#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

cryptocurrency | Breaking Cybersecurity News | The Hacker News

New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency

New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency

Feb 23, 2023 Cryptocurrency / Malware
An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency. Bitdefender is calling the malware  S1deload Stealer  for its use of  DLL side-loading techniques  to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user's followers," Bitdefender researcher Dávid ÁCS  said . Put differently, the goal of the campaign is to take control of the users' Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms. More than 600 unique users are estimate
Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

Feb 20, 2023 Cyber Crime / Cryptocurrency
Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. "This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the Oslo-based crime-fighting unit  said  in a statement. The development comes more than 10 months after the U.S. Treasury Department  implicated  the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge. Then in September 2022, the U.S. government  announced  the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds. Økokrim said it worked with international law enforcement partners to pursue and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities. "This is money th
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware

Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware

Feb 15, 2023 Cryptocurrency / Ransomware
A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos  said  it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, primarily focuses on individuals, small businesses, and large organizations located in the U.S., and to a lesser extent in the U.K., Turkey, and the Philippines. The starting point that kicks off the multi-stage attack chain is a phishing email bearing a malicious ZIP file that's used as a pathway to deliver either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover its tracks. MortalKombat, first detected in January 2023, is capable
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

Feb 14, 2023 Cryptocurrency / Software Security
Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with  clipper malware . Software supply chain security company Phylum, which  spotted the libraries , said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022. The initial vector entails using  typosquatting  to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others. "After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session," Phylum  said  in a report published last year. "When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker's address." This is achieved by creating a Chromium web browser extension in the Window
Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users

Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users

Feb 11, 2023 Cryptocurrency / Malware
Suspected Russian threat actors have been targeting Eastern European users in the crypto industry with fake job opportunities as bait to install information-stealing malware on compromised hosts. The attackers "use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer," Trend Micro researchers Aliakbar Zahravi and Peter Girnus  said  in a report this week. Enigma is said to be an altered version of Stealerium, an open source C#-based malware that acts as a stealer, clipper, and keylogger. The intricate infection journey starts with a rogue RAR archive file that's distributed via phishing or social media platforms. It contains two documents, one of which is a .TXT file that includes a set of sample interview questions related to cryptocurrency. The second file is a Microsoft Word document that, while serving as a decoy, is tasked with launching the first-stage Enigma loader,
Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware

Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware

Feb 08, 2023 Cryptocurrency / Endpoint Security
A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov, 30, was  arrested  in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023. "Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad," the Department of Justice (DoJ)  said . Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds. According to DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and trans
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers

New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers

Feb 02, 2023 Database Security / Cryptocurrency
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani  said  in a Wednesday report. A significant concentration of infections has been recorded in China, Malaysia, India, Germany, the U.K., and the U.S. to date. The origins of the threat actor are presently unknown. The findings come two months after the cloud security firm shed light on a Go-based malware codenamed  Redigo  that has been found compromising Redis servers. The attack is designed to target Redis servers that are exposed to the internet, followed by issuing a  SLAVEOF command  from another Redis server that's already under the adversary's control. In
FBI Says North Korean Hackers Behind $100 Million Horizon Bridge Crypto Theft

FBI Says North Korean Hackers Behind $100 Million Horizon Bridge Crypto Theft

Jan 24, 2023 Cryptocurrency / Cyber Crime
The U.S. Federal Bureau of Investigation (FBI) on Monday confirmed that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency assets from  Harmony Horizon Bridge  in June 2022. The law enforcement agency attributed the hack to the  Lazarus Group  and APT38 (aka BlueNoroff, Copernicium, and Stardust Chollima), the latter of which is a North Korean state-sponsored threat group that specializes in financial cyber operations. The FBI further stated the Harmony intrusion leveraged an attack campaign dubbed  TraderTraitor  that was disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in April 2022. The modus operandi entailed utilizing social engineering tricks to deceive employees of cryptocurrency companies into downloading rogue applications as part of a seemingly benign recruitment effort. "On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of
Bitzlato Crypto Exchange Founder Arrested for Aiding Cybercriminals

Bitzlato Crypto Exchange Founder Arrested for Aiding Cybercriminals

Jan 19, 2023 Cryptocurrency / Money Laundering
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of Anatoly Legkodymov (aka Gandalf and Tolik), the cofounder of Hong Kong-registered cryptocurrency exchange Bitzlato, for allegedly processing $700 million in illicit funds. The 40-year-old Russian national, who was arrested in Miami, was charged in a U.S. federal court with "conducting a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements," the DoJ  said . According to court documents, Bitzlato is said to have advertised itself as a virtual currency exchange with minimal identification requirements for its users, breaking the rules requiring the vetting of customers. This lack of know your customer (KYC) enforcement led to the service becoming a "haven for criminal proceeds" and facilitating transactions worth more than $700 million on the Hydra darknet marketplace prior
BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

