February 26, 2018

Epidemic of cryptojacking can be traced to escaped NSA superweapon

Boingboing writes on the connection between two of the themes often grumbled about in this blog: that Bitcoin muffed the incentives and encourages destructive and toxic behaviour, and that the NSA, as a matter of policy, weakens our Internet.

The epidemic of cryptojacking malware isn't merely an outgrowth of the incentive created by the cryptocurrency bubble -- that's just the motive, and the all-important means and opportunity were provided by the same leaked NSA superweapon that powered last year's Wannacry ransomware epidemic.

It all started when the Shadow Brokers dumped a collection of NSA cyberweapons that the NSA had fashioned from unreported bugs in commonly used software, including versions of Windows. The NSA discovered these bugs and then hoarded them, rather than warning the public and/or the manufacturers about them, in order to develop weapons that turned these bugs into attacks that could be used against the NSA's enemies.

This is only safe if neither rival states nor criminals ever independently rediscover the same bugs and use them to attack your country (they do, all the time), and if your stash of cyberweapons never leaks (oops).

Discovering the subtle bugs the NSA weaponized is sophisticated work that can only be performed by a small elite of researchers; but using these bugs is something that real dum-dums can do, as was evidenced by the hamfisted Wannacry epidemic.

Enter the cryptocurrency bubble: turning malware into money has always been tough. Ransomware criminals have to set up whole call-centers full of tech-support people who help their victims buy the cryptocurrency used to pay the ransom. But cryptojacking cuts out the middleman, stealing your computer to directly generate cash for the malware author. As long as cryptocurrencies continue to inflate, this is a great racket.

Wannamine is a cryptojacker that uses Eternalblue, the same NSA exploit as Wannacry. It's been around since last October, and it's on the rise, extracting Monero from victims' computers.

What's more, it's a cryptojacker written by a dum-dum, and it is so incontinent that it slows down critical computers to the point of uselessness, shutting down important IT infrastructure.

WannaMine doesn’t resort to EternalBlue on its first try, though. First, WannaMine uses a tool called Mimikatz to pull logins and passwords from a computer’s memory. If that fails, Wannamine will use EternalBlue to break in. If this computer is part of a local network, like at a company office, it will use these stolen credentials to infect other computers on the network.

The use of Mimikatz in addition to EternalBlue is important “because it means a fully patched system could still be infected with WannaMine,” York said. Even if your computer is protected against EternalBlue, then, WannaMine can still steal your login passwords with Mimikatz in order to spread.

Cryptocurrency Mining Malware That Uses an NSA Exploit Is On the Rise [Daniel Oberhaus/Motherboard]
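The spread pattern described above, one box reusing a batch of harvested accounts against its neighbours in quick succession, is something a defender can look for in network-logon records. Added example, not part of the original post or the quoted articles: the record shape, the sample events and the thresholds are all assumptions chosen for illustration.

```python
"""Flag the credential-reuse lateral movement pattern described for WannaMine.

Added example, not part of the original post. Input is a constructed list of
network-logon records in a simplified (assumed) shape: timestamp, source host,
account used, destination host. Real Windows 4624 events carry the same
information under other field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: WS-17 reuses several harvested accounts against many
# peers within seconds, while WS-03 shows ordinary single-user logons.
SAMPLE_LOGONS = [
    ("2018-02-20T09:00:05", "WS-17", "alice", "FS-01"),
    ("2018-02-20T09:00:09", "WS-17", "bob", "FS-02"),
    ("2018-02-20T09:00:14", "WS-17", "svc_backup", "DB-01"),
    ("2018-02-20T09:00:20", "WS-17", "alice", "PRINT-01"),
    ("2018-02-20T09:00:31", "WS-17", "carol", "WS-22"),
    ("2018-02-20T09:03:00", "WS-03", "dave", "FS-01"),
    ("2018-02-20T10:15:00", "WS-03", "dave", "FS-02"),
]


def find_credential_spray(logons, window=timedelta(minutes=5),
                          min_accounts=3, min_hosts=4):
    """Return {source_host: (accounts, destinations)} for every source that,
    within one sliding time window, used at least `min_accounts` distinct
    accounts against at least `min_hosts` distinct destinations.
    Thresholds are assumptions for illustration; tune them per environment."""
    by_source = defaultdict(list)
    for ts, src, user, dst in logons:
        by_source[src].append((datetime.fromisoformat(ts), user, dst))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u, _ in events[start:end + 1]}
            hosts = {d for _, _, d in events[start:end + 1]}
            if len(users) >= min_accounts and len(hosts) >= min_hosts:
                flagged[src] = (sorted(users), sorted(hosts))
                break  # one hit per source host is enough to raise an alert
    return flagged
```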

Posted by iang at 05:43 PM | Comments (0)

February 20, 2018

Tesla’s cloud was used by hackers to mine cryptocurrency

Just because I get the photo op, here's The Verge on Tesla's operations being cryptojacked.

Tesla’s cloud account was hacked and used to mine cryptocurrency, according to a security research firm. Hackers gained access to the electric car company’s Amazon cloud account, where they were able to view “sensitive data” such as vehicle telemetry.

According to RedLock, using Tesla’s cloud account to mine cryptocurrency is more valuable than any data stored within. The cybersecurity firm said in a report released Monday that it estimates 58 percent of organizations that use public cloud services, such as AWS, Microsoft Azure, or Google Cloud, have publicly exposed “at least one cloud storage service.” Eight percent have had cryptojacking incidents.

“The recent rise of cryptocurrencies is making it far more lucrative for cybercriminals to steal organizations’ compute power rather than their data,” RedLock CTO Gaurav Kumar told Gizmodo. “In particular, organizations’ public cloud environments are ideal targets due to the lack of effective cloud threat defense programs. In the past few months alone, we have uncovered a number of cryptojacking incidents including the one affecting Tesla.”

Posted by iang at 03:51 PM | Comments (0)

February 14, 2018

when we teach everyone to trust ID documents...

From Queanbeyan, Australia:

Police have issued a warning after a Queanbeyan mother said she let two strangers into her home and presented her infant children to them for inspection, after the pair apparently lied about being from Family and Community Services (FACS).

The two people went to the home in Karabar, just outside of Canberra, on Friday afternoon and presented the mother with identification purportedly from the NSW Government department.

The pair, a man and a woman, claimed they were at the home to check on the welfare of her children, despite the family having had no prior interactions with FACS or police.

The mother said her two six-month-old twins were asleep and she could call the pair when they woke up, however the impostors instead said they would wait at the home until the babies were ready.

Soon after, the mother brought the children to the lounge room to meet the strangers, and the pair checked both the babies and their bedroom before leaving the house.

After the visit aroused the woman's suspicions, she contacted Queanbeyan FACS, which confirmed none of its workers were due to visit the woman.

The male visitor was slim, white and in his 30s, about 183cm tall with dark black hair, while the woman with him was 170cm tall and in her 20s.

She had dark hair with a blonde streak in it, and was wearing a distinctive orange blazer at the time of the visit.

Police urge vigilance in checking IDs

Detective Chief Inspector Neil Grey said the incident was "disturbing", and reminded residents of what to look out for on a government ID.

"FACS have confirmed that all caseworkers in the Southern District carry photo ID with their name, job title and FACS logo," he said.

"The ID that was produced was good enough to fool the young mother into letting them into the house.

"Generally speaking workers from the Department of Family and Community services will ring prior to attending the address anyway."

Posted by iang at 08:51 PM | Comments (0)