Hidden mining Cryptojacking Cryptojacking

Main article: Cryptocurrency mining

Mining (mining) of cryptocurrency is necessary for the operation of the system. Mining consists of a series of calculations carried out to process transactions in Blockchain. It creates a new cryptocurrency and confirms the transaction throughout the blockchain network. To create a cryptomonet more, you need to mine them. Without mining, the system can collapse.

Many users themselves began to engage in mining in order to earn money. Miners perform mathematical operations to confirm transactions, and for this they use special software. Thus, for mining to be profitable, it is necessary to have huge computing power. To make money on mining, cyber criminals began to engage in cryptojacking.

Cryptojacking consists in the unauthorized use of user devices to mine cryptocurrency. Basically, hackers use malware to hack computers, tablets or smartphones, and then use them to conceal mining of cryptocurrencies. Perhaps the user will notice a slight decrease in the speed of his device, but is unlikely to think that this is due to an attempt to attack him to mine cryptocurrencies. One of the most common techniques is to gain control of the victim's device processor (CPU) or its video card processor (GPU) through a visit to some website infected with cryptocurrency mining malware^[1].

How does hidden mining happen?

Most often, pirated popular sites are hidden: torrent trackers, forums, sites with films and TV shows. In order to start mining at the expense of the user, it is completely unnecessary to install on his computer trojan or other virus program. To do this, it is enough to enter a special script into the site code, which allows you to imperceptibly connect to the site guests system. In principle, it is quite easy to detect. With this intervention, the processor load increases sharply to almost one hundred percent. However, downloadable torrents load the system without this, which does not allow determining ^[2]

In order to see the processor load on Windows, you need to go to the "Task Manager." In MacOS, this function is performed by the Activity Monitor.

There are several ways to avoid hidden mining:

• Install a special extension that blocks web mining.
• Disable JavaScript.
• Use reliable antivirus. Antivirus programs most often see miners as potentially safe, but at the same time they can be used for malicious purposes, that is, risky.

How can a company protect itself from crypto-jacking?

Such attacks have serious consequences for businesses. The most obvious consequences arise from the theft of processor resources, which can slow down systems and networks, exposing the enterprise and the entire system to serious risks. Moreover, after the company was attacked, it is likely that it will take a lot of time and money to fix this problem. Intensive mining of cryptocurrencies can also have financial consequences for companies, since as a result of increased use of IT resources, an increase in power consumption should be observed, and this leads to increased electricity costs.

In addition, such attacks can harm corporate devices. If mining is carried out over a long period of time, then the devices and their batteries often experience excessive load and overheating, which also reduces the life of these devices.

Of course, we should also not forget that if you are a victim of crypto-jacking, then this means that hackers were able to overcome your security systems and gain control over corporate devices, putting corporate data privacy at serious risk.

To protect yourself from a possible cryptocurrency mining attack, we recommend that you follow the following security measures:

• Periodically conduct risk assessments to identify vulnerabilities.
• Update all your systems and devices regularly.
• Implement advanced information security solutions that allow you to gain full visibility of activity across all end devices and control all running processes.
• Create a secure environment for browsing sites by installing extensions that prevent cryptocurrency mining.

Illegal mining

Main article: Illegal mining

Illegal mining is associated with the illegal use of equipment of own organizations for the extraction of cryptocurrencies or with illegal connection to electric networks.

2023

Hackers have learned to mine cryptocurrency on other people's servers without leaving a trace

On July 11, 2023, specialists from the information security company Wiz reported the discovery of a new type of malware that is capable of mining cryptocurrency on other people's servers, without leaving any traces. The malware was called PyLoose. Read more here.

HeadCrab malware detection - botnet from high-performance machines

On February 2, 2023, it became known that, malware intended for tracking vulnerable servers Redis down in, Internet infected more than a thousand of them, starting in September 2021. Researchers at the company who Aqua Security discovered the program gave it the name HeadCrab. According to them, so far malware it is impossible to detect traditional anti-virus solutions. More. here

2021

Hacking Alibaba Cloud servers and mining cryptocurrency with them

November 15, 2021 it became known that several hacker groups hacked Alibaba Cloud for the purpose of installing malware for mining cryptocurrencies Monero - "." cryptojacking More. here

Cryptocurrency was mined on the equipment of the main office of the Polish police

On August 2, 2021, it became known that Polish National Police officers found a cryptocurrency mining farm at the Police headquarters, which local media called mining. Read more here.

Cryptocurrency mining botnet operators use bitcoin blockchain to hide activity

Specialists of the information security company Akamai spoke about a cryptocurrency mining botnet that uses bitcoin transactions to disguise. This became known on February 25, 2021.

The obfuscation method described by the researchers is used by operators of a long-term malicious mining campaign, in cryptocurrencies which blockchain bitcoin transactions are used to hide the addresses of reserve C & C servers-.

The botnet receives commands from its operators from C&C servers. Law enforcement and security agencies constantly find and disable these servers, thereby disrupting malicious operations. However, if botnet operators use redundant servers, disconnection can become much more complicated. According to experts , cybercriminals have learned to hide the IP addresses of C&C servers using the blockchain - a simple but effective way to avoid disconnection.

The attack begins with the exploitation of remote code execution vulnerabilities in Hadoop Yarn and Elasticsearch, including CVE-2015-1427 and CVE-2019-9082. In some cases, instead of direct hacking, cybercriminals modify vulnerabilities to create a Redis server scanner, with which they find additional Redis installations for the purpose of mining cryptocurrency.

In December 2020, Akamai specialists discovered that malware bitcoin wallet addresses were added to the emerging cryptomining options. In addition, a URL API wallet verification address and one-line bash commands were found, and it seems that the resulting API data wallets were used to calculate the IP address. This IP address is then used to maintain consistency on the attacked system. According to the researchers, by receiving addresses through the wallet API, malicious operators ON can obfuscate store data configurations on the blockchain.

To convert wallet data to an IP address, operators use four single-line bash scripts to send a blockchain explorer API HTTP request for a given wallet, and then Satoshi values ​ ​ (the smallest predetermined bitcoin value) from the last two transactions are converted to the IP address of the backup^[3].

2020

MrbMiner miner virus infected thousands of Microsoft SQL Server

In mid-September 2020, it became known about the spread of a virus called MrbMiner, which attacks Microsoft SQL Server (MSSQL) systems and is used to mine cryptocurrencies. Tencent Security information security specialists spoke about this threat. Read more here.

Intel releases technology to protect business computers from hidden mining

At the end of June 2020, Intel and BlackBerry announced the launch of a joint system on the market that allows you to protect commercial PCs from hidden mining. The solution is called BlackBerry Optics and is based on Intel Threat Detection technology. Read more here.

Dozens of computers of Tatarstan officials infected with viruses for mining cryptocurrencies

In mid-June 2020, it became known that dozens of computers of Tatarstan officials were used to mine cryptocurrencies. As the Minister of Digital Development of the State Administration of the Republic Airat Khairullin told Business Online, some devices were equipped with viruses for hidden mining, but there were also cases when civil servants themselves mined cryptocurrency. Violators were brought to justice.

According to Khairullin, mining attempts cryptocurrencies from the beginning of 2020 to mid-June were recorded on 71 computers belonging to the state bodies of Tatarstan. The work of responding to such incidents is entrusted to the Monitoring Center (information security SOC/) SIEM when interacting with,, and. FSB FSTEC MINISTRY OF INTERNAL AFFAIRS Thanks to SOC, the number of security threats decreased from 750 in January to 461 in May, the minister said.

Cryptocurrency mining was discovered on 71 computers in government agencies of Tatarstan

The number of "holes" - vulnerabilities in state information systems - has decreased, we have minimized the possibility of threats. They conducted a series of pen tests when third-party experts in the field of cyber threats on the principle of a gray box tried to hack government information systems and gain access to them. As a result of such painstaking engineering work, we took additional protection measures, - he said.

Ayrat Khairullin also noted that there is no universal tool to combat hidden mining.

By certain signatures, we record that a particular computer has been seized, and take measures to prevent such vulnerabilities. Our task is that out of 45 thousand personal computers that are connected to the state integrated telecommunications system, not a single one could be a gateway to attack state information systems, the minister added.

