Some websites are using your CPU for crypto mining

Be careful: some websites now let attackers use your PC to mine cryptocurrency
30 November 2017

Earlier research by IT security companies found that a browser-based miner could only run for as long as the browser was open: close the browser and the mining stops with it. A newer technique spotted by Malwarebytes, however, lets unscrupulous website owners keep mining coins such as Monero even after the browser has apparently been closed.

How does it work, and can it be prevented?

When a user visits such a website, CPU activity rises only slightly. Because the CPU is never pushed to its limit, the user notices nothing unusual. After the user closes the browser, CPU usage stays higher than normal and the mining continues. So what is the trick? How do the criminals manage this?

Even after you close the browser, one hidden pop-under window remains open. It is sized to fit beneath the taskbar and sits behind the clock. The exact coordinates vary, but the window generally follows an "x -100, y -40" rule: it is placed about 100 pixels in from the right edge of the screen and 40 pixels up from the bottom, which puts it under the taskbar on a default layout.

Persisting hidden cryptomining

Making the taskbar taller will reveal the window; enabling taskbar transparency can also help.

To catch this kind of activity, open Task Manager and make sure no browser processes are still running after you have closed the browser. A browser icon that stays highlighted in the taskbar is another giveaway.

Exim Mail Servers to Undergo Massive Attacks

Attackers are exploiting a vulnerability that was patched last week, but more than 3.6 million mail servers worldwide remain potentially vulnerable
14 June 2019

Security researchers at Cybereason have warned mail server administrators of a massive automated attack exploiting a critical Exim vulnerability (CVE-2019-10149) disclosed last week. The attackers aim to execute their code as root and install cryptocurrency-mining malware on the server.

According to Shodan, more than 3.6 million mail servers worldwide have not been updated to the latest release, Exim 4.92, and remain potentially vulnerable. About 2 million of them are located in the USA and 192 thousand in Russia. According to RiskIQ, 70% of Exim servers have already moved to version 4.92.

Vulnerable Exim Servers

Administrators are urged to install the updates released last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If a vulnerable version of Exim (4.87 through 4.91 inclusive) has been running on the system, check that it has not already been compromised: inspect the crontab for suspicious entries and make sure no extra keys have appeared in /root/.ssh. Firewall log entries showing activity involving the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used to download the malware, are another indicator of attack.

The first attacks on Exim servers were recorded on June 9; by June 13 the attack had become widespread. After exploiting the vulnerability, the attacker downloads, through tor2web gateways to the Tor hidden service an7kmd2wp4xo7hpr, a script that checks for OpenSSH (installing it if absent), changes its configuration to allow root login and key authentication, and installs a key for the root user so that the attackers can reach the system over SSH.

Once the backdoor is in place, a port scanner is installed to find other vulnerable servers. The script also looks for miners already present on the system and removes any it finds. In the final stage, the attackers' own miner is downloaded and registered in the crontab. The miner is delivered disguised as an .ico file that is in fact a zip archive (password "no-password") containing a Linux ELF executable built for glibc 2.7 or later.
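The checks recommended above (vulnerable version range, crontab entries, extra root keys, the download hosts in firewall logs) and the backdoor behaviour just described (root login over SSH keys, a miner delivered as a fake .ico that is really a zip) can be scripted. What follows is an added example written for this page; it is not Cybereason's tooling and not part of Exim. The hidden-service label an7kmd2wp4xo7hpr and the version range come from the report above; the cron heuristics, the log and cron file locations, and the file names are assumptions for illustration.

```sh
#!/bin/sh
# Post-compromise triage for the Exim CVE-2019-10149 campaign. Added example:
# not Cybereason's or the Exim project's code. Each check takes its input file
# as an argument, so it runs against files copied off a suspect host as well as
# live (./exim-triage.sh --scan, as root so that /root/.ssh is readable).

# Hidden-service label from the report; the three download hosts
# (.tor2web.su, .tor2web.io, .onion.sh) all carry it as their leftmost label.
IOC_ONION="an7kmd2wp4xo7hpr"

# exim_version_vulnerable VERSION  -> exit 0 if VERSION is 4.87..4.91 inclusive
exim_version_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}            # "92-3" -> 92, "91_RC1" -> 91
    [ "$major" = "4" ] && [ "${minor:-0}" -ge 87 ] && [ "${minor:-0}" -le 91 ]
}

# log_ioc_count LOGFILE  -> number of lines mentioning the hidden-service label
log_ioc_count() {
    grep -c -F -- "$IOC_ONION" "$1" || true
}

# cron_suspicious CRONFILE  -> print active entries that reference the IoC,
# pipe a download into a shell, or run from /tmp or /dev/shm (heuristics
# chosen for this example, not a complete rule set)
cron_suspicious() {
    grep -E -v '^[[:space:]]*(#|$)' -- "$1" \
      | grep -E -- "$IOC_ONION|tor2web|\.onion|(wget|curl)[^|]*[|][[:space:]]*(ba)?sh|/tmp/|/dev/shm/"
}
cron_suspicious_count() {
    cron_suspicious "$1" | grep -c . || true
}

# sshd_effective CONFIG KEYWORD  -> the value sshd will use: the first
# uncommented occurrence wins, so a line appended after an existing setting
# is ignored while one inserted above it takes effect
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# authorized_key_count KEYFILE  -> number of key entries, with or without an
# options prefix; compare with the number you know should be there
authorized_key_count() {
    grep -c -E 'ssh-(rsa|ed25519|dss)|ecdsa-sha2-' -- "$1" 2>/dev/null || true
}

# is_zip_not_ico FILE  -> exit 0 if a file delivered as .ico starts with the
# zip magic 50 4b 03 04 ("PK\3\4"); a real ICO starts with 00 00 01 00
is_zip_not_ico() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Run every check against the live host and print findings.
scan_host() {
    ver=$(exim -bV 2>/dev/null | sed -n 's/^Exim version \([0-9.]*\).*/\1/p')
    if [ -n "$ver" ] && exim_version_vulnerable "$ver"; then
        echo "[!] Exim $ver is in the affected range 4.87-4.91; update to 4.92"
    fi
    for c in /etc/crontab /var/spool/cron/crontabs/root /var/spool/cron/root /etc/cron.d/*; do
        if [ -f "$c" ] && [ "$(cron_suspicious_count "$c")" -gt 0 ]; then
            echo "[!] suspicious cron entries in $c:"; cron_suspicious "$c"
        fi
    done
    if [ "$(sshd_effective /etc/ssh/sshd_config PermitRootLogin)" = "yes" ]; then
        echo "[!] sshd_config sets PermitRootLogin yes"
    fi
    echo "[i] /root/.ssh/authorized_keys has $(authorized_key_count /root/.ssh/authorized_keys) key(s); compare with your baseline"
    for log in /var/log/ufw.log /var/log/syslog /var/log/messages; do
        if [ -f "$log" ] && [ "$(log_ioc_count "$log")" -gt 0 ]; then
            echo "[!] $IOC_ONION appears $(log_ioc_count "$log") time(s) in $log"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as ./exim-triage.sh --scan on the host, or call the individual functions on files pulled from a suspect server. The sshd_effective helper mirrors how sshd resolves duplicate keywords, so it reports what is actually enforced rather than whatever the last line of the file says; that matters when a backdoor script inserts its own PermitRootLogin line.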