#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

cryptojacking | Breaking Cybersecurity News | The Hacker News

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

May 22, 2024 Cryptojacking / Malware
Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver ( BYOVD ) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese cybersecurity firm Antiy Labs has codenamed the activity as HIDDEN SHOVEL. "GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner," Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease said . "This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner." It all starts with an executable file ("Tiworker.exe"), which is used to run a PowerShell script that retrieves an obfuscated Power
Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

May 17, 2024 Cryptojacking / Malware
The cryptojacking group known as  Kinsing  has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The  findings  come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019. Kinsing (aka  H2Miner ), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was  first documented  by TrustedSec in January 2020. In recent years, campaigns involving the Golang-based malware have weaponized  various flaws  in  Apache ActiveMQ ,  Apache Log4j ,  Apache NiFi ,  Apache Tomcat ,  Atlassian Confluence ,  Citrix ,  Liferay Portal ,  Linux ,  Openfire ,  Oracle WebLogic Server , and  SaltStack  to breach vulnerable systems. Other methods have also invol
Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Apr 09, 2024 Malware / Cryptojacking
Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as  Venom RAT , Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets. The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs  said  in a technical report. The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts. BatCloak , offered for sale to other threat actors since late 2022, has its foundations in another tool called Jlaive. Its primary function is to load a next-stage payload in a manner that circumvents traditional detection mechanisms. ScrubCrypt, a crypter that was  first documented  by Fortinet in March 2023 in connection with a cryptojacking campaign orchestrated by the 8220 Gang, is asse
cyber security

Webinar: How to streamline security reviews with Trust Center

websiteVantaCompliance / Security Audit
Learn how Vanta Trust Center can help provide real-time evidence for passing controls and automate responses to security questionnaires.
Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

May 20, 2024Software Security / Vulnerability
All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make up between  70% and 90% of any given piece of modern software . Unfortunately for our security-minded developers, most modern vulnerabilities come from those software components.  As new vulnerabilities emerge and are publicly reported as  Common Vulnerabilities and Exposures  (CVEs), security teams have little choice but to ask the developer to refactor the code to include different versions of the dependencies. Nobody is happy in this situation, as it blocks new features and can be maddening to roll back component versions and hope that nothing breaks. Developers need a way to  quickly  determine if
From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

Apr 05, 2024 Malware / Endpoint Security
Bogus installers for Adobe Acrobat Reader are being used to  distribute  a new multi-functional malware dubbed  Byakugan . The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content. According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of an installer ("Reader_Install_Setup.exe") that activates the infection sequence. Details of the campaign were  first disclosed  by the AhnLab Security Intelligence Center (ASEC) last month. The attack chain leverages techniques like DLL hijacking and Windows User Access Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named "BluetoothDiagnosticUtil.dll," which, in turn, loads unleashes the final payload. It also deploys a legitimate installer for a PDF reader like Wondershare PDFelement. The binary is equipped to gather and exfiltrate s
WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

Feb 27, 2024 Website Security / Cryptojacking
A critical security flaw has been disclosed in a popular WordPress plugin called  Ultimate Member  that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress security company Wordfence  said  the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database. It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings.
New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

Feb 20, 2024 Server Security / Cryptojacking
A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir  said  in a technical report. The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines. The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options - protected-mode   replica-read-only aof-rewrite-incremental-fsync , and rdb-save-incremental-fsync It's suspected that these options are turned off in order to send additional commands to the Re
DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

Feb 02, 2024 Cryptojacking / Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe. The agency  attributed  the campaign to a threat actor it calls  UAC-0027 . DirtyMoe , active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware's ability to propagate in a worm-like fashion by taking advantage of known security flaws. The DDoS botnet is known to be delivered by means of another malware referred to as  Purple Fox  or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also  equipped with a rootkit  that allows the threat actors to  hide the malware  on the machine and make it difficult to detect and remove. The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organiza
Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Feb 01, 2024 Cryptojacking / Linux Security
Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called  Commando Cat . "The campaign deploys a benign container generated using the  Commando project ," Cado security researchers Nate Bill and Matt Muir  said  in a new report published today. "The attacker  escapes this container  and runs multiple payloads on the Docker host." The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on  another activity cluster  that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software. Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider
29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