Earlier, after an unsuccessful attempt to hack Tatarstan servers for mining cryptocurrency  , a hacker from the Vladimir region was sentenced to one and a half years in prison.^[4]

Supercomputers across Europe infected with virus to mine cryptocurrencies

In mid-May 2020, it became known about the infection of several supercomputers in Europe with malicious software for mining the Monero cryptocurrency.

The first to detect the virus was announced by the University of Edinburgh, which has an ARCHER supercomputer. According to system administrators, they recorded suspicious activity on the login nodes. After that, users immediately suspended access to the supercomputer, canceling all existing access passwords.

Hackers hacked supercomputers in Europe to mine cryptocurrencies

After EPCC Systems, Cray and the State Cyber ​ ​ Security Center joined the investigation of the incident, after 7 days, the ARCHER security perimeter was restored, and access to the computer was returned.

On the same day the problem was reported by the University of Edinburgh, suspicious activity was notified by the German organisation bwHPC, which operates supercomputers in the Baden-Württemberg area of Germany. Experts recorded attacks on 5 systems hosted at the University of Stuttgart, Karlsruhe Institute of Technology, Ulm University and the University of Tübingen. All of these systems have been turned off.

Two days later, a similar incident occurred in Barcelona, ​ ​ and a day later, four more - in Munich, Bavaria, Julich and Dresden. A few days later, two supercomputer centers in Munich and Switzerland reported the attacks.

None of the organizations shared their guesses about who might be behind the attacks, and how the hackers penetrated the systems. But, according to preliminary results of an investigation information security by Cado Security, a British company, hackers used stolen credentials containing data for authorization using the remote administration protocol. SSH

Apparently, the credentials of researchers from universities in Canada, Poland and China, who were given remote access to these systems for scientific calculations, fell into the hands of the attackers.^[5]

2019

38% of companies became victims of crypto miners

Experts from Check Point Software in the Cyber ​ ​ Security Report 2020 spoke about the main tools that cybercriminals used to attack companies around the world in 2019. This became known on January 21, 2020.

According to experts, harmful ON they dominate among, despite the cryptominers fact that the number of cryptomining attacks in 2019 has decreased. 38% of companies around the world fell victim to this. malware Crypto miners are popular for small risks and high income. According to the survey, only the Russian 7% of the company was afraid of cryptominers.

28% of companies were attacked by botnets, which is 50% higher than this figure for 2018. Emotet became the leader among malware due to its versatility.

As noted by experts, the number of attacks on mobile devices has decreased - from 33% in 2018 to 27% in 2019. According to the survey, only 16% of IT experts in Russia install or plan to use special software to protect mobile devices, and 52% of respondents consider the ban on the use of personal smartphones for work to be the most effective measure of protection.

Experts noted an increase in the number of enterprises using cloud services - up to 90%. However, more than half of the respondents (67%) of information security specialists complained about the insufficient transparency of their cloud infrastructure, security and non-compliance with requirements. The main reason for attacks on cloud services is still the incorrect configuration of their resources^[6].

Russian hackers mine cryptocurrency on the web pages of state organizations

As Deputy Director National Coordination Centre for Computer Incidents (NCCCI) Nikolai Murashov said at a press conference, the infected resources state organizations Russia were used hackers for. cryptocurrency mining This became known on December 16, 2019.

{{quote 'author = said N. Murashov' Cases of cryptocurrency mining using infected information resources of state organizations have been identified. In this case, attackers infect web pages, and mining is carried out at the time they are viewed in the browser, }}

Up to 80% of the free power of the computer can be used to generate virtual coins, and the legal user may not even know about it, said deputy head of NCCCI

Murashov noted that the seizure of servers of large companies for mining purposes threatens to significantly reduce their productivity and significant damage to business.

In the Russian Federation, there have recently been two cases of criminal prosecution of persons who used seized computers to mine cryptocurrencies. One of them is a resident of Kurgan, who used almost a whole botnet in various regions of the country. In the second case, a criminal case was initiated on the fact of using the site of Rostovvodokanal JSC for mining, said Nikolai[7]

Software for mining cryptocurrencies learned to hide in processes on PC

In mid-December 2019, cybersecurity researchers documented the use of technology to hide the presence of malware in infected systems. Hackers have developed new attack tactics and used the "process flooding" (hallowing) technique to hide software for [[mining 'mining\\. Antiviruses are powerless before new tactics.

Trend Micro researchers said that throughout November 2019, hackers conducted an organized malware campaign using an unusual malware dropper component in various countries, including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil and Pakistan.

Hackers have developed new attack tactics and used the technique of "flooding processes"

The file embedded in the victim's PC acts as a means of removing malware and as an archive, but is not malicious in itself. This archive contains the main executable file and software for mining cryptocurrencies, but makes them inactive, which allows you to bypass security checks.

The dropper component requires a specific set of command line codes to run malware. After executing the command, the file "leaves no trace of harmful exposure that would detect or analyze it," the researchers said. This technique is commonly known as the hallowing process.

To avoid antivirus scanning, malicious code is hidden in the directory without an extension. Attackers can run malware using certain codes, so the malware is unpacked through a child process and the cryptocurrency miner XMRig Monero is entered into the system. Thus, cryptocurrency mining begins in the background, and the proceeds are sent to an electronic wallet controlled by cybercriminals.^[8]

I turned on the music on my computer and started mining bitcoin. How cybercriminals mine cryptocurrency in a new way

In October 2019, information security experts reported that hackers learned to place malicious code in [(%D0%B0%D1%83%D0%B4%D0%B8%D0%BE%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%82)|WAV files] for mining cryptocurrencies.

According to BlackBerry Cylance, cybercriminals have embedded a hidden miner in WAV audio files. Moreover, the files into which the miner was introduced were reproduced without quality problems, some of them had white noise.

Cryptojacking worm spread by Docker containers found

On October 17, 2019, it became known that a team of researchers from Unit 42 of the company Palo Alto Networks discovered, according to them, the first worm for cryptojacking, spreading with. containers Docker More. here

Node.js-Trojan mines TurtleCoin cryptocurrency

On June 19, 2019, Doctor Web reported that a bootloader Trojan written in JavaScript and using Node.js to launch was investigated in its virus laboratory. Running on the victim's device, Trojan.MonsterInstall downloads and installs the modules necessary for its work, collects information about the system and sends it to the developer server. After receiving an answer, it is set to startup and begins mining (mining) of the TurtleCoin cryptocurrency. Read more here.

Coinhive closes, but cryptomining still dominates

On April 11, 2019, it became known that Check Point Software Technologies published a report with the most active threats in March Global Threat Index. According to the rating, despite the fact that mining services such as Coinhive are closing, cryptominers are still the most common malware directed at companies around the world.

Red marks the countries with the highest malicious activity and the highest risks, green marks the countries with the lowest malicious activity and the lowest risks. Countries for which there is not enough data are marked in gray.

Coinhive and Authedmine services ceased operations on March 8 - and for the first time since December 2017, Coinhive lost the top position to the Global Threat Index. However, despite the fact that the cryptominer worked in March only for eight days, it ranked sixth among the most active threats. In moments of its most active work, Coinhive attacked 23% of organizations around the world.

Many sites still contain Coinhive JavaScript code, although they are no longer mining. Check Point researchers warn that Coinhive could easily resume operations if Monero's currency shows growth again. In addition, other cryptominers can take advantage of the lack of competition from Coinhive - and increase their activity.

Three of the five most active threats in March are cryptominers Cryptoloot, XMRig and JSEcoin. For example, Cryptoloot topped the threat rating for the first time, followed by the Emotet modular Trojan. Both attacked about 6% of companies around the world. The third most common is XMRig (5%).

quote '= Nikita Durov, CTO of Check Point Software Technologies in Russia and CIS ' Given the overall decline in cryptocurrency value since 2018, more and more crypto miners are likely to follow in Coinhive's footsteps and stop working. However, I suspect that cybercriminals will find ways to make money, such as focusing on mining in cloud environments, where the built-in auto-scaling feature allows even more cryptocurrency to be mined. We've seen organizations ask to pay hundreds of thousands of dollars to their cloud providers for computing resources illegally used by cryptominers. So companies should pay attention to cloud protection as soon as possible.

Top 3 most active malware ON in March 2019:

Arrows show a change in position from the previous month.

