News / Media References
Please see here for our mentions in major news / media publications.
Peer-reviewed academic research publications
Profiling IoT-based botnet traffic using DNS
Owen Dwyer, Angelos Marnerides, Vasileios Giotsas, and Troy Mursch
This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We firstly discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our resulted outputs indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.
Identifying infected energy systems in the wild
Angelos Marnerides, Vasileios Giotsas, and Troy Mursch
A plethora of Mirai-like variants have emerged in the last two years that are capable to infiltrate any type of device. In this paper we provide a 7-month retrospective analysis of Internet-connected energy systems that are infected by Mirai-like malware variants. By utilizing network measurements from several Internet vantage points, we demonstrate that a number of energy systems on a global scale were infected during the period of our observation. Our work offers a first look in compromised energy systems by malware infections, and offers insights on the lack of proper security practices for systems that are increasingly dependent on internet services and more recently the IoT. In addition, we indicate that such systems were infected for relatively large periods, thus potentially remaining undetected by their corresponding organizational units.
A first look at browser-based cryptojacking
Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, and Jeremy Clark
In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In addition, we conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non-consenting users.
Bad Packets is featured, cited, or mentioned in the following publications.
The Wall Street Journal – Your Computer May Be Making Bitcoin for Hackers
The Wall Street Journal – Major Companies Shared Vulnerability Used in Travelex Cyberattack
The Washington Post – Hackers have turned Politifact’s website into a trap for your PC
The Washington Post – Salon.com wants to use your PC to mine cryptocurrency
WIRED – Your Browser Could Be Mining Cryptocurrency For a Stranger
WIRED – Hackers Hit Make-A-Wish Website With Cryptojacking Scheme
WIRED – Nationwide Bomb Threats Look Like A New Spin On An Old Bitcoin Scam
WIRED – When Facebook Goes Down, Don’t Blame Hackers
WIRED – Clever New DDoS Attack Gets a Lot of Bang for a Hacker’s Buck
Forbes – Hackers Are Targeting D-Link Home Routers: Here’s How To Secure Yours
Forbes – Gmail, Netflix and PayPal Users Targeted In DNS Hijacking Campaign
Forbes – Firefox Extensions Are Broken — Here’s What To Do
Forbes – Facebook Changes The Way It Ranks Videos…And Other Small Business Tech News This Week
Forbes – U.S. Government Issues Powerful Security Alert: Upgrade VPN Or Expect Cyber-Attacks
Forbes – FBI Warned Of Fraudster’s Paradise: Up To 130,000 Hacked Asus Routers On Sale For A Few Dollars
Krebs on Security – Website Flaw Let True Health Diagnostics Users View All Medical Records
Krebs on Security – Who and What Is Coinhive?
Krebs on Security – Who’s Behind the Screencam Extortion Scam?
Krebs on Security – Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted
Krebs on Security – Crypto Mining Service Coinhive to Call it Quits
Krebs on Security – Booter Boss Interviewed in 2014 Pleads Guilty
BBC – Salon magazine mines crypto-cash with readers’ PCs
BBC – Vision Direct hack puts customers’ money at risk
S&P Global Market Intelligence – Travelex showdown highlights growing ‘professionalization’ of cyber gangs
S&P Global Market Intelligence – Fresh cyber threats stalk financial services industry following Travelex fiasco
Cybersecurity and Infrastructure Security Agency (CISA) – Continued Exploitation of Pulse Secure VPN Vulnerability
ZDNet – Thousands of etcd installs are leaking secret server keys online
ZDNet – Over 115,000 Drupal sites still vulnerable to critical flaw
ZDNet – MikroTik routers enslaved in massive Coinhive cryptojacking campaign
ZDNet – A mysterious grey-hat is patching people’s outdated MikroTik routers
ZDNet – Cybercrime and malware, 2019 predictions
ZDNet – Hackers ramp up attacks on mining rigs before Ethereum price crashes into the gutter
ZDNet – Chinese websites have been under attack for a week via a new PHP framework bug
ZDNet – Over 19,000 Orange modems are leaking WiFi credentials
ZDNet – Hackers are going after Cisco RV320/RV325 routers using a new exploit
ZDNet – It took hackers only three days to start exploiting latest Drupal bug
ZDNet – Coinhive cryptojacking service to shut down in March 2019
ZDNet – Operator of eight DDoS-for-hire services pleads guilty
ZDNet – Hackers have started attacks on Cisco RV110, RV130, and RV215 routers
ZDNet – New Mirai malware variant targets signage TVs and presentation systems
ZDNet – Cisco bungled RV320/RV325 patches, routers still exposed to hacks
ZDNet – Hacker group has been hijacking DNS traffic on D-Link routers for three months
ZDNet – Backdoor code found in popular Bootstrap-Sass Ruby library
ZDNet – A hacker is wiping Git repositories and asking for a ransom