Jan 13, 2024 Cryptojacking / Cloud Security
A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits. The person, described as the "mastermind" behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration." "A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol  said , adding it shared the intelligence with the Ukrainian authorities. The Cyber Police of Ukraine, in a separate announcement, said the suspect "infected the servers of a well-known American company with a miner virus" at least since 2021, using custom brute-force tools to infiltrate 1,500 accounts of the firm. "Using the compromised accounts, the hacker gained access to the management of the service," the a
8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

Dec 19, 2023 Cryptojacking / Cyber Threat
The threat actors associated with the  8220 Gang  have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is  CVE-2020-14883  (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with  CVE-2020-14882  (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials," Imperva  said  in a report published last week. The 8220 Gang has a history of  leveraging known security flaws  to distribute cryptojacking malware. Earlier this May, the group was spotted utilizing another shortcoming in Oracle WebLogic servers (CVE-2017-3506, CVSS score: 7.4) to rope the devices into a crypto mining botnet. Recent attack chains documented by Imperva entail t
GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

Nov 29, 2023 Malware / Threat Intelligence
The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called  GoTitan  as well as a .NET program known as  PrCtrl Rat  that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been  weaponized  by various hacking crews, including the  Lazarus Group , in recent weeks. Following a successful breach, the threat actors have been observed to drop next-stage payloads from a remote server, one of which is GoTitan, a botnet designed for orchestrating distributed denial-of-service (DDoS) attacks via protocols such as HTTP, UDP, TCP, and TLS. "The attacker only provides binaries for x64 architectures, and the malware performs some checks before running," Fortinet Fortiguard Labs researcher Cara Lin  said  in a Tuesday analysis. "It also creates a file named &#
Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Nov 14, 2023 Cloud Security / Malware
Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed  OracleIV . "Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable," Cado researchers Nate Bill and Matt Muir  said . The malicious activity starts with attackers using an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which, in turn, runs a command to retrieve a shell script (oracle.sh) from a command-and-control (C&C) server. Oracleiv_latest  purports to be a MySQL image for docker and has been pulled 3,500 times to date. In a perhaps not-so-surprising twist, the image also includes additional instructions to fetch an XMRig miner and its configuration from the same server. That said, the clo
 EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

Oct 30, 2023 Cloud Security / Cryptocurrency
A new ongoing campaign dubbed  EleKtra-Leak  has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist  said  in a technical report shared with The Hacker News. The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023. A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are  programmatically cloning and scanning the repositories  to capture the exposed keys.
New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

Aug 17, 2023 Cryptojacking / Proxyjacking
A new, financially motivated operation dubbed  LABRAT  has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig  said  in a report shared with The Hacker News. "Furthermore, the attacker abused a legitimate service,  TryCloudflare , to obfuscate their C2 network." Proxyjacking  allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth. Cryptojacking, on the other hand, refers to the abuse of the system resources to mine cryptocurrency. A notable aspect of the campaign is the use of compiled binaries written in Go and .NET to fly under the radar, with LABRAT also providing backdoor access to the infected systems.
Silentbob Campaign: Cloud-Native Environments Under Attack

Silentbob Campaign: Cloud-Native Environments Under Attack

Jul 06, 2023 Cloud Security / Server Hacking
Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments. "This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy  Tsunami malware , cloud credentials hijack, resource hijack, and further infestation of the worm," cloud security firm Aqua  said . The activity, dubbed  Silentbob  in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as  TeamTNT , citing overlaps in tactics, techniques, and procedures (TTPs). However, the involvement of an "advanced copycat" hasn't been ruled out. Aqua's investigation was prompted in the aftermath of an attack targeting its honeypot in early June 2023, leading to the discovery of four malicious cont
New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

Mar 15, 2023 Server Security / Cryptocurrency
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike  said  in a new report shared with The Hacker News. The development marks a notable shift from Monero, which is a prevalent cryptocurrency used in such campaigns. It's suspected it may have to do with the fact that  Dero  "offers larger rewards and provides the same or better anonymizing features." The attacks, attributed to an unknown financially motivated actor, commence with scanning for Kubernetes clusters with authentication set as  --anonymous-auth=true , which allows anonymous requests to the server, to drop initial payloads from three different U.S.-based IP addresses. This includes deploying
Cybersecurity
Expert Insights
Cybersecurity Resources