1. ↑ Cryptoloot is a cryptominer that uses CPU or GPU power and existing resources for crypto mining-adding transactions to the blockchain and issuing a new currency. Competitor Coinhive.
2. ↑ Emotet is an advanced, self-propagating modular Trojan. Emotet was once used as a banking Trojan, and more recently used as a delivery of other malware or malicious campaigns. It uses several methods to avoid detection. It is also distributed through phishing spam messages containing malicious attachments or links.
3. ↑ XMRig - Open source software first discovered in May 2017. Used to mine Monero cryptocurrency.

In April 2019, Hiddad became the most common mobile malware and removed Lotoor from the top spot. The Triada Trojan remains in third place.

The most active mobile threats of March 2019:

1. Hiddad - Modular backdoor for Android, which provides superuser rights for downloaded malware, and also helps to inject it into system processes. It can access key security details built into the OS, allowing it to obtain sensitive user data.
2. Lotoor is a program that exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices.
3. Triada - Modular backdoor for Android, which provides superuser privileges for downloaded malware, and also helps to inject it into system processes. Triada has also been spotted spoofing URLs downloaded in the browser.

Check Point researchers also analyzed the most exploited vulnerabilities. CVE-2017-7269 remained in first place (47%). Also in the top three leak information through repositories is web-Git servers (46%) and critical vulnerabilities OpenSSL TLS of the DTLS Heartbeat library (45%).

The Global Threat Impact Index and ThreatCloud Map are developed by ThreatCloud intelligence, the largest collaborative cybercrime network that provides threat and attack trend data from a global network of threat sensors. Containing more than 250 million addresses analyzed to detect bots, more than 11 million malware signatures and more than 5.5 million infected sites, the ThreatCloud database continues to identify millions of malware every day.

2018

Only one in five IT professionals knows about cryptomainers

On February 11, 2019, Check Point Software Technologies Ltd., a provider of cybersecurity solutions worldwide, released the second part of the 2019 Security Report. Tools used by cybercriminals have become more democratic, and advanced attack methods are now available to anyone willing to pay for them, according to the report.

The second part of the 2019 Security Report reveals key trends in cyberattacks in 2018 and shows a significant increase in hidden complex attacks designed to remain out of view of corporate security. In addition, the report refers to the types of cyber attacks that corporate IT and security professionals consider the biggest threat to their organizations.

Cryptominers go unnoticed online: in 2018, cryptominers hit 10 times more companies than, programs extortioners but only one in five IT security professionals knew about the infection of their companies' networks. malware

Organizations underestimate the risk of the threat of cryptomainers: only 16% of respondents called cryptomining the largest threat to the organization. This is a very low indicator compared to DDoS attacks (34% of respondents called them), data leakage (53%), ransomware (54%), and phishing (66%). Such results suggest that cryptominers can easily go unnoticed to download and run other types of malware.

Subscription malware is gaining popularity: the GandCrab Ransomware-as-a-Service partner program has proven that even amateurs can now profit from cyber power. Subscribers retain up to 60% of the ransom collected from the victims, and the program developers - 40%. As of February 2019, GandCrab has more than 80 active "affiliates," and during the two months of 2018, they attacked more than 50,000 victims and demanded between $300,000 and $600,000 in ransoms.

The second part of the Check Point 2019 Security Report shows how successfully cybercriminals are investigating hidden methods and business models to increase their illicit revenues and reduce risks. However, the fact that they went unnoticed does not mean that they are not at all: although cyber attacks were in the shadows during 2018, they are still destructive and dangerous. We continually conduct an analysis of current threats so that organizations can better understand the risks they face and how they can prevent them from impacting their business. , 'Vasily Diaghilev Head of Check Point Software Technologies Russia and CIS

The Check Point 2019 Security Report is based on data cyber crime ThreatCloud the Intelligence Network, which provides threat and attack trend data from a global network of threat sensors; data from Check Point studies over the past 12 months; and data from the latest survey of IT professionals and senior managers that assesses their preparedness for modern threats. The report looks at the latest threats to various industries and provides a comprehensive overview of trends observed in malware, data breaches, and cyber attacks in state damage. It also includes an analysis by Check Point experts to help organizations understand and prepare for the complex threat landscape.

Cryptominers attacked 37% of companies around the world

On January 30, 2019, it became known that Check Point Software Technologies Ltd., a provider of cybersecurity solutions worldwide, released the first part of the 2019 Security Report. The report highlights the main tools cybercriminals use to attack organizations around the world and provides cybersecurity professionals and company executives with the information they need to protect organizations from ongoing cyberattacks and Fifth Generation threats.

The 2019 Security Report reveals major malware trends and methods that Check Point researchers observed in 2018:

• Cryptominers dominate the threat landscape, with cryptominers consistently at the top four of the most active threat rankings and attacking 37% of organizations worldwide in 2018. Despite the decline in the cost of all, cryptocurrencies 20% of companies continue to be attacked by cryptomainers every week. Recently, this malware has ON evolved markedly to exploit high-level vulnerabilities and bypass sandboxes and other means protection to increase the intensity of infection.
• Mobile devices as a moving target: 33% of organizations around the world have been attacked by mobile malware, with three major threats targeted at. In OS Android 2018, there were several cases when mobile malware was pre-installed on devices, and those applications available in app stores actually turned out to be hidden malware.
• Multi-vector botnets launch a chain of attacks: bots were the third most common type of malware: 18% of organizations were attacked by bots that are used to launch DDoS attacks and distribute other malware. Almost half (49%) of organizations subjected to DDoS attacks in 2018 were infected with botnets.
• The fall in the share of ransomware: ransomware use declined sharply in 2018, affecting only 4% of organizations worldwide.

From the rapid growth of cryptomining to massive data breaches and DDoS attacks, we saw the full range of cyber attacks on organizations in 2018. Attackers own a wide range of options to attack and profit from organizations in any industry, and in the first part of our annual report, we described the increasingly secretive methods they use. These multi-vector, fast-spreading, large-scale fifth-generation Gen V attacks are becoming more and more frequent, and organizations need to adopt a tiered cybersecurity strategy that prevents these attacks from taking possession of their networks and data. , 'Vasily Diaghilev Head of Check Point Software Technologies Russia and CIS

The Check Point 2019 Security Report is based on data from ThreatCloud intelligence, a large collaborative cybercrime network that provides

• Threat and attack trends from a global network of threat sensors
• data from Check Point studies over the past 12 months;
• data from the latest IT and senior management survey that assesses their preparedness for today's threats.

University has completely shut down its network to remove viruses for hidden bitcoin mining

The cyber attack on the University of St. Francis Xavier, located in the city of Antigonish (Canada), which began on November 1, 2018, led to the fact that the institution had to close access to its network for almost a week. Malicious software for hidden mining of cryptocurrency was found in computer systems. Read more here.

The number of hidden mining attacks is growing and decreasing following fluctuations in cryptocurrency rates

On November 2, 2018, it became known that the company's analysts Avast recorded an interesting trend: the number attacks associated with the use harmful ON of mining browser in in is Russia growing and decreasing following fluctuations in rates, Bitcoin Monero and others. cryptocurrencies In September 2018, it became cryptojacking more active - probably due to the expected increase in the value of cryptocurrencies by the end of 2018. Thus, attackers intensify illegal mining at a high rate on crypto exchanges and limit this activity when the rate decreases.

Following the decrease in the value of cryptocurrencies in 2018, the level of hidden mining in Russia also decreased. In August, only 1.7 million such attacks were recorded. In September 2018, their number increased again - to 5.1 million.

There are really interesting parallels between the activity of attempts to infect browsers with hidden miners and the cost of cryptocurrencies, for example, Bitcoin and Monero. Obviously, cybercriminals plan their activities taking into account the popularity and courses of these digital assets. Over the past few months, the number of attacks has decreased - as has the cost of most cryptocurrencies. In September 2018, a slight increase in this activity was recorded. Most likely, the attackers are counting on an explosive rise in the price of cryptocurrencies, which was the case in 2017. One reason cybercriminals are ramping up attacks at a time of rising cryptocurrency rates is that they, too, are incurring costs. They need to maintain their own sites, improve algorithms for infecting other resources, and maintain command servers. That is why mining is profitable only at certain periods of time - for example, with a high rate of cryptocurrencies in relation to the usual rate

Avast threat detection technology based on the artificial intelligence solution, Avast Free Antivirus as well as secure script detection mechanisms browserAvast Secure Browser , recognizes infected sites and protects Avast users from attacks by cybercriminals.

