
Cryptojacking cyber criminals up their game

Written by Steve Baxter - Cryptocurrency Expert, Mar 10, 2018

Illicit cryptocurrency mining or cryptojacking has become popular with cyber criminals as an easy way to fund their operations as the use and value of digital currencies increase.

The attacks usually involve malware that is used to install legitimate cryptocurrency mining software on targeted systems and send the generated digital coins to wallets controlled by the criminals.

Businesses have been urged to be on the lookout for cryptojacking as a sign of security vulnerabilities and to avoid degraded computing performance, processor burnout and increased electricity consumption.

A newly discovered cryptojacking attack is more complex than its forerunners in terms of evasion techniques and capabilities, and heralds a new generation of cryptojacking attacks aimed at both database servers and application servers, according to researchers at security firm Imperva.

The attack was dubbed RedisWannaMine because it is powered by the open source Redis in-memory data structure store and the EternalBlue exploit used by WannaCry.

RedisWannaMine demonstrates a worm-like behaviour combined with advanced exploits to increase the attackers’ infection rate and coin generation capacity.

“In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute,” the researchers wrote in a blog post.

They tracked down RedisWannaMine through a remote code execution (RCE) detected by Imperva’s web application sensors.

A shell script used in the attack is a downloader. Like older cryptojacking downloaders, it fetches crypto miner malware from an external location and establishes persistence and remote access, but the researchers said it is unlike any other downloader they have seen, for three reasons.

Firstly, the script installs a lot of packages using Linux standard package managers such as apt and yum, which the researchers believe is to make it self-sufficient and able to operate without depending on local libraries on the victim’s machine.

Secondly, the script downloads a publicly available tool, named masscan, from a Github repository, then compiles and installs it. Masscan is described as a “TCP port scanner, spews SYN packets asynchronously, scanning entire internet in under five minutes”.


Thirdly, the script launches another process, named “redisscan.sh”, which uses the masscan tool to discover and infect publicly available Redis servers. “It does so by creating a large list of IPs, internal and external and scanning port 6379, which is the default listening port of Redis,” the researchers said.

If one of the IPs in the list is publicly available, the script launches the “redisrun.sh” process to infect it with the same cryptominer malware (“transfer.sh”).

“The infection is done using the redis-cli command line tool that the downloader previously installed, that runs the ‘runcmd’ payload,” the researchers said.

The “runcmd” payload is a 10-line Redis command script that creates new entries in the Redis server’s crontab directory, infecting the server and giving the malware persistence in case it is detected and deleted.

After the script completes the Redis scan, the researchers said it launches another scan process called “ebscan.sh”, which uses the masscan tool to discover and infect publicly available Windows servers running a vulnerable version of the SMB (server message block) protocol.

“It does so by creating a large list of IPs, internal and external, and scanning port 445, which is the default listening port of SMB,” the researchers said.

The SMB vulnerability this script scans for was used by the US National Security Agency (NSA) to create the EternalBlue exploit, which was adapted to carry out the global WannaCry attacks in May 2017.

When the script finds a vulnerable server, it launches the “ebrun.sh” process to infect it, which runs a Python implementation of the EternalBlue exploit and drops the file “x64.bin” on the vulnerable machine.

The dropped file creates and runs a malicious VBScript file named “poc.vbs” that downloads a cryptominer executable from an external location, saves it on the vulnerable server as “admissioninit.exe” and runs it.
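The two sweeps described above (port 6379 across internal and external address ranges, then port 445) are exactly the kind of behaviour a defender can look for in flow, firewall or NetFlow logs: one source touching many distinct hosts on a single port in a short time, which a legitimate Redis client never does. The following Python is an added example and not code from the article or from Imperva; the flow-record format, the sample traffic and the tuning values (20 distinct destinations within 60 seconds) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says RedisWannaMine sweeps: Redis (6379) and SMB (445).
WATCHED_PORTS = {6379: "redis", 445: "smb"}


def parse_flow(line):
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src_ip: {service: distinct_destinations}} for every source that
    contacted at least `threshold` distinct hosts on a watched port inside any
    `window`-long interval. A client hammering one Redis server never trips it."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst)]
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in WATCHED_PORTS:
            events[(src, dport)].append((ts, dst))

    hits = defaultdict(dict)
    for (src, dport), evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # distinct destinations inside the current window
        left, best = 0, 0
        for ts, dst in evs:
            counts[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            hits[src][WATCHED_PORTS[dport]] = best
    return dict(hits)


def build_sample_flows():
    """Constructed sample traffic, not real data: one infected host sweeping
    two /24s, one legitimate app server, and some unrelated HTTPS traffic."""
    base = datetime(2018, 3, 10, 12, 0, 0)
    lines = []
    for i in range(1, 31):  # sweep of 30 hosts on 6379 within about 10 s
        t = base + timedelta(seconds=i // 3)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.1.{i} 6379")
    for i in range(1, 26):  # sweep of 25 hosts on 445 shortly afterwards
        t = base + timedelta(seconds=20 + i // 3)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.2.{i} 445")
    for i in range(50):  # app server reconnecting to its own Redis: many flows, one host
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.9 10.0.3.1 6379")
    for i in range(5):  # unrelated outbound HTTPS to TEST-NET-3 addresses
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.7 203.0.113.{i} 443")
    return lines


if __name__ == "__main__":
    for src, services in find_scanners(build_sample_flows()).items():
        print(f"{src}: {services}")
```

Counting distinct destinations rather than raw connection attempts is what keeps the legitimate application server (50 flows, one destination) out of the result while the sweeping host is flagged on both services. In practice the threshold is tuned against a baseline of the environment, and the same logic can be run over any log source that records source, destination and port.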

The Imperva researchers said that in the light of their discovery, businesses should:


  • Protect web applications and databases because the initial attack vector was introduced through a web application vulnerability, and a properly patched application or an application protected by a web application firewall (WAF) should be safe.
  • Make sure they do not expose their Redis servers to the world by applying a simple firewall rule.
  • Make sure they do not run machines with the vulnerable SMB version.
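As an added illustration of the second recommendation (not code from the article or from Imperva), the following Python audits the text of a redis.conf for the settings that leave an instance reachable from the network and unauthenticated, and emits the kind of simple firewall rule the researchers refer to. The two configuration samples are constructed, the password value is a placeholder, and the generated rules assume a Linux host where iptables is the firewall in use.

```python
import re

# Addresses that keep Redis reachable only from the host itself. Redis 7 allows
# an optional "-" prefix on a bind address, which is stripped before the check.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARDS = {"*", "0.0.0.0", "::"}


def parse_redis_conf(text):
    """Minimal redis.conf parser: 'directive value...' per line, '#' comments.
    Repeated directives are kept in order; the last one wins, as in Redis."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked
    exposure conditions is present."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    else:
        addrs = [a.lstrip("-") for a in binds[-1].split()]
        exposed = [a for a in addrs if a in WILDCARDS or a not in LOOPBACK]
        if exposed:
            findings.append("bind exposes non-loopback address(es): " + " ".join(exposed))

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is off")

    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("no requirepass: unauthenticated clients can run any command")

    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed or disabled; clients can change "
                        "where Redis writes its files at runtime")
    return findings


def suggest_firewall_rules(allowed_cidrs, port=6379):
    """Allow only the listed client networks to reach the Redis port, drop the rest."""
    for cidr in allowed_cidrs:
        if not re.fullmatch(r"[0-9a-fA-F.:]+/\d{1,3}", cidr):
            raise ValueError(f"not a CIDR: {cidr}")
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed samples: the first is the exposed shape the worm looks for,
# the second is a hardened equivalent. The password is a placeholder.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
# requirepass deliberately unset
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
port 6379
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
    print("\n".join(suggest_firewall_rules(["10.0.3.0/24"])))
```

The config audit only catches what is written in the file; a Redis started without a configuration file binds every interface, so the host-level firewall rule is the control that holds regardless of how the service was launched, which is why the researchers single it out.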
