptocurrency for attackers.

The cryptocurrency mining script injection found on over 4,000 websites, including those belonging to UK's National Health Service (NHS), the Student Loan Company, and data protection watchdog Information Commissioner's Office (ICO), Queensland legislation, as well as the US government's court system.

Users who visited the hacked websites immediately had their computers' processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.

It turns out that hackers managed to hijack a popular third-party accessibility plugin called "Browsealoud," used by all these affected websites, and injected their cryptocurrency-mining script into its code.

Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.

The script that was inserted into the compromised Browsealoud software belongs to CoinHive—a browser-based Monero mining service that offers website administrators to earn revenue by utilizing CPU resources of visitors.

The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

The full list of affected websites can be found here.

After UK-based infosec consultant Scott Helme raised the alarm about this hack when one of his friends mentioned getting anti-virus alerts on a UK Government website, BrowseAloud’s operator Texthelp took down its site to resolve the issue.

Here’s what Texthelp's chief technology officer Martin McKay said in a blog post:

"In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours."

"Texthelp has in place continuously automated security tests for Browsealoud - these tests detected the modified file, and as a result, the product was taken offline."

This action eventually removed Browsealoud from all websites immediately, addressing the security issue without its customers having to take any action.

The company also assured that "no customer data has been accessed or lost," and that its customers will receive a further update as soon as the security investigation gets completed.

Two days ago when infosec bods claimed to have uncovered what's believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of making fear-mongering headlines, taunting that the next headline could be about cryptocurrency-miner detected in a nuclear plant.

It seems that now they have to run a story themselves with such headlines on their website because Russian Interfax News Agency yesterday reported that several scientists at Russia's top nuclear research facility had been arrested for mining cryptocurrency with "office computing resources."

The suspects work as engineers at the Russian Federation Nuclear Center facility—also known as the All-Russian Research Institute of Experimental Physics—which works on developing nuclear weapons.

The center is located in Sarov, Sarov is still a restricted area with high security. It is also the birthplace of the Soviet Union's first nuclear bomb.

In 2011, the Russian Federation Nuclear Center switched on a new supercomputer with a capacity of 1 petaflop, making it the twelfth most powerful in the world at the time.

According to Russian media reports, the engineers had tried to use one of Russia's most powerful supercomputers housed in the Federal Nuclear Center to mine Bitcoins.

The suspects were caught red-handed while attempting to connect the lab's supercomputer to the internet, which was supposed to be offline to ensure security, the nuclear center's security department was alerted.

Once caught, the engineers were handed over to the Federal Security Service (FSB).

"There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining," Tatyana Zalesskaya, head of the Institute's press service, told Interfax news agency. 

"Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them," Zalesskaya added, without revealing the exact number of employees detained.

The Federal Security Service (FSB) has yet to issue a statement on the arrests and criminal charges.

Cryptocurrency has gained tremendous popularity over the past year. Mining a single Bitcoin is not an ice cakewalk, as it requires an enormous amount of computational power and huge amounts of energy.

According to media reports, Russia is becoming a hotbed of cryptocurrency mining due to its low-cost energy reserves. One Russian businessman, Alexey Kolesnik, reportedly also bought two power stations exclusively to generate electricity for Bitcoin-mining data centers.

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 in Ripples).

In 2014, Mt Gox, one of the largest bitcoin exchange at that time, filed for bankruptcy after admitting it had lost $450 million worth of Bitcoins.

Apparently, the cryptocurrency markets reacted negatively to the news, which resulted in 5% drop in Bitcoin price early this morning.

In a blog post published today, the Tokyo-based cryptocurrency exchange confirmed the cyber heist without explaining how the tokens were stolen, and abruptly froze most of its services, including deposits, withdrawals and trade of almost all cryptocurrencies, except Bitcoin.

Coincheck also said the exchange had even stopped deposits into NEM cryptocurrencies, which resulted in 16.5% drop in NEM coin value, as well as other deposit methods including credit cards.

During a late-night press conference at the Tokyo Stock Exchange, Coincheck Inc. co-founder Yusuke Otsuka also said that over 500 million NEM tokens (then worth around $420 million) were taken from Coincheck's digital wallets on Friday, but the company didn’t know how the tokens went missing, according to new source Asahi.