Crypto-jacking malware is injected into web page code through a browser in the form of mining scripts. When a user visits such a site, the script begins to use the computing power of his computer to mine cryptocurrencies. The negative consequences of such attacks are large energy bills, poor device performance, reduced efficiency, as well as an overall reduction in the life of computers, smartphones and smart TVs. The miner runs in a browser, so any device that has such an application can be infected.

There are two ways to add a malicious script to the code: cybercriminals can hack someone else's site or create their own mining resource. Typically, attackers mine Monero, as this cryptocurrency provides greater anonymity and privacy for owners than Bitcoin and other digital assets. The Monero mining algorithm was specially designed for use on conventional computers, while special equipment is needed to mine currencies such as Bitcoin. Nevertheless, Monero and Bitcoin are designed for most malware, since the ready-made scripts are freely available.

Cybercriminals are also developing malicious miners for emerging cryptocurrencies. This model is attractive in that after the initial placement of tokens, they are at the peak of their value, and only then their course begins to decline. Attackers almost immediately exchange emerging cryptocurrencies mined using illegal mining for already established ones, and then monetize them rubles in or. dollars USA

Crypto printer attacks on Apple iPhone

On October 17 Check Point Software Technologies , 2018, Ltd., a solution provider, cyber security released the September 2018 Global Threat Index report. The researchers note that the number of attacks miners cryptocurrencies on devices Apple iPhone has increased by almost 400%. Attacks are carried out using the malicious ON Coinhive, which has been at the top of the Global Threat Index since December 2017. More. here

Nearly a quarter of companies have experienced crypto-jacking malware

On September 20, 2018, Fortinet presented the results of the latest worldwide threat study. According to the study, recently cybercriminals have been using more inventive exploit strategies and acting more quickly. In addition, they achieve maximum effectiveness of their criminal activities by using the next directions of attacks and improve their methods using an iterative approach. The main conclusions outlined in the report are:

• The target of a dangerous exploit can be any company. As of September 2018, the identified critical threats and attacks of high severity can be said to be an alarming trend: 96% of firms have faced serious threats at least once. No firm is fully immune to the risks of ever-evolving attacks. In addition, almost a quarter harmful ON of companies have encountered cryptojacking. Only six types of malware were used to defeat more than 10% of corporate networks. Also over the past quarter, FortiGuard Labs identified 30 zero-day vulnerabilities.
• Cryptojacking began to pose a threat to IoT consumer devices. Cybercriminals continue to mine cryptocurrencies. Their goals included IoT devices, including consumer multimedia devices. They are especially attractive to attackers due to the large computing power that can be used to achieve criminal goals. Attackers use these permanently connected devices to their advantage by downloading malware designed for continuous mining. In addition, the interfaces of such devices are used as modified web browsers, which exacerbates their vulnerability and contributes to the emergence of the next directions of attack. As this trend spreads, segmentation will become increasingly important for the security of devices connected to corporate networks.
• Trends in the development of botnets testify to the ingenuity of cybercriminals. Data on trends in the development of botnets gives an idea of ​ ​ the approaches by which attackers increase the effectiveness of existing attacks. Another variant of the Mirai botnet, known as WICKED, includes at least three exploits aimed at defeating vulnerable IoT devices. Also a major threat is the state-sponsored advanced VPNFilter attack, which targets SCADA/ICS environments by monitoring MODBUS SCADA protocols. This is especially dangerous, since the technology developed by attackers not only extracts data, but can also lead to a complete loss of performance of both individual devices and their groups. The Anubis threat, a type of Bankbot family threat, is equipped with a number of next technologies. It supports the functions of ransomware, keylogger, RAT, SMS interception, screen lock and call forwarding. In the face of increasingly sophisticated, ever-changing attacks, it is imperative to monitor trends with current threat data.
• Use of flexible malware development technologies by attackers. Malware developers have long used the property of polymorphism to bypass attack detection mechanisms. As 2018 trends show, criminals are increasingly turning to flexible development techniques to complicate malware detection and counteract anti-malware tactics. In 2018, many versions of the GandCrab threat were discovered, and the developers of this malware regularly update it. Thus, the risk factors include not only the automation of attacks using malware, but also the use of flexible development technologies, which indicates the high qualification of attackers in creating more secretive versions of attacks. Countering the flexible development methods used by criminals requires the introduction of advanced threat detection and protection functions that can eliminate the most vulnerable vulnerabilities.
• Effectively defeat vulnerabilities. Attackers show great selectivity in choosing goals. As of September 2018, in an analysis of exploits in terms of the prevalence and number of cases of their detection, it was found that in practice, criminals exploit only 5.7% of known vulnerabilities. If the vast majority of vulnerabilities are not exploited, it is more advisable to direct efforts to develop a preventive strategy for eliminating vulnerabilities that often become agents of attacks.
• Use applications in educational and state institutional settings. Based on the results of comparing the indicators for 2018 of application use in various industries, it can be concluded that SaaS the frequency of application use in government agencies is 108% higher than the average level. As of September 2018, in terms of the total number of daily applications used, formations the industry is second only to the sphere: this value is 22.5% and 69% higher than the average, respectively. The likely reason for higher application usage in these two industries is the increased need for a wider variety of applications. Organizations in these areas need an approach safety that overcomes application silos by enabling monitoring and security management across locations, including multi-cloud application deployment environments.

According to the company, countering developing attacks requires the introduction of an integrated security system equipped with a threat data collection function. The results of the study confirm many of the forecasts for 2018 released by the FortiGuard Labs threat research department. The key to effective threat protection is an adaptive network security system that covers all areas of attack and consists of integrated components. This approach enables large-scale collection and rapid exchange of current threat data, accelerates their detection, and supports automated response to modern attacks in various directions.

The Fortinet Worldwide Threat Research Report was reported to present data collected by FortiGuard Labs through an extensive network of sensors from April to May 2018. Data were collected on a global, regional, sectoral and organizational scale. The focus was on three interconnected types of threats: exploit applications, malicious software and botnets. The report also provides information about the main zero-day vulnerabilities and an overview of infrastructure trends that can identify patterns of cyber attacks over time and prevent future attacks aimed at organizations.

Experts warned of a new threat of criminal cryptomining

Cybersecurity experts warn of the threat of malicious applications containing hidden code and capable of hijacking mobile devices for illegal mining. These can be either crypto-jacking attacks or programs with Trojan code. Despite the fact that interest in cryptocurrencies is slowly declining, the danger of infection of gadgets is high. According to Kaspersky Lab, the number of users who encountered criminal miners in 2017-2018. increased by 44.5% compared to 2016-2017. The number of malicious objects for mobile devices in the first half of 2018 increased by almost 74% compared to the first half of the previous year^[9].

Mining cryptocurrency can make a profit, but at the same time requires high initial investments and is accompanied by serious energy costs. This prompted hackers to find alternative solutions and, in particular, to use smartphone processors. The computing power of mobile phones available to attackers is relatively small, but there are a lot of such devices and, therefore, in the aggregate, they provide a lot of potential, while leaving smartphone owners with energy and wear costs. Most often, fraudsters use several device infection schemes for criminal mining.

Interest in hidden cryptocurrency mining is waning

Cybercriminals' interest in illegal mining is gradually weakening as a result of lower cryptocurrency prices, according to a report published by MalwareBytes Labs^[10][11][12]].

According to the report, despite the fact that the so-called cryptojacking (the practice of using the computing power of a computer to mine cryptocurrency without the consent or knowledge of the owner) remains relatively popular, there is a tendency to reduce the number of incidents related to this method.

"We do not know which cyber threat will become the most popular in the next quarter, but it is unlikely that it will be illegal mining of cryptocurrencies," the researchers noted.

As follows from the report, attackers are losing interest in this method due to insufficient income. The recent decline in activity mainly concerns ordinary users, in particular, the number of cases of detection of malicious programs for mining crypto currency for, OS Windows but the total number of incidents for the quarter remains relatively high.

