<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cryptojacking Archives - Linux Windows and android Tutorials</title>
	<atom:link href="https://www.osradar.com/tag/cryptojacking/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.osradar.com</link>
	<description>tutorials and news and Security</description>
	<lastBuildDate>Thu, 02 Aug 2018 14:59:06 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.8.12</generator>
	<item>
		<title>Cryptojacking Campaign Infected 170,000 MikroTik Routers</title>
		<link>https://www.osradar.com/cryptojacking-campaign-infected-170000-mikrotik-routers/</link>
					<comments>https://www.osradar.com/cryptojacking-campaign-infected-170000-mikrotik-routers/#respond</comments>
		
		<dc:creator><![CDATA[osradar_editor]]></dc:creator>
		<pubDate>Thu, 02 Aug 2018 14:59:06 +0000</pubDate>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[coinhive]]></category>
		<category><![CDATA[coinhive script]]></category>
		<category><![CDATA[cryptocurrency]]></category>
		<category><![CDATA[cryptojacking]]></category>
		<category><![CDATA[mikrotik]]></category>
		<category><![CDATA[mikrotik routers]]></category>
		<category><![CDATA[mikrotik vulnerability]]></category>
		<guid isPermaLink="false">https://www.osradar.com/?p=5104</guid>

					<description><![CDATA[<p>Cryptocurrencies have to be mined before they’re added to the system. To that end, a number of people invest in a large amount of hardware and mine for themselves. Hackers are also in need of money, so they too choose mining as a great source of income. Unfortunately, in most cases, [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.osradar.com/cryptojacking-campaign-infected-170000-mikrotik-routers/">Cryptojacking Campaign Infected 170,000 MikroTik Routers</a> appeared first on <a rel="nofollow" href="https://www.osradar.com">Linux  Windows and android  Tutorials</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Cryptocurrencies have to be mined before they’re added to the system. To that end, a number of people invest in a large amount of hardware and mine for themselves. Hackers are also in need of money, so they too choose mining as a great source of income.</p>
<p>Unfortunately, in most cases, the hackers use others’ hardware to make money for themselves. Recently, security researchers discovered a massive cryptojacking campaign that targets and infects MikroTik routers with a copy of the Coinhive in-browser mining script. The Coinhive mining script is one of the most popular in-browser mining scripts of all time.</p>
<p>The campaign appears to have started this week and, in its first stage, was mainly active in Brazil. It then moved on to infecting MikroTik routers all over the world.</p>
<p>A Brazilian researcher (<a href="https://twitter.com/malwarehunterbr?lang=en">@MalwareHunterBR</a>) identified the attacks first. The attack kept growing, infecting more and more routers, and got the attention of Simon Kenin, a security researcher from Trustwave’s SpiderLabs division.</p>
<blockquote class="twitter-tweet" data-lang="en">
<p dir="ltr" lang="en">another mass exploitation against <a href="https://twitter.com/mikrotik_com?ref_src=twsrc%5Etfw">@mikrotik_com</a> devices (<a href="https://t.co/4MxQbnNStA">https://t.co/4MxQbnNStA</a>)<br />
hxxp://170.79.26.28/<br />
CoinHive.Anonymous(&#8216;hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3&#8217;, <a href="https://twitter.com/hashtag/coinhive?src=hash&amp;ref_src=twsrc%5Etfw">#coinhive</a> <a href="https://t.co/Nr8MA0TbzY">pic.twitter.com/Nr8MA0TbzY</a></p>
<p>— MalwareHunterBR (@MalwareHunterBR) <a href="https://twitter.com/MalwareHunterBR/status/1023893755974352896?ref_src=twsrc%5Etfw">July 30, 2018</a></p></blockquote>
<h1>Numbers of infected routers</h1>
<p><img loading="lazy" class="wp-image-5107 aligncenter" src="https://www.osradar.com/wp-content/uploads/2018/08/200000.gif" alt="" width="621" height="242" /></p>