The digital-token exchange has already reported the incident to the law enforcement authorities and to Japan's Financial Services Agency to investigate the cause of the missing tokens.

"We will report on the damage situation and cause of the case, measures to prevent recurrence, but first we would like you to take every possible measure to protect our customers," said Executives of the Financial Services Agency (translated).

This incident marks yet another embarrassing hack in the world of digital currency technology, once again reminding us that the volatility in cryptocurrency prices is not going away anytime soon.

So far, the exchange has not provided any official statement regarding the cause of this hack. We will keep you updated about this incident. Stay Tuned!

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

Pavel Lerner, a prominent Russian blockchain expert and known managing director of one of the major crypto-exchanges EXMO, has allegedly been kidnapped by "unknown" criminals in the Ukranian capital of Kiev.

According to Ukraine-based web publication Strana, Lerner, 40-year-old citizen of Russia, was kidnapped on December 26 when he was leaving his office in the center of town (located on the Stepan Bandera Avenue).

Unknown kidnappers in dark clothes and balaclavas dragged Lerner in their black Mercedes-Benz Vito brand (state number AA 2063 MT) car and drove away in an unknown direction.

The information comes from an anonymous source in Ukrainian law enforcement agencies, though multiple investigations are currently underway to find out why and by whom Lerner was kidnapped.

Lerner is a recognized IT specialist in Ukraine who led a number of startups related to blockchain technology development and mining operations.

Lerner is also the managing director of EXMO, a major UK-based cryptocurrency exchange founded in 2013 and well-known with Russians for accepting ruble payments.

Law enforcers in Kiev have begun an investigation and are currently conducting search operation, working out all possible leads in the case which is described as the kidnapping.

EXMO's representatives confirmed media reports in a statement to a local crypto journal BitNovosti and appealed for any information that could lead to the finding of Lerner.

The company representatives also assured its customers that EXMO operations were not affected by the incident and that Lerner did not have direct access to any cryptocurrency account or other personal data.

"We are doing everything possible to speed up the search of Pavel Lerner. Any information regarding his whereabouts is very much appreciated," PR-department of EXMO said. 

"Despite the situation, the exchange is working as usual. We also want to stress that nature of Pavel’s job at EXMO doesn’t assume access either to storages or any personal data of users. All users funds are absolutely safe."

Lerner case has been considered to be yet another case involving a Russian national with cryptocurrency background.

In July this year, Alexander Vinnik, a 38-year-old Russian citizen and operator of cryptocurrency exchange BTC-e, was detained in Northern Greece at the request of US law enforcement authorities. The Greece court in October also ruled to extradite Vinnik to the United States.

The US authorities accused Vinnik of crimes related to the hack of Mt. Gox, which was shut down in 2014 following a massive series of mysterious robberies, which totaled at least $375 million in Bitcoin.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

If you receive a video file (packed in zip archive) sent by someone (or your friends) on your Facebook messenger — just don't click on it.

Researchers from security firm Trend Micro are warning users of a new cryptocurrency mining bot which is spreading through Facebook Messenger and targeting Google Chrome desktop users to take advantage of the recent surge in cryptocurrency prices.

Dubbed Digmine, the Monero-cryptocurrency mining bot disguises as a non-embedded video file, under the name "video_xxxx.zip" (as shown in the screenshot), but is actually contains an AutoIt executable script.

Once clicked, the malware infects victim's computer and downloads its components and related configuration files from a remote command-and-control (C&C) server.

Digimine primarily installs a cryptocurrency miner, i.e. miner.exe—a modified version of an open-source Monero miner known as XMRig—which silently mines the Monero cryptocurrency in the background for hackers using the CPU power of the infected computers.

Besides the cryptocurrency miner, Digimine bot also installs an autostart mechanism and launch Chrome with a malicious extension that allows attackers to access the victims' Facebook profile and spread the same malware file to their friends' list via Messenger.

Since Chrome extensions can only be installed via official Chrome Web Store, "the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line."

"The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video" Trend Micro researchers say.

"The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components."

It's noteworthy that users opening the malicious video file through the Messenger app on their mobile devices are not affected.

Since the miner is controlled from a C&C server, the authors behind Digiminer can upgrade their malware to add different functionalities overnight.

