Malicious WordPress plugin can secretly mine crypto

Cybercriminals are now targeting WordPress websites with malicious plugins that plant cryptojacking malware. According to a new report, the plugins also give the attackers access to the compromised server. Use of these plugins has been increasing over the past few months, probably because they work.

The report by website security company Sucuri revealed that interest in WordPress plugins by attackers has steadily risen in the past few months. These plugins always appear harmless at first glance, but they are used by the attackers as “a backdoor for the attacker to maintain access to the compromised website environment, even after the initial infection vector has been cleaned up.”

In the past, these plugins have been used for different purposes, including in August this year when Sucuri discovered that they were being used to encrypt blog content.

The blog post stated, “We recently discovered a number of compromised websites containing a plugin called “wpframework”. This plugin is being planted by bad actors to gain and maintain unauthorized access to the site environment.” The plugin contains the following information on its header:

[Image of the plugin header from the original report; not reproduced here]

Once a website owner installs the plugin, it first checks whether the PHP environment has any disabled functions. It then scans for the usual suspects, including the system and passthru functions, which give the attackers the ability to execute commands on the compromised server.

Unlike most backdoors, which only focus on PHP execution, this plugin changes the permissions of a downloaded Linux executable and runs it; the researchers identified that binary as a cryptominer.

The report concluded, “What is especially concerning about this particular fake plugin is that it can be easily used to just run just about any code through the eval function. The good news is that monitoring for changes to the active plugins on your website and unauthorized access is a good way to mitigate risk and prevent this from happening.”
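The report's mitigation advice, monitoring the active plugins for changes, can be scripted. The following is an added example, not Sucuri's tooling and not code from the report: it snapshots the PHP files under the plugins directory, diffs a later snapshot against the baseline, and scans any new or changed file for the indicators the report names (a probe of PHP's disabled-function list, the system/passthru family, chmod and eval). It assumes plugins live under wp-content/plugins/, which is the WordPress default; the two sample plugins are constructed, and the suspicious one only carries the indicator calls, no payload.

```python
"""Added example (not Sucuri's tooling): snapshot the WordPress plugins
directory, diff it against a later snapshot, and scan any new or changed
PHP file for the command-execution indicators named in the report.
Assumes plugins live under wp-content/plugins/, the WordPress default."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators drawn from the report's description of the fake plugin: a probe of
# PHP's disabled-function list, the system/passthru family, eval, and a chmod
# that precedes running a dropped binary.
INDICATORS = {
    "disable_functions_probe": re.compile(r"ini_get\s*\(\s*['\"]disable_functions['\"]"),
    "command_execution": re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "chmod": re.compile(r"\bchmod\s*\("),
}

def snapshot(plugins_dir):
    """Map each PHP file (path relative to the plugins dir) to its SHA-256."""
    root = Path(plugins_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }

def diff_snapshots(before, after):
    """Files that appeared, disappeared or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(f for f in before.keys() & after.keys() if before[f] != after[f]),
    }

def scan_source(php_source):
    """Names of the indicators that match one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(php_source))

def review_changes(plugins_dir, before, after):
    """Scan every added or modified file and report the ones with indicators."""
    root = Path(plugins_dir)
    changes = diff_snapshots(before, after)
    flagged = {}
    for rel in changes["added"] + changes["modified"]:
        hits = scan_source((root / rel).read_text(errors="replace"))
        if hits:
            flagged[rel] = hits
    return changes, flagged

# Constructed sample plugins. The second mirrors the behaviours the report
# describes (disabled-function probe, system/passthru, chmod, eval) but carries
# no payload; its name is the one the report gives.
BENIGN = """<?php
/* Plugin Name: Hello Footer */
add_action('wp_footer', function () { echo '<p>Thanks for reading.</p>'; });
"""
SUSPICIOUS = """<?php
/* Plugin Name: wpframework */
$disabled = ini_get('disable_functions');
if (strpos($disabled, 'system') === false) { system($cmd); }
elseif (strpos($disabled, 'passthru') === false) { passthru($cmd); }
chmod($binary_path, 0755);
eval($fetched_code);
"""

def demo():
    """Baseline a plugins dir, drop a second plugin, then diff and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        (plugins / "hello-footer").mkdir(parents=True)
        (plugins / "hello-footer" / "hello-footer.php").write_text(BENIGN)
        baseline = snapshot(plugins)

        (plugins / "wpframework").mkdir()
        (plugins / "wpframework" / "wpframework.php").write_text(SUSPICIOUS)
        changes, flagged = review_changes(plugins, baseline, snapshot(plugins))
    return changes, flagged

if __name__ == "__main__":
    changes, flagged = demo()
    print("changes:", changes)
    print("flagged:", flagged)
```

In practice the baseline would be stored off-host (an attacker with file-write access can edit a baseline kept next to the plugins), and the indicator scan is a triage signal, not a verdict: legitimate plugins also call exec-family functions, so the diff against a known-good baseline is the part that carries the weight.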

As CoinGeek recently reported, last week saw the discovery of the first cryptojacking worm known as Graboid as well as the use of WAV files to spread cryptojacking malware.

Malicious code hiding in WAV audio can mine crypto

Security researchers have discovered a new campaign by cybercriminals that’s hiding cryptojacking malware in WAV audio files. This comes just days after the first cryptojacking worm, known as Graboid, was discovered by another group of security experts, indicating just how rapidly the tactics are shifting. In this new campaign, the criminals were reportedly weaving in a loader component for decoding and executing malicious content throughout the file’s audio data.

This new campaign was discovered by Cylance, a California-based subsidiary of BlackBerry that develops antivirus programs. In a blog post, the researchers revealed that some of the WAV files contain code associated with the XMRig Monero CPU miner. Others contained Metasploit code used to establish a reverse shell, effectively giving the attackers unrestricted access to their victim’s machine.

The researchers stated, “Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network.”

What makes the attack very difficult to detect is that embedding the malware has no perceptible effect on the audio quality of the files.

“When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise),” the report stated.

Even more significantly, the researchers noted that this type of attack shows cybercriminals can hide malware in any type of file. The report noted, “These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format. Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging.”

The practice of hiding malware in plain sight isn’t a new concept. However, this marks the first time that audio files have been used to spread crypto mining malware, proving just how popular cryptojacking has become.

The report concluded, “Analysis revealed that the malware authors used a combination of steganography and other encoding techniques to deobfuscate and execute code. These strategies allowed attackers to conceal their executable content, making detection a challenging task.”
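The report's point that the container format must stay intact for the file to keep working suggests what a defender can check without decoding anything: is the WAV container well-formed, is there data outside what the RIFF header declares, and does the audio data look like audio or like random bytes? The following is an added example, not Cylance's tooling and not code from the report. It walks the RIFF chunks of a WAV file and reports structural oddities plus the Shannon entropy of the data chunk; the sample files (a clean sine tone, a data chunk of random bytes, a file with bytes appended past the declared size, and a file with a non-standard chunk) are constructed inline.

```python
"""Added example (not Cylance's tooling): walk a WAV file's RIFF chunks,
check that the container is well-formed, and measure how random the audio
data looks. Sample files are constructed inline."""
import math
import random
import struct
from collections import Counter

# Minimal set of chunk ids commonly found in PCM WAV files; extend for your data.
EXPECTED_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"JUNK"}
NEAR_RANDOM_BITS = 7.9  # bits per byte; an evenly distributed byte stream scores ~8

def shannon_entropy(data):
    """Bits of entropy per byte, computed from the byte histogram."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def walk_chunks(blob):
    """Yield (id, payload) for each chunk inside the RIFF-declared body."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    end = min(8 + riff_size, len(blob))
    pos = 12
    while pos + 8 <= end:
        cid, size = struct.unpack_from("<4sI", blob, pos)
        yield cid, blob[pos + 8 : pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to an even length

def inspect_wav(blob):
    """Structural and statistical findings for one WAV blob."""
    chunks = list(walk_chunks(blob))
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    ids = [cid for cid, _ in chunks]
    findings = [("unexpected chunk id %r" % cid) for cid in ids if cid not in EXPECTED_CHUNKS]
    trailing = len(blob) - (8 + riff_size)
    if trailing > 0:
        findings.append("%d bytes beyond the RIFF-declared size" % trailing)
    data = next((p for cid, p in chunks if cid == b"data"), b"")
    entropy = shannon_entropy(data)
    if entropy > NEAR_RANDOM_BITS:
        findings.append("audio data is near-random (%.2f bits/byte)" % entropy)
    return {"chunks": ids, "data_entropy": entropy,
            "trailing_bytes": max(trailing, 0), "findings": findings}

def build_wav(samples, extra=b"", extra_chunks=()):
    """Constructed 8-bit mono 8 kHz PCM container around the given sample bytes."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    for cid, payload in extra_chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        body += b"\0" if len(payload) & 1 else b""
    body += b"data" + struct.pack("<I", len(samples)) + bytes(samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body + extra

def tone(seconds=2, hz=440, rate=8000, amplitude=40):
    """Plain sine tone as unsigned 8-bit samples centred on 128."""
    return [int(128 + amplitude * math.sin(2 * math.pi * hz * i / rate))
            for i in range(seconds * rate)]

def sample_files():
    """Four constructed WAV blobs: one clean, three with something to flag."""
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(16000))
    return {
        "clean_tone": build_wav(tone()),
        "random_payload": build_wav(noise),
        "trailing_blob": build_wav(tone(), extra=b"\xaa" * 512),
        "odd_chunk": build_wav(tone(), extra_chunks=[(b"xtra", b"\0" * 64)]),
    }

if __name__ == "__main__":
    for name, blob in sample_files().items():
        print(name, inspect_wav(blob))
```

The entropy signal only catches payloads that replace the audio wholesale; the report says some of the files still played as music with no audible glitches, and a payload spread thinly through real audio will not move the byte histogram much. The structural checks (declared size versus actual size, unknown chunks) apply regardless of how the audio sounds, which is why both are reported together.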

As CoinGeek recently reported, security researchers from Palo Alto Networks’ Unit 42 recently discovered a new cryptojacking worm which they named Graboid. Thought to be the first of its kind, the worm uses its hosts to mine Monero while spreading to other systems.

Google chops all crypto mining extensions from Chrome Store

It’s good news for a lot of Google Chrome users, bad news for developers who don’t know how to play by the rules. All Chrome extensions that mine cryptocurrencies are now banned from the Google Chrome Web Store. The decision was made in an effort to prevent cryptojacking, the practice of covertly using a target’s computer for mining operations.

While Google wasn’t opposed to Chrome extensions that mined crypto, it had placed limits on the functionality. Developers had to describe the mining activity, had to agree that the extension’s only purpose was to mine, and the extension could only conduct one type of mining operation. When Google discovered that the vast majority of developers weren’t playing nicely—90% of them, in fact—it decided to pull the plug.

One such extension is, or was, Archive Poster. According to its description, it was a way for users to easily interact with posts on social media platform Tumblr. However, the extension was found to participate in cryptojacking activity, mining the altcoin Monero. It has now been removed from the Chrome Store.

There are many reasons why Google’s decision is necessary. Apart from the deliberate attempts to bypass controls, cryptojacking extensions can slow down computers, increase the amount of electricity that the computer uses and, sometimes, even cause computer batteries to melt from overheating. The entire time, the user is unaware of what’s going on and has never agreed to participate in the mining activity.

In making the announcement of the ban, the company’s Extensions Platform Product Manager, James Wagner, said, “The extensions platform provides powerful capabilities that have enabled our developer community to build a vibrant catalog of extensions that help users get the most out of Chrome. Unfortunately, these same capabilities have attracted malicious software developers who attempt to abuse the platform at the expense of users. This policy is another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks.”

Any extensions that are found to have violated Google’s terms will be removed between now and the end of June. Additionally, extensions will be more closely reviewed prior to being added to the store to ensure that they meet the guidelines. The tech giant suggests that all users monitor their computers’ CPU usage to determine if it’s higher than normal, and report any suspicious activity to Google.

Note: Tokens in the SegWit chain are referred to as SegWit1X (BTC) and SegWit Gold (SWG) and are no longer Bitcoin. Bitcoin Cash (BCH) is the only true Bitcoin as intended by the original Satoshi white paper. Bitcoin BCH is the only public block chain that offers safe and cheap microtransactions.


Microsoft highlights growing cryptojacking, ransomware threats

Tech giant Microsoft has drawn attention to the growing risks posed by cybercriminals using cryptocurrencies, including cryptojacking and ransomware attacks, in a blog post published this week.

The post, drafted by Alden Pornasdoro, Michael Johnson, and Eric Avena of Microsoft’s Windows Defender Research security unit, highlighted a number of ways criminals are currently leveraging cryptocurrencies for nefarious ends.

Chief amongst these threats, the post spoke of hackers stealing processing power for cryptocurrency mining through browser exploits—a technique known as ‘cryptojacking’. In addition, they also identified more straightforward ransomware attacks, where criminals withhold data or access in order to extort cryptocurrency payments from unsuspecting users.

The global tech giants have been at the forefront of developing technologies for cybersecurity in recent years, with Windows Defender Research in particular responsible for research and specialist cybersecurity output.

The blog post speaks to corporate network administrators in particular, advising on how best to guard against these increasingly frequent threats.

According to the extensive findings covered in the post, the increase in interest around cryptocurrency markets in recent years has created more new opportunities for criminals, particularly through deploying these types of techniques.

“Cybercriminals gave cryptocurrencies a bad name when ransomware started instructing victims to pay ransom in the form of digital currencies, most notably Bitcoin, the first and most popular of these currencies. It was not an unexpected move—digital currencies provide the anonymity that cybercriminals desire. The sharp increase in the value of digital currencies is a windfall for cybercriminals who have successfully extorted Bitcoins from ransomware victims,” according to the blog post.

The security experts also noted seeing “a wide range of malicious cryptocurrency miners, some of them incorporating more sophisticated mechanisms to infect targets, including the use of exploits or self-distributing malware. We have also observed that established malware families long associated with certain modus operandi, such as banking trojans, have started to include coin mining routines in recent variants.”

With reports of cryptocurrency frauds and hacks seemingly gaining pace, the findings are unlikely to prove too controversial. According to the research team, it’s indicative of a strong surge in criminal interest.

“These developments indicate widespread cybercriminal interest in coin mining, with various attackers and cybercriminal groups launching attacks,” according to the post.

Tesla becomes latest victim of ‘cryptojackers’

Elon Musk’s electric vehicle company, Tesla, has become the latest company to fall victim to hackers looking to mine cryptocurrency, according to a new report.

The Palo Alto-based company was uncovered as a victim of so-called ‘cryptojacking’ in a report published by cybersecurity company RedLock, which suggested an infiltration of Tesla systems to power the mining process.

The research team identified an infiltration in Tesla’s Kubernetes console, which was not secured by a password, as well as finding traces of hackers within Tesla’s AWS environment—a potentially significant breach of Tesla systems.

This would have allowed the hackers to access some sensitive information, with access to an Amazon S3 bucket holding significant telemetric data, according to the report. Researchers also identified a level of sophistication in the attack, which has not yet been seen in attacks of this kind.

The IP address of the mining pool was obscured by the Cloudflare CDN, which the team noted would make it impossible for companies to detect similar attacks through IP data alone. It was also apparent that the hackers had attempted to keep resource usage low to avoid arousing suspicion, yet another marker of the level of planning that appears to have gone into the attack.
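When the pool sits behind a CDN, the destination address looks like ordinary web traffic, so detection has to rest on what the connection says rather than where it goes. The following is an added example, not RedLock's tooling and not from the report: it parses constructed egress log lines carrying a payload sample, classifies each payload by whether it looks like a Stratum mining-protocol message, and reports flows with repeated hits. The log format and addresses are constructed (the destination is a documentation-range address standing in for a CDN edge); the Stratum method names are those used by common pool protocols, and the shape of the "login" message with an "agent" field is assumed from public descriptions of the Monero variant of the protocol.

```python
"""Added example (not RedLock's tooling): flag mining-pool traffic from what
the connection says rather than where it goes. Log format and sample lines are
constructed; Stratum method names are those of common pool protocols and the
'login'/'agent' message shape is assumed from public protocol descriptions."""
import json
import re
from collections import defaultdict

# JSON-RPC methods seen in Stratum and in the Monero-style variant of it.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty",
                   "login", "job", "submit", "keepalived"}

# Constructed log format: one line per observed message on an egress connection.
LINE_RE = re.compile(r"^ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) payload=(?P<payload>.*)$")

def classify_payload(payload):
    """Reason string if the payload looks like a mining-protocol message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None  # not JSON at all (HTTP, binary, ...)
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        params = msg.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        return "stratum method %r%s" % (method, " agent=%r" % agent if agent else "")
    # Pool replies carry no method; a result that hands out a job is just as telling.
    result = msg.get("result")
    if isinstance(result, dict) and "job" in result:
        return "stratum job result"
    return None

def parse_line(line):
    """Split one log line into its fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_mining_connections(lines, min_hits=2):
    """Group payload evidence per (src, dst) flow; report flows with >= min_hits signals."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_payload(rec["payload"])
        if reason:
            hits[(rec["src"], rec["dst"])].append(reason)
    return {flow: reasons for flow, reasons in hits.items() if len(reasons) >= min_hits}

# Constructed egress log. Both hosts talk to the same CDN edge address, so the
# address alone separates nothing; the payloads do.
SAMPLE_LOG = [
    'ts=2018-02-20T10:00:01Z src=10.0.3.17 dst=203.0.113.10:443 payload='
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/x.y.z"}}',
    'ts=2018-02-20T10:00:02Z src=10.0.3.17 dst=203.0.113.10:443 payload='
    '{"id":1,"jsonrpc":"2.0","result":{"id":"s1","job":{"blob":"..","target":".."}},"error":null}',
    'ts=2018-02-20T10:00:31Z src=10.0.3.17 dst=203.0.113.10:443 payload='
    '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"j1","nonce":"00000000","result":".."}}',
    'ts=2018-02-20T10:00:05Z src=10.0.3.22 dst=203.0.113.10:443 payload='
    '{"query":"status","client":"dashboard"}',
    'ts=2018-02-20T10:00:06Z src=10.0.3.22 dst=203.0.113.10:443 payload=GET /index.html HTTP/1.1',
]

if __name__ == "__main__":
    for flow, reasons in find_mining_connections(SAMPLE_LOG).items():
        print(flow, reasons)
```

This presumes the payload is visible, which for a TLS connection to a CDN means TLS inspection at the egress proxy or an agent on the host; without that, the remaining signals are behavioural (a long-lived connection with small periodic messages, and the sustained CPU use the attackers here tried to keep low), which is exactly why the report singles out the throttling as a sign of planning.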

Fortunately for Tesla, the team at RedLock was quick to refer the matter to them, flagging the issue immediately with the technical team there. According to the report, Tesla was able to quickly rectify the issue, preventing the hackers from accessing further resources from their system.

The development, which may come as an embarrassment for Tesla given its reputation for pioneering innovative new technologies, serves as a reminder to all businesses and large organisations over the critical importance of cybersecurity.

The report of the attack on Tesla comes amidst a flurry of this type of incident in recent months. Other victims include Showtime and, where hackers used the same technique to inject browser-based mining scripts under the radar.
