Starcraft fans use NSA exploits to mine XMR

According to F5 Networks analysts, hackers were able to mine over $8,000
19 December 2017

Analysts at F5 Networks have reported a malicious campaign that compromises servers running Windows and Linux. It was called Zealot (the term comes from the popular video game Starcraft).

For the attacks, the unknown criminals use exploits from the arsenal of the US National Security Agency that were published by the hacker group The Shadow Brokers. In the final stage of the infection, PowerShell is used to install a Monero cryptocurrency miner on the compromised device.

The F5 Networks analysts note that the unknown group can swap the Monero miner for any other malware at any time.

Zealot seems to be the first Struts campaign using the NSA exploits to propagate inside internal networks. There were other malware campaigns like NotPetya and WannaCry ransomware, and also Adylkuzz cryptominer launching attacks by directly scanning the Internet for SMBs to exploit with the NSA tools the ShadowBrokers released. The Zealot campaign, however, seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders.
 

F5 Networks Research

Researchers managed to track several of the group's cryptocurrency wallets, which are used to withdraw the mined Monero. They currently hold about $8,500. The group's actual income may be much higher, since the attackers use many wallets and the experts admit that they almost certainly did not find all of them.

Monero Team to Kill Coin Burning Bug

A hypothetical attack scenario described by a member of the Monero subreddit helped identify the bug
26 September 2018

The developers of the Monero cryptocurrency have fixed a bug that could allow attackers to "burn" funds in organizations' wallets while sacrificing only a small amount in transaction fees. The fix was reported in the project's official announcement.

A hypothetical attack scenario described by a member of the Monero subreddit helped identify the bug.

Practically speaking this bug is exploited as follows. An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange's hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker's action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.
 

dEBRUYNE at Get Monero

The Monero developers note that this method does not allow the organizer of the attack to directly receive the XMR deposited in this way. However, the attacker can withdraw the credited XMR by converting it to bitcoin, leaving the exchange with 999 unspendable, or "burned", outputs of 1 XMR each.

The fix was distributed privately to exchanges and large merchants so as not to draw unnecessary attention to the problem while it was being resolved. According to the developers, the exploit was not used in real attacks.

In early August, Livecoin suffered losses exceeding $1.8 million because of a critical bug in Monero's code that made it possible to manipulate transaction amounts.
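The condition the quoted scenario depends on, several deposits arriving at the same stealth address, can be checked before a customer balance is credited. The following is an added example, not code from the Monero project or from this page: the Output record, the function names and the sample deposits are constructed, and crediting only the largest output per stealth address is an assumed policy.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    txid: str          # transaction that carries the output
    stealth_addr: str  # one-time destination address of the output (hex)
    amount: int        # whole XMR here for readability (assumption)


def naive_total(outputs):
    """Behaviour the scenario abuses: every received output is credited."""
    return sum(o.amount for o in outputs)


def creditable_deposits(outputs):
    """Return (credited, burnt).

    Of all outputs that share one stealth address only one can ever be
    spent, so credit a single output per address (the largest) and flag
    the rest for review instead of adding them to the balance.
    """
    by_addr = defaultdict(list)
    for out in outputs:
        by_addr[out.stealth_addr].append(out)
    credited, burnt = [], []
    for group in by_addr.values():
        best = max(group, key=lambda o: o.amount)
        credited.append(best)
        burnt.extend(o for o in group if o is not best)
    return credited, burnt


def credited_total(outputs):
    credited, _ = creditable_deposits(outputs)
    return sum(o.amount for o in credited)


# Constructed sample: 1000 deposits of 1 XMR to one stealth address,
# plus one ordinary deposit of 5 XMR to a different address.
SAMPLE = [Output(f"tx{i:04d}", "aa" * 32, 1) for i in range(1000)]
SAMPLE.append(Output("tx_ok", "bb" * 32, 5))

if __name__ == "__main__":
    _, burnt = creditable_deposits(SAMPLE)
    print("naive credit:", naive_total(SAMPLE), "XMR")
    print("checked credit:", credited_total(SAMPLE), "XMR")
    print("flagged outputs:", len(burnt))
```
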