Monero Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/monero/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 04 Nov 2022 20:35:42 +0000 en-US hourly 1 https://wordpress.org/?v=76524 200474804 The Updated Fodcha Botnet Reaches a Capacity of 1 Tb / s and Demands a Ransom Directly in DDoS Packets https://gridinsoft.com/blogs/updated-fodcha-botnet/ https://gridinsoft.com/blogs/updated-fodcha-botnet/#respond Mon, 31 Oct 2022 09:44:49 +0000 https://gridinsoft.com/blogs/?p=11493 Qihoo 360 (360 Netlab) experts have warned about the emergence of an updated version of the Fodcha botnet, which embeds ransom demands directly into DDoS packets and has new infrastructure hiding functionality. Let me remind you that the Fodcha botnet was discovered in the spring of this year, and even experts reported that the threat… Continue reading The Updated Fodcha Botnet Reaches a Capacity of 1 Tb / s and Demands a Ransom Directly in DDoS Packets

The post The Updated Fodcha Botnet Reaches a Capacity of 1 Tb / s and Demands a Ransom Directly in DDoS Packets appeared first on Gridinsoft Blog.

]]>
Qihoo 360 (360 Netlab) experts have warned about the emergence of an updated version of the Fodcha botnet, which embeds ransom demands directly into DDoS packets and has new infrastructure hiding functionality.

Let me remind you that the Fodcha botnet was discovered in the spring of this year, and even experts reported that the threat was growing rapidly and replenished with new bots, including routers, DRVs, and vulnerable servers.

Let me remind you that we also wrote that Google Stops Glupteba Botnet and Sues Two Russians, and also that TeamTNT mining botnet was infected over 50,000 systems in three months.

If in April of this year, Fodcha attacked about 100 targets daily, now, according to the researchers, the botnet has grown significantly, and the average number of targets per day has increased to 1000. The updated Fodcha peaked on October 11, 2022, attacking 1396 targets at once per day. Confirmed botnet attacks include:

  1. DDoS attack on a healthcare organization that lasted from June 7 to 8, 2022;
  2. DDoS attack on the communications infrastructure of an unnamed company in September 2022;
  3. A 1TB/s DDoS attack against a well-known cloud service provider on September 21, 2022.

Currently, the botnet uses 42 C&C domains for the daily work of 60,000 active bots, which are capable of generating attacks with a capacity of up to 1 Tb / s.

Updated Fodcha botnet

Most of Fodcha’s targets are located in China and the US. Still, the botnet can be safely called international, as it has infected systems in Europe, Australia, Japan, Russia, Brazil, and Canada.

Updated Fodcha botnet

Analysts believe that Fodcha operators make money by renting out their botnets to other attackers who want to carry out DDoS attacks. Moreover, the new version of Fodcha is also engaged in extortion: to stop the attacks, demanding a ransom from the victims in the Monero cryptocurrency.

The Updated Fodcha Botnet Reaches a Capacity of 1 Tb / s and Demands a Ransom Directly in DDoS Packets

Fodcha demands a ransom starting from 10 XMR (Monero), about $1,500. Interestingly, the demands are embedded in the botnet’s DDoS packets, where the attackers warn that the attacks will continue until the payment is made.

Updated Fodcha botnet

The researcher’s report also notes that the botnet now uses encryption to communicate with the control server, making it difficult to analyze malware and the potential destruction of its infrastructure by information security specialists.

The post The Updated Fodcha Botnet Reaches a Capacity of 1 Tb / s and Demands a Ransom Directly in DDoS Packets appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/updated-fodcha-botnet/feed/ 0 11493
Microsoft warns of mining attacks on Kubernetes clusters https://gridinsoft.com/blogs/mining-attacks-on-kubernetes-clusters/ https://gridinsoft.com/blogs/mining-attacks-on-kubernetes-clusters/#respond Thu, 10 Jun 2021 20:33:24 +0000 https://blog.gridinsoft.com/?p=5577 Microsoft has warned of ongoing attacks on Kubernetes clusters running Kubeflow (an open source project that allows running super powerful machine learning computing on top of Kubernetes clusters). Criminals use them to deploy malicious containers that mine Monero and Ethereum cryptocurrencies. Researchers say the attacks appear to be a continuation of a campaign that was… Continue reading Microsoft warns of mining attacks on Kubernetes clusters

The post Microsoft warns of mining attacks on Kubernetes clusters appeared first on Gridinsoft Blog.

