Comments: Gresham's Law thesis is back - Malware bid to oust honest miners in Monero


The Varonis Security Research team recently investigated an ongoing cryptomining infection that had spread to nearly every device at a mid-size company. Analysis of the collected malware samples revealed a new variant, which the team dubbed “Norman,” that uses various techniques to hide and avoid discovery. We also discovered an interactive web shell that may be related to the mining operators.

Research Overview

* We found a large-scale infection of cryptominers; almost every server and workstation in the company was infected.

* Since the initial infection, which took place over a year ago, the number of variants and infected devices grew.

* Norman employs evasion techniques to hide from analysis and avoid discovery.

* Most of the malware variants relied on DuckDNS (a free, Dynamic DNS service). Some needed it for command and control (C&C) communications, while others used it to pull configuration settings or to send updates.

* Norman is an XMRig-based cryptominer, a high-performance miner for Monero cryptocurrency.

* We have no conclusive evidence that connects the cryptominers to the interactive PHP Shell. However, we have strong reason to believe they originate from the same threat actor. We make a case whether they may or may not be connected.

* We provide tips for defending against remote web shells and cryptominers.

The Investigation
The investigation began during an ...

Posted by Varonis Uncovers New Malware Strains and a Mysterious Web Shell During a Monero Cryptojacking Investigation at August 16, 2019 04:00 AM

Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency.

The investigation is being led by the Ukrainian Secret Service (SBU), which is looking at the incident as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure.

Investigators are examining if attackers might have used the mining rigs as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections.

According to authorities, the incident took place in July at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk, in southern Ukraine.

It's unknown how the scheme was discovered, but on July 10 the SBU raided the nuclear power plant, from where it seized computers and equipment specifically built for mining cryptocurrency.

This equipment was found in the power plant's administration offices, and not on its industrial network.

Confiscated equipment included two metal cases containing basic computer parts, but with additional power supplies, coolers, and video cards. According to court documents [1, 2], one case held six Radeon RX 470 GPU video cards, and the second five.

Further, the SBU also found and seized additional equipment [1, 2] that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.

Posted by Employees connect nuclear plant to the internet so they can mine cryptocurrency at August 23, 2019 10:35 AM

Employees at the Russian Federation Nuclear Center have been arrested on suspicion of using supercomputers at the facility to mine cryptocurrency. .... The Sarov-based nuclear facility, also known as the All-Russian Research Institute of Experimental Physics (RFNC-VNIIEF), focuses on enhancing nuclear weaponry at the computational and theoretical levels. ....

As none of the facility's systems, including its 1-petaflop capable supercomputer which was powered up in 2011, are meant to be connected to the Internet due to the research involved, once the engineers allegedly attempted to connect to the web for mining, the scheme was exposed.

"Similar attempts have recently been registered in a number of large companies with large computing capacities, which will be severely suppressed at our enterprises, this is technically a hopeless and criminal offense," Zalesskaya added. ....

Posted by Russian Nuclear Center engineers arrested for using supercomputers to mine cryptocurrency at August 23, 2019 10:38 AM

It has been reported the Australian Federal Police (AFP) is investigating two Bureau of Meteorology (BOM) staff over allegations they were using the bureau's equipment to mine for cryptocurrency.

Posted by Bureau of Meteorology staff questioned by AFP over cryptocurrency mining: Report at August 23, 2019 10:39 AM

As their value rises, virtual currencies such as Bitcoin or Monero are becoming attractive to Romanians as well. ...

Posted by Romanian National Research Institute for Nuclear Physics and Engineering was also caught mining cryptocurrency at work at August 23, 2019 10:45 AM

Between March and July 2019, Paige Thompson accessed at least 30 institutions’ servers managed by an unnamed cloud computing company, compromising at least 100 million customer accounts, according to a release published Wednesday. While there is no indication Thompson attempted to sell this information, she did use stolen computing power to mine cryptocurrencies.

Posted by Capital One Hacker Used Stolen Computing Power to Mine Crypto at September 1, 2019 01:26 PM

... Denis Baykov was handed the penalty by a jurisdictional city court for accessing the lab’s supercomputer to illegally mine the world’s top cryptocurrency by market valuation.

Located in Sarov, Russia, the top-secret lab was where the first Soviet nuclear bombs were manufactured in the late 1940s. It remains home to some of Russia’s most powerful computers.

The mining trio was first exposed last February and promptly handed over to the Federal Security Service. ....

Court verdicts for the other two scientists have not yet been reached.

Posted by Russian Nuclear Scientist Gets $7,000 Fine for Mining Bitcoin at Work at October 1, 2019 10:32 AM