2019/02/11 15:34:32

Hidden mining (cryptojacking)

Miners are programs that use the resources of a computing device to generate cryptocurrency. Users sometimes install such software themselves, but there are also illegitimate versions: programs installed without the user's knowledge or consent, most often distributed by Trojans and other malware.

Main article: Cryptocurrency mining

Cryptocurrency mining is necessary for the system to operate. Mining consists of a series of computations performed to process transactions in the blockchain; it creates new cryptocurrency and confirms transactions across the whole blockchain network. To create more coins, they have to be mined; without mining the system cannot function.

Many users took up mining to earn money. Miners perform mathematical computations to confirm transactions, using special software. For mining to be profitable, large amounts of computing power are required. To make money on mining, cybercriminals turned to cryptojacking.

Cryptojacking is the unauthorized use of users' devices to mine cryptocurrency. Typically, attackers use malware to compromise computers, tablets or smartphones and then use them for covert mining. The user may notice a slight slowdown of the device but is unlikely to connect it with an attack aimed at mining cryptocurrency. One of the most widespread techniques is to take control of the victim's CPU or GPU through a visit to a website infected with cryptomining malware[1].

How does hidden mining happen?

Hidden mining most often takes place on popular piracy sites: torrent trackers, forums, sites with films and TV series. To mine at the user's expense it is not necessary to install a Trojan or any other malicious program on the computer at all; it is enough to insert into the site's code a special script that silently connects visitors' systems to the mining operation. In principle, it is fairly easy to detect: under such an intrusion CPU load jumps sharply to almost 100%. However, downloading torrents already loads the system, which makes the difference hard to tell[2].

To see CPU load on Windows, open Task Manager; on macOS the same function is performed by Activity Monitor.


Hidden mining can be avoided in several ways:

  • Install a special browser extension that blocks web mining.
  • Disable JavaScript.
  • Use a reliable antivirus. Antivirus software most often treats miners as potentially legitimate programs that can nonetheless be used for malicious purposes, i.e. as riskware.
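As an added illustration of the injection described above (this is example code written for this page, not code from the original article or from any vendor it quotes): a small Python scanner that pulls the script tags out of a page and checks them against a few indicators of the browser-mining services named on this page. The host names and the CoinHive.Anonymous / CRLT.Anonymous constructor patterns are the well-known Coinhive and Cryptoloot embed forms; the indicator list is illustrative, not a complete blocklist. Both sample pages are constructed, and the site key is a placeholder.

```python
"""Scan an HTML page for in-browser cryptomining scripts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators drawn from the browser-mining services named on this page.
# Illustrative, not exhaustive: a real mining-blocking extension ships a
# blocklist with hundreds of hosts.
MINER_SCRIPT_HOSTS = ("coinhive.com", "crypto-loot.com")
MINER_API_PATTERNS = {
    "CoinHive": re.compile(r"\bCoinHive\.(?:Anonymous|User|Token)\s*\("),
    "Cryptoloot": re.compile(r"\bCRLT\.(?:Anonymous|User)\s*\("),
}
# Coinhive's constructor accepts a throttle option; a high throttle keeps CPU
# load below the level a user would notice in Task Manager.
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            if self._in_script:
                self.inline.append("".join(self._buf))
                self._buf = []
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def find_miner_indicators(html):
    """Return a list of (kind, detail) findings for a page's HTML.

    kinds: "external_script" (host of a known miner library),
           "api_call" (miner constructor invoked in an inline script),
           "throttle" (CPU throttle the inline miner was configured with).
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []

    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        for known in MINER_SCRIPT_HOSTS:
            if host == known or host.endswith("." + known):
                findings.append(("external_script", known))

    for body in parser.inline:
        for name, pattern in MINER_API_PATTERNS.items():
            if pattern.search(body):
                findings.append(("api_call", name))
                throttle = THROTTLE_RE.search(body)
                if throttle:
                    findings.append(("throttle", float(throttle.group(1))))
    return findings


# Constructed sample pages (not captured from any real site).
INFECTED_PAGE = """<html><head><title>Watch movies free</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Loading player...</p>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});
  miner.start();
</script>
</body></html>"""

CLEAN_PAGE = """<html><body>
<script src="/static/player.js"></script>
<script>document.title = "Watch movies free";</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, find_miner_indicators(page))
```

The script-host check is what a mining-blocking extension does at request time; the inline-API check catches the case where the miner library has been copied onto the compromised site itself, so that no request to a known host is ever made.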

How can a company protect itself from cryptojacking?

Such attacks have serious consequences for enterprises. The most obvious follow from the theft of processor resources, which can slow down systems and networks and expose the enterprise and its whole infrastructure to serious risks. Moreover, once a company has been attacked, it is likely that considerable time and money will be needed to remediate the problem. Intensive cryptocurrency mining can also have financial consequences, since increased use of IT resources raises power consumption and, with it, electricity costs.

In addition, such attacks can damage corporate devices. If mining runs for a long period, devices and their batteries are often subjected to excessive strain and overheating, which shortens their service life.

Finally, it should not be forgotten that if you have fallen victim to cryptojacking, it means attackers were able to get past your security controls and take control of corporate devices, putting the confidentiality of corporate data at serious risk.

To protect against a cryptomining attack, the following security measures are recommended:

  • Periodically conduct risk assessments to detect vulnerabilities.
  • Regularly update all systems and devices.
  • Implement advanced security solutions that give full visibility into activity on all endpoints and control over all running processes.
  • Create a safe browsing environment by installing extensions that block cryptocurrency mining.

2018

Only one in five IT specialists knows about cryptominer infections

On February 11, 2019, Check Point Software Technologies Ltd., a provider of cybersecurity solutions worldwide, released the second part of its 2019 Security Report. According to the report, the tools used by cybercriminals have become more democratic, and advanced attack methods are now available to anyone willing to pay for them.

The second part of the 2019 Security Report reveals the key cyberattack trends of 2018 and shows significant growth in stealthy, complex attacks designed to stay out of sight of corporate security. It also reports which types of cyberattack corporate IT and security professionals consider the biggest threat to their organizations.

Cryptominers stay unnoticed on the network: in 2018 cryptominers hit 10 times more companies than ransomware, yet only one in five IT security professionals knew that their company's networks were infected with this malware.

Organizations underestimate the threat of cryptominers: only 16% of respondents named cryptomining the biggest threat to their organization. That is a very low figure compared with DDoS attacks (named by 34% of respondents), data leaks (53%), ransomware (54%) and phishing (66%). These results suggest that cryptominers can easily remain unnoticed while downloading and launching other types of malware.

Malware by subscription gains popularity: the GandCrab Ransomware-as-a-Service affiliate program proved that even amateurs can now profit from cyber-extortion. Affiliates keep up to 60% of the ransom collected from victims, and the program's developers take 40%. As of February 2019 GandCrab had more than 80 active affiliates, and within two months of 2018 they attacked more than 50,000 victims and demanded between $300,000 and $600,000 in ransom.

«
The second part of the Check Point 2019 Security Report shows how successfully cybercriminals are exploring stealthy methods and business models to increase their illegal income and reduce their risks. But the fact that they have remained unnoticed does not at all mean they are absent: although cyberattacks stayed in the shadows during 2018, they are just as destructive and dangerous. We constantly analyze current threats so that organizations can better understand the risks they face and how they can prevent their impact on the business.
Vasily Dyagilev, chief representative of Check Point Software Technologies in Russia and the CIS
»

The Check Point 2019 Security Report is based on data from ThreatCloud intelligence, the collaborative network for fighting cybercrime, which provides threat data and attack trends from a global network of threat sensors; on Check Point research over the last 12 months; and on a recent survey of IT professionals and senior managers that assesses their readiness for modern threats. The report examines the latest threats across different industries and gives a comprehensive overview of the trends observed in malware, data leaks and state-level cyberattacks. It also includes analysis by Check Point experts to help organizations understand and prepare for the complex threat landscape.

Cryptominers attacked 37% of companies worldwide

On January 30, 2019, it became known that Check Point Software Technologies Ltd., a provider of cybersecurity solutions worldwide, had released the first part of its 2019 Security Report. The report covers the main tools cybercriminals use to attack organizations worldwide and gives cybersecurity specialists and company executives the information they need to protect their organizations against current cyberattacks and fifth-generation threats.

The 2019 Security Report reveals the main malware trends and methods that Check Point researchers observed in 2018:

  • Cryptominers dominate the threat landscape: cryptominers consistently held the top four places in the rankings of the most active threats and attacked 37% of organizations worldwide in 2018. Despite the fall in the value of all cryptocurrencies, 20% of companies continue to be hit by cryptominer attacks every week. Recently this malware has evolved considerably to exploit high-profile vulnerabilities and to bypass sandboxes and other protections in order to increase infection rates.
  • Mobile devices as a moving target: 33% of organizations worldwide were hit by mobile malware, and the three main threats targeted Android. In 2018 there were several cases where mobile malware was pre-installed on devices, and applications available in app stores were actually disguised malware.
  • Multi-vector botnets launch attack chains: bots were the third most common type of malware; 18% of organizations were attacked by bots, which are used to launch DDoS attacks and distribute other malware. Nearly half (49%) of organizations that suffered DDoS attacks in 2018 were infected with botnets.
  • Ransomware's share falls: ransomware use dropped sharply in 2018, affecting only 4% of organizations around the world.

«
From the rapid growth of cryptomining to massive data leaks and DDoS attacks, we saw the full range of cyberattacks on organizations in 2018. Attackers have a wide choice of options for attacking organizations in any industry and profiting from them, and in the first part of our annual report we described the increasingly stealthy methods they use. These multi-vector, fast-spreading, large-scale fifth-generation (Gen V) attacks are becoming more and more frequent, and organizations need to adopt a multi-layered cybersecurity strategy that does not allow these attacks to take control of their networks and data.
Vasily Dyagilev, chief representative of Check Point Software Technologies in Russia and the CIS
»

Categories of cyberattacks worldwide and by region

The Check Point 2019 Security Report is based on data from ThreatCloud intelligence, a large collaborative network for fighting cybercrime, which provides

  • threat data and attack trends from a global network of threat sensors;
  • data from Check Point research over the last 12 months;
  • data from a recent survey of IT professionals and senior managers assessing their readiness for today's threats.

A university shut down its entire network to remove viruses for hidden bitcoin mining

A cyberattack on St. Francis Xavier University in Antigonish (Canada), which began on November 1, 2018, forced the institution to cut off network access for almost a week. Malware for hidden cryptocurrency mining was found on its computer systems.

The number of hidden-mining attacks rises and falls with cryptocurrency exchange rates

On November 2, 2018, it became known that Avast analysts had recorded an interesting trend: the number of attacks involving malicious in-browser mining software in Russia rises and falls following the exchange rates of Bitcoin, Monero and other cryptocurrencies. In September 2018 cryptojacking became more active, probably in connection with the expected rise in cryptocurrency prices by the end of 2018. In other words, attackers step up illegal mining when rates on the crypto exchanges are high and scale it back when rates fall.

After cryptocurrency prices fell in 2018, the level of hidden mining in Russia also declined. In August only 1.7 million such attacks were recorded. In September 2018 their number rose again, to 5.1 million.

Influence of cryptocurrency rates on hidden mining
«
There really are interesting parallels between the intensity of attempts to infect browsers with hidden miners and the value of cryptocurrencies such as Bitcoin and Monero. It is obvious that cybercriminals plan their activity with the popularity and rates of these digital assets in mind. Over the last several months the number of attacks has decreased, as has the value of most cryptocurrencies. In September 2018 a small increase in this activity was recorded. Most likely, attackers are expecting an explosive rise in cryptocurrency prices like the one in 2017. One of the reasons cybercriminals step up their attacks while cryptocurrency rates are growing is that they incur costs too. They need to maintain their own websites, improve their algorithms for infecting other resources and also keep command servers running. For that reason mining is profitable only during certain periods, for example when cryptocurrency rates are high compared with normal.
Michal Salat, director of threat research at Avast
»

Avast's AI-based threat detection technology, which underlies Avast Free Antivirus, together with the script detection mechanisms of the Avast Secure Browser, recognizes infected websites and protects Avast users from these attacks.

Browser-based cryptojacking malware is embedded in the code of web pages in the form of mining scripts. When a user visits such a site, the script begins using the computer's processing power to mine cryptocurrency. The negative consequences of such attacks are high electricity bills, poor device performance, reduced efficiency and a general shortening of the service life of computers, smartphones and smart TVs. Because the miner runs in the browser, any device with a browser can be infected.

A malicious script can be added to a site's code in two ways: cybercriminals can compromise someone else's website or set up their own resource for mining. Attackers usually mine Monero, since this cryptocurrency gives its owners greater anonymity and privacy than Bitcoin and other digital assets. The Monero mining algorithm was specifically designed for ordinary computers, whereas mining currencies like Bitcoin requires specialized equipment. Nevertheless, most malware is intended to mine Monero and Bitcoin, since ready-made scripts are freely available.

Cybercriminals also develop malicious miners for newly launched cryptocurrencies. This model is attractive because tokens are at their peak value right after the initial offering and only then begin to fall. Attackers almost immediately exchange newly launched cryptocurrencies obtained by illegal mining for established ones and then cash them out in rubles or US dollars.

Cryptominer attacks on Apple iPhone

On October 17, 2018, Check Point Software Technologies Ltd., a cybersecurity solution provider, released its Global Threat Index for September 2018. Researchers noted that the number of cryptominer attacks on Apple iPhone devices had increased by almost 400%. The attacks are carried out using the Coinhive malware, which has held the top place in the Global Threat Index since December 2017.

Hidden cryptocurrency mining in an AvtoVAZ workshop

On October 15, 2018, it became known that AvtoVAZ security staff had found equipment for hidden cryptocurrency mining in one of the company's Tolyatti workshops, the TLT Pravda outlet reported. The mining farm was hidden in the electrical cabinets of hall 19, the pipeline control hall.

Nearly a quarter of companies encountered cryptojacking malware

On September 20, 2018, Fortinet presented the results of its latest global threat research. According to the research, cybercriminals have recently been applying more inventive exploit strategies and acting faster. They also seek maximum efficiency from their criminal activity by using new attack vectors and refining their techniques iteratively. The main findings of the report:

  • Any firm can become the target of a dangerous exploit. As of September 2018, the critical and high-severity threats and attacks identified point to a worrying trend: 96% of firms encountered a serious threat at least once. No firm is fully insured against the risks of constantly evolving attacks. In addition, nearly a quarter of companies encountered cryptojacking malware. Only six types of malware were responsible for compromising more than 10% of corporate networks. FortiGuard Labs also identified 30 zero-day vulnerabilities over the last quarter.
  • Cryptojacking has begun to threaten consumer IoT devices. Cybercriminals continue to mine cryptocurrency, and IoT devices, including home multimedia devices, are among their targets. They are especially attractive to attackers because of their considerable computing power, which can be redirected to criminal ends. Attackers exploit the fact that these devices are always connected to the network by loading malware designed for continuous mining. In addition, the interfaces of such devices are used as modified web browsers, which increases their exposure and opens up new attack vectors. As this trend spreads, segmentation of the devices connected to corporate networks will become increasingly important for security.
  • Botnet development trends demonstrate the ingenuity of cybercriminals. Data on botnet trends show how attackers increase the effectiveness of existing attacks. A new variant of the Mirai botnet known as WICKED includes at least three exploits aimed at vulnerable IoT devices. Another serious threat is the state-sponsored VPNFilter attack, aimed at SCADA/ICS environments by monitoring the MODBUS SCADA protocol. It is especially dangerous because the technique developed by the attackers not only captures data but can also render individual devices and groups of devices completely inoperable. The Anubis threat, a variant of the BankBot family, is equipped with a number of new capabilities: ransomware, keylogging, RAT, SMS interception, screen locking and call forwarding. In an environment of increasingly sophisticated and constantly changing attacks it is extremely important to track their development with up-to-date threat intelligence.
  • Attackers use agile malware development. Malware authors have long used polymorphism to evade attack detection. The trends of 2018 show that criminals are increasingly turning to agile development techniques to make malware harder to detect and to counter anti-malware tactics. Many versions of the GandCrab threat were identified in 2018, and its developers update it regularly. Thus the risk factors include not only the automation of malware attacks but also the use of agile development techniques, which testifies to attackers' skill in creating ever stealthier variants. Countering the agile techniques used by criminals requires advanced threat identification and protection functions that can eliminate the vulnerabilities most exposed to risk.
  • Effective exploitation of vulnerabilities. Attackers are highly selective in choosing targets. As of September 2018, an analysis of exploits by prevalence and number of detections revealed that criminals in practice use only 5.7% of known vulnerabilities. Since the vast majority of vulnerabilities are not exploited, it is more sensible to focus on a preventive strategy for eliminating the vulnerabilities that frequently become attack vectors.
  • Use of applications in education and the public sector. A comparison of application-usage figures for 2018 across industries shows that the rate of SaaS application use in public institutions exceeds the average by 108%. As of September 2018, in terms of the total number of applications used daily, the sector is second only to education: these figures exceed the average by 22.5% and 69% respectively. The increased need for a wider variety of applications is the likely reason for the higher rate of application use in these two sectors. Organizations in these areas need a security approach that overcomes application silos and provides tracking and security management across all deployments, including multi-cloud application environments.

According to the company, countering evolving attacks requires an integrated security system with threat-intelligence collection. The research results confirm many of the 2018 forecasts published by the FortiGuard Labs threat research team. An adaptive network security system that covers all attack vectors and consists of integrated components is the key to effective protection against threats. This approach provides large-scale collection and rapid sharing of up-to-date threat data, speeds up detection and supports automated response to modern attacks across all vectors.

As reported, the Fortinet global threat research report presents data collected by FortiGuard Labs from its extensive sensor network from April to May 2018. Data were collected at global, regional, sector and organizational levels. The focus was on three interrelated threat types: application exploits, malware and botnets. The report also provides data on major zero-day vulnerabilities and an overview of infrastructure trends that make it possible to identify patterns of cyberattacks in time and prevent future attacks on organizations.

Experts warned of a new criminal cryptomining threat

Cybersecurity experts warn of the threat of malware containing hidden code capable of hijacking mobile devices for illegal cryptocurrency mining. These can be either cryptojacking attacks or applications with Trojan code. Although interest in cryptocurrencies is slowly declining, the danger of gadget infection remains high. According to Kaspersky Lab, the number of users who encountered criminal miners in 2017-2018 grew by 44.5% compared with 2016-2017. The number of malicious objects for mobile devices in the first half of 2018 increased by almost 74% compared with the first half of the previous year[3].

Cryptocurrency mining can be profitable, but it requires a large upfront investment and comes with substantial electricity costs. This has pushed hackers to look for alternatives, in particular the processors of smartphones. The computing power of the mobile phones available to attackers is fairly small, but there are many such devices, so together they offer high potential, while leaving smartphone owners with the electricity costs and wear. Fraudsters most often use several schemes to infect devices for criminal mining.

Cybercriminals lost interest in cryptocurrency mining

Cybercriminals' interest in illegal mining is gradually waning as a result of falling cryptocurrency prices, according to a report published by Malwarebytes Labs[4][5].

According to the report, although so-called cryptojacking (the practice of using a computer's processing power to mine cryptocurrency without the owner's consent or knowledge) remains quite popular, there is a downward trend in the number of incidents involving this method.

"We do not know which cyberthreat will become the most popular next quarter, but it is unlikely to be illegal cryptocurrency mining," the researchers noted.

The report indicates that attackers are losing interest in this method because the income is not large enough. The recent decline in activity mainly concerns ordinary users; in particular, the number of detections of cryptomining malware for Windows decreased, although the total number of incidents per quarter remains fairly high.

According to the report, after a massive surge in activity at the end of Q1 2018, the number of miners for Android devices also declined. At the same time, nearly 2.5 times more detections of miners for mobile devices were recorded in the second quarter.

The report states that activity related to the Coinhive service, which allows cryptocurrency to be mined in the user's browser, remains fairly high. Other similar services, such as Cryptoloot, are also appearing. According to specialists, attackers are increasingly "using open-source browser miners and adapting them to their needs".

Chinese hackers compromised more than 1 million computers to mine cryptocurrency

In July 2018 it became known that Chinese police had arrested 20 members of a criminal group that hacked users' computers and infected them with cryptocurrency miners. According to local media, over two years the attackers, who were employees of a firm specializing in computer technology, earned more than $2 million in cryptocurrency[6].

The hackers gained access to computers using custom plug-ins that supposedly improved the device's security or performance. The plug-ins were distributed through pop-up advertisements.

The criminals preferred to mine less well-known cryptocurrencies, in particular DigiByte, Decred and Siacoin, because mining those coins requires less computing power. The hackers expected that by using less than 50% of a machine's resources their activity would go unnoticed by users and antivirus solutions.
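The under-50% throttling in this case is why the near-100% CPU check described earlier on this page is not enough on its own, and why the recommendation to monitor all running processes on endpoints matters. As an added example (written for this page, not from the article or any vendor it cites), the Python below contrasts a spike check, which is what a glance at Task Manager amounts to, with a sustained-load check over process CPU telemetry. The telemetry is constructed, and the process names and PIDs are hypothetical.

```python
"""Detect throttled miners from process CPU telemetry (added example)."""
from collections import defaultdict


def instant_spike_alerts(samples, spike_pct=90.0):
    """The check a glance at Task Manager performs: any single sample at or
    above spike_pct. Returns sorted (host, pid, name) keys."""
    hits = {(s["host"], s["pid"], s["name"])
            for s in samples if s["cpu_pct"] >= spike_pct}
    return sorted(hits)


def sustained_load_alerts(samples, cpu_pct=25.0, min_seconds=600):
    """Flag processes whose CPU stays at or above cpu_pct for at least
    min_seconds without dropping below it. A miner throttled to ~45% never
    trips a 90% spike check, but it cannot avoid being persistent."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s["host"], s["pid"], s["name"])].append((s["ts"], s["cpu_pct"]))

    alerts = []
    for key, series in by_proc.items():
        series.sort()              # order samples by timestamp
        run_start = None           # start of the current above-threshold run
        longest = 0                # longest above-threshold run seen, seconds
        for ts, cpu in series:
            if cpu >= cpu_pct:
                if run_start is None:
                    run_start = ts
                longest = max(longest, ts - run_start)
            else:
                run_start = None   # a dip below the threshold breaks the run
        if longest >= min_seconds:
            alerts.append(key)
    return sorted(alerts)


def build_sample_telemetry(n_samples=16, interval_s=60):
    """Constructed telemetry for one workstation, sampled every interval_s.
    Not real data: 'winsvchost.exe' is a hypothetical miner throttled to
    about 45%, 'chrome.exe' spikes once while rendering, 'excel.exe' idles."""
    samples = []
    for i in range(n_samples):
        ts = i * interval_s
        samples.append({"ts": ts, "host": "ws01", "pid": 3308,
                        "name": "winsvchost.exe", "cpu_pct": 45.0 + (i % 3)})
        samples.append({"ts": ts, "host": "ws01", "pid": 4120,
                        "name": "chrome.exe", "cpu_pct": 95.0 if i == 5 else 4.0})
        samples.append({"ts": ts, "host": "ws01", "pid": 2210,
                        "name": "excel.exe", "cpu_pct": 3.0})
    return samples


if __name__ == "__main__":
    data = build_sample_telemetry()
    print("spike check flags:    ", instant_spike_alerts(data))
    print("sustained-load flags: ", sustained_load_alerts(data))
```

On the constructed data the spike check flags only the browser's one-off 95% sample and misses the throttled miner entirely, while the sustained-load check flags the miner and ignores the browser. The thresholds are starting points: the duration window should be longer than any legitimate batch job on the host, and the CPU floor low enough to catch miners that throttle harder than 50%.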

First prison sentence for hidden mining

In early July 2018 the first case became known in which a real prison sentence was handed down for cryptojacking.

According to ZDNet, citing the Kahoku newspaper, 24-year-old Japanese resident Yoshida Shinkaru was found guilty of illegally mining cryptocurrency on users' computers without their consent.

According to Bitcoin.com, citing an anonymous source, Shinkaru used the Coinhive Monero mining script, embedding it in a game cheat tool. The program, which the miner posted on his blog, was downloaded only 90 times before it was exposed.


Coinhive was originally intended as an advertising tool and is usually embedded in the browser, but Shinkaru used it as a downloadable component. Even so, the offence could be proven. Many ad blockers have long blocked Coinhive from running in the browser.

Yoshida Shinkaru conducted the illegal mining from January to February 2018 and in that time earned only 5,000 yen (about $45). Despite the small earnings, the unlucky user was sentenced to one year in prison, suspended for three years. The convicted Japanese citizen will thus remain free, but if he violates the conditions of the suspended sentence he will go to prison for a year.

It should be noted that the use of cheat tools in online games is illegal in Japan, as they are prohibited by the Unfair Competition Prevention Act.

The 24-year-old is the first person convicted for using Coinhive, which may now set a precedent. At the end of June 2018, 16 more people involved in cryptojacking were detained in Japan. They are suspected of hacking websites and embedding Coinhive scripts in the code of the compromised resources.[7]

Cryptominers attacked 40% of the organizations around the world

According to the report of lobal Threat Impact Index for May, 2018 prepared by Check Point Software Technologies company, solution provider in the field of cyber security, the Coinhive cryptominer attacked 22% of the organizations. Thus, in comparison with April (16%) the number of the attacks increased almost by 50%.

Rating top-10 the active Check Point Global Threat Index malwares the cryptominer heads the fifth month in a row. In May Coinhive still saves superiority among the most widespread malware. One more Cryptoloot cryptominer was at the second place (11%), at the third — harmful advertizing Roughted software (8%).

Researchers of Check Point also note that cybercriminals continue to operate open server vulnerabilities Microsoft Windows Server 2003 Oracle WebLogic (CVE-2017-7269) and (CVE-2017-10271) for attacks to corporate networks. On a global scale 44% of the organizations underwent attacks on vulnerabilities of Microsoft Windows Server 2003, 40% — on Oracle WebLogic and 17% were subject to influence of implementation of the SQL code, said in the report of Check Point.

In general harmful cryptomining affected nearly 40% of the organizations in May and continues to be the most widespread cyberthreat, experts of the company concluded. It is obvious that malefactors consider this method profitable and effective.

The most active malwares in May, 2018 are called:

  • CoinHive is the cryptominer intended for production of the Monero cryptocurrency without the knowledge of the user when that visits websites.
  • Cryptoloot is the cryptominer using the power of the CPU or video card of the victim and other resources for cryptocurrency mining, the malware adds transaction to a blockchain and releases new currency.
  • Roughted is a large-scale campaign of harmful advertizing which is used for distribution of the harmful websites, an exploit whales and racketeers. It can be used for an attack on platforms of any type and any OS and also is capable to resist to advertizing disablers to provide the widest scope.

The cryptominers already mentioned also appeared in the ranking of the most active malware attacking Russian organizations. The Cryptoloot (40%) and Coinhive (36%) cryptominers were the most active malware, followed in third place by the Rig EK exploit kit (21%).

Lokibot, an Android banking trojan that grants itself superuser privileges in order to download malware, became the most popular malware used to attack organizations' mobile devices in May, followed by Triada and Lotoor.

The most active mobile malware of May 2018:

  • Lokibot is an Android banking trojan that steals user data and demands a ransom for it. The malware can lock the phone if its administrator rights are revoked.
  • Triada is a modular Android backdoor that grants extensive privileges to downloaded malware.
  • Lotoor is a hacking tool that exploits vulnerabilities in Android OS to obtain superuser privileges on compromised mobile devices.

Check Point researchers also analyzed the most exploited vulnerabilities. In first place was CVE-2017-7269 (a buffer overflow in Microsoft IIS WebDAV ScStoragePathFromUrl) with a global reach of 46%, then CVE-2017-10271 (remote code execution in Oracle WebLogic WLS) at 40%, and in third place SQL injection, affecting 16% of organizations worldwide.

Applications with hidden miners downloaded hundreds of thousands of times from Google Play

At the beginning of April 2018 the antivirus company Kaspersky Lab announced the presence in the Google Play catalogue of applications that secretly mine cryptocurrency on users' devices. Some of these programs were downloaded more than 100 thousand times, ZDNet reports.

Applications with built-in cryptocurrency miners include games, VPN services and a program for streaming sports broadcasts.

Applications with hidden miners detected on Google Play

One such application, PlacarTV, with a built-in Coinhive miner mining the Monero cryptocurrency, was downloaded from Google Play more than 100 thousand times. PlacarTV was removed from the store only after Kaspersky Lab experts pointed out its danger.

However, not all such unwanted programs are quickly removed from Google Play. For example, the Vilny.net application for creating VPN connections, which according to Kaspersky Lab also has a built-in miner, was still available for download at the time of writing.

Interestingly, Vilny.net monitors the device's battery level and temperature, which reduces the risk of detection to a minimum. The application downloads the miner's executable file from a server and launches it in the background. Vilny.net was downloaded more than 50 thousand times, with most of the downloads coming from Russia and Ukraine.

Experts explain the particular danger of the detected cryptominers by the fact that the programs really do perform the useful functions stated in their descriptions, so it is hard to notice the operation of the hidden module. For example, miners were built into programs intended, according to their official descriptions, for watching soccer.

To avoid becoming a victim of illegal mining, Kaspersky Lab recommends the following: pay attention to unexplained battery drain or strong heating of the device, check the reputation of developers before downloading a program, and use an antivirus.[8]

42% of companies worldwide suffered from cryptomining

According to Check Point Software Technologies, a cyber security solution provider, 42% of companies worldwide suffered from illegal cryptocurrency mining in February 2018. This information is contained in the Global Threat Impact Index report.

Check Point researchers identified three different malicious cryptominers in the top-10 of active malware. CoinHive, which attacked every fifth organization in the world, kept first place. Cryptoloot rose to second place: in February this malicious miner attacked twice as many companies as in the previous month. According to Check Point, 7% of organizations suffered from Cryptoloot in January and already 16% in February. After the cryptominers came the Rig EK exploit kit, which took third place thanks to attacks on 15% of companies worldwide.

«
For the last four months we have seen noticeable growth in the distribution of cryptominers. This persistent threat considerably slows down the operation of PCs and servers, noted Maya Horowitz, head of the Threat Intelligence group at Check Point Software Technologies. Once they have gotten into a network, cryptominers can also be used to carry out other malicious actions. For this reason it is very important for companies to apply a multilayered cyber security strategy that will protect against known malware and detect new threats.
»

According to Check Point, in February 2018 the number of attacks on Russian companies remained at the previous level. Russia took 73rd place in the Global Threat Index ranking, and Coinhive and Cryptoloot were also among the top-3 active malware attacking Russian organizations.

Botswana, Cameroon and New Caledonia were attacked the most in February. Liechtenstein, Guernsey and Kyrgyzstan were attacked the least.

The most active mobile malware of February 2018:

  • Triada is a modular Android backdoor that grants extensive privileges to downloaded malware.
  • Lokibot is an Android banking trojan that steals user data and demands a ransom for it. The malware can lock the phone if its administrator rights are revoked.
  • Hiddad is Android malware that repackages legitimate applications and then publishes them in third-party app stores.

Check Point specialists mapped the level of cyber threat by country (green is low risk; red is high; white is insufficient data):

ThreatCloud Map

The Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud intelligence, a collaborative network for fighting cybercrime that provides threat data and attack trends from a global network of threat sensors. The ThreatCloud database contains more than 250 million addresses analyzed for bot detection, more than 11 million malware signatures and more than 5.5 million infected websites.

Hackers will mine using home appliances

Experts at the American analytical company Stratfor concluded that in the future hackers will be able to use smart homes for cryptocurrency mining, Izvestia reported in February 2018 [9].

The danger threatens all devices connected to the smart home. Presumably hackers will be able to mine by means of a direct attack or by infecting the equipment with a virus.

"Hackers will be able to connect to any device, whether it is a lighting fixture or a dishwasher: thus hackers have a central node to which they will direct the attack," said Scott Stewart, the company's vice president.

Analysts also believe that hackers will primarily be interested in digital assistants, as these have full access to the user's equipment.

Main article: Smart home

Every fifth company suffered from cryptominers

According to the Check Point Software Technologies Global Threat Intelligence Trends report for the second half of 2017 (July to December), cybercriminals are increasingly using cryptominers, while organizations worldwide continue to be attacked by ransomware and malvertising. According to the researchers, from July to December 2017 every fifth company suffered from illegal cryptocurrency mining. Using this malware, cybercriminals gain access to the CPU or GPU resources of the victim's PC and use them to mine cryptocurrency. The consumption level can reach 65% of CPU power.

Key cyber threat trends:

  • Hype around cryptocurrency mining.
    • Cryptominer programs are the most common tool for cryptocurrency mining. However, because of society's growing attention to virtual money, the mining process, which directly depends on the number of cryptocurrency owners, has slowed down. As a result mining requires much more computing power, which drives hackers to think up new methods of illegally using other people's resources.

  • Exploits are losing popularity.
    • Just a year ago, exploit kits were one of the main attack vectors. However, in 2017 they were used much less often because the platforms and programs that had already fallen victim to exploits improved their protection. The "shelf life" of new exploits is also shortened by prompt coordinated action by security vendors and software developers, and by automatic software updates.

  • Growth of fraud and malicious spam.
    • During 2017 the ratio between malware using the HTTP and SMTP protocols shifted towards SMTP. The volume of such attacks grew from 55% in the first half of the year to 62% in the second. The popularity of these distribution methods drew the attention of experienced hackers. They apply their skills to exploiting documents, in particular Microsoft Office.

  • Mobile malware reached the enterprise level.
    • During 2017 attacks on companies originating from mobile devices were recorded. For example, smartphones and tablets infected with the MilkyDoor malware were used as proxy servers to collect confidential data from corporate networks. Another example of mobile threats is the Switcher malware, which tries to compromise network elements (for example, routers) and redirect traffic to a server controlled by hackers.

Among other cyber threat trends, Check Point also noted the following:

  • Ransomware, which emerged in 2016, remains a serious threat. It is used both for large-scale attacks worldwide and for targeted attacks on specific organizations.
  • 25% of breaches in the period were made through vulnerabilities discovered more than ten years ago.
  • Less than 20% of attacks were carried out through security gaps that have been known for about two years.

Top-3 malware

  1. Roughted (15.3%) is a large-scale malvertising campaign used to distribute malicious websites, exploit kits and ransomware. It can be used to attack platforms of any type and any OS and is also capable of bypassing ad blockers to achieve the widest reach.
  2. Coinhive (8.3%) is a cryptominer program developed for online mining of Monero without the user's knowledge when they visit certain websites. The Coinhive malware appeared only in September 2017 but has already managed to infect 12% of organizations worldwide.
  3. Locky (7.9%) is ransomware that appeared in February 2016 and is distributed mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user's files.


Top-3 ransomware

  1. Locky (30%) is ransomware that appeared in February 2016 and is distributed mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user's files.
  2. Globeimposter (26%) is ransomware disguised as the Globe ransomware encryptor. It was discovered in May 2017 and was distributed via spam campaigns, malvertising and exploit kits. After encryption the program appends the .crypt extension to each encrypted file.
  3. WannaCry (15%) is ransomware that spread widely during the large-scale attack in May 2017. It spreads across networks using an exploit for Windows Server Message Block (SMB) called EternalBlue.


Top-3 mobile malware

  1. Hiddad (55%) is Android malware that repackages legitimate applications and then publishes them in third-party app stores. Its main function is displaying ads, but it can also gain access to key security settings built into the operating system, allowing the attacker to obtain the user's confidential data.
  2. Triada (8%) is a modular Android backdoor that grants extensive privileges to downloaded malware so that it can be injected into system processes. Triada has also been observed spoofing URLs loaded in the browser.
  3. Lotoor (8%) is a hacking tool that exploits vulnerabilities in Android operating systems to obtain root access on compromised mobile devices.


Top-3 banking malware

  1. Ramnit (34%) is a banking trojan that steals bank customers' account data, FTP passwords, session cookies and personal data.
  2. Zeus (22%) is a trojan that attacks Windows devices and is often used to steal banking information using man-in-the-browser techniques, namely keylogging and form grabbing.
  3. Tinba (16%) is a banking trojan that steals user account data using web injections, which are activated when the user tries to visit the bank's website.

WannaMine virus miner

The WannaCry ransomware, which was active throughout 2017, has been succeeded by the updated WannaMine miner, Gazeta.ru reports.

It too successfully mines cryptocurrency illegally at the expense of other people's computing capacity. WannaMine, like its predecessor WannaCry, was built on the EternalBlue exploit. This program, which finds vulnerabilities in software, was also the "creator" of the Petya virus. EternalBlue is believed to have been created by the U.S. National Security Agency. The virus infects users' PCs for the purpose of hidden mining of the Monero virtual currency.

There are several infection methods: WannaMine can get onto a device through an installed file or through a direct attack on the PC. The virus then uses the Mimikatz tool to obtain credentials. If it fails to compromise the system this way, the virus resorts to the notorious exploit. If the computer is connected to other equipment via a local or corporate network, WannaMine uses this opportunity to infect other PCs.

Besides mining illegally, the virus severely degrades the performance of the equipment. Notably, antiviruses do not detect it, let alone remove it. If the virus has been detected, the only reliable way to get rid of it is to make a backup copy of all data, format the drive, and then reinstall the operating system and programs.

Hidden cryptocurrency miners found on YouTube

Cryptocurrency has been mined even on YouTube, the most popular video hosting service, it was reported[10].

Mining cryptocurrency at the expense of other people's computers is carried out via advertising. Programmers embed special code in ad messages served through Google's DoubleClick platform, allowing them to mine currency using the CoinHive service.

When users watch a video carrying this malicious code, the fraudsters mine the Monero cryptocurrency at their expense. The users in turn get a heavy load on their computers.

Ordinary users managed to discover this scheme using Avast antivirus software. After this Google blocked access to the corresponding advertisements.

Check Point: cryptominers attacked 55% of companies worldwide

Check Point recorded a sharp growth in the distribution of cryptocurrency mining malware in December. Check Point researchers found that in December cryptominers attacked 55% of companies worldwide. At the same time, 10 types of this malware entered the top 100 most active cyber threats, and two of them entered the top three. Using cryptominers, attackers take control of the CPU or GPU and use its resources to mine cryptocurrency.

Check Point found that cryptocurrency mining malware was deliberately injected into popular websites without users' knowledge; most of these sites are streaming media and file hosting services. Although such services are generally legal, they can be compromised to generate extra computing power and income, using up to 65% of the user's CPU resources.

"Users increasingly use ad blocking software, so websites have begun to use cryptocurrency mining software as an alternative source of income," notes Maya Horowitz, head of the Threat Intelligence group at Check Point Software Technologies. "Unfortunately, this often happens without the knowledge of users whose processors are used for cryptomining. We will probably see this trend grow over the next several months."

In December the CoinHive cryptocurrency mining software displaced the RoughTed malvertising campaign from the leading position, while the Rig EK exploit kit kept second place in the ranking. The new Cryptoloot cryptominer rounded out the top three most active malware of December, entering the top-10 for the first time.

Check Point experts identified the key cyber threat trends of the second half of 2017:

  • Hype around cryptocurrency mining. Cryptominer programs are the most common tool for cryptocurrency mining. However, because of society's growing attention to virtual money, the mining process, which directly depends on the number of cryptocurrency owners, has slowed down. As a result mining requires much more computing power, which drives hackers to think up new methods of illegally using other people's resources.
  • Exploits are losing popularity. Just a year ago, exploit kits were one of the main attack vectors. However, in 2017 they were used much less often because the platforms and programs that had already fallen victim to exploits improved their protection. The "shelf life" of new exploits is also shortened by prompt coordinated action by security vendors and software developers, and by automatic software updates.
  • Growth of fraud and malicious spam. During 2017 the ratio between malware using the HTTP and SMTP protocols shifted towards SMTP. The volume of such attacks grew from 55% in the first half of the year to 62% in the second. The popularity of these distribution methods drew the attention of experienced hackers with more refined intrusion techniques. They apply their skills to exploiting documents, in particular Microsoft Office.
  • Mobile malware reached the enterprise level. Over the past year we saw attacks on companies originating from mobile devices. For example, smartphones and tablets infected with the MilkyDoor malware were used as proxy servers to collect confidential data from corporate networks. Another example of mobile threats is the Switcher malware, which tries to compromise network elements (for example, routers) and redirect traffic to a server controlled by hackers.

Ministry of Health website used to mine cryptocurrency at the expense of visitors' resources

A script mining cryptocurrency with the resources of visitors' computers ran for an unknown period on the electronic registry website through which appointments can be booked at a number of medical institutions on Sakhalin. The discovery was made by a user of the Sakhalin and Kuril news and service portal sakh.com[11].

After this user contacted the regional Ministry of Health, the script was removed from the website. "How many users 'donated' their resources to enrich an enterprising registry system administrator or an unknown attacker has not been established," reports the news resource sakh.com (sakhalin.info).

"A JavaScript file was injected into the website. It ran only while the user had the website's tab open and had no effect on the device after disconnecting from the portal," one of the Sakh.com programmers said. According to his colleagues, the malicious code most likely mined the Monero cryptocurrency, electronic coins with non-standard cryptography that provides increased user anonymity.

2017

FSB detained a Vnukovo airport system administrator for cryptocurrency mining

In December 2017 Federal Security Service officers carried out searches at the Moscow air traffic control center at Vnukovo airport. The reason was an appeal by the center's management to law enforcement agencies complaining of constant power surges.

During the search FSB officers found that the cause was a cryptocurrency mining farm built by one of the system administrators and connected to the airport's electrical grid. The airport employee was detained by the FSB and the investigation continues, reported the Telegram channel Mash, citing its own sources.

Also in December 2017, Vladimir Rushailo, former Minister of Internal Affairs and vice president of Transneft, reported attempts at cryptocurrency mining within the company. Speaking at the company's expert council on cyber security, he noted that it could interfere with the company's technological processes.

Facebook Messenger was used for mining

Unknown hackers compromised the popular social network's messenger and launched a mining virus through it, the Coinspot portal reports[12].

Specialists from TrendLabs, a cyber security research team, detected a new virus. This virus, a miner bot, becomes active while Facebook Messenger is in use. Using the gadget's resources, the virtual miner mines the Monero cryptocurrency. It has already been given a name: Digmine.

Digmine is found only in the desktop version of Messenger, in the file video_xxxx.zip. As soon as the application is opened, the virus downloads the components necessary for mining and then starts mining virtual currency. But it does not end there: the virus also installs an extension in the Chrome browser that gives it access to Facebook data, which is then passed on over the Internet.

Digmine was initially detected in South Korea, then it appeared in other countries as well: Azerbaijan, Ukraine, Vietnam, the Philippines, Thailand and Venezuela. The malware spreads very quickly, and experts believe that the bot will soon show up in other countries too. Infection occurs via links to video files in the Google Chrome browser and in the Facebook Messenger application.

Bitcoin mining by Crimean government employees

Two employees of the Council of Ministers of Crimea paid with their jobs for installing bitcoin mining software on a government server. The head of Crimea's anti-corruption committee[13] reported this at a press conference in Sevastopol in September 2017[14].

The committee head explained that it concerned two specialists working in the IT department. According to Akshatin, they also installed malicious software on the Crimean government server that opened access to the information stored on it. In parallel, more than ten computers with this access were set up in the building's basement.

The committee head noted that the offenders managed to earn little. "I can't say exactly, but it is less than one bitcoin. Back then [in February to March 2017] bitcoin was $1800; now it costs $4000. Even half a bitcoin is some money," Akshatin noted, stressing that those dismissed had not managed to cash out the cryptocurrency.

Opera to get protection against cryptocurrency miners

Opera will become the first browser to implement protection against miners embedded in websites that use the capacity of users' computers to mine cryptocurrency. The feature, called NoCoin, was at the development stage at the end of 2017, Bleeping Computer reports. It is included in Opera 50 Beta RC and should appear in the stable release of Opera 50, due out in January 2018.

Main article: Opera web browser

Starbucks accused of illegal mining

The well-known global Starbucks coffee shop chain was caught up in an unpleasant cryptocurrency incident. It turned out that in Buenos Aires, the capital of Argentina, the coffee shop's provider used the establishment's Wi-Fi for mining. On connecting to the free Internet, CoinHive code intended for mining cryptocurrency was activated on customers' equipment, it was reported[15].

Noah Dinkin, head of the corporate email service developer Stensul, drew attention to it. While visiting the cafe, he noticed a ten-second delay when connecting his laptop. Investigating the cause of the small problem, he discovered a special script used to mine the Monero cryptocurrency.

Some time later a representative of the chain assured users that the company had already dealt with the problem by contacting the Internet service provider, and that customers can now connect to the Internet without fear that their equipment will be misused. The Starbucks representative also stressed that the problem affected only the network in Buenos Aires and did not occur in its coffee shops in other cities and countries.

Cryptocurrency miner detected on the official D-Link website

Security researchers from Seekurity detected a JavaScript miner mining the Monero cryptocurrency[16] on the D-Link website (dlinkmea[.]com)[17][18].

The researchers learned of the problem after Facebook user Ahmed Samir reported that CPU load sharply increased while visiting the website. Each time the page was opened, a separate domain was loaded containing a hidden iframe element with a script that mined cryptocurrency directly in the user's browser.

After the researchers notified D-Link of the incident, the company took the website completely offline and began redirecting users to the American version of the resource (us.dlink.com). According to the researchers, taking the site down instead of removing the single line of code with the hidden iframe may indicate a cyber attack on the D-Link portal.

Google Chrome may get protection against cryptominers

Google engineers are considering adding special tools to the Google Chrome browser that will prevent cryptocurrency mining.

Discussions about miners embedded in websites and running directly in the browser have been held in the company since mid-September 2017, when the first such project, Coinhive, was launched[19].

As Chrome developer Ojan Vafai reported,[20] the following scheme is proposed to counter hidden miners: if a website uses more than X% of CPU capacity for Y seconds, the page is switched to an "energy saving mode" in which the activity of all suspicious processes is strictly limited. A pop-up notification is then displayed allowing the user to turn this mode off. If a tab in "energy saving mode" is inactive, execution of its processes stops completely.

This approach is so far only at the discussion stage and has not been officially approved by Google. As company representatives said, at the moment there is no way to completely block miners embedded in websites, since mining software developers can easily modify their code to bypass blocking. For now, to block cryptominers, users can install extensions such as AntiMiner, No Coin and minerBlock.
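The scheme discussed above can be expressed as a small per-tab state machine. The following is an added example written for this page, not Chrome's code or anything from the cited discussion; the X and Y thresholds are not given on the page, so the 50% threshold and 10-second window are assumed, as are the telemetry sample format and the class and function names:

```javascript
// Added example, not Chrome's code: a simulation of the "energy saving mode"
// throttling scheme. X and Y are not specified on the page; the values below
// are assumed for illustration.
const DEFAULT_POLICY = {
  cpuThresholdPercent: 50, // "X": average CPU share that triggers throttling (assumed)
  windowSeconds: 10,       // "Y": length of the averaging window in samples (assumed)
};

// Per-tab state machine. Feed one sample per second; each sample is
// { cpu: <percent of one core>, visible: <bool> } (constructed telemetry format).
class TabThrottler {
  constructor(policy = DEFAULT_POLICY) {
    this.policy = policy;
    this.window = [];          // recent CPU samples, at most windowSeconds long
    this.throttled = false;    // page is in "energy saving mode"
    this.userOptedOut = false; // user turned the mode off via the notification
    this.notifications = 0;    // how many times the pop-up was shown
  }

  // Returns the mode in force after this sample:
  //   "normal"        - no limits
  //   "energy-saving" - visible tab, suspicious activity strictly limited
  //   "paused"        - hidden tab in energy-saving mode, execution stops
  observe(sample) {
    this.window.push(sample.cpu);
    if (this.window.length > this.policy.windowSeconds) this.window.shift();
    const avg = this.window.reduce((a, b) => a + b, 0) / this.window.length;
    // Only a full window counts, so a short spike on page load does not trigger it.
    const sustained = this.window.length === this.policy.windowSeconds
      && avg > this.policy.cpuThresholdPercent;
    if (!this.throttled && sustained && !this.userOptedOut) {
      this.throttled = true;
      this.notifications += 1; // show the pop-up offering to turn the mode off
    }
    if (!this.throttled) return "normal";
    return sample.visible ? "energy-saving" : "paused";
  }

  // The user clicks "turn off" in the notification: lift the limits and
  // remember the choice so the tab is not throttled again.
  userDisable() {
    this.throttled = false;
    this.userOptedOut = true;
  }
}

// Constructed trace: 10 s of heavy CPU while visible, then the tab is hidden,
// then the user opts out. Returns the mode after each sample.
function demoTrace() {
  const t = new TabThrottler();
  const modes = [];
  for (let i = 0; i < 10; i++) modes.push(t.observe({ cpu: 95, visible: true }));
  modes.push(t.observe({ cpu: 95, visible: false }));
  t.userDisable();
  modes.push(t.observe({ cpu: 95, visible: true }));
  return modes;
}
```

Once a tab is throttled it stays throttled until the user opts out; that is a design choice here, since a miner that briefly idles would otherwise escape the limit. A real implementation would also have to decide what "suspicious processes" means, which the proposal leaves open.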

500 million computers used for secret cryptocurrency mining

The Pirate Bay torrent tracker was caught secretly mining cryptocurrency at the expense of its users and, apparently, hundreds of other resources followed its example. According to experts[21], 2.2% of websites in the Alexa Top 100,000 have adopted the practice and now use various miners that exploit the CPU capacity of visitors' computers to mine cryptocurrency[22].

The most widespread cryptocurrency miners are CoinHive and JSEcoin.

In total the researchers detected 220 websites that start the mining process when a user opens the resource's home page. The combined audience of these websites is about 500 million users. By Adguard's estimate, in only three weeks these domains earned about $43 thousand without any costs. The largest number of "miner" websites was recorded in the USA (18.66%), India (13.4%), Russia (12.44%) and Brazil (8.13%).

The websites mining cryptocurrency at users' expense are mostly torrent trackers, piracy resources, adult websites and the like. Such dubious resources, as a rule, do not earn much from advertising and are therefore open to experiments and innovation, the Adguard research explains. Note that miners are sometimes used on "white" resources too: at the end of September, Showtime's websites were caught in a similar practice. Incidentally, on September 11 the piracy resource The Pirate Bay added the CoinHive code again, and now it cannot be disabled. Specialists calculated that, provided the resource's administration does not switch off the miner, The Pirate Bay will be able to earn about $12 thousand per month.

Antiviruses and ad blockers are gradually beginning to block cryptominer scripts. Usually the user is given the choice of blocking the miner or allowing it to run.
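The D-Link incident above (a hidden iframe loading a mining script) and the script blocking done by ad blockers both come down to spotting a few patterns in page markup. The following static scanner is an added example written for this page, not Seekurity's, D-Link's or any blocker's code; the blocklist hosts (miner-cdn.example, pool-proxy.example), the sample page and the function names are constructed assumptions, while the identifier patterns are the miner names mentioned in these reports:

```javascript
// Added example, not any vendor's or blocker's code: a static scanner for
// in-browser miner indicators in fetched HTML. It flags (1) script tags whose
// src host is on a blocklist, (2) inline scripts naming a known miner library,
// and (3) hidden iframes, which is how the D-Link page pulled in its miner.

// Constructed blocklist for illustration; in practice take the hosts from an
// ad-blocker filter list or a threat feed.
const MINER_HOSTS = ["miner-cdn.example", "pool-proxy.example"];
// Names of in-browser miner libraries mentioned in the reports above.
const MINER_IDENTIFIERS = [/\bCoinHive\b/, /\bJSEcoin\b/i, /\bCryptoloot\b/i];

// Parse the attributes of one tag, e.g. `src="x" width=0 style='...'`.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Resolve relative URLs against a placeholder origin so same-origin scripts
// are never matched against the blocklist.
function hostOf(url) {
  try { return new URL(url, "https://page.example/").hostname; } catch { return ""; }
}

// An iframe nobody can see has no legitimate reason to exist on a product page.
function isHidden(attrs) {
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  const zero = (v) => v !== undefined && parseInt(v, 10) === 0;
  return style.includes("display:none") || style.includes("visibility:hidden")
    || zero(attrs.width) || zero(attrs.height);
}

// Returns a list of findings { kind, detail } in document order.
function scanHtml(html, minerHosts = MINER_HOSTS) {
  const findings = [];
  const tagRe = /<(script|iframe)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, rawAttrs, body] = m;
    const attrs = parseAttrs(rawAttrs);
    const host = attrs.src ? hostOf(attrs.src) : "";
    if (tag.toLowerCase() === "script") {
      if (host && minerHosts.includes(host)) {
        findings.push({ kind: "miner-script-src", detail: attrs.src });
      }
      if (MINER_IDENTIFIERS.some((re) => re.test(body))) {
        findings.push({ kind: "miner-inline-script", detail: body.trim().slice(0, 60) });
      }
    } else if (isHidden(attrs)) {
      findings.push({ kind: "hidden-iframe", detail: attrs.src || "(no src)" });
    } else if (host && minerHosts.includes(host)) {
      findings.push({ kind: "miner-iframe-src", detail: attrs.src });
    }
  }
  return findings;
}

// Constructed sample page: one benign script, one visible embed, then the
// three patterns the scanner should catch.
const SAMPLE_PAGE = `
<html><body>
<script src="/static/app.js"></script>
<iframe src="https://stats.example/embed" width="300" height="200"></iframe>
<iframe src="https://pool-proxy.example/m.html" width="0" height="0" style="display:none"></iframe>
<script src="https://miner-cdn.example/lib/miner.min.js"></script>
<script>/* constructed */ startMiner(CoinHive, "SITE_KEY_PLACEHOLDER");</script>
</body></html>`;
```

Run `scanHtml(SAMPLE_PAGE)` to get three findings: the hidden iframe, the blocklisted script source and the inline script naming CoinHive. A scanner like this is a check to run against your own site after a deployment or when a visitor reports CPU spikes; it does not catch a miner fetched through several redirects or assembled at runtime, which is why the browser-side CPU heuristics described earlier matter as well.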

Google Chrome extension secretly mines cryptocurrency

In September 2017 a JavaScript script forcing users' browsers to mine cryptocurrency was detected in the code of the popular SafeBrowse extension (version 3.2.25) for the Google Chrome browser. The extension's strange behaviour did not go unnoticed, as CPU load increased and significantly affected the performance of the "infected" computer[23].

The built-in Coinhive JavaScript Miner was found in the extension's source code: a browser version of the CryptoNight algorithm used by Monero, Dashcoin, DarkNetCoin and other cryptocurrencies. At present Coinhive JavaScript Miner supports only Monero mining.

The problem affects practically all users who installed SafeBrowse. As it turned out, the SafeBrowse developers were unaware of its strange behaviour. According to them, the program had not been updated for several months, so they suggested that it had been hacked. The SafeBrowse authors are looking into the situation together with the Google team.

Cryptocurrency mining instead of advertising on the Internet

In September 2017 it became known that websites were testing a new monetization method instead of traditional advertising: cryptocurrency mining.

One of the world's largest torrent trackers, The Pirate Bay, began using its visitors' computers to mine the Monero cryptocurrency. The hidden code was used on some web pages of the portal as an alternative to serving ads. The script starts automatically when the page is opened and uses the visitor's computer capacity to mine cryptocurrency.

Screenshot of The Pirate Bay page
«
As you may have noticed, we are testing JavaScript for Monero mining. It is only a test. We really want to get rid of advertising. But we also need enough money for the website to keep running, The Pirate Bay said in its blog.
»

The website's administration explains that enabling the cryptocurrency script is an experiment whose purpose is to find out whether the tracker can make enough profit without using online advertising. As of September 21, 2017, one unit of Monero was worth about $94.

The Pirate Bay experiment began without any warning to users. The portal had to issue an official statement after numerous complaints from visitors about high CPU load while visiting the torrent tracker. Some users noticed a JavaScript miner in the site's code that caused the high load on their computers.

Later, representatives of the resource said that the high load on computers was caused by a technical defect and promised that in future the script would use no more than 20-30% of the PC's capacity and run in only one browser tab. According to Pirate Bay representatives, the site may completely abandon traditional advertising in favor of cryptocurrency mining.[24]
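The SafeBrowse and Pirate Bay cases above share the same two observable traits: a miner library loaded from a mining-service host, and an inline script that starts it, often throttled so the CPU load stays below what a visitor notices. As an added illustration (this is not code from the article, from Coinhive, or from any site named here), the following Node.js scanner flags both traits in fetched HTML. The host list, the API patterns and the sample pages are constructed for the example; coinhive.com is the service the article names, the second host is a placeholder, and the Coinhive API shape (CoinHive.Anonymous, setThrottle) is assumed from its public documentation.

```javascript
// Added example (not from the article): a defender-side scanner that flags
// in-browser cryptomining indicators in fetched HTML. Indicator lists are
// constructed for illustration and would be fed from threat intel in practice.

// Hosts that served browser miners. coinhive.com is the service the article
// names; the second entry is a placeholder, assumed for the example.
const MINER_HOSTS = new Set([
  'coinhive.com',
  'miner.example.invalid',
]);

// Inline-script patterns: instantiation of the Coinhive miner object, and a
// throttle call that keeps CPU load below what a visitor would notice
// (API surface assumed from public Coinhive documentation).
const MINER_API_PATTERNS = [
  { name: 'coinhive-constructor', re: /new\s+CoinHive\.(Anonymous|User|Token)\s*\(/ },
  { name: 'miner-throttle', re: /\.setThrottle\s*\(\s*[0-9.]+\s*\)/ },
];

// Matches each <script ...>...</script> element, capturing attributes and body.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// True if host is a listed miner host or a subdomain of one.
function isMinerHost(host) {
  for (const h of MINER_HOSTS) {
    if (host === h || host.endsWith('.' + h)) return true;
  }
  return false;
}

// Scan html (as fetched from baseUrl) and return a list of findings.
function scanForMiners(html, baseUrl) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = m[1];
    const body = m[2];

    // External script: resolve src against the page URL (handles relative
    // and protocol-relative forms) and compare the host with the list.
    const src = attrs.match(SRC_ATTR);
    if (src) {
      let host;
      try {
        host = new URL(src[1], baseUrl).hostname.toLowerCase();
      } catch {
        continue; // unparsable src: nothing to resolve
      }
      if (isMinerHost(host)) {
        findings.push({ kind: 'external-miner-script', detail: src[1] });
      }
    }

    // Inline script: look for the miner API calls themselves.
    for (const p of MINER_API_PATTERNS) {
      if (p.re.test(body)) {
        findings.push({ kind: 'inline-miner-api', detail: p.name });
      }
    }
  }
  return findings;
}

// Constructed sample page mimicking the cases described: a miner library loaded
// from a known host, then an inline script that starts it with a throttle.
// The site key is a placeholder.
const SAMPLE_PAGE = `
<html><head><title>torrent listing</title>
<script src="/js/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.setThrottle(0.3);
  miner.start();
</script>
</body></html>`;

// Constructed benign page for comparison.
const CLEAN_PAGE =
  '<html><head><script src="/js/app.js"></script></head><body>ok</body></html>';

const REPORT = scanForMiners(SAMPLE_PAGE, 'https://tracker.example/');
console.log('suspect page:', REPORT);
console.log('clean page:', scanForMiners(CLEAN_PAGE, 'https://tracker.example/'));
```

A scanner like this only catches what its lists know about, so it belongs alongside two other controls: a Content-Security-Policy `script-src` on sites you operate, which stops an injected third-party script from loading at all, and endpoint or browser telemetry that notices a single tab holding a core busy for minutes, which is the symptom users reported in both cases regardless of where the script came from.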

Kaspersky Lab data on distribution

The number of hacker attacks involving cryptocurrency-mining malware grew by 50% in 2017, according to research by Kaspersky Lab. The number of affected users was 2.7 million, against 1.9 million the previous year[25].

At the same time, individual hacker groups earned millions from it. The main methods of distributing miners were potentially unwanted applications spread through affiliate programs, as well as scripts executed in the browser, such as Coinhive. The Lab's products blocked this script alone more than 70 million times.

Many hacker groups, seeking higher profits, attack not only ordinary users but also large businesses, which are attractive because of their greater computing power. For example, the Wannamine miner spread through the internal networks of a number of companies using the EternalBlue exploit and brought its creators more than $2 million. In the second half of 2017 cybercriminals earned more than $7 million from miner botnets; the profit of one group alone was $5 million.

In September 2017, Kaspersky Lab experts established that more than 1.65 million personal computers and other endpoints were infected with so-called cryptocurrency miners.[26]

Over the last four years the number of incidents involving Trojan miners has grown more than eightfold. The peak came in 2016, when experts counted more than 1.8 million infections.

A worldwide epidemic of cryptocurrency Trojan miners is observed

Most often Trojan miners generate two currencies: Zcash and Monero. Because both support anonymous transactions, they are especially favored by cybercriminals. Zcash appeared only at the end of 2016 but has already gained considerable popularity.

Several large operations were noted during 2017.

  • In January the Monero miner began to spread via the Terror Exploit Kit.
  • The miner of the little-known Adylkuzz currency spread using the NSA's EternalBlue exploit.
  • The Bondnet botnet spread the Monero cryptominer to 15 thousand machines, mainly servers running Windows Server.
  • The Linux.MulDrop.14 malware generates cryptocurrencies on unprotected, network-connected Raspberry Pi devices.
  • The SambaCry exploit was used to distribute the EternalMiner miner on Linux servers.
  • The Trojan.BtcMine.1259 miner used another NSA exploit, DoublePulsar, to infect Windows computers.
  • The CoinMiner campaign used the EternalBlue and WMI exploits to infect victims.
  • A number of Amazon S3 servers fell victim to the Zminer Trojan.
  • The CodeFork group used fileless malware to distribute the Monero miner.
  • The Hiking Club group spread Monero miners via the Neptune Exploit Kit.
  • A cheat for the game Counter-Strike: Global Offensive infected macOS users with a Monero miner.
  • The Jimmy banking Trojan gained miner functionality.

«
The reason for such zealous distribution of miners is extremely simple, notes Oleg Galushkin, a security expert at SEC Consult Services. A cryptocurrency boom is under way, their rates against traditional currencies have soared sky-high, and cybercriminals see in it a good way to enrich themselves. In fact they are shooting themselves in the foot, bringing closer the moment when cryptocurrencies as a phenomenon collapse. However, "fast money" interests any criminal more than possible strategic consequences.
»

It should be noted that, in addition to the large operations mentioned above, a multitude of smaller campaigns distributing cryptominers is constantly observed, and overall there is every reason to speak of a full-blown epidemic.

Experts report growth of mining-related cybercrime in Russia

In the summer of 2017 Kaspersky Lab uncovered several large botnets of thousands of infected computers used for cryptocurrency production, so-called mining.

Experts noted that the number of cybercrimes connected with mining has recently increased. Hackers install special malware on the computers of citizens and organizations, which mines virtual currency without the owners' knowledge.

According to specialists, this most often happens via the installation files of other programs downloaded by users from the Internet, and also through vulnerabilities in [27].

Bitcoin mining on a work server of the US Federal Reserve

An employee of the US Federal Reserve, which holds the monopoly on issuing the dollar, was fined for using a work server to mine bitcoins. Nicholas Berthaume, who worked as a communications analyst at the Board of Directors of the Reserve, used his access to a federal computer to install on it an illegal program for mining the cryptocurrency[28].

The program went unnoticed for nearly two years, from March 2012 to June 2014. During that time it used the computing power of the Reserve's server to carry out, verify and record bitcoin transactions. Under the rules of this software, the more computing power a user contributes, the larger the reward he earns. For his actions Berthaume was fined $5 thousand and also received 12 months of administrative supervision. How many bitcoins he managed to mine while the software was running is unknown.

In addition, the US Office of the Inspector General, which investigated the case, claims that Berthaume remotely modified the security settings on the Reserve's servers in order to manage the program's operation from home. When confronted with the charges, Berthaume at first denied mining bitcoins, but some time later tried to remotely delete the software from the server and cover up the traces of its presence. When this was proven, the offender confessed to his actions and began cooperating with the investigation. Despite the changes to the security settings, no information leaked from the Reserve's server.

Notes

  1. IT resources of your company are a cash cow for hackers
  2. Mining. A new type of money, "cryptocurrency", is gradually becoming fashionable, and "crypto fever" is developing with it. How to protect your computer from the greed of cryptominers? Comments by Bitdefender Russia experts
  3. CNews: Experts warned about a new threat of criminal cryptomining
  4. Cybercriminals lost interest in cryptocurrency mining
  5. Cybercrime tactics & techniques Q2 2018
  6. Chinese hackers compromised more than 1 million computers for cryptocurrency mining
  7. Japan issues first-ever prison sentence in cryptojacking case
  8. Android security: Cryptocurrency mining-malware hidden in VPNs, games, and streaming apps, downloaded 100,000 times
  9. Experts announced threat of mining by hackers using home appliances
  10. Ars Technica: Now even YouTube serves ads with CPU-draining cryptocurrency miners
  11. The website of the Ministry of Health was used to mine cryptocurrency at the expense of visitors' resources
  12. The Digimine bot, which mines Monero, spreads through Facebook Messenger
  13. Alexander Akshatin, RBC: Employees of the Crimean government dismissed for mining at their workplaces, http://www.rbc.ru/technology_and_media/29/09/2017/59ce36dc9a79470ae1e8039b
  14. Dismissed for mining at their workplaces
  15. Cointelegraph: Starbucks Buenos Aires Accused of Cryptocurrency Mining Using Customer's Laptop, https://cointelegraph.com/news/starbucks-buenos-aires-accused-of-cryptocurrency-mining-using-customers-laptop
  16. SecurityLab: A miner was detected on the official D-Link website, http://www.securitylab.ru/news/489458.php
  17. D-Link Middle East (DLink-MEA) website is secretly mining cryptocurrencies
  18. [1]
  19. Google Chrome may get protection against cryptominers
  20. Please consider intervention for high cpu usage js
  21. Adguard: Cryptocurrency mining affects over 500 million people. And they have no idea it is happening.
  22. 500 million computers are used for secret cryptocurrency mining
  23. Google Chrome extension secretly mines cryptocurrency
  24. Miner
  25. The number of attacks by miner malware grew by half in a year
  26. Over 1.65 Million Computers Infected With Cryptocurrency Miners in 2017 So Far
  27. Experts announced growth of cybercrimes for mining in Russia
  28. Bitcoins were mined on a US Federal Reserve server