February 26, 2018

Epidemic of cryptojacking can be traced to escaped NSA superweapon

Boingboing writes on the connection between two of the themes often grumbled about in this blog: that Bitcoin muffed the incentives and encourages destructive and toxic behaviour, and that the NSA is the agency that as policy weakens our Internet.

The epidemic of cryptojacking malware isn't merely an outgrowth of the incentive created by the cryptocurrency bubble -- that's just the motive, and the all-important the means and opportunity were provided by the same leaked NSA superweapon that powered last year's Wannacry ransomware epidemic.

It all started when the Shadow Brokers dumped a collection of NSA cyberweapons that the NSA had fashioned from unreported bugs in commonly used software, including versions of Windows. The NSA discovered these bugs and then hoarded them, rather than warning the public and/or the manufacturers about them, in order to develop weapons that turned these bugs into attacks that could be used against the NSA's enemies.

This is only safe if neither rival states nor criminals ever independently rediscover the same bugs and use them to attack your country (they do, all the time), and if your stash of cyberweapons never leaks (oops).

Discovering the subtle bugs the NSA weaponized is sophisticated work that can only be performed by a small elite of researchers; but using these bugs is something that real dum-dums can do, as was evidenced by the hamfisted Wannacry epidemic.

Enter the cryptocurrency bubble: turning malware into money has always been tough. Ransomware criminals have to set up whole call-centers full of tech-support people who help their victims buy the cryptocurrency used to pay the ransom. But cryptojacking cuts out the middleman, stealing your computer to directly generate cash for the malware author. As long as cryptocurrencies continue to inflate, this is a great racket.

Wannamine is a cryptojacker that uses Eternalblue, the same NSA exploit as Wannacry. It's been around since last October, and it's on the rise, extracting Monero from victims' computers.

What's more, it's a cryptojacker written by a dum-dum, and it is so incontinent that slows down critical computers to the point of useless, shutting down important IT infrastructure.

WannaMine doesn’t resort to EternalBlue on its first try, though. First, WannaMine uses a tool called Mimikatz to pull logins and passwords from a computer’s memory. If that fails, Wannamine will use EternalBlue to break in. If this computer is part of a local network, like at a company office, it will use these stolen credentials to infect other computers on the network.

The use of Mimikatz in addition to EternalBlue is important “because it means a fully patched system could still be infected with WannaMine,” York said. Even if your computer is protected against EternalBlue, then, WannaMine can still steal your login passwords with Mimikatz in order to spread.

Cryptocurrency Mining Malware That Uses an NSA Exploit Is On the Rise [Daniel Oberhaus/Motherboard]

Posted by iang at February 26, 2018 05:43 PM

A first look at browser-based Cryptojacking

Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, Jeremy Clark
(Submitted on 7 Mar 2018)

In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code- bases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non- consenting users.

Posted by: A first look at browser-based Cryptojacking at April 15, 2018 03:12 AM

Cryptocurrency Mining and Cryptojacking Offer Cybercriminals Lower Risk, Higher Efficacy, Ease of Monetization of Efforts; Adding Passive Exploitation to Portfolio of Ransomware Extortion, Data Breach Theft, and Fraud

McAfee Labs sees coin miner malware grow 629% in Q1 2018
Lazarus cryptocurrency campaigns steal bitcoins from financial sector and users

SANTA CLARA, Calif.,June 27, 2018 - SANTA CLARA, Calif.--(BUSINESS WIRE)-- McAfee, the device-to-cloud cybersecurity company, today released its McAfee Labs Threats Report: June 2018 , examining the growth and trends of new malware, ransomware, and other threats in Q1 2018. McAfee Labs saw on average five new threat samples every second, including growth in cryptojacking and other cryptocurrency mining malware, and notable campaigns demonstrating a deliberate drive to technically improve upon the most sophisticate established attacks of 2017.

“There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide,” said Raj Samani, chief scientist at McAfee. “Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetize their criminal activity.”

Cybercriminals extended their operations in cryptojacking and other cryptocurrency mining schemes, where perpetrators hijack victims’ browsers or infect their systems to secretly use them to mine for legitimate cryptocurrencies such as Bitcoin. This category of coin miner malware grew a stunning 629% in the first quarter of 2018, rocketing from around 400,000 total known samples in Q4 2017 to more than 2.9 million the next quarter. This suggests that cybercriminals are continuing to warm to the prospect simply infecting users’ systems and collecting payments without having to rely on third parties to monetize their crimes.

“Cybercriminals will gravitate to criminal activity that maximizes their profit,” said Steve Grobman, chief technology officer at McAfee. “In recent quarters we have seen a shift to ransomware from data-theft, as ransomware is a more efficient crime. With the rise in value of cryptocurrencies, the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

Bitcoin-stealing campaigns

The Lazarus cybercrime ring launched a highly sophisticated Bitcoin-stealing phishing campaign—HaoBao—which targeted global financial organizations and Bitcoin users. When recipients open malicious email attachments, an implant would scan for Bitcoin activity and establishes an implant for persistent data gathering and crypto mining....

Posted by: McAfee Labs Sees Criminals “Infect and Collect” in Cryptocurrency Mining Surge at July 9, 2018 07:13 AM

There is quite a "religious" faction within the NSA, a large Catholic community around Ft. Meade, and a large Mormon or LDS community around the relatively new Utah data center.

Very little little diversity, whether of thought or of skin color. Chelsea Manning was undoubtedly led to believe by her closest comrades and superiors that she was doing the right thing, but the secretive "churching" and court-martial that she endured were out of proportion to a lack of foreign contacts of the type that would have been seen as treacherous.

I would want to consider to what extent the NSA grew out of Operation Paperclip after WWII, and thereby came to incorporate such and such subversive "Nazi" goals and agendas into the U.S. government under such great and exaggerated secrecy.

Some things are "too" highly classified, and they verge into "open secret" territory, and I am definitely alluding to the kind of information Manning is accused of leaking on these lines.

Posted by: La Abeja at December 15, 2018 09:45 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.