After a massive surge in activity at the end of Q1 2018, the number of miners for Android devices also declined, according to the report. At the same time, in the second quarter, almost 2.5 times more cases of detection of miners for mobile devices were recorded.

According to the report, activity related to the Coinhive service, which allows mining cryptocurrency in the user's browser, remains relatively high. In addition, other similar services appear, such as Cryptoloot. According to experts, attackers are increasingly "using open source browser miners and adapting them for their needs."

Chinese hackers hacked more than 1 million computers to mine cryptocurrency

In July 2018, it became known that Chinese police officers arrested 20 members of a criminal group that hacked and infected users' computers with cryptocurrency miners. According to local media reports, in two years, attackers who were employees of a company specializing in computer technology earned more than $2 million in cryptocurrency^[13].

Hackers gained access to computers using custom plugins, allegedly helping to strengthen the security of the device or increase its performance. Plugins were distributed through pop-up advertisements.

Criminals chose to mine a lesser-known cryptocurrency, in particular, DigiByte, Decred, Siacoin, since it takes less computing power to mine coins. Hackers hoped that when less than 50% of resources were used, their activities would go unnoticed by users or antivirus solutions.

Japan given prison sentence for hidden mining for first time

In early July 2018, it became known about the first case when they gave a real prison sentence for crypto-jacking.

According ZDNet to the portal, citing Kahoku, a 24-year-old resident Japan of Yoshida Shinkaru was found guilty of illegal mining of cryptocurrencies using users' computers without their consent.

According to the Bitcoin.com website , citing an anonymous source, Shinkaru used the Monero - Coinhive cryptocurrency mining script to include it in the gaming cheat utility. This program, which was posted on the miner's blog, was downloaded only 90 times before it was exposed.

In early July 2018, it became known about the first case when they gave a real prison sentence for crypto jacking

Coinhive is originally used as an advertising tool and is usually embedded in a browser, however, Shinkaru used the tool as a downloadable component. Even in this case, it was not difficult to prove the corpus delicti. Many ad blockers have long disconnected Coinhive from the browser.

Yoshida Shinkaru conducted illegal mining of cryptocurrencies from January to February 2018 and during this time was able to earn only 5 thousand yen (about $45). Despite the small amount of earnings, the unlucky user was sentenced to a year in prison with a three-year suspended sentence. That is, the accused Japanese citizen will remain at large, but if he violates the conditions of a suspended sentence, he will go to jail for a year.

It is worth saying that the use of cheat tools in online games in Japan is illegal because they are prohibited by the law on countering unfair competition.

The 24-year-old Japanese became the first convicted of using Coinhive, which could now become a precedent. The fact is that at the end of June 2018  , 16 more people were detained in Japan who were also engaged in crypto-jacking. They are suspected of hacking sites and embedding compromised Coinhive script resources in the code.^[14]

Cryptominers attacked 40% of organizations worldwide

According to a May 2018 lobal Threat Impact Index report by Check Point Software Technologies, a cybersecurity solutions provider, cryptomainer Coinhive attacked 22% of organizations. Thus, compared to April (16%), the number of attacks increased by almost 50%.

For the fifth month in a row, the top 10 active malwares Check Point Global Threat Index has been topped by a cryptominer. In May, Coinhive still retains the primacy among the most common malware. Another cryptominer Cryptoloot is in second place (11%), in third place is the malicious advertising ON Roughted (8%).

Check Point researchers also note that cybercriminals continue to exploit uncovered server vulnerabilities MicrosoftWindows Server 2003 (CVE-2017-7269) and Oracle WebLogic (CVE-2017-10271) to attack corporate networks. Globally, 44% of organizations have been attacked by vulnerabilities in Microsoft Windows Server 2003, 40% by Oracle WebLogic, and 17% by SQL code injection, the Check Point report said.

In general, malicious cryptomining affected almost 40% of organizations in May and continues to be the most common cyber threat, the company's experts concluded. Obviously, attackers consider this method profitable and effective.

The most active malware in May 2018 was named:

• CoinHive is a cryptominer designed to mine Monero cryptocurrency without the user's knowledge when he visits websites.
• Cryptoloot is a cryptominer that uses the victim's CPU or video card power and other resources to mine cryptocurrency, the malware adds transactions to the blockchain and releases new currency.
• Roughted is a large-scale malicious advertising campaign that is used to spread malicious sites, exploit whales and ransomware. It can be used to attack platforms of any type and any OS, and is also able to withstand ad blockers to provide the widest coverage.

In the ranking of the most active malware for attacks on Russian organizations, the already mentioned cryptominers are located. Thus, the most active malware was the malicious cryptominers Cryptoloot (40%) and Coinhive (36%), followed by a set of Rig EK exploits (21%) in third place.

Lokibot, the Android banking Trojan that grants superuser privileges to download malware, became the most popular malware used to attack organizations' mobile devices in May, followed by Triada and Lotoor.

The most active mobile malware of May 2018:

• Lokibot is a banking Trojan for Android that steals user data and demands a ransom for it. Malware can block a phone if you remove its administrator rights.
• Triada is a modular backdoor for Android that gives huge privileges to downloaded malware.
• Lotoor is a hacking tool that exploits vulnerabilities in the Android OS to gain superuser privileges on hacked mobile devices.

Check Point researchers also analyzed the most exploited vulnerabilities. In the first place is the CVE-2017-7269 vulnerability (Microsoft IIS WebDAV ScStoragePathFromUrl receive buffer overflow) with a global coverage of 46%, then CVE-2017-10271 (remote execution of Oracle WebLogic WLS code) - 40%, in third place is a SQL injection vulnerability affecting 16% of organizations worldwide.

Applications with hidden miners on Google Play downloaded hundreds of thousands of times

In early April 2018, the antivirus company Kaspersky Lab announced the presence of applications in the Google Play catalog that secretly mine cryptocurrency from users. Some of these programs have been downloaded more than 100 thousand times, according to ZDNet.

Among the applications with built-in cryptocurrency miners are games, VPN services and a program for broadcasting sports broadcasts.

Applications with hidden miners found on Google Play

One of these applications - PlacarTV with the Coinhive miner, which mines Monero cryptocurrency, built into it - has been downloaded more than 100,000 times from Google Play. PlacarTV was removed from the store only after Kaspersky Lab experts pointed out its danger.

However, not all such unwanted programs are quickly removed from Google Play. Thus, the application for creating a VPN connection Vilny.net, which, according to Kaspersky Lab, also has a miner built in, is still available for download by the time of writing the article.

Interestingly, it Vilny.net the charge level of the device and its temperature - thus the risk of detection is reduced to a minimum. The application downloads the miner executable from the server and runs it in the background. Vilny.net downloaded more than 50 thousand times, most of the downloads fell on Russia and Ukraine.

Experts explain the particular danger of the detected cryptominers by the fact that the programs really perform the useful functions declared in the description, and therefore the work of the hidden module is difficult to notice. For example, miners were built into programs designed, judging by the official description, to watch football.

In order not to become a victim of illegal mining, Kaspersky Lab recommends doing the following: pay attention to unreasonable discharge or strong heating of the device, check the reputation of developers before downloading the program and use antivirus.^[15]

42% of companies worldwide affected by cryptomining

According to Check Point Software Technologies, a provider of cybersecurity solutions, illegal cryptocurrency mining affected 42% of companies worldwide in February 2018. Information about this is contained in the Global Threat Impact Index report.

Check Point researchers have identified three different variants of malicious cryptominers that are in the top 10 active malware. The first place in the ranking is retained by CoinHive, which attacked every fifth organization in the world. Cryptoloot rose to second place, in February a malicious miner attacked twice as many companies as in the previous month. According to Check Point, 7% of organizations suffered from Cryptoloot in January, and already 16% in February. Following the cryptominers is a set of Rig EK exploits, which took third place in the rating thanks to attacks on 15% of companies in the world.

Over the past four months, we have seen a noticeable increase in the distribution of cryptominers. This constant threat significantly slows down PCs and servers, "said Maya Horowitz, group leader at Threat Intelligence, Check Point Software Technologies. - Once penetrated into the network, cryptominers can also be used to perform other malicious actions. That is why it is more important than ever for companies to apply a multi-level cybersecurity strategy that will protect against known malware and mark new threats.

