
cryptojacking

Cryptocurrency Web Miner Script Injected into AOL Advertising Platform - TrendLabs Security Intelligence Blog
Our team tracked the web miner traffic and found that the bulk of it was linked to MSN[.]com in Japan. Further analysis revealed that malicious actors had modified the script on an AOL advertising platform displayed on the site to launch a web miner program.
malvertising  cybersecurity  cryptojacking 
18 days ago by bwiese
Paradigm Shifts - Security Predictions - Trend Micro USA
Business Process Compromise (BPC). With BPC, cybercriminals learn the inner workings of the organization, particularly in the financial department, with the aim of modifying internal processes (possibly via corporate supply chain vulnerabilities) and hitting the mother lode. However, given that it requires long-term planning and more work, BPC is less likely to make headlines in 2018, unlike the much simpler BEC.
2018  cybersecurity  bpc  research  history  threats  iot  cryptocurrency  cryptojacking  javascript 
18 days ago by bwiese
AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet • The Register
Crooks today hijacked internet connections to Amazon Web Services systems to ultimately steal a chunk of alt-coins from online cryptocurrency website MyEtherWallet.com.

The Ethereum wallet developer confirmed on Tuesday morning that thieves redirected DNS lookups for its dot-com to a malicious website masquerading as the real thing. That meant some people logging in to MyEtherWallet.com were really connecting to a bogus site and handing over their details to criminals, who promptly drained ETH from their marks' wallets.

Victims had to click through an HTTPS error message, as the fake MyEtherWallet.com was using an untrusted TLS/SSL certificate. The bandits have amassed $17m in Ethereum in their own wallet over time.
bgp  dns  aws  cryptocurrency  cryptojacking 
24 days ago by bwiese
Threat Detection #7017: When Web Servers Go Cryptocurrency Mining
Sometimes we find PowerShell’s Invoke-Expression cmdlet combined with the WebClient object’s DownloadString method to download and execute malicious code. When we receive these events we usually move through a few steps:

Evaluate the reputation of the file downloaded
Evaluate the reputation of the remote network host
Find out what triggered this download
threathunting  powershell  redcanary  cryptojacking 
4 weeks ago by bwiese
Lessons from the Cryptojacking Attack at Tesla
RedLock Cloud Security Intelligence (CSI) team found hundreds of Kubernetes administration consoles accessible over the internet without any password protection. 

mine a cryptocurrency called Monero quietly in the background. The use of Mimikatz ensures that the malware does not have to rely on the EternalBlue exploit and enables it to evade detection on fully patched systems.

access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.

Unlike other crypto mining incidents, the hackers did not use a well-known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.
The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP-address-based detection of crypto mining activity even more challenging.
Moreover, the mining software was configured to listen on a non-standard port, which makes it hard to detect the malicious activity based on port traffic.
Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.
tesla  kubernetes  cryptocurrency  cybersecurity  cryptojacking  aws  s3 
4 weeks ago by bwiese
Threat Detection 4422: Mixing Lateral Movement and Cryptomining
4 key behaviors to detect...
1: Lsass.exe spawning a child process
2: The creation of persistence mechanisms
3: Network connections to a cryptomining pool - especially Monero
4: Network connections to Tor by unexpected processes

Prevention:
1: Use configuration management controls
2: Apply patches
3: Consider network segmentation
threathunting  redcanary  mitre  attack  cryptojacking  cryptocurrency 
4 weeks ago by bwiese
Twitter
RT : Here's another case of showing up in an AWS S3 bucket.

Using we find the malwa…
Coinhive  cryptojacking  from twitter
11 weeks ago by lijnenspel
Protect your site from Cryptojacking with CSP + SRI
If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from. In this case it turned out that Text Help, an assistive technology provider, had been compromised and one of their hosted script files changed. The offending asset can be found here (https://www.browsealoud.com/plus/scripts/ba.js) for the duration it remains but here is the snippet that matters.
cryptojacking  browsealoud  ba.js 
february 2018 by vielmetti
Twitter
Half of All Cryptojacking Scripts Found on Porn Sites
malware  cryptojacking  tech  from twitter_favs
february 2018 by agius
Malvertising Campaign Abuses Google’s DoubleClick to Deliver Cryptocurrency Miners - TrendLabs Security Intelligence Blog
An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick. The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices. The traffic involving the abovementioned cryptocurrency miners has since decreased after January 24.
malvertising  cybersecurity  doubleclick  coinmining  cryptojacking 
january 2018 by bwiese
Twitter
RT : . said the YouTube ads containing malware, , were removed within two hours. However,…
Coinhive  cryptojacking  from twitter
january 2018 by netweb
Twitter
It is getting hard to detect 😓 americanairlinescheckin[.]com

script…
cryptojacking  Phishing  from twitter_favs
january 2018 by AramZS
americanairlinescheckin.com - urlscan.io
cryptojacking  Phishing  from twitter_favs
january 2018 by AramZS
GitHub - xd4rker/MinerBlock: An efficient browser extension to block browser-based cryptocurrency miners all over the web.
MinerBlock is an efficient browser extension that focuses on blocking web-based cryptocurrency miners all over the web.
cryptojacking  security  browser  extension  chrome  opera  firefox 
january 2018 by awhite