Digmine was first spotted infecting users in South Korea and has since spread its activities to Vietnam, Azerbaijan, Ukraine, Philippines, Thailand, and Venezuela. But since Facebook Messenger is used worldwide, there are more chances of the bot being spread globally.

When notified by Researchers, Facebook told it had taken down most of the malware files from the social networking site.

Facebook Spam campaigns are quite common. So users are advised to be vigilant when clicking on links and files provided via the social media site platform.

The North Korean hacking group has turned greedy.

Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to be originated from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.

Active since 2009, Lazarus Group has been attributed to many high profile attacks, including Sony Pictures Hack, $81 million heists from the Bangladesh Bank, and the latest — WannaCry.

The United States has officially blamed North Korea for global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year.

In separate news, security experts have blamed Lazarus group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.

Researchers from security firm Proofpoint have published a new report, revealing a connection between Lazarus Group and a number of multistage cyber attacks against cryptocurrency users and point-of-sale systems.

"The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies," the researchers said. "The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development."

After analyzing a large number of spear phishing emails with different attack vectors from multiple spear phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from Lazarus Group arsenal, dubbed PowerRatankba.

Encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resembles the original Ratankba implant developed by Lazarus Group.

The PowerRatankba implant is being spread using a massive email campaign through the following attack vectors:

• Windows executable downloader dubbed PowerSpritz
• Malicious Windows Shortcut (LNK) files
• Several malicious Microsoft Compiled HTML Help (CHM) files
• Multiple JavaScript (JS) downloaders
• Macro-based Microsoft Office documents
• Backdoored popular cryptocurrency applications hosted on fake websites

"During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies," reads the 38-page-long report [PDF] published by Proofpoint.

Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.

It's notable that PowerRatankba and Gh0st RAT don't exploit any zero-day vulnerability; instead, Lazarus Group relies on mixed programming practices, like C&C communication over HTTP, use of Spritz encryption algorithm and the Base64-encoded custom encryptor.

"It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges," the researchers say. "From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today."

Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, using RatankbaPOS malware for stealing credit card data.

Since RatankbaPOS was sharing same C&C server as the PowerRatankba implant, it is believed that both the implants are linked to Lazarus Group.

The explosive growth in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in making digital wealth.

More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled "North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group," published by PowerPoint on Wednesday.

Due to the recent surge in cryptocurrency prices, not only hackers but also legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of your PC to mine Bitcoin or other cryptocurrencies.

Just last week, researchers from AdGuard discovered that some popular video streaming and ripper sites including openload, Streamango, Rapidvideo, and OnlineVideoConverter hijacks CPU cycles from their over hundreds of millions of visitors for mining Monero cryptocurrency.

Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.

Dubbed Loapi, the new Android Trojan can perform so many more malicious activities at a time that can exploit a handset to the extent that within just two days of infection it can cause the phone's battery to bulge out of its cover.

Described as a "jack-of-all-trades" by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.

Loapi Destroyed An Android Phone In Just 2 Days

According to researchers, the cybercriminals behind Loapi are the same responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for "popular antivirus solutions and even a famous porn site."

A screenshot in the Kaspersky blog suggests that Loapi impersonates as at least 20 variations of adult-content apps and legitimate antivirus software from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others.

Upon installation, Loapi forces the user to grant it 'device administrator' permissions by looping a pop-up until a victim clicks yes, which gives the malicious app the same power over your smartphone that you have.

This highest level privilege on a device would also make the Loapi malware ideal for user espionage, though this capability is not yet present in the malware, the Kaspersky researchers think this can be included in the future.

Loapi Malware Aggressively Fights to Protect Itself

Researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing phone windows by itself.

Loapi communicates with the module-specific command and control (C&C) servers, including advertisement module, SMS module and mining module, web crawler, and proxy module, for different functions to be performed on the infected device.

By connecting with one of the above-mentioned C&C servers, Loapi sends a list of legitimate antivirus apps that pose it danger and claims the real app as malware and urges the user to delete it by showing the pop-up in a loop until the user finally deletes the app.

"Loapi is an interesting representative from the world of malicious Android apps. It’s creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device," the researchers concluded.

Fortunately, Loapi failed to make its ways to Google Play Store, so users who stick to downloads from the official app store are not affected by the malware. But you are advised to remain vigilant even when downloading apps from Play Store as malware often makes its ways to infect Android users.