<p>In a <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/">report from Trustwave</a>, Kenin mentioned that the hacker(s) behind the campaign successfully compromised at least 72,000 MikroTik routers in the first stage of the attack in Brazil.</p>
<p>In the second stage, the campaign infected more routers and the total number rose to 170,000.</p>
<p><em><strong>Update</strong></em>: A new campaign of a similar type, using a different Coinhive key, was ongoing. It’s not clear whether the attacker is the same or a different one. In total, about 200,000 routers are infected.</p>
<h1>Infection method</h1>
<p><img loading="lazy" class="size-full wp-image-5106 aligncenter" src="https://www.osradar.com/wp-content/uploads/2018/08/router-infected.png" alt="" width="768" height="768" srcset="https://www.osradar.com/wp-content/uploads/2018/08/router-infected.png 768w, https://www.osradar.com/wp-content/uploads/2018/08/router-infected-150x150.png 150w, https://www.osradar.com/wp-content/uploads/2018/08/router-infected-300x300.png 300w, https://www.osradar.com/wp-content/uploads/2018/08/router-infected-696x696.png 696w, https://www.osradar.com/wp-content/uploads/2018/08/router-infected-420x420.png 420w" sizes="(max-width: 768px) 100vw, 768px" /></p>
<p>Kenin also said that the hacker(s) took advantage of a zero-day vulnerability in the Winbox component of MikroTik routers. This vulnerability was first discovered back in April this year and MikroTik fixed the problem within 24 hours. However, this doesn’t mean that all the owners of the routers took the necessary steps to apply the required patch.</p>
<p>The zero-day was dissected by a number of security researchers, and public proof-of-concept code is available on GitHub. Check out proof-of-concept <a href="https://github.com/mrmtwoj/0day-mikrotik">1</a> and <a href="https://github.com/BasuCert/WinboxPoC">2</a>.</p>
<p>According to Kenin, the attacker(s) used the public code to alter traffic passing through the router and inject a copy of the Coinhive library into all the pages that passed through it.</p>
<p>According to the information found about the attack, only one threat actor is involved. All the scripts shared the same Coinhive key.</p>
<h1>Other users infected</h1>
<p>Kenin says that he was able to identify cases where some non-MikroTik users were also impacted. This happened because some Brazilian ISPs were using MikroTik for their main network and thus the attacker(s) successfully injected the malicious Coinhive mining script into a massive amount of web traffic.</p>
<p>The attacker was also smart enough to reduce the footprint of the attack. If users had a lot of trouble visiting sites, both the ISPs and the users would investigate what was going on. Recently, the attacker(s) switched tactics and now inject the script only into error pages returned by the routers.</p>
<p>This is less of a setback for the attacker than it seems. Kenin said that in recent days he noticed the attack spreading all over the world and infecting nearly 170,000 MikroTik routers.</p>
<p>Thus, even if the injection is limited to error pages, the attacker potentially reaches millions of pages a day.</p>
<h1>How to stay safe</h1>
<p>If you own a MikroTik router, you must <a href="https://wiki.mikrotik.com/wiki/Manual:Upgrading">upgrade your router’s firmware</a>. Don’t forget to apply all the available patches as well.</p>
<p>It’s also recommended to reset the router to system default beforehand, so that any malicious code that may be present in the system is removed.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.osradar.com/cryptojacking-campaign-infected-170000-mikrotik-routers/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Improved Methods for Avoiding In-browser Miner Detection</title>
		<link>https://www.osradar.com/improved-methods-for-avoiding-in-browser-miner-detection/</link>
					<comments>https://www.osradar.com/improved-methods-for-avoiding-in-browser-miner-detection/#respond</comments>
		
