Sophisticated mining botnet identified after 2 years


On April 1, cybersecurity company Guardicore Labs revealed that it had identified a malicious crypto-mining botnet that has been operating for nearly two years.

The threat actor, nicknamed “Vollgar” after the little-known altcoin it mines, Vollar (VSD), targets Windows machines running MS-SQL servers, of which Guardicore estimates there are only about 500,000 in the whole world.

However, despite their scarcity, MS-SQL servers offer significant processing power and typically store valuable information such as usernames, passwords, and credit card details.

Sophisticated crypto-mining malware network identified

Once a server is infected, Vollgar diligently and completely kills the processes of other threat actors before deploying more backdoors, remote access tools (RATs), and crypto miners.

About 60% of victims were infected with Vollgar for only a short time, while about 20% remained infected for up to several weeks, and 10% of victims were found to have been reinfected. The Vollgar attacks originated from more than 120 IP addresses, most of them located in China. Guardicore believes that most of these addresses correspond to compromised machines that are used to infect new victims.

Guardicore places some of the blame on corrupt hosting companies that turn a blind eye to the threat actors who inhabit their servers, stating:

“Unfortunately, ignorant or negligent registrars and hosting companies are part of the problem, as they allow attackers to use IP addresses and domain names to host entire infrastructures. If these vendors continue to look the other way, large-scale attacks will continue to thrive and operate under the radar for long periods of time.”

Vollgar mines two crypto assets

Guardicore cybersecurity researcher, Ophir Harpaz, told Cointelegraph that Vollgar has numerous qualities that differentiate it from most cryptojacking attacks.

“First, it mines more than one cryptocurrency: Monero and the VSD alternative currency (Vollar). Additionally, Vollgar uses a private pool to orchestrate the entire mining botnet. This is something that only an attacker with a very large botnet would consider doing.”

Harpaz also notes that, unlike most mining malware, Vollgar tries to establish multiple sources of potential revenue by deploying RATs alongside the malicious crypto miners. “That access can easily be translated into cash on the dark web,” he adds.

Vollgar has been operating for nearly two years

Although the researcher did not specify when Guardicore first identified Vollgar, he says an increase in botnet activity in December 2019 led the company to take a closer look at the malware.

“A thorough investigation of this botnet revealed that the first recorded attack was in May 2018, which sums up nearly two years of activity,” Harpaz said.

Cybersecurity best practices

To prevent Vollgar infection and other crypto mining attacks, Harpaz urges organizations to look for blind spots in their systems.

“I would suggest starting with netflow data collection and getting a comprehensive view of which parts of the data center are exposed to the internet. You can’t enter a war without intelligence; mapping all traffic inbound to your data center is the intelligence you need to fight the war against cryptominers.”

“Next, defenders should verify that all accessible machines are running with up-to-date operating systems and strong credentials,” he adds.
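Harpaz's first step, using flow data to get a view of which parts of the data center are reachable from the internet, can be approximated with a short script. The following is an added example written for this page, not Guardicore's or Cointelegraph's code; the simplified comma-separated flow format, the sample flow records and the list of internal address ranges are all assumptions, and a real NetFlow/IPFIX export would need its own parser.

```python
"""
Map which internal hosts and ports accept inbound connections from the
internet, using simplified (constructed) flow records.

Added example for this page; not Guardicore's tooling.  The record format
"src_ip,src_port,dst_ip,dst_port,proto,bytes" and the sample flows below are
assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict

# Address ranges treated as "inside the data center".  Assumption: a real
# deployment would list its own allocated prefixes here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Labels for a few well-known ports; 1433 is the MS-SQL port Vollgar targets.
SERVICE_NAMES = {1433: "ms-sql", 3389: "rdp", 22: "ssh", 443: "https"}

# Constructed sample flows (documentation-range public IPs, RFC 1918 internal
# IPs).  The "bad line" entry shows that malformed records are skipped.
SAMPLE_FLOWS = """\
203.0.113.10,51234,10.0.0.5,1433,tcp,842
203.0.113.10,51235,10.0.0.5,1433,tcp,1200
198.51.100.7,40000,10.0.0.5,1433,tcp,640
10.0.0.8,55555,10.0.0.5,1433,tcp,30000
192.0.2.44,60001,10.0.0.9,3389,tcp,512
10.0.0.3,44444,10.0.0.12,443,tcp,2048
bad line
"""


def is_internal(ip_text):
    """True if the address falls inside one of the data-center prefixes."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed record.

    Lines with the wrong field count, unparseable addresses or a non-numeric
    port are dropped rather than aborting the whole run.
    """
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6:
            continue
        src, _sport, dst, dport, _proto, _nbytes = fields
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            yield src, dst, int(dport)
        except ValueError:
            continue


def map_internet_exposure(flow_text):
    """Return {(dst_ip, dst_port): set(external source IPs)}.

    Only flows whose source is outside INTERNAL_NETS and whose destination is
    inside count as internet exposure; east-west traffic is ignored.
    """
    exposure = defaultdict(set)
    for src, dst, dport in parse_flows(flow_text):
        if not is_internal(src) and is_internal(dst):
            exposure[(dst, dport)].add(src)
    return dict(exposure)


def report(exposure):
    """Render one line per exposed (host, port), sorted for stable output."""
    lines = []
    for (dst, dport), sources in sorted(exposure.items()):
        svc = SERVICE_NAMES.get(dport, "unknown")
        lines.append(
            f"{dst}:{dport} ({svc}) reachable from {len(sources)} external source(s)"
        )
    return lines


if __name__ == "__main__":
    for line in report(map_internet_exposure(SAMPLE_FLOWS)):
        print(line)
```

On the sample data the script reports the MS-SQL listener on 10.0.0.5 as reachable from two external addresses and the RDP listener on 10.0.0.9 from one, while the internal-only HTTPS traffic to 10.0.0.12 is not listed; each reported host is a candidate for the patch-level and credential checks Harpaz describes next.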

Opportunistic scammers exploit COVID-19

In recent weeks, cybersecurity researchers have sounded the alarm about a rapid proliferation of scams seeking to exploit coronavirus fears.

Last week, UK county regulators warned that scammers were impersonating the Centers for Disease Control and Prevention and the World Health Organization to redirect victims to malicious links or to fraudulently solicit donations in Bitcoin (BTC).

In early March, a screen-locking attack called “CovidLock” was identified circulating under the pretext of installing a heat map that tracks the spread of the coronavirus.
