The amount of illegal cryptocurrency mining now taking place makes keeping track a difficult task, but here is a quick roundup of what has been spotted over the last few days.
- Cisco Talos has detailed a six-month-long investigation into a specific mining campaign that used phishing scams tied to Google AdWords to lure victims, and that stole tens of millions of dollars.
- Meanwhile, Trend Micro has found and explored miners exploiting two vulnerabilities found in Apache CouchDB to install cryptominers on systems.
- A third method making news, from IBM X-Force, is the TrickBot trojan being used to mount a man-in-the-middle attack that steals credentials from people as they purchase bitcoin.
While Trend Micro did not report a monetary amount stolen by those using the Apache CouchDB vulnerabilities, the number of detected attacks has spiked during the last three weeks.
The flaws at issue are the Apache CouchDB JSON Remote Privilege Escalation Vulnerability (CVE-2017-12635) and Apache CouchDB _config Command Execution (CVE-2017-12636), both of which were patched in November 2017.
Trend found that CVE-2017-12635 is exploited first to configure a CouchDB account with admin abilities, which is then used to authenticate to the server and trigger the remote code execution flaw in CVE-2017-12636. Once inside a system, the injected malware detects and disables competing miners and then downloads and executes Coinhive.
CouchDB is a somewhat popular database management system used by some large corporations, which gives those looking to take advantage of unpatched systems access to some pretty powerful resources, Trend noted.
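The two-step chain Trend describes (an unauthorized admin account is created first, then the server's `_config` endpoint is written to) leaves a recognisable pattern in a CouchDB front-end's request log. The following is an added detection example, not code from Trend Micro or the CouchDB project: it parses a constructed access-log format (timestamp, client address, method, path, status, which is an assumption, not CouchDB's own log layout) and flags any client that successfully writes a `/_users/` document and then writes to `/_config/` (or the per-node `/_node/<name>/_config/` path of CouchDB 2.x).

```python
import re

# Constructed sample lines in an assumed "<ts> <ip> <method> <path> <status>" format.
# They are illustrative only and are not taken from any real incident.
SAMPLE_LOG = """\
2018-02-16T10:01:02Z 203.0.113.7 PUT /_users/org.couchdb.user:backup 201
2018-02-16T10:01:05Z 203.0.113.7 PUT /_config/query_servers/cmd 200
2018-02-16T10:01:06Z 203.0.113.7 POST /db/_temp_view 200
2018-02-16T10:05:00Z 198.51.100.4 GET /db/doc1 200
2018-02-16T10:06:00Z 198.51.100.9 PUT /_users/org.couchdb.user:alice 201
2018-02-16T10:07:00Z 198.51.100.9 PUT /_config/log/level 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# A write to the _users database creates or replaces a user document.
USER_DOC_WRITE = re.compile(r"^/_users/org\.couchdb\.user:")
# Server configuration writes: CouchDB 1.x /_config/... or 2.x /_node/<name>/_config/...
CONFIG_WRITE = re.compile(r"^(/_node/[^/]+)?/_config/")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def find_admin_then_config_chains(text):
    """Return findings for every client that, with a successful (2xx) response,
    first wrote a _users document and later wrote to the server config.
    A _users write alone is normal (self-service signup); the pairing is
    what matches the privilege-escalation-then-RCE sequence."""
    last_user_write = {}   # client ip -> timestamp of its latest _users write
    findings = []
    for e in parse_log(text):
        ok = e["status"].startswith("2")
        if e["method"] == "PUT" and USER_DOC_WRITE.match(e["path"]) and ok:
            last_user_write[e["ip"]] = e["ts"]
        elif e["method"] in ("PUT", "DELETE") and CONFIG_WRITE.match(e["path"]) and ok:
            if e["ip"] in last_user_write:
                findings.append({
                    "ip": e["ip"],
                    "user_write_at": last_user_write[e["ip"]],
                    "config_write_at": e["ts"],
                    "config_path": e["path"],
                })
    return findings


if __name__ == "__main__":
    for f in find_admin_then_config_chains(SAMPLE_LOG):
        print(f"ALERT {f['ip']}: _users write at {f['user_write_at']}, "
              f"config write {f['config_path']} at {f['config_write_at']}")
```

Only successful responses count, so the rejected config write from 198.51.100.9 does not produce an alert, while 203.0.113.7 does; in a real deployment the same pairing is worth alerting on whatever the log format, and a config write to `query_servers` from any unexpected source deserves attention on its own.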
“However, in our view, the system being targeted is not as important as the existence of vulnerabilities that can be exploited,” the report said. “As long as there's a chance to exploit an RCE (remote code execution), the threat actors will take advantage of it.”
Using a remote code execution flaw to run a cryptominer is even more attractive because it is a low-risk operation, but also high reward because the prices of the various digital currencies are climbing.
The TrickBot trojan began its life attacking banking and financial interests, but IBM's X-Force team has found that the group behind it has expanded into the cryptocurrency-stealing business. In this particular case, TrickBot is used to place itself in the middle of a cryptocurrency transaction and steal from those purchasing Bitcoin and Bitcoin Cash using a credit card.
“This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet,” X-Force said.
TrickBot is a great tool here, IBM said, as it uses webinjections to implant itself in both the bitcoin wallet and payment card websites, where it can grab the information needed to steal the currency. Unlike the AdWords scam, TrickBot requires a relatively high level of expertise from the criminal.
“Having researched the attack tactics TrickBot applied to this cryptocurrency coin theft, we can see that, while it relies on existing mechanisms, the scheme required extensive research of the targeted sites, their web logic and the security controls they use,” IBM said.