cryptocurrency | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control. "Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document," CISA said. While the agency did not disclose the nature of attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining bot...

Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2). "Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity firm eSentire said in a new report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms." The attack chain commences when prospective targets visits a booby-trapped website that contains JavaScript code designed to redirect users to a bogus browser update page ("chatgpt-app[.]cloud"). The redirected web page comes embedded with a download link to a ZIP archive file ("Update.zip") that's hosted on Discord and downloaded automatically to the victim's device. It's worth pointing out that threat actors often use Discord as an attack vector, with a recent analysis from Bitdefender uncovering m...

The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to its exploit arsenal. The addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security company Akamai. "The attackers have taken a step forward by employing private crypto-mining pools for greater control over mining outcomes despite the increased operational and financial costs," security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik said in a technical report shared with The Hacker News. The infection sequence discovered by Akamai exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 (CVSS score: 10.0) that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. A successful exploitatio...

The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as "likely the world's largest botnet ever," which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses. The botnet, which has a global footprint spanning more than 190 countries , functioned as a residential proxy service known as 911 S5 . A 35-year-old Chinese national, YunHe Wang, was arrested in Singapore on May 24, 2024, for creating and acting as the primary administrator of the illegal platform from 2014 to July 2022. Wang has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum penalty of 65 years in prison. The Justice Department said the botnet was used to carry out cyber attacks, financial fraud, identity theft, child exploitation, harassment, bo...

Cybersecurity researchers have warned of a new malicious Python package that has been discovered in the Python Package Index (PyPI) repository to facilitate cryptocurrency theft as part of a broader campaign. The package in question is pytoileur , which has been downloaded 316 times as of writing. Interestingly, the package author, who goes by the name PhilipsPY, has uploaded a new version of the package (1.0.2) with identical functionality after a previous version (1.0.1) was yanked by PyPI maintainers on May 28, 2024. According to an analysis released by Sonatype, the malicious code is embedded in the package's setup.py script, allowing it to execute a Base64-encoded payload that's responsible for retrieving a Windows binary from an external server. "The retrieved binary, 'Runtime.exe,' is then run by leveraging Windows PowerShell and VBScript commands on the system," security researcher Ax Sharma said . Once installed, the binary establishes persiste...

An Indian national has pleaded guilty in the U.S. over charges of stealing more than $37 million by setting up a website that impersonated the Coinbase cryptocurrency exchange platform. Chirag Tomar, 30, pleaded guilty to wire fraud conspiracy, which carries a maximum sentence of 20 years in prison and a $250,000 fine. He was arrested on December 20, 2023, upon entering the country. "Tomar and his co-conspirators engaged in a scheme to steal millions in cryptocurrency from hundreds of victims located worldwide and in the United States, including in the Western District of North Carolina," the Department of Justice (DoJ) said last week. The website, created around June 2021, was named "CoinbasePro[.]com" in an effort to masquerade as Coinbase Pro and deceive unsuspecting users into believing that they were accessing the legitimate version of the virtual currency exchange. It's worth noting that Coinbase discontinued the offering in favor of Advanced Trade ...

A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks," Recorded Future's Insikt Group  said  in a report. The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate. Attack chains entail the use of fake profile...

The U.S. Department of Justice (DoJ) has charged two arrested Chinese nationals for allegedly orchestrating a pig butchering scam that laundered at least $73 million from victims through shell companies. The individuals, Daren Li, 41, and Yicheng Zhang, 38, were arrested in Atlanta and Los Angeles on April 12 and May 16, respectively. The foreign nationals have been "charged for leading a scheme to launder funds to the tune of at least $73 million tied to an international crypto investment scam," Deputy Attorney General Lisa Monaco  said . Prosecutors have accused Li, Zhang, and their co-conspirators of managing an international syndicate that laundered the funds obtained via cryptocurrency investment scams. As part of the fraudulent operation, victims are said to have been tricked into transferring millions of dollars to U.S. bank accounts that were opened in the name of various shell companies. "A network of money launderers then facilitated the transfer of those...

The cryptojacking group known as  Kinsing  has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The  findings  come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019. Kinsing (aka  H2Miner ), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was  first documented  by TrustedSec in January 2020. In recent years, campaigns involving the Golang-based malware have weaponized  various flaws  in  Apache ActiveMQ ,  Apache Log4j ,  Apache NiFi ,  Apache Tomcat ,  Atlassian Confluence ,  Citrix ,  Liferay Portal ,  Linux ,  Openfire ,  Oracle W...

A malware botnet called  Ebury  is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware campaigns for financial gain. "Ebury actors have been pursuing monetization activities [...], including the spread of spam, web traffic redirections, and credential stealing," security researcher Marc-Etienne M.Léveillé  said  in a deep dive analysis. "[The] operators are also involved in cryptocurrency heists by using AitM and credit card stealing via network traffic eavesdropping, commonly known as server-side web skimming." Ebury was first documented over a decade ago as part of a campaign codenamed  Operation Windigo  that targeted Linux servers to deploy the malware, alongside other backdoors and scripts like Cdorked and Calfbot to redirect web traffic and ...

A Dutch court on Tuesday sentenced one of the co-founders of the now-sanctioned Tornado Cash cryptocurrency mixer service to 5 years and 4 months in prison. While the name of the defendant was  redacted in the verdict , it's known that Alexey Pertsev, a 31-year-old Russian national, had been  awaiting trial  in the Netherlands on money laundering charges. Pertsev, one of the developers of Tornado Cash, was  arrested  in Amsterdam in August 2022 days after the U.S. Treasury Department  sanctioned  the service for allowing malicious actors such as the Lazarus Group to launder and cash out their proceeds. In addition to the imprisonment, the defendant is expected to forfeit cryptocurrency assets worth €1.9 million (~$2.05 million) and a Porsche car that had been previously seized. "The defendant declared that it was never his intention to break the law or to facilitate criminal activities," a su...

A Russian operator of a now-dismantled BTC-e cryptocurrency exchange has  pleaded guilty  to money laundering charges from 2011 to 2017. Alexander Vinnik, 44, was charged in January 2017 and taken into custody in Greece in July 2017. He was subsequently  extradited  to the U.S. in August 2022. Vinnik and his co-conspirators have been accused of owning and managing BTC-e, which allowed its criminal customers to trade in Bitcoin with high levels of anonymity. BTC-e is said to have facilitated transactions for cybercriminals worldwide, receiving illicit proceeds from numerous computer intrusions and hacking incidents, ransomware scams, identity theft schemes, corrupt public officials, and narcotics distribution rings. The crypto exchange received more than $4 billion worth of bitcoin over the course of its operation, according to the U.S. Department of Justice (DoJ). It also processed over $9 billion-worth of transactions and served over on...

A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the  REvil ransomware group  orchestrated more than 2,500 ransomware attacks and demanded ransom payments in cryptocurrency totaling more than $700 million. "The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains," the U.S. Department of Justice (DoJ)  said . "To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims' data when victims would not pay ransom demands." Vasinskyi was  extradited  to the U.S. in March 2022 following his arrest in Poland in October 2021. REvil, prior to formally going offline in late 2021, was responsible ...

The U.S. Department of Justice (DoJ) on Wednesday  announced  the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business from 2015 through February 2024. Rodriguez and Hill face a maximum sentence of 25 years in prison each. Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai to help "criminals to engage in large-scale money laundering and sanctions evasion," while ostensibly marketing as a privacy-oriented service, the DoJ said. Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra, as well as spear-phishing schemes and sca...

A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed  Kimsuky , which is also known as Black Banshee, Emerald Sleet, and TA427. "GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast  said . The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivi...