Researchers Say 50,000 Servers Worldwide Infected With Privacy Coin Cryptojacking Malware

Published at: May 29, 2019

As many as 50,000 servers worldwide have allegedly been infected with an advanced cryptojacking malware that mines the privacy-focused open source cryptocurrency turtlecoin (TRTL). The findings were published in an analysis by cybersecurity research group Guardicore Labs on May 29.

Cryptojacking is the industry term for stealthy crypto-mining attacks in which malware is installed that uses a computer’s processing power to mine cryptocurrency without the owner’s consent or knowledge.

Having first detected the campaign in April and traced its origins and progress, Guardicore Labs believes the malware has infected up to 50,000 Windows MS-SQL and PHPMyAdmin servers worldwide over the past four months. The analysts traced the attacks back to late February and noted the campaign’s rapid expansion, at a rate of over “seven hundred new victims per day.”

Between April 13 and May 13, the number of infected servers reportedly doubled to hit 47,985.

Guardicore Labs notes that this is not a typical crypto-miner campaign: it relies on techniques more commonly seen from advanced persistent threat groups, including fake certificates and privilege escalation exploits.

The researchers have nicknamed the campaign “Nansh0u,” after a text file string reportedly found on the attacker’s servers. It is believed to have been devised by Chinese-speaking threat actors, as the tools used in the malware were reportedly written in EPL, a Chinese programming language, and a number of log files and binaries on the servers contained Chinese strings. As the analysis explains:

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

In terms of geographic spread, the majority of victims were reportedly in China, the United States and India, although the campaign is thought to have spread across as many as 90 countries. The exact profitability of the operation is harder to ascertain, the report notes, because the mined funds are in the privacy coin turtlecoin, whose transactions are designed to be hard to trace.

In a warning to organizations, the researchers underscored that “this campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows.”

The privacy-centric coin monero (XMR) has historically been particularly prevalent in cryptojacking campaigns, with researchers reporting in mid-2018 that around 5% of the currency in circulation had been mined through malware.

A potential switch for XMR to a new proof-of-work algorithm this October would ostensibly make it harder to conceal malicious mining attempts, as Cointelegraph recently reported.