According to Check Point, in February 2018, the number of attacks on Russian companies remained at the same level. Russia took 73rd place in the Global Threat Index, while Coinhive and Cryptoloot also entered the top 3 active malware attacking Russian organizations.

Botswana, Cameroon and New Caledonia were the most attacked in February. The least attacked were Liechtenstein, Guernsey and Kyrgyzstan.

The most active mobile malware in February 2018 was:

• Triada is a modular backdoor for Android that gives huge privileges to downloaded malware.
• Lokibot is a banking Trojan for Android that steals user data and demands a ransom for it. Malware can block a phone if you remove its administrator rights.
• Hiddad is a malware for Android that repackages legitimate applications and then implements them in third-party stores.

Check Point specialists noted on the map the level of cyber threats by country (green - low risk; red - high; white - not enough data):

ThreatCloud Map

The Global Threat Impact Index and ThreatCloud Map are developed by ThreatCloud intelligence, a collaborative cybercrime network that provides threat and attack trend data from a global network of threat sensors. ThreatCloud Data Base contains more than 250 million addresses analyzed to detect bots, more than 11 million malware signatures, and more than 5.5 million infected sites.

Hackers will mine with household appliances

Main article Smart home

Experts from the American analytical company Stratfor came to the conclusion that hackers will be able to use a "smart home" for mining in the future, cryptocurrencies according to February 2018. "" News^[16]

The danger threatens all devices included in the smart home system. Presumably, hackers will be able to mine through a direct attack or by infecting technology with a virus.

"Hackers will be able to connect to any device, be it a lighting appliance or a dishwasher: this way hackers have a central node, to which they will direct their attack," said Scott Stewart, vice president of the company.

Analysts also believe that hackers will be primarily interested in software assistants, since they have full access to the user's technique.

Every fifth company suffered from cryptomainers

According to the 2017 Check Point Software Technologies Global Threat Intelligence Trends report for the second half of the year (July-December), cybercriminals are increasingly using cryptominers, and organizations around the world continue to be attacked by ransomware and malicious advertising programs. So, according to researchers, for the period from July to December 2017. One in five companies suffered from illegal cryptocurrency mining. With this malware, cybercriminals gain access to the resources of the central processor or video card on the victim's PC and use them to mine cryptocurrencies. The consumption level can reach 65% of CPU power.

Key trends in cyber threats:

• The excitement around cryptocurrency mining.
  • Cryptominer programs are most often used to mine cryptocurrency for personal purposes. However, due to the growing public attention to virtual money, the mining process, which directly depends on the number of cryptocurrency owners, has slowed down. As a result, mining requires a lot more computing power, prompting hackers to come up with new ways to illegally use resources.

• Exploits are losing popularity.
  • A year ago, exploit whales were one of the main vectors of attacks. However, in 2017, they were used much less often because platforms and programs that were already victims of exploits improved their protection. The "expiration date" of new exploits is also reduced thanks to the prompt joint actions of security vendors and software developers and automatic software updates.

• The rise of fraud and malicious spam.
  • During 2017, the ratio between malware that uses HTTP and STMP protocols shifted towards SMTP. The volume of such attacks rose from 55% in the first half to 62% in the second. The popularity of these distribution methods has attracted the attention of experienced hackers. They use their skills to hack documents, especially Microsoft Office.

• Mobile malware has reached the enterprise level.
  • During 2017, attacks were recorded on companies whose sources were mobile devices. Thus, smartphones and tablets infected with the MilkyDoor malware were used as intermediary servers to collect confidential data from the corporate network. Another example of mobile threats is the Switch malware, which tries to hack into network elements (for example, routers) and redirect traffic to a server controlled by hackers.

Among other cyber threat trends, Check Point also noted the following:

• ransomware that emerged back in 2016 remains a major threat. They are used both for large-scale attacks around the world and for targeted attacks on specific organizations.
• 25% of hacks in the marked period were made through vulnerabilities discovered more than a decade ago.
• Less than 20% of attacks were conducted through gaps in defense, which are known for about two years.

Top 3 malware

1. Roughted (15.3%) is a large-scale malicious advertising campaign that is used to spread malicious sites, exploit whales and ransomware. It can be used to attack platforms of any type and any OS, and is also able to withstand ad blockers to provide the widest coverage.
2. Coinhive (8.3%) is a cryptomainer program developed for online mining of Monero cryptocurrency without the user's knowledge when visiting certain sites. The Coinhive malware appeared only in September 2017, but has already infected 12% of organizations around the world.
3. Locky (7.9%) - The ransomware, which appeared in February 2016, is distributed mainly through spam emails containing a bootloader disguised as a Word or Zip attachment, which then downloads and installs malware that encrypts user files.

Top 3 ransomware

1. Locky (30%) - The ransomware, which appeared in February 2016, is distributed mainly through spam emails containing a bootloader disguised as a Word or Zip attachment, which then downloads and installs malware that encrypts user files.
2. Globeimposter (26%) is a ransomware disguised as a Globe ransomware ransomware. It was discovered in May 2017 and distributed through spam campaigns, malicious ads and exploit whales. After encryption, the program adds the.crypt extension to each encrypted file.
3. WannaCry (15%) is a ransomware that became widespread during a large-scale attack in May 2017. It is distributed over networks using an exploit for a Windows Server Message Block (SMB) called EternalBlue.

Top 3 mobile malware

1. Hidad (55%) is a malware for Android that repackages legitimate applications and then sells them in third-party stores. Its main function is to display ads, but it can also access key security settings built into the operating system, allowing an attacker to obtain sensitive user data.
2. Triada (8%) is a modular backdoor for Android that gives huge privileges to downloaded malware so that they can infiltrate system processes. Triada was also seen spoofing URLs loaded in the browser.
3. Lotoor (8%) is a hacking tool that exploits vulnerabilities in Android operating systems to gain root access on hacked mobile devices.

Top 3 malware for banks

1. Ramnit 34% is a banking Trojan that steals bank customer account data, FTP passwords, session cookies and personal data.
2. Zeus 22% is a Trojan that attacks devices on the Windows platform and is often used to steal banking information using human-in-browser technologies - keylogging and capturing form content.
3. Tinba 16% is a banking Trojan that steals user account information using web injections. They are activated when a user tries to go to the website of his bank.

WannaMine Miner Virus

The ransomware virus, WannaCry which was actively parasitized in 2017, was replaced by the updated WannaMine miner virus, reports Gazeta.ru"."

He, too, is successfully engaged in illegal mining of cryptocurrency at the expense of other people's computer power. WannaMine, like its predecessor WannaCry, was based on the EternalBlue exploit base. This program, which finds vulnerabilities in the software, was also the "creator" of the Petya virus. EternalBlue is believed to have been created at the US National Security Agency. The virus infects users' PCs for the purpose of hidden mining of Monero virtual currency.

There are many ways of infection: WannaMine can get to the device through the installed file or by direct attack on the PC. Next, the virus uses the Mimikatz tool to obtain data. If it is not possible to hack the system, the virus will use the notorious exploit. If the computer is connected by a local or corporate network with other equipment, then WannaMine uses this feature to infect other PCs.

In addition to the fact that the virus illegally mines, it greatly reduces the performance of equipment. It should be noted that antiviruses do not detect it and, moreover, do not eliminate it. If the virus was detected, the only sure way to get rid of it is to back up all the data, format the drive, and then reinstall the operating system and programs.

Hidden cryptocurrency miners found on YouTube

They learned to mine cryptocurrency even on the most popular YouTube video hosting, Arstechnica ^[17] reported].

Mining cryptocurrencies at the expense of the power of other people's computers is carried out using advertising. Programmers embed special code in advertising messages through the platform DoubleClick from the company, Google while allowing them to extract currency using the CoinHive service.

When users watch a video with this malicious code, scammers mine Monero cryptocurrency at their expense. In turn, these users get a lot of pressure on their computers.

Ordinary users were able to detect this scheme using an antivirus program. Avast After that, Google blocked access to the corresponding advertisements.

Check Point: Crypto miners attacked 55% of companies in the world

Check Point recorded a sharp increase in the spread of cryptocurrency mining malware in December. Check Point researchers found that cryptominers attacked 55% of companies worldwide in December. At the same time, 10 varieties of this malware were in the top 100 most active cyber threats, and two of them entered the top three. Using cryptominers, attackers seize control of a CPU or video card and use their resources to mine cryptocurrency.