]]>
Microsoft has warned of ongoing attacks on Kubernetes clusters running Kubeflow (an open source project that allows running super powerful machine learning computing on top of Kubernetes clusters).

Criminals use them to deploy malicious containers that mine Monero and Ethereum cryptocurrencies.

Researchers say the attacks appear to be a continuation of a campaign that was discovered last April. Although that campaign peaked in June and then dwindled, new attacks began in late May 2021 when researchers noticed a sudden increase in deployments of the open source machine learning library TensorFlow, adapted for mining.

This is not the first time we see attackers use legitimate images for running their malicious code. Particularly in this case, the existence of TensorFlow images in the cluster makes a lot of sense: It’s not uncommon to find TensorFlow containers in a ML workload. If the images in the cluster are monitored, usage of legitimate image can prevent attackers from being discovered.Report Microsoft researchers.

In this case, deployments in different clusters occurred simultaneously.

The burst of deployments on the various clusters was simultaneous. This indicates that the attackers scanned those clusters in advance and maintained a list of potential targets, which were later attacked on the same time.specialists write.

Although the pods used by the hackers were taken from the official Docker Hub repository, they were modified to mine cryptocurrency. At the same time, all pods are named according to the sequential-pipeline-{random pattern} pattern, which now makes it quite easy to detect possible compromises.

attacks on Kubernetes clusters

According to the company, in order to gain access to clusters and deploy miners to them, attackers search the network for incorrectly configured and publicly available Kubeflow dashboards that should be open only for local access.

Attackers deploy at least two separate modules on each of the compromised clusters: one for CPU mining and the other for GPU mining. So, XMRig is used to mine Monero using a CPU, and Ethminer is used to mine Ethereum on a GPU.

Microsoft recommends that administrators always enable authentication on Kubeflow dashboards if they cannot be isolated from the internet and control their environments (containers, images, and the processes they run).

Let me remind you that I wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.

The post Microsoft warns of mining attacks on Kubernetes clusters appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/mining-attacks-on-kubernetes-clusters/feed/ 0 5577
PgMiner botnet attacks poorly protected PostgreSQL DBs https://gridinsoft.com/blogs/pgminer-botnet-attacks-poorly-protected-postgresql-dbs/ https://gridinsoft.com/blogs/pgminer-botnet-attacks-poorly-protected-postgresql-dbs/#respond Mon, 14 Dec 2020 22:19:32 +0000 https://blog.gridinsoft.com/?p=4845 Palo Alto Networks has discovered the PgMiner botnet, which attacks and breaks into poorly protected PostgreSQL DBs in order to install miners. A new Linux-based cryptocurrency mining botnet exploits PostgreSQL’s Remote Code Execution (RCE) vulnerability, which compromises cryptojacking database servers. Cryptojacking (or simply malicious coin mining) is a common way for malware authors to monetize… Continue reading PgMiner botnet attacks poorly protected PostgreSQL DBs

The post PgMiner botnet attacks poorly protected PostgreSQL DBs appeared first on Gridinsoft Blog.

]]>
Palo Alto Networks has discovered the PgMiner botnet, which attacks and breaks into poorly protected PostgreSQL DBs in order to install miners.

A new Linux-based cryptocurrency mining botnet exploits PostgreSQL’s Remote Code Execution (RCE) vulnerability, which compromises cryptojacking database servers.

Cryptojacking (or simply malicious coin mining) is a common way for malware authors to monetize their operations.

Palo Alto Networks has named the new cryptocurrency mining botnet “PGMiner” after its delivery channel and mining mode.

