Tag: Cryptojacking
Zealot: New Apache Struts Campaign Uses EternalBlue and EternalSynergy to Mine Monero on Internal Networks
- by nlqip
F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits. We have dubbed the campaign “Zealot” based on the name of the zip file containing the python scripts with the NSA-attributed exploits. As we continue to research…
Read MoreFigure 2: Alternative C&C server address hosted on Pastebin.com One of the challenges that adversaries need to deal with is how to maintain a sustainable C&C infrastructure without being quickly denylisted by enterprise security solutions, or being frequently shut down by ISPs and hosting services following law enforcement and security vendors’ abuse reports. Many…
Read MoreEvery day, your web servers are increasingly being scanned—and likely attacked—by adversaries attempting to gain access to your infrastructure. Between 2015 and 2017, our data partner, Loryka, observed these types of scans grow from 200 per minute to as much as 2,000 per minute. These kinds of attackers are professionals; they do this for a…
Read MoreLast week, a malware campaign targeting Jenkins automation servers was reported by CheckPoint researchers.1 The attackers exploited a deserialization vulnerability2 in Jenkin’s bidirectional channel (CVE-2017-1000353)3 to deploy Monero cryptomining malware that generated an estimated profit of $3 million. Following this disclosure, F5 researchers observed what appears to be the same threat actor group, as they…
Read MoreF5 threat researchers detected attackers actively exploiting the rTorrent client through a previously undisclosed misconfiguration vulnerability and deploying a Monero (XMR) crypto-miner operation. The rTorrent client misconfiguration vulnerabilities include: No authentication required for XML-RPC communication Sensitive XML-RPC method is allowed (direct OS command execution) Attackers are actively exploiting this vulnerability in the wild by scanning…
Read MoreFigure 2: Latest attack request targeting Windows servers As shown in Figure 2, the latest attack requests are targeting the same URL, keeping the same HTTP header values and the same exploit structure, however, they are now using Windows shell commands to download and execute a file. Using the Windows certutil Tool While Linux…
Read MoreThere’s a lot of speculation in cryptocurrency right now. People are mining coins all over the place, and even though it’s getting harder and harder to make money mining coins, interest is still high. All it costs is money for the power bill. So, of course, clever people are figuring out how to use other people’s power…
Read MoreF5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE–2017–7269) in order to mine Electroneum crypto-currency. Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group.…
Read MoreThreat actors continue to find creative yet relatively unsophisticated ways to launch new campaigns to reap profits from crypto-mining operations. Source link lol
Read MoreJust two weeks ago a new Apache Struts 2 critical remote code execution vulnerability was published,1 and F5 researchers have already detected known threat actors exploiting it in a new crypto-mining campaign: CVE-2018-11776 Apache Struts 2 namespace vulnerability allows unauthenticated remote code execution. In this Monero crypto-mining campaign, the injection point is within the URL.…
Read MoreRecent Posts
- Windows 10 KB5046714 update fixes bug preventing app uninstalls
- Eight Key Takeaways From Kyndryl’s First Investor Day
- QNAP pulls buggy QTS firmware causing widespread NAS issues
- N-able Exec: ‘Cybersecurity And Compliance Are A Team Sport’
- Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’