Check Point found that cryptocurrency mining malware was purposefully injected into popular websites without the knowledge of users, most of these sites are streaming media services and file sharing. Although mostly legal, such services can be hacked to generate more power and generate revenue using up to 65% of the user's CPU resources.

"Users are increasingly using ad blocking software, so websites are using cryptocurrency mining software as an alternative source of revenue," said Maya Horowitz, Threat Intelligence Group Leader at Check Point Software Technologies. - Unfortunately, this often happens without the knowledge of users whose processors are used for cryptomining. We will probably watch this trend pick up in the next few months. "

In December, cryptocurrency mining software CoinHive moved malicious RoughTed ads from the lead, while the Rig ek exploit suite retained second place in the ranking. The new cryptominer Cryptoloot closed the top three most active malware in December, entering the top 10 for the first time.

Check Point experts identified key trends in cyber threats in the second half of 2017:

• The excitement around cryptocurrency mining. Cryptominer programs are most often used to mine cryptocurrency for personal purposes. However, due to the growing public attention to virtual money, the mining process, which directly depends on the number of cryptocurrency owners, has slowed down. As a result, mining requires a lot more computing power, prompting hackers to come up with new ways to illegally use resources.
• Exploits are losing popularity. A year ago, exploit whales were one of the main vectors of attacks. However, in 2017, they were used much less often, because platforms and programs that were already victims of exploits improved their protection. The "expiration date" of new exploits is also reduced thanks to the prompt joint actions of security vendors and software developers and automatic software updates.
• The rise of fraud and malicious spam. During 2017, the ratio between malware that uses HTTP and SMTP protocols shifted towards SMTP. The volume of such attacks rose from 55% in the first half to 62% in the second. The popularity of these distribution methods has attracted the attention of experienced hackers who have more advanced hacking practices. They use their skills to hack documents, especially Microsoft Office.
• Mobile malware has reached the enterprise level. Over the past year, we have seen attacks on companies sourced from mobile devices. Thus, smartphones and tablets infected with the MilkyDoor malware were used as intermediary servers to collect confidential data from the corporate network. Another example of mobile threats is the Switch malware, which tries to hack into network elements (for example, routers) and redirect traffic to a server controlled by hackers.

The website of the Ministry of Health of Sakhalin was used to extract cryptocurrency at the expense of visitors

On the website of the electronic registry, through which you can enroll in a number of medical institutions on Sakhalin, a script has been working for an indefinite time that mines cryptocurrency using the computer resources of visitors to this resource. This discovery was made by one of the users of the news and service portal of Sakhalin and the Kuriles sakh.com^[18] of^[19].

After contacting this user in the regional Ministry of Health, the script from the site was removed. "How many users" sacrificed "their resources for the sake of enriching the enterprising system administrator of the registry or an unknown attacker has not been established," the sakh.com news resource reports sakhalin.info. -

A JavaScript file has been injected into the site. It worked only while the user had a tab with the site open, it had no effect on the device after disconnecting from the portal, "said one of the programmers Sakh.com.

According to his colleagues, most likely the malicious code mined monero cryptocurrency - electronic coins with unconventional cryptography to ensure increased anonymity of users.

2017

Facebook messenger used for mining

Unknown hackers hacked into the messenger of a popular social network and launched a mining virus in its program, according to the Coinspot portal^[20].

Specialists from TrendLabs, heads of cybersecurity, have discovered a new virus. This virus, a bot miner, is activated when using Facebook Messenger. Using the resources of the gadget, the virtual miner pumps Monero cryptocurrency. It has already been given a name - Digmine.

Digmine is contained only in the desktop version of Messenger, in the file "video_xxxx.zip". Immediately when the application is opened, the virus pumps the components necessary for mining, and then begins to mine virtual currency. But nothing ends there: the cybervirus also installs the desired extension in the Chrome browser, thanks to which it gains access to data on Facebook, then it is transmitted further over the Internet.

Digmine was originally discovered in South Korea, then it appeared in other countries: Azerbaijan, Ukraine, Vietnam, the Philippines, Thailand and Venezuela. The spread of malware is very fast, and experts believe that the bot will soon find itself in other countries. The infection itself is committed through links to video files in the Google Chrome browser and the Facebook Messenger application.

Opera will have a function of protection against cryptocurrency miners

Main article: Opera Web Browser

Opera will be the first browser to provide protection against miners built into sites and using the power of users' computers to mine cryptocurrency. A feature called NoCoin is in development at the end of 2017, Bleeping Computer reported. It is included in Opera 50 Beta RC and should appear in the stable version of Opera 50, which will be released in January 2018.

WiFi provider for Starbucks infected visitors with device mining application

Renowned global coffee chain Starbucks has been spotted in a nasty cryptocurrency incident. It turned out that in the capital of Argentina, Buenos Aires, a coffee shop provider used Wi-Fi mining establishments. When connected to the free Internet, the CoinHive code, designed to mine cryptocurrency, was activated in customer technology, according to Cointelegraph^[21].

The head of the developer of the corporate mail service Stensul Noah Dinkin drew attention to this. During a visit to the cafe, he noticed a ten-second delay when connecting the laptop. When finding out the cause of the small problem, he revealed a special script code that is used to mine the Monero cryptocurrency.

After some time, a network representative assured users that the company had already dealt with this problem by going out communication with its Internet provider, and now customers can safely connect to the Internet without fear that their equipment will be used in any way. Also, the representative of Starbucks stressed that this problem concerned only the network in Buenos Aires, and this did not happen in coffee shops in other cities and other countries.

Cryptocurrency miner found on the official D-Link website

Security researchers from Seekurity have found a Javascript miner on the D-Link website (dlinkmea [.] com) that allows you to mine^[22] cryptocurrency^[23][24].

Researchers became aware of the problem after Facebook user Ahmed Samir reported that during a visit to the site, the load on the central processor increased sharply. Each time the page was opened, a separate domain with a hidden iframe element was loaded, containing a script that allows you to mine cryptocurrency right in the user's browser.

After the researchers notified D-Link of the incident, the company completely disabled the website and began redirecting users to the American version of the resource (us.dlink.com). According to the researchers, a complete shutdown of the site instead of deleting one line of code with a hidden iframe element may indicate a cyber attack on the D-Link portal.

Protection against cryptomainers may appear in Google Chrome

Engineers Google are considering adding browser Google Chrome special tools that will impede mining. cryptocurrencies

Discussions on the topic of miner programs built into sites and running directly in the browser have been going on in the company since mid-September 2017, when the first project of this kind was launched - Coinhive^[25].

According to one of the Chrome developers Ojan Vafai,^[26] is proposed to resist hidden miners] according to the following scheme: if a site uses more than X% of processor power within Y seconds, then such a page will be put into "energy-saving mode," in which the activity of all suspicious processes will be severely limited. A pop-up notification is then displayed to allow the user to disable this mode. If the tab in "energy saving mode" is inactive, the processes are completely stopped.

The use of this method is still under discussion and has not been officially approved by Google. According to company representatives, at the moment it is not possible to block the miners built into the sites completely, since mining software developers can easily modify the code to bypass the lock. For now, users can install extensions like AntiMiner, No Coin and minerBlock to block cryptomainers.

500 million computers used for secret cryptocurrency mining

The Pirate Bay torrent tracker was caught secretly mining cryptocurrency at the expense of users and, apparently, hundreds of other resources followed suit. According to Adguard^[27], 2.2% of sites from the Alexa TOP-100000 rating have adopted the practice and now use various miners designed to use the power of central computer processors to mine cryptocurrency^[28].

The most common cryptocurrency miners are CoinHive and JSEcoin.

In total, the researchers found 220 sites that start the mining process at the moment when the user opens the main page of the resource. In total, the audience of these sites is approximately 500 million users. According to Adguard estimates, these domains earned about $43 thousand in just three weeks without any costs. The largest number of "miners" sites was recorded in the USA (18.66%), India (13.4%), Russia (12.44%) and Brazil (8.13%).

