Tag: malware

CSO Online has a good primer on how to detect and prevent crypto mining malware:

Unfortunately, crypto mining traffic can be very difficult to distinguish from other types of communications. The actual messages are very short, and malware writers use a variety of techniques to obfuscate them. “It’s extremely difficult to write a rule for something like this,” Vaystikh says. “So not many companies can detect it. Pretty much every organization above 5,000 employees has the data already — the only problem is that it is very, very hard to go over the huge amounts of data that they have.”

SecBI’s Autonomous Investigation technology deals with this issue by using machine learning to look for suspicious patterns in the vast sea of data that come through corporate networks. There are thousands of factors that SecBI looks at, Vaystikh says. For example, crypto mining traffic is periodic, though malware writers will try to disguise the regular nature of the communication by, for example, randomizing the intervals.

Crypto mining also has an unusual message length. Incoming traffic, the hash, is short. The outgoing results are slightly longer. By comparison, with normal internet traffic, the initial request is short and the response is long. “In Bitcoin mining, I actually upload a little bit more than I download,” Vaystikh says. “That is something that we look for.” The technology can be applied to public cloud infrastructure like Amazon as well as to on-premises networks, he says.

Even if the traffic is encrypted — and 60 percent of all network traffic now is — the periodicity of the communications, the lengths of the messages, and other subtle indicators combine to help the system spot the infections. In fact, when crypto mining first showed up, SecBI’s platform flagged it as possibly malicious before it even knew what it was. “Now, after our users looked at it, they say, ‘Ah, it’s crypto mining!’ and the software now correctly classifies it as well,” Vaystikh says.

The entire article is a valuable resource for those unfamiliar with cryptocurrency and the mining malware actors and criminals are using these days. Outside of endpoint security technologies using signatures, sandboxing, machine learning, or behavioral analytic techniques, network-based detection may be difficult but also may be the best option.

Even the endpoint side has some issues, as there appears to be less-than-effective collaboration between browser developers and the security industry. So not all endpoint security is capable of detecting in-browser malware leveraging JavaScript for malware deployment. Turning off JavaScript in 2018 is impossible, as it would render 90% of the websites inaccessible or unusable. So generally, the best detection and prevention method may in fact be network-based tools like intrusion prevention systems and other similar technologies.
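The two traffic traits quoted above (regular check-ins even with jittered intervals, and small messages where slightly more is uploaded than downloaded) can be scored from flow metadata alone, so the check also works on encrypted traffic. The sketch below is an added example, not code from CSO Online or SecBI; the flow records are constructed and every threshold is an assumption to be tuned against a local baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real captures):
# (start_time_s, src, dst, bytes_out, bytes_in)
FLOWS = [
    # Imitates a miner: check-ins roughly every 60 s with jitter, uploads
    # slightly larger than downloads, every message small.
    (0, "10.0.0.5", "198.51.100.7", 310, 240),
    (58, "10.0.0.5", "198.51.100.7", 305, 236),
    (121, "10.0.0.5", "198.51.100.7", 320, 244),
    (177, "10.0.0.5", "198.51.100.7", 298, 238),
    (243, "10.0.0.5", "198.51.100.7", 312, 241),
    (300, "10.0.0.5", "198.51.100.7", 307, 239),
    # Imitates an update poller: perfectly periodic but download-heavy.
    *[(t, "10.0.0.7", "192.0.2.44", 200, 5000) for t in range(0, 360, 60)],
    # Imitates browsing: bursty and download-heavy.
    (3, "10.0.0.9", "203.0.113.20", 450, 52000),
    (5, "10.0.0.9", "203.0.113.20", 480, 8100),
    (90, "10.0.0.9", "203.0.113.20", 510, 120000),
    (92, "10.0.0.9", "203.0.113.20", 430, 3300),
    (400, "10.0.0.9", "203.0.113.20", 600, 64000),
    (1300, "10.0.0.9", "203.0.113.20", 470, 9000),
]

# Assumed thresholds, for illustration only.
MIN_EVENTS = 5           # need enough check-ins to judge periodicity
MAX_GAP_CV = 0.35        # tolerated jitter (std dev of gaps / mean gap)
RATIO_BAND = (1.0, 3.0)  # upload "a little bit more" than download
MAX_MSG_BYTES = 2048     # both directions stay short


def features(events):
    """events: list of (time, bytes_out, bytes_in) for one src/dst pair."""
    events = sorted(events)
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    avg_gap = mean(gaps)
    total_out = sum(e[1] for e in events)
    total_in = sum(e[2] for e in events)
    return {
        # Coefficient of variation: low means regular, even with some jitter.
        "gap_cv": pstdev(gaps) / avg_gap if avg_gap else float("inf"),
        "out_in_ratio": total_out / total_in if total_in else float("inf"),
        "max_bytes": max(max(e[1], e[2]) for e in events),
    }


def suspicious_pairs(flows):
    """Return {(src, dst): features} for pairs matching all three traits."""
    by_pair = defaultdict(list)
    for ts, src, dst, out_b, in_b in flows:
        by_pair[(src, dst)].append((ts, out_b, in_b))
    hits = {}
    for pair, events in by_pair.items():
        if len(events) < MIN_EVENTS:
            continue
        f = features(events)
        if (f["gap_cv"] <= MAX_GAP_CV
                and RATIO_BAND[0] < f["out_in_ratio"] <= RATIO_BAND[1]
                and f["max_bytes"] <= MAX_MSG_BYTES):
            hits[pair] = f
    return hits


if __name__ == "__main__":
    for pair, f in suspicious_pairs(FLOWS).items():
        print(pair, f)
```

The poller in the sample data is periodic but not flagged, which shows why periodicity alone produces false positives and the byte ratio is needed alongside it.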

Dark Reading on cyber criminals using brute-force password attacks against open source e-commerce system Magento to steal credit card numbers and distribute cryptocurrency mining malware:

He describes the types of compromised websites as ranging from small to midsize organizations that had installed the Magento CMS for e-commerce transactions. Online retail stores appear to have been the most heavily affected, followed by healthcare and education websites, Kremez says.

“The actors exploit and monetize their Magento panel accesses in three unique ways depending on [the] sites,” he says.

The favored way is to install JavaScript sniffers on the compromised site for scraping payment card data, which is then later sold on Dark Web stores. If the breached website does not yield payment card data, the attackers resort to uploading cryptocurrency mining tools such as Coinhive.

The third tactic is to use the compromised site to host code — typically a phony Adobe Flash Player update — which, if executed, results in a data-stealing malware tool dubbed AZORult being downloaded on computers belonging to site visitors. AZORult in turn downloads Rarog, a Coinhive cryptocurrency miner on the user’s system.

The attackers have shown a tendency to update the malicious files daily in order to avoid detection by signature-based anti-malware tools, according to Flashpoint.

The Magento sites are initially compromised with a brute-force password attack to gain access to the administrative panel. In many cases it appears the default administrative credentials were never modified, essentially offering free access to the malicious actors.

Overall, this is a fairly sophisticated operation. Not many attack groups have the wherewithal to update their malicious code daily to avoid signature-based detection tools. It takes a fair bit of work to make the changes and deploy them out to the thousand plus compromised Magento sites.

CSO Online reports on how the GoScanSSH malware is targeting Linux operating systems but somehow manages to avoid government and military operated servers:

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, honing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

This sounds like a particularly nasty type of attack, but one that ought to be fairly simple to prevent. Considering it is easy to determine what the target system types are, and how the malware functions, deploying the right defense strategy is actually quite straightforward.

A quick couple of very simplistic examples immediately come to mind:

  1. Delete all unnecessary users from the above list or rename unneeded ones. In most cases guest, oracle, osmc, pi, test, ubnt, ubuntu, and user are unnecessary and can be removed. If they need to be kept, as I said, rename the accounts.
  2. For all the needed accounts, ensure SSH access is turned off. There is never a reason to SSH directly as root. This is the entire point of the sudo and su commands – log in as another user and then use one of those commands to perform functions as root or other users.

There are plenty of other methods for combating this attack to make it more difficult to be breached. But simple actions like the above are often overlooked.
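The two steps above can be checked mechanically. The following is an added example, not code from Talos or CSO Online: it audits the contents of a passwd file and the global section of an sshd_config for the usernames quoted earlier. The sample file contents are constructed, and the handling of Match blocks and USER@HOST patterns is simplified as noted in the comments.

```python
from fnmatch import fnmatchcase

# Usernames GoScanSSH tries, as quoted from the CSO Online article above.
TARGETED = {"admin", "guest", "oracle", "osmc", "pi", "root", "test",
            "ubnt", "ubuntu", "user"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample inputs, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/bin/bash
oracle:x:1001:1001::/home/oracle:/usr/sbin/nologin
deploy:x:1002:1002::/home/deploy:/bin/bash
"""
SAMPLE_SSHD = """\
# constructed sshd_config fragment
PermitRootLogin yes
PasswordAuthentication yes
DenyUsers guest test
"""


def targeted_login_accounts(passwd_text):
    """Targeted usernames that exist and still have an interactive shell."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in TARGETED \
                and fields[6] not in NOLOGIN_SHELLS:
            found.append(fields[0])
    return found


def parse_sshd_global(config_text):
    """Return (options, deny_patterns) for the section before any Match block.

    sshd keeps the first value it sees for a keyword; DenyUsers lines add up.
    """
    opts, denied = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            break  # simplification: conditional overrides are not evaluated
        if key == "denyusers":
            # Simplification: keep only the user part of USER@HOST patterns.
            denied += [p.split("@")[0] for p in value.split()]
        else:
            opts.setdefault(key, value.strip().lower())
    return opts, denied


def audit(passwd_text, sshd_text):
    """List findings against the two hardening steps; empty means clean."""
    opts, denied = parse_sshd_global(sshd_text)
    findings = []
    # Fallbacks are upstream OpenSSH defaults; a distribution may differ.
    root_login = opts.get("permitrootlogin", "prohibit-password")
    if root_login != "no":
        findings.append(f"PermitRootLogin is '{root_login}'; set it to 'no'")
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on; passwords can be guessed")
    for name in targeted_login_accounts(passwd_text):
        if name != "root" and not any(fnmatchcase(name, p) for p in denied):
            findings.append(f"'{name}' has a login shell and no DenyUsers entry")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SSHD):
        print("FINDING:", finding)
```

On a real host, pass the contents of /etc/passwd and the effective sshd configuration instead of the samples.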

Talos provided both an IP blacklist and a domain blacklist that the malware uses to determine if it should continue attempts to compromise the system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither set of blacklists, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

That is an interesting and novel approach to avoiding governmental systems. It is not unprecedented but definitely not a method often seen.

iTnews reports Slingshot, a highly advanced malware, has remained hidden for six years and was just recently discovered:

They were unable to pinpoint how Slingshot infected all of its targets, however in several cases the malware’s operators targeted routers and used them as a springboard to attack computers within a network.

“The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others,” Kaspersky Lab reported.

“While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.”

Slingshot likely used other methods – like zero-day vulnerabilities – to attack targets, Kaspersky Lab said.

After infection Slingshot downloads a variety of additional modules onto the victim device. The two most powerful modules – GollumApp and Cahnadr – are connected and can support each other in gathering data.

Slingshot appears targeted towards espionage; Kaspersky Lab said the malware was used to log desktop activity, steal data from the clipboard, and collect information about open windows, keyboard data, and network data, among other things.

Considering Slingshot is targeting espionage, it may be backed by nation state actors. Now the question is: which nation state stands to benefit from spying on, and exfiltrating data from, the thus-far identified victims in the Middle East and Africa since 2012?

One local sophisticated player comes to mind: Iran.

Ars Technica reports on what may be one of the largest malware-driven currency mining operations, which has generated more than $3 million in cryptocurrency thus far:

The unknown criminals generated the windfall over the past 18 months. The campaign has mainly exploited critical vulnerabilities on Windows computers and then, once gaining control over them, installing a modified version of XMRig, an open-source application that mines the digital coin known as Monero. While the group has used a variety of mining services, it has continued to dump the proceeds into a single wallet. As of last week, the wallet had received payouts of almost 10,829 Monero, which, at current valuations, are worth more than $3.4 million.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows and has already secured him over $3 million worth of Monero cryptocurrency,” researchers at security firm Check Point wrote in a blog post. “As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.”

The Jenkins Continuous Integration server is open-source software written in Java for deploying and automating all kinds of tasks. With more than 1 million users, it’s one of the most widely used open-source automation servers. In January, independent researcher Mikail Tunç estimated that as many as 20 percent of Jenkins servers are misconfigured in ways that make serious hacks possible. The compromises cause slower performance and potential denial-of-service failures on compromised machines.

That is an unreal amount of money generated from such an insignificant amount of work.

ZDNET reports on further PyeongChang malware discoveries by McAfee prior to the Winter Olympics opening ceremony, this time specifically related to the recently confirmed hack:

While the details are mostly unknown, McAfee Advanced Threat Research senior analyst Ryan Sherstobitoff said his teams found a new variant of the malicious documents targeting the Winter Games a few days prior to the opening ceremonies.

“The new document contained the same metadata properties as those related to Operation GoldDragon, and sought to gain persistence on systems owned by organisations involved with the Winter Games,” Sherstobitoff said in a statement.

“It is clear attacks are ongoing and are likely to continue throughout the duration of the games. What is yet to be determined is if actors are working simply to gain disruption, or if their motives are greater.”

This is additional information after McAfee Labs reported last month about uncovering a major campaign targeting the PyeongChang Winter Olympics and related organizations. There is likely more to the story, to include which group may be responsible for the operation.

Disclaimer: I work for McAfee.

The Guardian reports thousands of UK government web sites have been unwittingly infected with malware designed to force visitors into cryptocurrency mining:

Late on Sunday, the website of the UK’s data protection watchdog, the Information Commissioner’s Office, was taken down to deal with the issue after it was reportedly infected by the malware.

The cryptojacking script was inserted into website codes through BrowseAloud, a popular plugin that helps blind and partially-sighted people access the web.

More than 5,000 websites have been flooded by the malware. Software known as Coinhive, which quietly uses the processing power of a user’s device to mine open source cryptocurrency Monero, appears to have been injected into the compromised BrowseAloud plugin.

Texthelp, which operates BrowseAloud, took its website down on Sunday while it tried to resolve the problem.

The National Cyber Security Centre confirmed the issue was being investigated, adding there was nothing to suggest members of the public were at risk after the malware attack.

One problem with using plugins, such as BrowseAloud, is that if the company developing the software is not reputable, or lacks the proper quality assurance, there is a risk for malware to be either purposely or inadvertently injected into the code. Although the details in this instance remain unknown while UK’s NCSC investigates, one does have to wonder how this happened when so many UK government web sites are reliant upon this accessibility plugin.

Bleeping Computer reports on the discovery of yet another ransomware strain that encrypts users’ files and, rather than requesting bitcoin payment, redirects users to an online payment portal where the ransom may be paid via credit card:

The ransomware is not under active distribution and appears to be still under development. First samples were spotted by security researcher MalwareHunter going back to January 15.

The ransomware identifies itself as MindLost, but Microsoft detects it as Paggalangrypt.

The biggest clue that MindLost is still under development, is that this filter is not active yet. Searching and encrypting files on all the storage mediums is time consuming, so current MindLost samples bypass this behavior and only encrypt files in the “C:\\Users” folder. Stable versions will likely not feature this filter.

It is abnormal to see a development sample out in the wild like this, but not unprecedented. Analyzing it now will allow signatures to be written to detect the current variant, but a future distribution will likely be altered enough to be undetectable.

ZDNet reports on a huge ransomware attack against shipping giant Maersk:

Maersk has revealed that a devastating ransomware attack which struck businesses across Europe in 2017 required close to a “complete infrastructure” overhaul and the reinstallation of thousands of machines.

In total, Maersk reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications in what the chairman called a “heroic effort” over ten days, one in which the executive said may have usually taken up to six months to implement.

Hagemann said the ransomware attack was a “very significant wake-up call for Maersk, and you could say, a very expensive one.”

“We were basically average when it came to cybersecurity, like many companies,” the executive said. “This was a wake-up call not just to become good, but to have cybersecurity as a competitive advantage.”

What a complete and utter disaster for Maersk. What is most interesting to me, and what I would really like to know, is how this was even able to cause such devastation to mission critical corporate IT assets.

The International Business Times reports:

A powerful malware, dubbed Triton or Trisis, which allows hackers to gain remote access to energy facilities’ safety systems, has reportedly been accidentally leaked online for anyone to download. The malware is considered by some experts to be a next-generation cyberweapon and has already been used in December 2017 to shut down an oil and gas facility in the Middle East.

According to research from multiple cybersecurity firms including FireEye, Dragos, Symantec and Trend Micro, the malware is likely created by a nation-state and targets safety systems of industrial control systems (ICS). Triton specifically targets the safety instrument system (SIS) produced by Schneider Electric’s Triconex.

Triton can reportedly allow hackers to dismantle safety systems that can lead to the breakdown of machinery or even cause explosions. Quoting three anonymous sources, Cyberscoop reported that the malware’s framework was inadvertently posted to VirusTotal by Schneider Electric. The malware has reportedly been publicly available since 22 December and could even have been downloaded by anyone.

How does such dangerous malware accidentally leak online? Someone was either extremely careless, or there was nothing accidental about this at all.

Successful attacks against critical infrastructure operators may very well prove devastating in the event of an actual global military conflict. Malware like Triton and others are not just used for gaining access to systems, but are military-grade tools developed by nation states.

The UK’s National Health Service failed to follow basic IT security practices, gravely costing them when WannaCry hit the internet:

The UK’s National Health Service is spending £20m on a new security operations centre to improve its ability to help local NHS organisations respond to ransomware and other cyber security threats.

A subsequent review found that had UK security researcher Marcus Hutchins not found a ‘kill switch’ for WannaCry within days of the initial outbreak, a further 21 trusts – totaling 92 NHS organisations – could have experienced disruptions too.

As part of the project, NHS Digital is inviting private sector to bid for a three to five year contract to support its new security responsibilities.

The National Audit Office released the findings of a review of WannaCry’s impact on NHS last month that found the malware was preventable if the NHS had followed “Basic IT security best practice”.

The audit also found shortcomings in NHS incident response plans, which covered roles and responsibilities of national and local organisations, but had not been tested with local NHS organisations.

Most, not all, breached organizations failed to follow some basic IT security best practice or were complacent in applying operating system and application security patches. Cyber security is not rocket science – it takes a systematic, methodical strategy, and can be done well, but it requires laser focus and a corporate culture of understanding risk and demanding these security lapses do not happen.

Malware is definitely a global issue, but it is increasingly becoming a major problem in Japan as consumer Internet-of-Things devices rise in popularity:

In Japan, telecommunications companies are working to identify infected devices to prevent them from being used in cyber-attacks.

Cyber-attacks often involve IoT equipment, and financial firms are frequent targets.

In one example in Japan, more than 600,000 pieces of IoT equipment were held to ransom.

Hayato Sasaki, an expert at the Japan Computer Emergency Response Team Coordination Center, says Japanese firms are experiencing a global problem.

He says infected IoT equipment has been used in large-scale cyber-attacks overseas, and now Japan is a target. Sasaki urges communication carriers, equipment manufacturers, and the government to work together to strengthen IoT equipment and make it safe.

IoT device manufacturers bear the brunt of this effort. They need to start taking cyber security seriously, and rather than rushing to market, these companies need to take time to implement strong security in their IoT solutions.

I highly doubt that will happen unless the government steps in to mandate a baseline set of IoT security standards.

Wired reports on strong Russian interest in password cracking tool Mimikatz:

In early 2012, Delpy was invited to speak about his Windows security work at the Moscow conference Positive Hack Days. He accepted—a little naively, still thinking that Mimikatz’s tricks must have already been known to most state-sponsored hackers. But even after the run-in with the man in his hotel room, the Russians weren’t done. As soon as he finished giving his talk to a crowd of hackers in an old Soviet factory building, another man in a dark suit approached him and brusquely demanded he put his conference slides and a copy of Mimikatz on a USB drive.

Delpy complied. Then, before he’d even left Russia, he published the code open source on Github, both fearing for his own physical safety if he kept the tool’s code secret and figuring that if hackers were going to use his tool, defenders should understand it too.

As the use of Mimikatz spread, Microsoft in 2013 finally added the ability in Windows 8.1 to disable WDigest, neutering Mimikatz’s most powerful feature. By Windows 10, the company would disable the exploitable function by default.

But Rendition’s Williams points out that even today, Mimikatz remains effective on almost every Windows machine he encounters, either because those machines run outdated versions of the operating system, or because he can gain enough privileges on a victim’s computer to simply switch on WDigest even if it’s disabled.

Ransomware authors are leveraging publicly accessible app APIs to create malware:

However, the malware also has unusual aspects, such as the use and abuse of Telegram Messenger’s communication protocol to send decryption keys to the threat actor, which, according to Secure List, appears to be the “first cryptor to use the Telegram protocol in an encryption malware case.”

While cryptors either maintain offline encryption or don’t, this Trojan chooses to. In order to keep communication lines between the threat actor and ransomware concealed and protected, secure channels need to be created — and this often increases the cost of malware development.

To circumvent these costs, TeleCrypt abuses the publicly available Telegram Bot API by operating as a bot which generates unique tokens that are inserted into the malware’s body so the Trojan can use the Telegram API.

By utilizing this channel rather than maintaining communication between the operator’s command and control center (C&C) over simple HTTP-based protocols, commonly used by many ransomware variants, security is improved and tracing the operator is more difficult.

These malicious actors are getting craftier by the day.

Malicious actors – whether of the criminal, hacktivist, or nation state variety – will use any avenue possible to attack their intended targets. Some evil folks have turned to leveraging MailChimp as a means of spreading malware:

The “View Invoice” button leads to a .zip file, which, according to scans on malware analysis site Virus Total, is malicious.

Companies and websites sometimes outsource their newsletter distribution to another company, to handle the infrastructure and headaches of firing out tens or hundreds of thousands of emails at a time. In this case, that was MailChimp, according to another apparent email from Business News Australia.

“This morning our MailChimp subscriber database was hacked and a fake invoice (Inoice 00317) [sic] was sent to our list,” the email reads, according to a screenshot tweeted by Hunt.