
Tuesday, February 6, 2018

NEW MONERO CRYPTO MINING BOTNET LEVERAGES ANDROID DEBUGGING TOOL

A new botnet that distributes malware for mining Monero cryptocurrency has emerged, infecting Android devices through a port linked with a debugging tool for the OS, according to researchers at Qihoo 360 Netlab.
Dubbed ADB.Miner by 360 Netlab, the botnet is gaining entry to Android devices, mostly smartphones and TV boxes, through port 5555, which is associated with Android Debug Bridge, a command-line tool that is used for debugging, installing apps and other purposes.
ADB typically communicates with devices via USB, but it’s also possible for it to use Wi-Fi with some setup, according to Android documentation. The botnet propagates itself in “worm”-like fashion, looking for open 5555 ports on other devices, most of which are Android-based, 360 Netlab researcher Hui Wang said in a blog post.
Notably, it uses some port scanning code from the Mirai botnet, which is the first time Mirai code has been used to target Android devices, he claimed. Mirai, which emerged in August 2016, has historically been used to attack Linux devices.
Most of the Android devices being targeted by ADB.Miner are located in China and South Korea, but 360 Netlab is not identifying any of them at this time.
“Overall, we think there is a new and active worm targeting android system’s adb debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours,” Wang wrote. In fact, 5555 port scanning traffic has hit the top 10, according to 360 Netlab’s own scanning data.
The botnet is distributing malicious code that is mining Monero coins, but as of yet none have been paid out, according to Wang.
Cybercriminals have been increasingly turning to cryptocurrency mining via botnets, with Monero a favored target. Those behind the massive Smominru botnet have generated as much as $3.6 million since May through an army of more than 500,000 infected machines, according to Proofpoint.
Crypto mining botnets have clear advantages over other types of attacks, such as ransomware, since they don’t necessarily require social engineering and by their nature are meant to operate stealthily, stealing nothing from victims but CPU cycles. In fact, crypto miners may be the “new payload of choice” for cybercriminals, researchers at Cisco Talos said recently.
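The worm-like spread described above (an infected device scanning for other hosts with port 5555 open, which then scan in turn) is something a defender can look for in flow or firewall logs. The following is an added example, not code from the article or from 360 Netlab; the flow records and the "src dst dport" format are constructed, and the threshold of four distinct targets is an assumption.

```python
from collections import defaultdict

ADB_PORT = 5555  # TCP port used by ADB over the network, as cited in the article

# Constructed sample flow records in "src dst dport" form (not from the article).
# 203.0.113.7 sweeps several hosts on 5555; 192.0.2.10 is hit and then sweeps others.
SAMPLE_FLOWS = """\
203.0.113.7 192.0.2.10 5555
203.0.113.7 192.0.2.11 5555
203.0.113.7 192.0.2.12 5555
203.0.113.7 192.0.2.13 5555
203.0.113.7 192.0.2.14 5555
198.51.100.4 192.0.2.10 443
198.51.100.4 192.0.2.10 5555
192.0.2.10 192.0.2.11 5555
192.0.2.10 192.0.2.12 5555
192.0.2.10 192.0.2.13 5555
192.0.2.10 192.0.2.14 5555
"""


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, int(dport)) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def find_adb_scanners(flows, min_targets=4):
    """Sources that touched port 5555 on at least min_targets distinct hosts (sweep behaviour)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == ADB_PORT:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_possibly_infected(flows, scanners):
    """Hosts that were contacted on 5555 by a known scanner and then swept others themselves.

    This src->dst->others chain is the worm-like pattern the article describes."""
    hit = {dst for src, dst, dport in flows if dport == ADB_PORT and src in scanners}
    return {host for host in hit if host in scanners}
```

A host that shows up in the second set is a candidate for having ADB enabled over the network and should be checked and cleaned before it keeps spreading.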

CISCO ISSUES NEW PATCHES FOR CRITICAL FIREWALL SOFTWARE VULNERABILITY

Cisco has released new patches for a critical vulnerability in its Adaptive Security Appliance software after further investigation revealed additional attack vectors.
The company first announced the vulnerability, CVE-2018-0101, on Jan. 29. It received a Common Vulnerability Scoring System base score of 10.0, the highest possible, and was initially discovered by Cedric Halbronn from NCC Group.
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” said Omar Santos, principal engineer with Cisco’s product security incident response team, in a blog post. Cisco also found additional denial of service conditions. A “new comprehensive fix” is now available, Santos said.
The vulnerability is linked to ASA’s XML parser. An attacker could exploit it by crafting a malicious XML file and sending it through a vulnerable interface, whereupon they could “execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests,” Cisco said in its security advisory. Secure Sockets Layer (SSL) services or IKEv2 Remote Access VPN services must be enabled on an interface for the vulnerability to be exploited.
There are no known incidents of the vulnerability being exploited, but Cisco is urging customers to apply the updated patches. It now affects 15 products that run ASA software, including a wide range of Firepower Security Appliance versions, ASA 5500-X Series Next-Generation Firewalls and ASA 5500 Series Adaptive Security Appliances.
Cisco has come under fire for its handling of the situation. Sysadmin Colin Edwards, who blogs frequently on network and security issues, said far too much time had passed, 80 days by his measure, between when Cisco released its first patches for the vulnerability and when it published the security advisory.
“I can understand some of the challenges that Cisco and their peers are up against,” Edwards wrote. “[But] eighty days is a long time, and it’s a particularly long time for a vulnerability with a CVSS Score of 10 that affects devices that are usually directly connected to the Internet.”
“Yes, customers need to take responsibility for installing patches in a timely manner,” he added. “However, customers also need to have access to adequate information so that they can appropriately prioritize among myriad workloads.” The Jan. 29 advisory provided information that was “critical for customers to have at their disposal,” Edwards wrote.
Cisco published its security advisory immediately after finding out there was public knowledge of the vulnerability, which falls in line with its disclosure policy, Santos wrote: “Cisco recognizes the technology vendor’s role in protecting customers, and we won’t shy away from our responsibility to constantly be transparent with up-to-date information.”
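Because the advisory's precondition is that SSL or IKEv2 remote-access services are enabled on an interface, a quick way to triage which ASA devices to patch first is to read each device's running-config for those lines. The following is an added example, not Cisco's tooling or code from the article; it assumes the standard ASA syntax of a top-level `webvpn` block containing `enable <nameif>` and a `crypto ikev2 enable <nameif>` line, and the config excerpt is constructed.

```python
import re

# Constructed excerpt of an ASA running-config (not from the advisory or any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
!
"""

WEBVPN_ENABLE = re.compile(r"\s+enable\s+(\S+)")
IKEV2_ENABLE = re.compile(r"crypto ikev2 enable\s+(\S+)")


def parse_exposed_interfaces(config_text):
    """Return {nameif: {features}} for interfaces with SSL (webvpn) or IKEv2 remote access enabled.

    An empty result means the advisory's stated precondition is not met on this config."""
    exposed = {}
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        # Top-level (unindented) lines start or end the global 'webvpn' block.
        if not line.startswith(" "):
            in_webvpn = line == "webvpn"
        if in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                exposed.setdefault(m.group(1), set()).add("ssl-vpn")
            continue
        m = IKEV2_ENABLE.match(line)
        if m:
            exposed.setdefault(m.group(1), set()).add("ikev2-remote-access")
    return exposed


def is_exposed(config_text):
    """True if any interface has a service that the advisory lists as a precondition."""
    return bool(parse_exposed_interfaces(config_text))
```

Exposure on an interface is only the precondition; the fixed-release check in Cisco's advisory still decides whether a given ASA software version needs the updated patch.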

Saturday, February 3, 2018

CRYPTO MINERS MAY BE THE ‘NEW PAYLOAD OF CHOICE’ FOR ATTACKERS

By Christopher Kanaracus, 01/02/2018, on the Threatpost site.

Ransomware has been a favorite and time-tested tool for cybercriminals, but the rise of cryptocurrency has given them a broad new target with key strategic advantages, leading to a sharp uptick in crypto mining botnets, researchers at Cisco Talos say.
Attackers “are beginning to recognize that they can realize all the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks,” Talos researchers write in a new report.
One prominent example of a cryptocurrency mining botnet is Smominru, which has made as much as $3.6 million since May mining Monero, researchers at Proofpoint say.
Monero has emerged as a favorite among mining botnet creators, and an average-sized botnet of about 2,000 victims could mine about $200,000 worth of Monero per year, according to Talos’s report.
Mining cryptocurrency of any type is a compute-intensive process, which makes stealing CPU cycles from other machines, rather than making a large upfront investment in infrastructure and an ongoing one in electricity, a tempting prospect for criminals.
These botnets typically use pool-based mining, which pulls together the computing resources of all the infected systems. “This is similar to launching DDoS attacks, where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker’s control,” Talos says.
But in sharp contrast to DDoS attacks, the goal of a successful crypto botnet is to remain undetected, allowing it to run for months or even years, generating cash for its owners all the while.
To that end, attackers are learning and adapting as time goes on, specifying parameters aimed at hiding the botnet malware on infected systems. For example, limits can be put on CPU usage and system temperature. “If the mining software is executed without these options, victims might notice significant performance degradation on their systems,” Talos’s researchers write.
Mining software is typically distributed via spam emails that contain attachments such as malicious Word documents. Talos found an example from late 2017 that used a job application spoof.
Attackers are also using exploits to take advantage of vulnerabilities. One high-profile example came in December when hackers exploited vulnerabilities in Oracle WebLogic and PeopleSoft systems to install Monero miners, generating more than $200,000 before being discovered.
Another reason mining botnets are coming into favor is that they’re the “polar opposite” of ransomware from a management perspective, since once systems are infected there is no command-and-control activity involved, Talos adds.
None of this is to say that ransomware is going away, as it will remain effective for more targeted attacks, “but as a payload to compromise random victims, its reach definitely has limits,” they wrote. “Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money and crypto mining is an effective way to generate revenue.”