		<dc:creator><![CDATA[Mel]]></dc:creator>
		<pubDate>Wed, 28 Mar 2018 12:10:20 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cryptocurrency]]></category>
		<category><![CDATA[cryptojacking]]></category>
		<category><![CDATA[in-browser miner]]></category>
		<category><![CDATA[miner]]></category>
		<guid isPermaLink="false">https://www.osradar.com/?p=2321</guid>

					<description><![CDATA[<p>Hackers are certainly not stupid. Whenever they create new malware, it manages to surprise us. When the world learns to counter it, they improve it or write new malware to breach the system. That’s what is happening with cryptojacking. It’s a process that uses others’ hardware resources to mine cryptocurrency and earn money without [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.osradar.com/improved-methods-for-avoiding-in-browser-miner-detection/">Improved Methods for Avoiding In-browser Miner Detection</a> appeared first on <a rel="nofollow" href="https://www.osradar.com">Linux  Windows and android  Tutorials</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Hackers are certainly not stupid. Whenever they create new malware, it manages to surprise us. When the world learns to counter it, they improve it or write new malware to breach the system. That’s what is happening with cryptojacking. It’s a process that uses others’ hardware resources to mine cryptocurrency and earn money without paying the electricity bill. In-browser mining tools are already in action, but hackers have found better techniques to hide the mining process from the system watchdogs.</p>
<p>Cryptojacking has turned into the hottest malware trend of recent days. Hackers don’t need to break into your bank account. Instead, they can simply use your PC to make money. You pay for the energy consumption and the hackers get their money free of charge. Since cryptojacking emerged, a lot of security software (antivirus, ad blockers, browser extensions etc.) has become able to detect and block cryptojacking scripts. The miner was previously loaded as JavaScript code associated with cryptojacking servers.</p>
<p>Hackers have now found ways to work around the blocking and mine freely. Using proxy servers, crooks are now able to inject the mining code into your browser.</p>
<h3>Proxy servers helping to evade detection</h3>
<p>The most widespread and popular workaround is deploying a “cryptojacking proxy server”. There’s an example available on GitHub, named <a href="https://github.com/x25/coinhive-stratum-mining-proxy">CoinHive Stratum Mining Proxy</a>.</p>
<p>These proxies allow the hackers to host the mining code on their own server (instead of CoinHive, DeepMiner or CryptoLoot servers) and load it as anonymous JavaScript code. As you may have guessed, the servers of those services are blocked by security programs by default.</p>
<p>Secondly, the proxies let the hackers use a custom mining pool, detaching the mining process from the parent cryptojacking service. For example, this ensures that no fee is paid to CoinHive.</p>
<p>Because of all these capabilities, hackers currently tend to use such proxies as a defensive layer for their miners. Two security vendors, Malwarebytes and Sucuri, have been tracking such attacks in recent months.</p>
<p>The only way to identify the illegal mining is to check your system’s performance. If the CPU or GPU usage is pretty high, that means that a cryptojacking process is running. You can use Task Manager (on Windows), System Monitor (on Linux) or any similar program to check the CPU usage regularly for any suspicious activity.</p>
<p>Hackers recently succeeded in earning $75,000 from a newly discovered campaign. Learn more about <a href="https://www.osradar.com/new-monero-miner-earned-75000-using-5-years-old-exploit/">how hackers earned the money using a 5-years-old exploit</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.osradar.com/improved-methods-for-avoiding-in-browser-miner-detection/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New Monero Miner Earned $75,000 using 5-years-old Exploit</title>
		<link>https://www.osradar.com/new-monero-miner-earned-75000-using-5-years-old-exploit/</link>
					<comments>https://www.osradar.com/new-monero-miner-earned-75000-using-5-years-old-exploit/#respond</comments>
		
		<dc:creator><![CDATA[Mel]]></dc:creator>
		<pubDate>Tue, 27 Mar 2018 11:08:39 +0000</pubDate>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cryptojacking]]></category>
		<category><![CDATA[monero]]></category>
		<guid isPermaLink="false">https://www.osradar.com/?p=2312</guid>

					<description><![CDATA[<p>Cryptojacking is nothing new in recent years. Cryptocurrencies are worth a great deal in real cash, making them a good target for earning more money. Cryptocurrencies need to be mined. It’s a computational process of solving puzzles that requires heavy hardware power. Recently, hackers were successful in running a Monero miner on several Linux servers [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.osradar.com/new-monero-miner-earned-75000-using-5-years-old-exploit/">New Monero Miner Earned $75,000 using 5-years-old Exploit</a> appeared first on <a rel="nofollow" href="https://www.osradar.com">Linux  Windows and android  Tutorials</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Cryptojacking is nothing new in recent years. Cryptocurrencies are worth a great deal in real cash, making them a good target for earning more money. Cryptocurrencies need to be mined. It’s a computational process of solving puzzles that requires heavy hardware power. Recently, hackers were successful in running a Monero miner on several Linux servers using an old vulnerability.</p>
<p>This new campaign used a vulnerability in Cacti, more specifically in its “Network Weathermap” plugin. For those who don’t know, Cacti is a PHP-based open-source tool for network monitoring. Using this plugin, servers visualize the network activity via a GUI.</p>
<p>Security experts from Trend Micro also found evidence that this attack is linked to the biggest cryptojacking campaign in history, in which hackers were able to earn around $3 million using a specialized Monero miner on Jenkins servers by exploiting the CVE-2017-1000353 vulnerability. This time, the newer campaign used the CVE-2013-2618 vulnerability in Cacti.</p>
<p>The flaw in Cacti allowed the hackers to execute code on the system. Using this ability, they installed a modified version of XMRig, a legitimate program used for mining Monero. They also included a bash script that worked as a watchdog for the mining process: if the miner was down, the script restarted it, and if it was running, it did nothing. The check ran every 3 minutes.</p>
<p>This campaign earned the hackers 320 XMR ($75,000). All the infected servers were running Linux and the major victims were located in China, Taiwan, Japan and the USA.</p>
<h3>What to do now</h3>
<p>Once the campaign is identified, it can be resolved very quickly. However, the hackers have already achieved what they intended. They earned a lot of cash, although less than in the largest campaign.</p>
<p>Such attacks demonstrate that our security measures are still not so tight after all. When it comes to updating the host system, system admins often forget or ignore updates, as they may involve some complexity. That’s why hackers are able to keep carrying out such attacks.</p>
<p>In order to stay protected, update all the software and the OS to the latest version. This is really important for fixing all the known security holes. Personal users should likewise update all their programs to the latest version.</p>
<p>There are also other advanced cryptojacking campaigns, such as <a href="https://www.osradar.com/ghostminer-only-200/">GhostMiner – an awesome malware with fortune on our side</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.osradar.com/new-monero-miner-earned-75000-using-5-years-old-exploit/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Tesla Cloud Account Data Breached!</title>
		<link>https://www.osradar.com/tesla-cloud-account-data-breached/</link>
					<comments>https://www.osradar.com/tesla-cloud-account-data-breached/#respond</comments>
		
