Sophos unearths origin of prominent cryptominer
Sophos has tracked the MrbMiner cryptominer to a small software development company based in Iran, the company announced in a report released today.
The cryptominer was recently unearthed when attackers targeted internet-facing database servers (SQL servers), and the MrbMiner was downloaded and installed.
Database servers are an attractive target for cryptojackers because they are used for resource-intensive activity and therefore have powerful processing capability.
SophosLabs threat research director Gabor Szappanos says MrbMiner had attributes similar to many other cryptojackers — save for one.
“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers,” says Szappanos.
“The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner’s configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.”
According to Sophos, attackers used various methods and routes to install the cryptominer on target servers, with the cryptominer payload and configuration files packed into deliberately misnamed zip archive files.
Researchers learned more about the source of the attack when they came across its main configuration file, where they found the name of an Iran-based software company hardcoded into the file.
This domain is connected to many other zip files also containing copies of the miner, the company says.
“In an age of multi-million dollar ransomware attacks that bring organisations to their knees it can be easy to discount cryptojacking as a nuisance rather than a serious threat, but that would be a mistake,” continues Szappanos.
“Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised, it presents an open door for other threats, such as ransomware.
“It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”
Sophos’ discovery comes only days after the company announced a significant milestone: being named a Numbering Authority in the Common Vulnerabilities and Exposures (CVE) programme, an international standard for identifying cybersecurity vulnerabilities.
With its new status, Sophos can now authoritatively assign CVE identification to vulnerabilities in its own products, while external security researchers can directly collaborate with Sophos to open CVEs for its products.
The CVE programme, which runs an open data registry of vulnerabilities, enables programme stakeholders to correlate vulnerability information used to protect systems against attacks.
The registry is publicly available to security researchers, vulnerability disclosers and IT vendors, simplifying the task of sharing and cross-checking data across the industry’s disparate security databases. The programme currently has 149 CNA’s in 25 countries.