
Criminals “infect and collect” in cryptocurrency mining surge

06 Jul 2018

Cybersecurity company McAfee has released its H3 threat report, examining the growth and trends of new malware, ransomware, and other threats in Q1 2018.

McAfee Labs saw on average five new threat samples every second, including growth in cryptojacking and other cryptocurrency mining malware, and notable campaigns demonstrating a deliberate drive to technically improve upon the most sophisticated established attacks of 2017.

“There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide,” says McAfee chief scientist Raj Samani.

“Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetise their criminal activity.”

Cybercriminals extended their operations in cryptojacking and other cryptocurrency mining schemes, where perpetrators hijack victims’ browsers or infect their systems to secretly use them to mine for legitimate cryptocurrencies such as Bitcoin.

This category of coin miner malware grew a stunning 629% in the first quarter of 2018, rocketing from around 400,000 total known samples in Q4 2017 to more than 2.9 million the next quarter.

This suggests that cybercriminals are continuing to warm to the prospect of simply infecting users’ systems and collecting payments without having to rely on third parties to monetise their crimes.

“Cybercriminals will gravitate to criminal activity that maximises their profit,” says McAfee chief technology officer Steve Grobman. 

“In recent quarters we have seen a shift to ransomware from data theft, as ransomware is a more efficient crime. 

“With the rise in value of cryptocurrencies, the market forces are driving criminals to cryptojacking and the theft of cryptocurrency,” Grobman says.

“Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

Bitcoin-stealing campaigns

The Lazarus cybercrime ring launched a highly sophisticated Bitcoin-stealing phishing campaign—HaoBao—which targeted global financial organisations and Bitcoin users.

When recipients open the malicious email attachment, an implant scans the system for Bitcoin activity and installs a second implant for persistent data gathering and cryptomining.

Gold Dragon: Attacks on South Korea

In January, McAfee Advanced Threat Research reported an attack targeting organisations involved in the Pyeongchang Winter Olympics in South Korea. 

The attack was executed via a malicious Microsoft Word attachment containing a hidden PowerShell implant script.

The script was embedded within an image file and executed from a remote server.  

Dubbed Gold Dragon, the resulting fileless implant encrypted stolen data, sent the data to the attackers’ command and control servers, performed reconnaissance functions, and monitored anti-malware solutions in order to evade them.

Hidden Cobra: GhostSecret and Bankshot

Operation GhostSecret targeted the healthcare, finance, entertainment, and telecommunications sectors.

Operation GhostSecret is believed to be associated with the international cybercrime group known as Hidden Cobra.

The campaign, which employs a series of implants to appropriate data from infected systems, is also characterised by its ability to evade detection and throw forensic investigators off its trail.

The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable the execution of implants. 

It also incorporates elements of the Destover malware, which was used in the 2014 Sony Pictures attack, and the Proxysvc implant, a previously undocumented implant that has operated undetected since mid-2017.

Security incidents by industry

McAfee Labs counted 313 publicly disclosed security incidents in Q1 2018, a 41% increase over Q4.

Incidents involving multiple sectors (37) and those targeting multiple regions (120) were the leading types of incidents in Q1.

  • Healthcare. Disclosed incidents in health care rose 47%. Cybercriminals continued to target the sector with the SAMSA ransomware, and there were numerous cases in which hospitals were compelled to pay the criminals.

  • Education. Incidents of attacks on the education sector rose 40%, with ransomware being a notable culprit in attacks on schools and related institutions.

  • Finance. Disclosed incidents increased by 39%, which included continuous attacks on the SWIFT banking system. These attacks were not always region-specific, as was the case in previous years, but McAfee identified activity in Russia, and related reconnaissance efforts in Turkey and South America.