		<dc:creator><![CDATA[Mel]]></dc:creator>
		<pubDate>Thu, 22 Feb 2018 11:10:22 +0000</pubDate>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cryptojacking]]></category>
		<category><![CDATA[tesla]]></category>
		<category><![CDATA[tesla breach]]></category>
		<guid isPermaLink="false">https://www.osradar.com/?p=1962</guid>

					<description><![CDATA[<p>According to the security company RedLock, hackers broke into a Tesla account on AWS (Amazon Web Services) using an unsecured Kubernetes container management console. The account contained sensitive information including telemetry data from the company’s electric cars. The hackers used the hardware resources to mine cryptocurrency &#8211; in short, cryptojacking. What happened? The hacker(s) broke into the account [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.osradar.com/tesla-cloud-account-data-breached/">Tesla Cloud Account Data Breached!</a> appeared first on <a rel="nofollow" href="https://www.osradar.com">Linux  Windows and android  Tutorials</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>According to the security company RedLock, hackers broke into a Tesla account on AWS (Amazon Web Services) using an unsecured Kubernetes container management console. The account contained sensitive information including telemetry data from the company’s electric cars. The hackers used the hardware resources to mine cryptocurrency &#8211; in short, cryptojacking.</p>
<h3>What happened?</h3>
<p>The hacker(s) broke into the account and used it to “mine” cryptocurrency. Unfortunately, the account also included the proprietary data of the company. The hacker(s) succeeded in the attack because the automaker’s Kubernetes administration console didn’t have password protection. A quick reminder: Google initially designed the Kubernetes system. It’s highly optimized for the cloud platform.</p>
<p>This incident left access credentials for Tesla’s Amazon Web Services (AWS) accounts exposed to hackers. The hackers then used the data to deploy cryptocurrency mining software named “Stratum” to mine cryptocurrency using the hardware resources of the cloud accounts. The hackers also took several measures to hide the process, such as keeping the processor usage low and hiding the IP addresses of the mining pool servers behind CloudFlare.</p>
<p>Cryptocurrency mining is a process in which miners use a computer’s processing power to solve a series of math problems in order to validate a transaction and add it to the network. However, RedLock didn’t specify which cryptocurrency the hackers were mining on the accounts.</p>
<p>According to RedLock’s reports, other major firms like Gemalto &amp; Aviva faced the same issue. However, the Tesla incident was more important because the attackers used a number of strategies as layers of defense against being detected. RedLock also said that they notified Tesla about the issue and Tesla swiftly solved it.</p>
<p>This incident is a good example that shows how immature the cloud platform is. It’s a strong one, but it has yet to reach perfection when it comes to security. According to RedLock CTO Gaurav Kumar, the immaturity of the cloud platform may give rise to the cryptojacking scenario.</p>
<p>Tesla said that it didn’t see any initial impact on the privacy &amp; protection of its vehicles and customers. As a reward, Tesla awarded the researchers $3,133.70. Like Google, Intel and others, Tesla has a bug bounty program.</p>
<h3>What is cryptojacking?</h3>
<p>This incident is an example of one of the many recent attack trends: cryptojacking. It’s a process where a hacker illegally sets up mining software on someone else’s computer and uses its resources to mine money for himself. Note that cryptocurrency mining is a very resource-heavy process. The processor of the computer works at its maximum level to keep mining.</p>
<p>Many hackers are presently trying to steal others’ computing power to earn some extra money. Why is that? The present cryptocurrency market is super-hot. Take a look at Bitcoin, the most popular cryptocurrency. Currently, the price for 1 BTC is more than $10,000! That is a huge factor in cryptojacking. With such a high price, hackers are tempted to mine more and more cryptocurrency to earn money. That’s why they need the hardware, specifically the CPU’s processing abilities. The more processing, the more money.</p>
<p>Several websites have even used a mining tool to exploit their visitors’ hardware and mine cryptocurrency as alternative revenue. If you want to stop hackers and websites from mining cryptocurrency on your system, take a look at <a href="https://www.osradar.com/stop-hackers-mining-cryptocurrency-pc/">how to stop cryptojacking</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.osradar.com/tesla-cloud-account-data-breached/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cryptojacking from Android – Stay Secured</title>
		<link>https://www.osradar.com/cryptojacking-android-stay-secured/</link>
					<comments>https://www.osradar.com/cryptojacking-android-stay-secured/#respond</comments>
		
