How to find cryptojacking malware
Prorootect wrote (post 711358):

Coin Mining by Opportunistic and Automated Threats
on icebrg.io/blog/: https://www.icebrg.io/blog/coin-mining-by-opportunistic-and-automated-threats

By: Justin Warner

With the recent surge in popularity and increasing value of cryptocurrency, it should be no surprise that financially motivated threat actors have begun leveraging their victims to contribute to "mining" efforts, where the computing resources of the victim are used to generate cryptocurrency for the threat actor. To succeed in making a large profit, the actors must continually compromise a large number of victims and utilize significant computing resources. This demand for mass compromise has forced these threat actors to adopt automated methods that rely on opportunistic exploitation to outpace defenders, increasing the number of victims as quickly as possible with minimal cost.

While on the surface the business impact from coin mining seems minimal, having an unauthorized party in control of systems you own introduces a dangerous wild card. Is it really a criminal performing coin mining, or is that a disguise? What will they do with the access if coin mining is no longer profitable? ICEBRG has witnessed incidents stemming from criminals who decided to sell their access to other parties, and the increasingly common malware-as-a-service scheme (https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/access-to-corporate-remote-desktops-sold-for-3-in-the-dark-web) contributes to the risk from "simple" coin mining. Simply stated, criminal post-exploitation has become an efficient and widespread business that poses a threat to all enterprises, especially those with a significant and historical internet footprint that may contain undocumented or obsolete systems and pages. In this post, we will provide a walkthrough of an attack campaign that ICEBRG has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.

Attack Walkthrough

Exploitation

Attackers primarily rely on opportunistic exploitation of well-known (and signatured) vulnerabilities in applications running on internet-connected systems, and exhibit complete disregard for stealth or disguise. Throughout the recently observed campaign, attackers originating from multiple source addresses (191.101.180[.]84, 72.11.140[.]178) leveraged CVE-2017-10271, a Java deserialization vulnerability in the Oracle WebLogic Server, to target outdated servers (Figure 1). Java deserialization vulnerabilities are not unique to Oracle, and plague several older versions of WebSphere, JBoss, Jenkins, OpenNMS, etc. In this class of vulnerability, server software attempts to deserialize untrusted content without validation, allowing an attacker to abuse the application for code execution.

[Figure 1 (image: https://www.icebrg.io/uploads/images/1.18_CoinMining_Fig1.png): Connections from an external untrusted entity with suspicious referrer to an exposed vulnerable Oracle WebLogic endpoint]

...read MORE at the website...
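As an added example (not from the ICEBRG post or its author), a small Python triage over constructed web-server access-log lines that flags the traffic pattern the post describes: requests from the campaign source addresses it names, and external clients reaching the WebLogic WLS-WSAT endpoint abused by CVE-2017-10271. The /wls-wsat/ path prefix and the internal address ranges are assumptions, not values from the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Source addresses named in the quoted post (defanged there as 191.101.180[.]84 and 72.11.140[.]178).
CAMPAIGN_SOURCES = {"191.101.180.84", "72.11.140.178"}
# Address space treated as internal (an assumption for this example; adjust to your environment).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# WebLogic WLS-WSAT component abused via CVE-2017-10271; the path prefix is assumed, the post does not name it.
WLS_WSAT_RE = re.compile(r"^/wls-wsat/", re.IGNORECASE)
# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def triage_line(line):
    """Return the reasons one access-log line deserves analyst review (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, path, method = m.group("src"), m.group("path"), m.group("method")
    reasons = []
    if src in CAMPAIGN_SOURCES:
        reasons.append("known campaign source")
    if WLS_WSAT_RE.match(path):
        # WLS-WSAT is a SOAP endpoint outside clients have no business reaching; the payload arrives in a POST body.
        if not any(ip_address(src) in net for net in INTERNAL_NETS):
            reasons.append("external client reaching wls-wsat")
        if method == "POST":
            reasons.append("POST to wls-wsat")
    return reasons

def triage(lines):
    """Group flagged lines by source address: {src: [reason, ...]}."""
    hits = defaultdict(list)
    for line in lines:
        for reason in triage_line(line):
            hits[LOG_RE.match(line).group("src")].append(reason)
    return dict(hits)

# Constructed sample lines (not from the post) mixing benign and suspect traffic.
SAMPLE_LOG = [
    '191.101.180.84 - - [18/Jan/2018:10:21:07 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Jan/2018:10:22:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '93.184.216.34 - - [18/Jan/2018:10:23:41 +0000] "GET /wls-wsat/CoordinatorPortType?wsdl HTTP/1.1" 200 8810 "-" "curl/7.58.0"',
    '10.0.0.9 - - [18/Jan/2018:10:25:13 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 312 "-" "Apache-HttpClient/4.5"',
]
```

Running `triage(SAMPLE_LOG)` on the constructed lines reports the campaign address with three reasons, the other external client and the internal POST with one each, and nothing for the console login.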