Dec 27, 2022 Cyber Attack / Windows Security
BlueNoroff , a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web ( MotW ) protections. This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today. "BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said , adding the new attack procedure was flagged in its telemetry in September 2022. Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region. It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by
Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware

Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware

Dec 12, 2022 Server Security / Linux
A cryptocurrency mining attack targeting the Linux operating system also involved the use of an open source remote access trojan (RAT) dubbed  CHAOS . The threat, which was spotted by Trend Micro in November 2022, remains virtually unchanged in all other aspects, including when it comes to terminating competing malware, security software, and deploying the Monero (XMR) cryptocurrency miner. "The malware achieves its persistence by altering  /etc/crontab file , a UNIX task scheduler that, in this case, downloads itself every 10 minutes from Pastebin," researchers David Fiser and Alfredo Oliveira  said . This step is succeeded by downloading next-stage payloads that consist of the XMRig miner and the Go-based CHAOS RAT. The cybersecurity firm said that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and new infections continue to happen. The CHAOS RAT, once downloaded and launched, transmits d
Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

Dec 07, 2022 Cryptocurrency / Threat Intelligence
Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims. Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name  DEV-0139 , and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's  Lazarus Group . "DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members," the tech giant  said . The adversary subsequently impersonated another cryptocurrency investment company and invited the victim to join a different Telegram chat group under the pretext of asking for feedback on the trading fee structure used by exchange platforms across VIP tiers. It's worth pointing out that the  VIP program  is  designed  to  reward   high-volume traders  with exclusive trading fee incentives and discount
Malware Authors 'Accidentally' Crash KmsdBot Cryptocurrency Mining Botnet

Malware Authors 'Accidentally' Crash KmsdBot Cryptocurrency Mining Botnet

Dec 01, 2022 Threat Intelligence / Botnet
An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down by the threat actors themselves. KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to  brute-force systems  with weak SSH credentials. The botnet strikes both Windows and Linux devices spanning a wide range of microarchitectures with the primary goal of deploying mining software and corralling the compromised hosts into a DDoS bot. Some of the major targets included gaming firms, technology companies, and luxury car manufacturers. Akamai researcher Larry W. Cashdollar, in a new update, explained how commands sent by the malware operators to carry out a DDoS attack against the bitcoin[.]com website inadvertently neutralized the malware. "Interestingly, after one single improperly formatted command, the bot stopped sending commands," Cashdollar  said . "It&#
Hackers Using Trending TikTok 'Invisible Challenge' to Spread Malware

Hackers Using Trending TikTok 'Invisible Challenge' to Spread Malware

Nov 29, 2022
Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The trend, called  Invisible Challenge , involves applying a filter known as  Invisible Body  that just leaves behind a silhouette of the person's body. But the fact that individuals filming such videos could be undressed has led to a nefarious scheme wherein the attackers post TikTok videos with links to rogue software dubbed "unfilter" that purport to remove the applied filters. "Instructions to get the 'unfilter' software deploy  WASP stealer malware  hiding inside malicious Python packages," Checkmarx researcher Guy Nachshon  said  in a Monday analysis. The WASP stealer (aka W4SP Stealer) is a malware that's designed to steal users' passwords, Discord accounts, cryptocurrency wallets, and other sensitive information. The TikTok videos posted by the attackers, @learncyber an
This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

Nov 22, 2022
A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX . Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. ViperSoftX, which first  came to light  in February 2020, was characterized by  Fortinet  as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst  Colin Cowie  earlier this year. "This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher Jan Rubín  said
Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware

Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware

Nov 22, 2022
A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of multiple campaigns designed to steal sensitive information from compromised hosts. "These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," cybersecurity firm SEKOIA  said . First advertised on Russian cybercrime forums in April 2022 by a threat actor calling themselves Cheshire, Aurora was offered as a commodity malware for other threat actors, describing it as a "multi-purpose botnet with stealing, downloading and remote access capabilities." In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram. Aurora also comes with a loader that can deploy
U.S. Authorities Seize Domains Used in 'Pig butchering' Cryptocurrency Scams

U.S. Authorities Seize Domains Used in 'Pig butchering' Cryptocurrency Scams

Nov 22, 2022
The U.S. Justice Department (DoJ) on Monday  announced  the takedown of seven domain names in connection to a "pig butchering" cryptocurrency scam. The fraudulent scheme, which operated from May to August 2022, netted the actors over $10 million from five victims, the DoJ said. Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending their crypto assets. The criminals encounter potential victims on dating apps, social media sites, and through SMS messages. These individuals initiate fake relationships in an attempt to build trust, only to trick them into making a cryptocurrency investment on a bogus platform. But upon transferring the funds to wallet addresses supposedly provided by these domains, the digital currencies are said to have been immediately moved through an array of private wallets and swapping services to conceal the trail. "Once the money is sent to the fake investment app, the scammer van
Cybersecurity Resources