		<dc:creator><![CDATA[Mel K]]></dc:creator>
		<pubDate>Thu, 08 Feb 2018 06:09:22 +0000</pubDate>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[cryptojacking]]></category>
		<category><![CDATA[monero]]></category>
		<guid isPermaLink="false">https://www.osradar.com/?p=1834</guid>

					<description><![CDATA[<p>The cryptocurrency market is seeing huge fluctuations in price. Take a look at Bitcoin: the price of a Bitcoin is a lot higher than in previous years. Bitcoin is currently seeing a downfall and experts say that the price of other cryptocurrencies is going to be higher. That is leading hackers to [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.osradar.com/cryptojacking-android-stay-secured/">Cryptojacking from Android – Stay Secured</a> appeared first on <a rel="nofollow" href="https://www.osradar.com">Linux  Windows and android  Tutorials</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The cryptocurrency market is seeing huge fluctuations in price. Take a look at Bitcoin: the price of a Bitcoin is a lot higher than in previous years. Bitcoin is currently seeing a downfall and experts say that the price of other cryptocurrencies is going to be higher. That is leading hackers to mine cryptocurrencies as much as possible. To that end, hackers have released infected Android apps that mine cryptocurrencies, especially Monero, on your Android device.</p>
<p>Kaspersky researchers spotted several fake antivirus &amp; porn apps for Android that are infected with malware. Those apps are used to mine Monero, launch DDoS attacks and perform other malicious tasks. All of these actions caused the infected phones’ batteries to drain a lot faster and, eventually, to bulge out of the cover.</p>
<p>Security researchers at Chinese IT security firm Qihoo 360 Netlab identified another piece of malware. This wormable malware scans a wide range of IP addresses to find more vulnerable devices to infect. The malware uses the infected devices to mine Monero. This one is named “ADB.Miner”.</p>
<p>The researchers said that “ADB.Miner” is the first Android worm of its kind to use the scanning code from Mirai, the infamous IoT botnet malware. Mirai knocked major IoT companies offline last year by performing massive DDoS attacks against DynDNS.</p>
<h3>How the malware works</h3>
<p>ADB (Android Debug Bridge) is a command-line toolkit that developers use to debug Android code on the emulator, and it grants access to some of the most sensitive features of the operating system. Almost all Android devices ship with the ADB port disabled. So, how does the malware work?</p>
<p>“ADB.Miner” searches for Android devices (smartphones, smart TVs, TV set-top boxes), that is, everything publicly accessible via the ADB debug interface. Those devices must have ADB running on port 5555 to be infected. “ADB.Miner” installs a malware app that mines Monero cryptocurrency for its operator. That being said, the malware will only work on devices that have been manually configured to enable port 5555.</p>
<p>Additionally, “ADB.Miner” tries to propagate itself from the newly infected devices to other devices.</p>
<p>Researchers aren’t completely sure how this malware is infecting Android devices. One thing is for sure: this isn’t happening by exploiting any type of ADB flaw. The reason is that it’s infecting numerous devices from a wide variety of manufacturers.</p>
<p>The attack started on January 21, 2018, and has increased recently. Based on the IP addresses, most of the infected devices are in China (around 40%) and South Korea (around 31%), according to the researchers’ estimates.</p>
<h3>How to stay protected</h3>
<p>In order to protect your Android device, be careful about the apps you use. Don’t install apps from any untrusted source. Be careful when installing apps from the Google Play Store as well. You can use a VPN or a firewall to block port 5555. The best option is to get a good antivirus for your Android. Check out the <a href="https://www.av-test.org/en/antivirus/mobile-devices/android/">top Android antivirus from AV-Test</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.osradar.com/cryptojacking-android-stay-secured/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