Bitcoin is breaking every record—after gaining 20% jump last week, Bitcoin price just crossed the $14,800 mark in less than 24 hours—and there can be no better reason for hackers to put all of their efforts to steal skyrocketing cryptocurrency.

NiceHash, the largest Bitcoin mining marketplace, has been hacked, which resulted in the theft of more than 4,700 Bitcoins worth over $57 million (at the time of breach).

And guess what? You'll be surprised to know that the stolen BTC now worth over $70 million—in less than 24 hours.

Founded in 2014, NiceHash is a cloud-based crypto-mining marketplace that connects people from all over the world to rent out their spare computing power to other in order to create new coins.

On Wednesday, several NiceHash users reported that their BTC wallets had been emptied, which was later confirmed by NiceHash after its service went offline claiming to be undergoing maintenance.

At the time of writing, the NiceHash service is still offline with a post on its website, confirming that "there has been a security breach involving NiceHash website," and that hackers stole the contents of the NiceHash Bitcoin wallet.
The company did not provide any further details about the security incident, but it did say that NiceHash has paused its operations for next 24 hours while it figures out exactly how many numbers of BTC were swiped from its website and how it was taken.

Although NiceHash has not confirmed the number of bitcoins stolen from its virtual wallet, some of its customers have circulated a wallet address that suggests around 4,736 BTC—worth more than $70 million based on today's price—in total were drained from the company's wallet.

NiceHash has initiated an investigation into the matter, and has reported the incident to the "relevant authorities and law enforcement" and has been "co-operating with them as a matter of urgency."

The company also assured its customers that it is "fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity," but it's still unclear how the company will manage to settle everything if it is unable to compensate the total loss.

"We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavor to update you at regular intervals," the company says.

Following the security incident, NiceHash is recommending its customers to change their passwords—both on NiceHash and other services, if they are using the same credentials.

NiceHash is the latest cryptocurrency company to suffer a significant blow in recent months. Another major hack took place last month due to a flaw in Parity's wallet that caused over $160 million in ETH (Ether) to be frozen, while nearly $32 million in ETH was stolen by hackers in July.

Some websites have found using a simple yet effective technique to keep their cryptocurrency mining javascript secretly running in the background even when you close your web browser.

Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of their visitor's PC to mine Bitcoin or other cryptocurrencies.

After the world's most popular torrent download website, The Pirate Bay, caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.

However, websites using such crypto-miner services can mine cryptocurrencies as long as you're on their site. Once you close the browser window, they lost access to your processor and associated resources, which eventually stops mining.

Unfortunately, this is not the case anymore.

Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.

How Does This Browser Technique Work?

According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft's Windows computer.

From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.
Researchers say this technique is a lot harder to identify and able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner runs from a crypto-mining engine hosted by Amazon Web Servers.

"This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself," Jérôme Segura, Malwarebytes' Lead Malware Intelligence Analyst, says in the post. "Closing the browser using the "X" is no longer sufficient."

To keep itself unidentified, the code running in the hidden browser always takes care of the maximum CPU usage and maintains threshold to a medium level.

You can also have a look at the animated GIF image that shows how this clever trick works.

This technique works on the latest version of Google's Chrome web browser running on the most recent versions of Microsoft's Windows 7 and Windows 10.

How to Block Hidden Cryptocurrency Miners

If you suspect your computer CPU is running a little harder than usual, just look for any browser windows in the taskbar. If you find any browser icon there, your computer is running a crypto-miner. Now simply, kill it.

More technical users can run Task Manager on their computer to ensure there is no remnant running browser processes and terminate them.

Since web browsers themselves currently are not blocking cryptocurrency miners neither does the integrated Windows Defender antivirus software, you can use antivirus programs that automatically block cryptocurrency miners on web pages you visit.

For this, you can contact your antivirus provider to check if they do.

Alternatively, you can make use of web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you, and regularly update themselves with new mining scripts that come out.

Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.

No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

Again some bad news for cryptocurrency users.

Tether, a Santa Monica-based start-up that provides a dollar-backed cryptocurrency tokens, has claimed that its systems have been hacked by an external attacker, who eventually stole around $31 million worth of its tokens.

With a market capitalization of $673 million, Tether is the world's first blockchain-enabled platform to allow the traditional currency to be used like digital currency.