Mainly among the sites that extract cryptocurrency at the expense of users, torrent trackers, pirated resources, sites "for adults," etc. Such dubious resources, as a rule, do not receive much money from advertising, so they are open to experiments and innovations, explained in a study by Adguard. Note that sometimes miners are also used on "white" resources - at the end of September, Showtime sites were caught in this practice. By the way, on September 11, the pirate resource The Pirate Bay again added the CoinHive code, but it cannot be disabled. According to experts, provided that the resource administration does not turn off the miner, The Pirate Bay will be able to earn about $12 thousand a month.

Gradually, antiviruses and ad blockers begin to block cryptomainer scripts. In this case, usually the user is given a choice - to block the miner or allow it to work.

Google Chrome extension secretly mines cryptocurrency

In the code of the popular SafeBrowse extension (version 3.2.25) for the Google Chrome browser in September 2017, a JavaScript script was discovered that forced users' browsers to mine cryptocurrency. The strange behavior of the extension did not go unnoticed, as the load on the central processor increased, which significantly affected the performance of the "infected" computer^[29].

The built-in Coinhive JavaScript Miner, a browser version of the CryptoNight algorithm used by Monero, Dashcoin, DarkNetCoin and other cryptocurrencies, was discovered in the source code of the extension. Currently, Coinhive JavaScript Miner only supports Monero mining.

This issue affects almost all users who have installed SafeBrowse. As it turned out, the SafeBrowse developers themselves were unaware of his strange behavior. According to them, the program has not been updated for several months, in connection with which, they suggested that we are talking about hacking. The authors of SafeBrowse understand the situation together with the Google team.

Mining cryptocurrencies instead of advertising on the Internet

In September 2017, it became known that sites were testing a new method of monetization instead of traditional advertising. We are talking about mining (mining) cryptocurrencies.

One of the world's largest torrent trackers , Pirate Bay, has started using its visitors' computers to mine Monero cryptocurrency. Hidden code has been used on some portal web pages as an alternative to advertising. The script is automatically launched when the page is opened and uses the visitor's computer power to mine cryptocurrency.

Screenshot of Pirate Bay page

As you may have noticed, we are testing JavaScript for Monero mining. This is only a test. We really want to get rid of ads. But we also need enough money to keep the site functioning, "Pirate Bay said in a blog post.

The site administration explains that the inclusion of a cryptocurrency script is an experiment aimed at finding out whether the tracker can make enough profit without using online advertising. By September 21, 2017, the Monero unit rate is about $94.

The Pirate Bay experiment began without warning users. The portal had to make an official statement after numerous complaints from site visitors about high processor utilization during a visit to the torrent tracker. Some users noticed that a JavaScript miner appeared in the site code, which caused a high load on computers. 

Later, representatives of the resource said that the high load on computers was caused by a technical flaw, and promised that in the future the script would use no more than 20-30% of the PC capacity and work only in one browser tab. According to representatives of Pirate Bay, the site may completely abandon traditional advertising in favor of cryptocurrency miners.^[30]

Kaspersky Lab data on the distribution of crypto-jacking

The number of hacker attacks related to cryptocurrency malware increased by 50% in 2017. Such data are cited in their research by Kaspersky Lab. The number of affected users amounted to 2.7 million people against 1.9 million a year earlier^[31].

At the same time, individual groups of hackers earned millions from this. The main ways to distribute miners were potentially unwanted applications distributed through partner programs, as well as scripts executed in the browser, like Coinhive. Only this script of the Laboratory program was blocked more than 70 million times.

Many groups of hackers attack not only ordinary users for the sake of increasing profits, but also large businesses that are attractive due to the presence of more computing power. For example, the Wannamine miner was distributed using the EternalBlue exploit on the internal networks of a number of companies, bringing its creators more than $2 million. Cybercriminals earned more than $7 million on botnet miners in the second half of 2017, the profit of one of the groups amounted to $5 million.

In September 2017, Kaspersky Lab experts found that today more than 1.65 million personal computers and other endpoints are infected with the so-called cryptocurrency miners.^[32]

The number of incidents involving mining Trojans has grown more than eightfold in the past four years. The peak came in 2016, when experts counted more than 1.8 million infections.

There is an epidemic of cryptocurrency miners Trojans in the world

Most often, the Trojan miners are engaged in the generation of two types of currencies - Zcash and Monero. Since both of these varieties of cryptocurrency support anonymous transactions, they take special advantage of cybercriminals. The Zcash currency was born only at the end of 2016, but has already gained a fair amount of popularity.

Several major operations were noted at once during 2017.

• In January, miner Monero began distributing with the Terror Exploit Kit
• Miner of little-known currency Adylkuzz was distributed using the NSA exploit EternalBlue
• The Bondnet botnet has distributed the Monero cryptomainer on 15,000 machines, mainly servers running Windows Server.
• The malware is Linux.MulDrop.14 generating cryptocurrencies on unprotected Raspberry Pi devices with access to the Web.
• The SambaCry exploit was used to distribute the EternalMiner miner on Linux servers.
• Miner Trojan.BtcMine.1259 used another NSA exploit - DoublePulsar - to infect Windows computers.
• The CoinMiner campaign used EternalBlue and WMI exploits to infect victims.
• A number of Amazon S3 servers fell victim to the Zminer Trojan.
• The CodeFork group used file-free malware to distribute the Monero miner.
• The Hacking Club group distributed Monero miners through the Neptune Exploit Kit.
• Cheat for the game Counter-Strike: Global Offensive infected MacOS users with a miner for Monero.
• Banking Trojan Jimmy has acquired miner functionality;

The reason for such a zealous distribution of miners is extremely simple, - notes Oleg Galushkin, security expert at SEC Consult Services. - Now there is a boom in cryptocurrencies, their rates against traditional currencies have skyrocketed, and cyberplayers see this as a good way to enrich themselves. In fact, they themselves shoot themselves in the foot, bringing closer the moment of the collapse of cryptocurrencies as a phenomenon. However, any crime "fast money" is more interested than possible strategic consequences.

It is worth noting that in addition to the above large operations, there are constantly many smaller enterprises for the distribution of cryptominers, and in general there is every reason to talk about a full-fledged epidemic.

Experts reported an increase in cybercrimes for mining in Russia

Kaspersky Lab (Kaspersky) revealed in the summer of 2017 several large botnets from thousands of infected computers for use in mining cryptocurrencies - the so-called mining.

Experts stated that recently the number of cybercrimes related to mining has increased. Hackers install special malware on the computers of citizens and organizations, which, without the knowledge of the owners, participates in the extraction of virtual currency.

According to experts, this most often happens through the installation files of any other programs downloaded by users on the Internet, as well as through vulnerabilities in ON^[33]

German Klimenko: 20-30% of all computers in Russia are infected with the virus for mining bitcoins

Advisor to the President of Russia on the Internet German Klimenko in an interview with RNS in July said that 20-30% of all computers in Russia are infected with a virus for mining bitcoins. "The regions are smaller due to the lack of traffic quality, but it is believed that 20-30% of devices are infected with this virus - iPhones and Macs are smaller," Klimenko explained to RBC.^[34]

Photo: ystav.com

According to him, we are talking about a business virus that steals data - for example, debit cards - and resells them. At the same time, users manually launch the virus on their devices - by installing various extensions.

The adviser to the President of Russia on the Internet also noted that installing viruses for mining cryptocurrencies is currently the most profitable business for hackers.

"The most common and most dangerous virus should be considered the virus that opens the server and puts a bitcoin mining program on it," German Klimenko pointed out, answering a question from an RNS journalist about whether to expect a more powerful repetition of a hacker attack of viruses similar to WannaCry.

Opinions of information security market players

Kaspersky Lab confirmed Klimenko's words about the prevalence of viruses - bitcoin miners, but did not provide data on the scale of infection.

"We do not have information about all computers in Moscow and Russia. We can only talk about our users. Among them, 6% in 2017 were attacked in order to install miners, which makes this a fairly common type of malicious programs, "said Anton Ivanov, an expert at Kaspersky Lab (quoted by Interfax).

As he added, the activities of such malware significantly affect the performance of computers, since they use the computing power of the device.

For his part, Vyacheslav Medvedev, a leading analyst at Dr.Web 's development department, told RBC that "if it were about 20-30%, it would be an epidemic, and everyone would know about it. There are mining infections, but it is impossible to say that a third of users are infected with them. " According to him, miners account for about a third of the percentage of all malware found.

Notes