fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Cryptomining Malware Builds An Army Of Windows, Linux Bots

New Cryptomining Malware Builds An Army Of Windows, Linux Bots

A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

First spotted by Alibaba Cloud (Aliyun) security researchers in February (who dubbed it Sysrv-hello) and active since December 2020,the botnet has also landed on the radars of researchers at Lacework Labs and Juniper Threat Labs after a surge of activity during March.

While, at first, it was using a multi-component architecture with the miner and worm (propagator) modules, the botnet has been upgraded to use a single binary capable of mining and auto-spreading the malware to other devices.

Sysrv-hello’s propagator component aggressively scans the Internet for more vulnerable systems to add to its army of Monero mining bots with exploits targeting vulnerabilities that allow it to execute malicious code remotely.

The attackers “are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in PHPUnit, Apache Solar, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access,” Lacework found.

After hacking into a server and killing competing cryptocurrency miners, the malware will also spread over the network in brute force attacks using SSH private keys collected from various locations on infected servers 

“Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files,” Lacework added.

Also Read: The DNC Singapore: Looking At 2 Sides Better

Sysrv-hello attack flow (Lacework)

Vulnerabilities targeted by Sysrv-hello

After the botnet’s activity surged in March, Juniper identified six vulnerabilities exploited by malware samples collected in active attacks:

  • Mongo Express RCE (CVE-2019-10758)
  • XML-RPC (CVE-2017-11610)
  • Saltstack RCE (CVE-2020-16846)
  • Drupal Ajax RCE (CVE-2018-7600)
  • ThinkPHP RCE (no CVE)
  • XXL-JOB Unauth RCE (no CVE)

Other exploits used by the botnet in the past also include:

  • Laravel (CVE-2021-3129)
  • Oracle Weblogic (CVE-2020-14882)
  • Atlassian Confluence Server (CVE-2019-3396)
  • Apache Solr (CVE-2019-0193)
  • PHPUnit (CVE-2017-9841)
  • Jboss Application Server (CVE-2017-12149)
  • Sonatype Nexus Repository Manager (CVE-2019-7238)
  • Jenkins brute force
  • WordPress brute force
  • Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE)
  • Jupyter Notebook Command Execution (No CVE)
  • Tomcat Manager Unauth Upload Command Execution (No CVE)

Slowly but steadily filling cryptocurrency wallets

The Lacework Labs team successfully recovered a Sysrv-hello XMrig mining configuration file which helped them find one of the Monero wallets used by the botnet to collect Monero mined on the F2Pool mining pool.

The latest samples spotted in the wild have also added support for the Nanopool mining pool after removing support for MineXMR.

Even though this wallet contains just over 12 XMR (roughly $4,000), cryptomining botnets regularly use more than one wallet linked to multiple mining pools to collect illegally earned cryptocurrency, and this can quickly add up to a small fortune.

For instance, another wallet connected to Nanopool and spotted by Juniper researchers contains 8 XMR (almost $1,700 worth of Monero) collected between March 1 and March 28.

Sysrv-hello is not alone trawling the Internet for free computing power, as other botnets are also actively trying to cash in from exploiting and enslaving vulnerable servers to mine for Monero cryptocurrency.

Also Read: 4 Best Practices On How To Use SkillsFuture Credit

360 Netlab researchers spotted an increasingly active and upgraded version of the z0Miner cryptomining botnet attempting to infect vulnerable Jenkins and ElasticSearch servers to mine for Monero.

Cybereason’s Nocturnus incident response team published findings on the Prometei botnet on Thursday, first spotted last year and active since at least 2016, now deploying Monero miners on unpatched Microsoft Exchange servers.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us