Tether serves as a proxy for the US dollar, Euro (and soon Japanese yen) that can be sent between exchanges including Bitfinex, Poloniex, Omni, GoCoin and other markets.

According to an announcement on the company's official website posted today, the unknown hacker stole the tokens (worth $30,950,010) from the Tether Treasury wallet on November 19 and sent them to an unauthorized Bitcoin address.

The stolen tokens will not be redeemed, but the company is in the process of attempting token recovery in order to prevent them from entering the broader cryptocurrency market.

The attacker is holding stolen funds at the following bitcoin address:

16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r

So, in case, you receive any USDT (that's what Tether calls its platform's USD currency; 1USDT=1USD) "tokens from the above address, or from any downstream address that receives these tokens, do not accept them, as they have been flagged and will not be redeemable by Tether for USD," the company warned.

Bitcoin price dropped as much as 5.4 percent, the most since November 13.

To prevent the stolen coins from moving from the attacker's address, the company has temporarily suspended its back-end wallet service and also provided a new version of its software.

"Accordingly, any and all exchanges, wallets, and other Tether integrators should install this software immediately in order to prevent loss: https://github.com/tetherto/omnicore/releases/tag/0.2.99.s," the company said.

The Tether Team has also ensured that Tether issuances have not been affected by this attack, and all of its tokens remain fully backed by assets in the Tether reserve.

Instead, the only tokens that won't be redeemed at this moment are those stolen from Tether treasury yesterday. However, these tokens will be returned to treasury once the software enhancements are in place.

Tether is also undertaking a thorough investigation of the incident in an attempt to prevent similar attacks in the future.

This incident is the latest in a long list of attacks against the cryptocurrency markets. Just last week, about $300 million worth of Ether from dozens of Ethereum wallets was permanently locked up after someone triggered a flaw in Parity multi-sig wallets.

As of today — 1 Bitcoin = $7300 USD (Approx 471,000 INR)

At the beginning of this year, 1 Bitcoin was approximately equal to $1000, and now it has surged to a new height, marking its market capitalization at over $124 billion.

Is it really too late to invest in Bitcoin or other cryptocurrencies like Ethereum?

For those wondering if they have missed the money-making boat, the answer is—NO, it's never too late to invest.

In case you are new to cryptocurrency trading, we have a simple step-by-step guide on our deal store that explains how to invest in cryptocurrencies.

However, the blockchain, the revolutionary technology behind Bitcoin and other digital currencies, is not always about cryptocurrencies.

Though it is a decentralized public database which ensures that all transactions are properly conducted and recorded, Blockchains can be used for a wide variety of applications, such as for digital identity management, smart assets, digital voting, distributed cloud storage, and so on.

While Bitcoin has long been dominant in the cryptocurrency market, the second largest cryptocurrency—Ethereum—offers much faster data processing than Bitcoin.

Moreover, Bitcoin was designed to be used as a currency only, whereas the Ethereum blockchain facilitates the development of all sorts of next-generation decentralized applications.

Organisations are recognizing Ethereum potential to make processes more efficient and secure, and programmers are opting for Ethereum development.

Also, since Ethereum technology is still in the early adopter stage, you can get in at ground level and become proficient before it blows up.

How to Become An Ethereum Developer?

So are you considering to learn blockchain technology and Ethereum development?

The Hacker News is making things easier for you by providing you an amazing deal on "The Complete Ethereum Blockchain Mastery Bundle," at a discount of 95 percent.

The Complete Ethereum Blockchain Mastery Bundle includes four online courses:

1. Ethereum Blockchain Developer: Build Projects Using Solidity—This course will help you get your hands on development practice with solidity and successfully build a complex, real-world, Ethereum-based distributed app using core development tools such as Mist, Geth & Ethereum Studio.

2. Blockchain Technology: A Guide To The Blockchain Ecosystem—This course will help you understand the blockchain ecosystem and the technology that surrounds it.

3. Ethereum Developer: Build A Decentralized Blockchain App—This course will help you build your own decentralized blockchain application.

4. Ethereum Developer Masterclass: Build Real-World Projects—This is the last course in The Complete Ethereum Blockchain Mastery Bundle that will help you launch an initial coin offering (ICO) and at the same time will help you build a decentralized exchange on the blockchain.