We believe PGMiner is the first cryptocurrency mining botnet that is delivered via PostgreSQL. It is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones.the researchers said.

The PgMiner botnet operates according to a well-known and well-established by criminals scheme: it randomly selects a range of IP addresses (for example, 18.xxx.xxx.xxx) and then enumerates all parts of this range looking for systems with an open port 5432 (PostgreSQL).

PostgreSQL is one of the most commonly used open-source relational database management systems (DBMS) for production environments. According to DB-Engines, PostgreSQL is ranked fourth among all database management systems (DBMS) as of November 2020.

If the botnet detects an active PostgreSQL system, it moves from the scanning phase to a brute-force attack, during which it tries a long list of passwords in an attempt to guess the login and password of the default PostgreSQL account (postgres).

If the database owner forgot to disable this account or did not change the password, hackers gain access to the database and then use the COPY from PROGRAM function (CVE-2019-9193 was associated with it, though many in the PostgreSQL community refused to recognize as a bug) to expand access and reach the server and its OS. Having established control over the infected system, the PgMiner operators deploy a miner on the infected server for mining the Monero cryptocurrency.

According to the researchers, the botnet is currently able to install miners only on Linux MIPS, ARM and x64 platforms.

PgMiner attacks PostgreSQL DBs

Experts also mention that the PgMiner control server, from which hackers control infected bots, is hosted in Tor, and the botnet’s codebase resembles another similar malware – SystemdMiner.

Let me remind you that hackers cracked European supercomputers and forced them to mine cryptocurrency.

The post PgMiner botnet attacks poorly protected PostgreSQL DBs appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/pgminer-botnet-attacks-poorly-protected-postgresql-dbs/feed/ 0 4845
Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it https://gridinsoft.com/blogs/bughunter-stole-a-monero-exploit-from-another-cybersecurity-specialist-and-received-a-reward-for-it/ https://gridinsoft.com/blogs/bughunter-stole-a-monero-exploit-from-another-cybersecurity-specialist-and-received-a-reward-for-it/#respond Tue, 20 Oct 2020 16:48:53 +0000 https://blog.gridinsoft.com/?p=4446 Bleeping Computer reporters drew attention to an interesting case that occurred as part of the bug bounty of the Monero program on HackerOne. Bughunter stole a Monero vulnerability exploit discovered by another person and received a reward. The publication notes that bug hunting is not just a good cause that benefits the community, but also… Continue reading Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it

The post Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it appeared first on Gridinsoft Blog.

]]>
Bleeping Computer reporters drew attention to an interesting case that occurred as part of the bug bounty of the Monero program on HackerOne. Bughunter stole a Monero vulnerability exploit discovered by another person and received a reward.

The publication notes that bug hunting is not just a good cause that benefits the community, but also a multimillion dollar industry. As a result, some may try to abuse platforms such as HackerOne and Bugcrowd, designed to foster ethics, trust and accountability among information security professionals, for their own financial gain.

Last weekend, cybersecurity specialist Guido Vranken discovered that an Everton Melo had used a copy of an exploit he had created to report a vulnerability in the Monero bug bounty program on HackerOne. The vulnerability Vranken found in the libzmq 4.1 series back in 2019 was a critical clipboard overflow bug (CVE-2019-6250). The researcher notified the developers about it in January 2019.

“Lol someone literally copied and pasted my libzmq + analysis exploit in the [HackerOne] bug bounty and took the money”, — Vranken wrote on Twitter.

Although HackerOne engineers have previously detected and closed plagiarized reports, there is always the possibility of accidental employee error. Currently, the Monero developers have already reported that they cannot return the amount already paid to the plagiarist:

“This report was stolen (!!) from the original Guido Vranken vulnerability report without any mention of his merits. We overlooked the fact that the report was redrawn from there, as we focused on reproducing the problem and fixing it. This is incredible meanness. Please don’t do this. We contacted Guido to pay him a fee, and unfortunately we cannot withdraw the fee from Everton Melo.”

