NSFOCUS released its H1 Cybersecurity Insights report, which analyzed traffic from January 1, 2018 to June 30, 2018. Since the end of March, the number of crypto mining activities has risen sharply compared to the beginning of 2018. Among all crypto miners, WannaMine was the most active, responsible for more than 70 percent of all crypto mining activities detected by NSFOCUS.
Among more than 27 million attack sources detected in the first half of 2018, 25 percent were responsible for 40 percent of attack events. This implies that “recidivists” (attack sources found to be repeatedly linked with malicious behaviors) are more threatening than other attack sources. China, the USA, and Russia are home to the most “recidivists.”
Check Point has published its latest Global Threat Index for September 2018, revealing a near-400% increase in cryptomining malware attacks against Apple iPhones. These attacks are using the Coinhive mining malware, which continues to occupy the top position in the Index that it has held since December 2017.
Coinhive now impacts 19% of organizations worldwide. Check Point’s researchers also observed a significant increase in Coinhive attacks against PCs and devices using the Safari browser, which is the primary browser used by Apple devices.
While fake Flash updates that push malware have traditionally been easy to spot and avoid, a new campaign has employed new tricks that stealthily download cryptocurrency miners on Windows systems.
To the average user, the newly discovered samples, which have been active as early as August, seem legitimate. The samples act as Flash updates, borrowing pop-up notifications from the official Adobe installer, and even actually updating a victim’s Flash Player to the latest version. Unbeknownst to the victims, while the legitimate Flash update has occurred, a tricky XMRig cryptocurrency miner is quietly downloaded and runs in the background of the infected Windows computers.
Read more about the stealthy new cryptojacking campaign on Threatpost.
Based on trends in the first half of 2018, Webroot found that cybercriminals are shifting to increasingly sophisticated and targeted means of attack while also expanding their money making endeavors, as shown by the uptick in cryptojacking and cryptomining.
Malware in general, including ransomware and cryptomining, accounted for 52 percent of threats in the first half of 2018. Phishing attempts increased by more than 60 percent from January to June 2018. Dropbox overtook Google in the first half of 2018 as the most impersonated company for phishing attacks, accounting for 17 percent of phishing emails.
McAfee released its McAfee Labs Threats Report September 2018, examining the growth and trends of new cyber threats in Q2 2018. In the second quarter, McAfee saw the surge in cryptomining malware growth that began in Q4 2017 continue through the first half of 2018. McAfee also saw the continued adaptation of the vulnerability exploits used in the WannaCry and NotPetya outbreaks of 2017.
Although less common than ransomware, cryptomining malware has quickly emerged as a factor on the threat landscape and this threat continues to rise. McAfee Labs has even identified what appear to be older malware such as ransomware newly retooled with mining capabilities.
Despite the volatility that characterizes cryptocurrencies, mining is still a lucrative business for cybercriminals. Recent academic research has shown that the embedded cryptocurrency miner CoinHive alone is generating $250,000 worth of Monero every month, most of it (80%) going to just 10 individuals.
The Kodi media player has emerged as a malware distribution platform for cybercriminals, recently becoming the target for a cryptomining campaign that compromised about 5,000 machines before being thwarted. Those victims are still at risk, researchers warned.
Kodi is free and open-source, and can be used to play videos, music and other digital media files from local and network storage media and from internet/streaming sources. Users can extend the software’s functionality by installing add-ons. By targeting the various add-ons and relying on Kodi’s auto-update feature, it’s possible to stealthily spread malicious code throughout the ecosystem.
Read more about how Kodi is used to distribute malware on Threatpost.
Cryptojacking — threat actors placing illicit cryptocurrency miners on a victim’s systems — is a growing threat to enterprise IT according to a just-released report from the Cyber Threat Alliance (CTA). CTA members have seen miner detections increase 459% from 2017 through 2018 and there’s no sign that the rate of infection is slowing.
The joint paper, written with contributions from a number of CTA members (including Cisco Talos, Fortinet, McAfee, Rapid7, NTT Security, Sophos, and Palo Alto Networks), points out that there is little unique in the methods cryptojackers use to infect their victims; defending against cryptojackers is identical in almost every respect to defending against other threats.
Read more about the findings of the new report on DarkReading.
It has only been two weeks since a critical vulnerability in Apache Struts 2 was revealed to the public, but this hasn’t stopped cybercriminals from rapidly adding proof-of-concept (PoC) attack code to their arsenal. The security flaw is tracked as CVE-2018-11776 and has been patched by the Apache Software Foundation.
Researchers from F5 Labs say the Apache bug is being used in a new cryptomining campaign which impacts Linux machines. According to the team, threat actors are harnessing PoC code for the Apache Struts 2 critical remote code execution vulnerability posted to Pastebin to infiltrate Linux systems for the purpose of mining Monero.
Read more about the new cryptojacking campaign on ZDNet.