At THN Deals Store, you can get all of the above four courses offered in The Complete Ethereum Blockchain Mastery Bundle for just $29 (after 95% discount on its actual price $610).

So, what are you waiting for?

Sign up for The Complete Ethereum Blockchain Mastery Bundle now.

Last month the popular torrent website The Pirate Bay caused some uproar by adding a Javascript-based cryptocurrency miner to its site with no opt-out option, utilizing visitors' CPU power to mine Monero coins in an attempt to gain an extra source of revenue.

Now D-Link has been caught doing the same, although there's high chance that its website has been hacked.

D-Link's official website for Middle East (www.dlinkmea.com) has been found secretly adding a JavaScript-based cryptocurrency miner, according to a blog post published by security firm Seekurity on Tuesday.

Seekurity team was made aware of the issue after Facebook user Ahmed Samir reported that visiting on D-Link Middle East website caused his web browser utilizing a "super high CPU" power usage.

As shown in the screenshot below, a separate domain was loaded using a hidden iFrame for each page view, which included the cryptocurrency mining script.
Five days after Seekurity team reported the issue to D-Link, the company took down the website and redirected it to D-Link USA website (us.dlink.com), without responding to the security firm.

Since the company redirected the whole website to another domain instead of just removing a single line of hidden iFrame code, there are high chances that D-Link has recently been a victim of cyber attack.

Anyways, cryptocurrency mining has become a competitive revenue stream these days, and it is trending among hackers as well.

So, it would be no surprise if hackers compromise popular websites and embed their cryptocurrency miners to harness visitor's system computing power in an attempt to mine digital coins.

Just yesterday it was reported that more than 200 of the top 100,000 websites on the web were found hosting suspicious code from CoinHive and JSEcoin, two popular cryptocurrency mining services, forcing their visitors to run miner code on their computers unknowingly.

If you are using a good antivirus solution, like Malwarebytes and Kaspersky, then you are protected, as most security solutions have already started blocking cryptocurrency mining scripts to prevent their customers from unauthorized mining and extensive CPU usage.

When yesterday I was reporting about the sudden outbreak of another global ransomware attack 'Bad Rabbit,' I thought what could be worse than this?

Then late last night I got my answer with a notification that Coinhive has been hacked — a popular browser-based service that offers website owners to embed a JavaScript to utilise their site visitors' CPUs power to mine the Monero cryptocurrency for monetisation.

Reportedly an unknown hacker managed to hijack Coinhive's CloudFlare account that allowed him/her to modify its DNS servers and replace Coinhive's official JavaScript code embedded into thousands of websites with a malicious version.

https://coin-hive[.]com/lib/coinhive.min.js

Hacker Reused Leaked Password from 2014 Data Breach

Apparently, hacker reused an old password to access Coinhive's CloudFlare account that was leaked in the Kickstarter data breach in 2014.

"Tonight, Oct. 23th at around 22:00 GMT our account for our DNS provider (Cloudflare) has been accessed by an attacker. The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server." Coinhive said in a blog post today.

"This third-party server hosted a modified version of the JavaScript file with a hardcoded site key."

As a result, thousands of sites using coinhive script were tricked for at least six hours into loading a modified code that mined Monero cryptocurrency for the hacker rather than the actual site owners.

"We have learned hard lessons about security and used 2FA [Two-factor authentication] and unique passwords for all services since, but we neglected to update our years old Cloudflare account."

Your Web-Browsers Could Be Mining Cryptocurrencies Secretly for Strangers

Coinhive gained media attention in last weeks after world's popular torrent download website, The Pirate Bay, caught secretly using this browser-based cryptocurrency miner on its site.

Immediately after that more than thousands of other websites also started using Coinhive as an alternative monetisation model by utilising their visitors' CPU processing power to mine digital currencies.

Even hackers are also using Coinhive like services to make money from compromised websites by injecting a script secretly.

Well, now the company is also looking ways to reimburse its users for the lost revenue due to breach.

How to Block Websites From Hijacking Your CPU to Mine Cryptocoins

Due to concerns mentioned above, some Antivirus products, including Malwarebytes and Kaspersky, have also started blocking Coinhive script to prevent their customers from unauthorised mining and extensive CPU usage.

You can also install, No Coin Or minerBlock, small open source browser extensions (plug-ins) that block coin miners such as Coinhive.