Bughunter stole Monero exploit

Interestingly, upon closer examination of the report, the developers determined that the 4.1 series, apparently, is not affected by the CVE-2019-6250 problem, but it is definitely vulnerable to the CVE-2019-13132 issue, and therefore it was decided that Melo still has the right for a reward. For the same reason, the title of the report on HackerOne was changed to CVE-2019-13132 instead of CVE-2019-6250.

Let me remind you that Google recruits a team of experts to find bugs in Android applications.

The post Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/bughunter-stole-a-monero-exploit-from-another-cybersecurity-specialist-and-received-a-reward-for-it/feed/ 0 4446
Prometei botnet uses SMB for distribution https://gridinsoft.com/blogs/prometei-botnet-uses-smb-for-distribution/ https://gridinsoft.com/blogs/prometei-botnet-uses-smb-for-distribution/#respond Thu, 23 Jul 2020 16:32:14 +0000 https://blog.gridinsoft.com/?p=4095 Cisco Talos has discovered a new botnet, Prometei, which was active since March 2020 and focused on mining the Monero (XMR) cryptocurrency. The researchers note that the Prometei botnet intensively uses the SMB protocol for distribution. The malware mainly attacks users from the USA, Brazil, Pakistan, China, Mexico and Chile. During four months of activity,… Continue reading Prometei botnet uses SMB for distribution

The post Prometei botnet uses SMB for distribution appeared first on Gridinsoft Blog.

]]>
Cisco Talos has discovered a new botnet, Prometei, which was active since March 2020 and focused on mining the Monero (XMR) cryptocurrency. The researchers note that the Prometei botnet intensively uses the SMB protocol for distribution.

The malware mainly attacks users from the USA, Brazil, Pakistan, China, Mexico and Chile. During four months of activity, the botnet operators “earned” about $5,000, that is, an average of about $1,250 per month.

Do you know who else is focused on mining Monero and manipulates a variety of exploits? Lucifer! (don’t be alarmed – this is such malware)

“The malware uses several techniques for distribution, including LOLbins (living off the land) to use legitimate Windows processes to execute malicious code (including PsExec and WMI), SMB exploits (including EternalBlue), and stolen credentials”, – write Cisco Talos experts.

In total, the researchers counted more than 15 ingredients in Prometei. All of them are controlled by the main module, which encrypts (RC4) the data before sending it to the management server via HTTP.

Prometei botnet uses SMB

Auxiliary modules can be used to establish communication over Tor or I2P, collect system information, check open ports, spread via SMB, and scan the infected system for any cryptocurrency wallets.

For example, a botnet steals passwords using a modified version of Mimikatz (miwalk.exe), and then passwords are passed to the spreader module (rdpclip.exe) for analysis and authentication via SMB. If that doesn’t work, the EternalBlue exploit is used for propagation.

The final payload delivered to the compromised system is SearchIndexer.exe, which is simply an XMRig version 5.5.3.

However, experts write that Prometei is not just a miner, the malware can also be used as a full-fledged Trojan and info-stealer.

“The botnet is split into two main branches: the C ++ branch is dedicated to cryptocurrency mining operations, and the .NET-based branch focuses on credential theft, SMB attacks and obfuscation. At the same time, the main branch can work independently from the second one, since it can independently communicate with the control server, steal credentials and engage in mining”, – say the researchers.

Cisco Talos experts point out that Prometei is unlike most mining botnets. Its authors not only divided their tools according to their purpose, it also “taught” malware to avoid detection and analysis. In particular, even in earlier versions, you can find several layers of obfuscation, which have become much more difficult in later versions.

