Sophos unearths origin of prominent cryptominer

22 Jan 2021

Sophos has tracked the MrbMiner cryptominer to a small software development company based in Iran, the company announced in a report released today.

The cryptominer came to light when attackers targeted internet-facing database servers (SQL servers) and used that access to download and install MrbMiner.

Database servers are an attractive target for cryptojackers because they are used for resource-intensive activity and therefore have powerful processing capability.

SophosLabs threat research director Gabor Szappanos says MrbMiner had attributes similar to many other cryptojackers — save for one.

“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers,” says Szappanos.

“The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner’s configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.”

According to Sophos, attackers used various methods and routes to install the cryptominer on target servers, with the cryptominer payload and configuration files packed into deliberately misnamed zip archive files.
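As an added illustration, not code from Sophos' report or this article, the following Python check flags files whose content is a ZIP archive even though their extension says otherwise, the kind of deliberately misnamed archive described above. The directory layout, file names and archive member name are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Every non-empty ZIP archive begins with the local-file-header signature "PK\x03\x04".
ZIP_MAGIC = b"PK\x03\x04"
# Extensions under which ZIP content is expected (Office and Java formats are ZIP containers).
ZIP_EXTENSIONS = {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk"}


def is_zip_content(path):
    """Return True if the file's first four bytes are a ZIP local file header."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC


def find_misnamed_zips(root):
    """Walk `root` and return [(path, [member names])] for every file whose
    bytes are a ZIP archive but whose extension does not indicate one."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in ZIP_EXTENSIONS or not is_zip_content(path):
                continue
            try:
                with zipfile.ZipFile(path) as zf:
                    members = zf.namelist()  # what the disguised archive carries
            except zipfile.BadZipFile:
                members = []  # magic matched but the archive is truncated or corrupt
            hits.append((path, members))
    return hits


def build_sample_tree():
    """Construct a throwaway directory: a properly named zip, the same zip
    disguised as a .txt file, and a genuine text file (all constructed samples)."""
    root = tempfile.mkdtemp(prefix="misnamed-zip-demo-")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.txt", "placeholder configuration\n")
    payload = buf.getvalue()
    for name, data in (("archive.zip", payload), ("readme.txt", payload), ("notes.txt", b"plain text\n")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, members in find_misnamed_zips(build_sample_tree()):
        print(f"misnamed archive: {path} -> {members}")
```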

Researchers learned more about the source of the attack when they came across its main configuration file, where they found the name of an Iran-based software company hardcoded into the file.

That company's domain is connected to many other zip files also containing copies of the miner, Sophos says.

“In an age of multi-million dollar ransomware attacks that bring organisations to their knees it can be easy to discount cryptojacking as a nuisance rather than a serious threat, but that would be a mistake,” continues Szappanos. 

“Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised, it presents an open door for other threats, such as ransomware. 

“It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”

Sophos’ discovery comes only days after the company announced a significant milestone: being named a CVE Numbering Authority (CNA) in the Common Vulnerabilities and Exposures (CVE) programme, an international standard for identifying cybersecurity vulnerabilities.

With its new status, Sophos can now authoritatively assign CVE identification to vulnerabilities in its own products, while external security researchers can directly collaborate with Sophos to open CVEs for its products. 

The CVE programme, which runs an open data registry of vulnerabilities, enables programme stakeholders to correlate vulnerability information used to protect systems against attacks. 

The registry is publicly available to security researchers, vulnerability disclosers and IT vendors, simplifying the task of sharing and cross-checking data across the industry’s disparate security databases. The programme currently has 149 CNAs in 25 countries.
