October 3, 2024 at 10:39AM Summary: The Linux malware “perfctl” has evaded detection for at least three years, targeting servers for cryptomining purposes. It exploits misconfigurations and known vulnerabilities to gain initial access, deploys rootkits for evasion, and communicates with threat actors over TOR. Aqua Nautilus offers detection and mitigation strategies to combat perfctl’s activities. … Read more
September 12, 2024 at 09:36AM Bad actors target Internet-exposed Selenium Grid instances for illicit cryptocurrency mining and proxyjacking. The lack of authentication makes these instances vulnerable. Threat actors exploit this to carry out malicious actions, including deploying crypto miners and proxyware solutions EarnFM and IPRoyal Pawn. Organizations are urged to configure authentication to prevent abuse. … Read more
September 12, 2024 at 06:09AM Threat actors are targeting Internet-exposed Selenium Grid servers for cryptomining, proxyjacking, and potentially more malicious activities. With thousands of exposed servers, hackers have been deploying automated malware to hijack them. Furthermore, the lack of authentication and outdated versions of Selenium Grid servers pose a significant security risk. Improperly secured servers … Read more
August 22, 2024 at 11:51AM Log4j zero-day exploits continue to be a threat despite being discovered two years ago. Cybercriminals are still targeting unpatched corporate systems, deploying malware scripts and crypto-currency miners. Nation-state actors have incorporated Log4j exploits into their toolkits, and eradicating the issue is challenging due to software dependencies. Datadog Security Labs recently … Read more
July 11, 2024 at 10:04AM A threat actor known as “Crystalray” has been utilizing open source software (OSS) to expand its operations in credential stealing and cryptomining. Researchers observed Crystalray utilizing a range of OSS tools to carry out various stages of its attack chain. Despite its efficiency, the use of OSS opens the attacker … Read more
July 9, 2024 at 08:13AM Researchers found that misconfigured Jenkins Script Console instances can be exploited for criminal activities, like cryptocurrency mining. Attackers can gain remote code execution and misuse sensitive data. The console lacks administrative controls and can be accessed over the internet due to misconfigurations. Safeguards include proper configuration, robust authentication, and restriction … Read more
July 5, 2024 at 05:04AM Summary: The blog entry discusses how attackers can use the Jenkins Script Console for cryptomining by executing malicious Groovy scripts if the console is not properly configured. Misconfigurations and vulnerable Jenkins servers can enable remote code execution and the deployment of cryptocurrency miners. The entry also provides mitigations and indicators … Read more
May 30, 2024 at 11:03AM The RedTail cryptocurrency mining malware has evolved, incorporating a new PAN-OS vulnerability and advanced anti-analysis techniques. It’s known for utilizing patched vulnerabilities in various systems for propagation. The latest version includes encrypted mining configuration and operates without a cryptocurrency wallet, indicating a switch to a private mining pool for financial … Read more
May 22, 2024 at 10:20AM A new malware named GhostEngine has been identified, targeting vulnerable drivers to disable endpoint detection and response solutions. It is used in a complex cryptomining campaign by an intrusion set labeled “REF4578.” The malware’s intricate features include disabling EDR, establishing persistence, installing a backdoor, and executing a cryptominer. Detection methods … Read more
May 21, 2024 at 06:34PM The ‘REF4578’ crypto mining campaign deploys GhostEngine, a sophisticated malicious payload, using vulnerable drivers to disable security products and deploy an XMRig miner. Researchers highlight GhostEngine’s unusual sophistication and provide detection rules, but the campaign’s origin and scope remain unknown. To defend against GhostEngine, look out for suspicious PowerShell execution, … Read more