Cryptocurrency Web Miner Script Injected into AOL Advertising Platform - TrendLabs Security Intelligence Blog
Our team tracked the web miner traffic and found that the bulk of it was linked to MSN[.]com in Japan. Further analysis revealed that malicious actors had modified the script on an AOL advertising platform displayed on the site to launch a web miner program.
malvertising  cybersecurity  cryptojacking 
may 2018 by bwiese
Paradigm Shifts - Security Predictions - Trend Micro USA
Business Process Compromise (BPC). With BPC, cybercriminals learn the inner workings of the organization, particularly in the financial department, with the aim of modifying internal processes (possibly via corporate supply chain vulnerabilities) and hitting the mother lode. However, given that it requires long-term planning and more work, BPC is less likely to make headlines in 2018, unlike the much simpler BEC.
2018  cybersecurity  bpc  research  history  threats  iot  cryptocurrency  cryptojacking  javascript 
may 2018 by bwiese
AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet • The Register
Crooks today hijacked internet connections to Amazon Web Services systems to ultimately steal a chunk of alt-coins from online cryptocurrency website

The Ethereum wallet developer confirmed on Tuesday morning that thieves redirected DNS lookups for its dot-com to a malicious website masquerading as the real thing. That meant some people logging in to were really connecting to a bogus site and handing over their details to criminals, who promptly drained ETH from their marks' wallets.

Victims had to click through an HTTPS error message, as the fake was using an untrusted TLS/SSL certificate. The bandits have amassed $17m in Ethereum in their own wallet over time.
bgp  dns  aws  cryptocurrency  cryptojacking 
april 2018 by bwiese
Threat Detection #7017: When Web Servers Go Cryptocurrency Mining
Sometimes we find PowerShell’s Invoke-Expression cmdlet combined with the WebClient object’s DownloadString method to download and execute malicious code. When we receive these events we usually move through a few steps:

Evaluate the reputation of the file downloaded
Evaluate the reputation of the remote network host
Find out what triggered this download
threathunting  powershell  redcanary  cryptojacking 
april 2018 by bwiese
Lessons from the Cryptojacking Attack at Tesla
RedLock Cloud Security Intelligence (CSI) team found hundreds of Kubernetes administration consoles accessible over the internet without any password protection. 

mine a cryptocurrency called Monero quietly in the background. The use of Mimikatz ensures that the malware does not have to rely on the EternalBlue exploit and enables it to evade detection on fully patched systems.

access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.

Unlike other crypto mining incidents, the hackers did not use a well known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain based threat intelligence feeds to detect the malicious activity.
The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging.
Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.
Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.
tesla  kubernetes  cryptocurrency  cybersecurity  cryptojacking  aws  s3 
april 2018 by bwiese
Threat Detection 4422: Mixing Lateral Movement and Cryptomining
4 key behaviors to detect...
1: Lsass.exe spawning a child process
2: The creation of persistence mechanisms
3: Network connections to a cryptomining pool - especially Monero
4: Network connections to Tor by unexpected processes

1: Use configuration management controls
2: Apply patches
3: Consider network segmentation
threathunting  redcanary  mitre  attack  cryptojacking  cryptocurrency 
april 2018 by bwiese
RT : Here's another case of showing up in an AWS S3 bucket.

Using we find the malwa…
Coinhive  cryptojacking  from twitter
february 2018 by lijnenspel