The post Prometei botnet uses SMB for distribution appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/prometei-botnet-uses-smb-for-distribution/feed/ 0 4095
Lucifer malware uses many exploits, is engaged in mining and DDoS attacks https://gridinsoft.com/blogs/lucifer-malware-uses-many-exploits-is-engaged-in-mining-and-ddos-attacks/ https://gridinsoft.com/blogs/lucifer-malware-uses-many-exploits-is-engaged-in-mining-and-ddos-attacks/#respond Mon, 29 Jun 2020 16:20:16 +0000 https://blog.gridinsoft.com/?p=3980 Palo Alto Networks experts have prepared a report on Lucifer malware, which uses many exploits and, according to experts, “wreaks havoc” on Windows hosts. It is noted that the authors of the malware themselves named their brainchild Satan DDoS, but information security experts call it Lucifer to distinguish it from the Satan cryptographer. The Lucifer… Continue reading Lucifer malware uses many exploits, is engaged in mining and DDoS attacks

The post Lucifer malware uses many exploits, is engaged in mining and DDoS attacks appeared first on Gridinsoft Blog.

]]>
Palo Alto Networks experts have prepared a report on Lucifer malware, which uses many exploits and, according to experts, “wreaks havoc” on Windows hosts. It is noted that the authors of the malware themselves named their brainchild Satan DDoS, but information security experts call it Lucifer to distinguish it from the Satan cryptographer.

The Lucifer botnet attracted the attention of researchers after numerous incidents involving the exploitation of the critical vulnerability CVE-2019-9081 in the Laravel framework, which could lead to remote execution of arbitrary code.

Version of the malware that uses CVE-2019-9081, was spotted on May 29, 2020, after which the campaign stopped on June 10 and resumed after a few days, but with an updated version of the malware.

“If initially it was believed that the malware was quite simple and designed for mining cryptocurrency (Monero), it has now become clear that Lucifer also has a DDoS component and self-distribution mechanism, built on a number of serious vulnerabilities and brute force”, – say the experts.

For distribution on the network, Lucifer uses such well-known exploits as EternalBlue, EternalRomance and DoublePulsar, stolen from special services and in 2017 published in the public domain by The Shadow Brokers. But the attackers are not limited only to this bug, so the list of exploits taken by Lucifer into service is as follows:

  • CVE-2014-6287
  • CVE-2018-1000861
  • CVE-2017-10271
  • CVE-2018-20062 (RCE-vulnerability in ThinkPHP)
  • CVE-2018-7600
  • CVE-2017-9791
  • CVE-2019-9081
  • RCE-backdoor in PHPStudy
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-8464

It is worth noting that all these vulnerabilities have already been fixed, and patches are available for them.

“After using exploits, an attacker can execute arbitrary commands on a vulnerable device. Considering that the attackers use the certutil utility in the payload to distribute the malware, in this case, the targets are both Windows hosts on the Internet and on the intranet”, — write the researchers.

Lucifer is also able to scan machines with open TCP 135 (RPC) and 1433 (MSSQL) ports and check if certain combinations of usernames and passwords are suitable for them. For brute force attacks, the malware uses a dictionary with 300 passwords and seven user names: sa, SA, su, kisadmin, SQLDebugger, mssql and Chred1433.

“The malware is able to infect devices using IPC, WMI, SMB and FTP, using brute force, as well as using MSSQL, RPC and network sharing”,- say the researchers.

Having infected the system, Lucifer places its copy there using the shell command, and also installs XMRig for secret mining of the Monero cryptocurrency (XMR). Judging by the fact that criminals currently earned only 0.493527 XMR (about $30 at the current exchange rate), experts believe that the malicious campaign is just beginning.

Also, gaining a foothold in the system, Lucifer connects to the management server to receive commands, for example, to launch a DDoS attack, transfer stolen system data or inform its operators about the state of the miner.

A newer version of malware also comes with analysis protection and checks the username and the infected machine before attacking. If Lucifer discovers that it is running in an analytical environment, it ceases all activity.

Recall also that according to the observations of information security experts, Evil Corp returns to criminal activity with WastedLocker ransomware.

The post Lucifer malware uses many exploits, is engaged in mining and DDoS attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/lucifer-malware-uses-many-exploits-is-engaged-in-mining-and-ddos-attacks/feed/ 0 3980