ZDNet – Firefox add-ons disabled en masse after Mozilla certificate issue
ZDNet – Over 25,000 smart Linksys routers are leaking sensitive data
ZDNet – A botnet is brute-forcing over 1.5 million RDP servers all over the world
ZDNet – Oracle patches another actively-exploited WebLogic zero-day
ZDNet – Canonical GitHub account hacked, Ubuntu source code safe
ZDNet – Brazil is at the forefront of a new type of router attack
ZDNet – Security bugs in popular Cisco switch brand allow hackers to take over devices
ZDNet – Hackers mount attacks on Webmin servers, Pulse Secure, and Fortinet VPNs
ZDNet – A Chinese APT is now going after Pulse Secure and Fortinet VPN servers
ZDNet – Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites
ZDNet – Dutch police take down hornets’ nest of DDoS botnets
ZDNet – Nasty PHP7 remote code execution bug exploited in the wild
ZDNet – A hacking group is hijacking Docker systems with exposed API endpoints
ZDNet – 20 VPS providers to shut down on Monday, giving customers two days to save their data
ZDNet – VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers
ZDNet – Proof-of-concept code published for Citrix bug as attacks intensify
ZDNet – A hacker is patching Citrix servers to maintain exclusive access
ZDNet – Hackers target unpatched Citrix servers to deploy ransomware
ZDNet – Hackers are hijacking smart building access systems to launch DDoS attacks
ZDNet – Multiple nation-state groups are hacking Microsoft Exchange servers
ZDNet – Fintech company Finastra announces mysterious security breach
ZDNet – UK electricity middleman hit by cyber-attack
ZDNet – US Cyber Command says foreign hackers will most likely exploit new PAN-OS security bug
ZDNet – Ransomware gang demands $7.5 million from Argentinian ISP
ZDNet – Ransomware gang publishes tens of GBs of internal data from LG and Xerox
ZDNet – Hacker leaks passwords for 900+ enterprise VPN servers
ZDNet – Barnes & Noble confirms cyberattack, suspected customer data breach
CTV News – Raising The Alarm About Cryptojacking
Bad Packets co-founder Troy Mursch spoke with CTV’s Scott Laurie and shared the basics of cryptojacking. What it is, how it happens, and how to prevent it.
Associated Press – How your smart fridge might be mining bitcoin for criminals
Ars Technica – Now even YouTube serves ads with CPU-draining cryptocurrency miners
Ars Technica – Thousands of servers found leaking 750MB worth of passwords and keys
Ars Technica – Drupal warns of new remote-code bug, the second in four weeks
Ars Technica – Hundreds of big-name sites hacked, converted into drive-by currency miners
Ars Technica – Three months later, a mass exploit of powerful Web servers continues
Ars Technica – Ongoing DNS hijackings target unpatched consumer routers
Ars Technica – >20,000 Linksys routers leak historic record of every device ever connected
Ars Technica – Hackers are actively trying to steal passwords from two widely used VPNs
Ars Technica – Critical vulnerability in vBulletin is being actively exploited
Ars Technica – Unpatched Citrix vulnerability now exploited, patch weeks away
Ars Technica – As attacks begin, Citrix ships patch for VPN vulnerability
Ars Technica – Exploit code for wormable flaw on unpatched Windows devices published online
Ars Technica – Attackers are trying to exploit a high-severity zeroday in Cisco gear
The Daily Beast – How a High-School Dropout Hacked a Million Devices
Yahoo! Finance – Thousands of Linksys routers leaked detailed device connection records
Yahoo! Finance – Cryptojacking still huge, but in decline, says new report
Yahoo! Finance – Malicious cryptojacking code found in 11 Ruby libraries
Yahoo! Finance – T-Mobile Outage Disrupts Wireless Network Across US, Companies Deny DDoS Attack
Fortune – Popular Google Chrome Extension Caught Mining Cryptocurrency on Thousands of Computers
TechCrunch – Cryptojacking malware was secretly mining Monero on many government and university websites
TechCrunch – Vision Direct reveals breach that skimmed customer credit cards
ComputerWeekly – Cyber gangsters demand payment from Travelex after ‘Sodinokibi’ attack
ComputerWeekly – Citrix NetScaler vulnerabilities won’t be patched until end of January
ComputerWeekly – Travelex hackers shut down German car parts company Gedia in massive ‘cyber attack’
ComputerWeekly – Cyber gangsters hit UK medical firm poised for work on Coronavirus with Maze ransomware attack
ComputerWeekly – Insurance firm Chubb may be latest Maze ransomware victim
ComputerWeekly – IT services company Cognizant warns customers after ‘Maze’ ransomware attack
ComputerWeekly – Ransomware-stricken Travelex up for sale
ComputerWeekly – Maze ransomware attack will cost Cognizant at least $50m to $70m
ComputerWeekly – Questions raised after UK’s electrical grid shrugs off cyber attack
AT&T ThreatTraq – Vulnerability in Cisco RV320, RV325 Routers
The AT&T ThreatTraq team discuss our findings regarding opportunistic scanning activity targeting vulnerable Cisco routers.
CERT/CC – Pulse Secure VPN contains multiple vulnerabilities
CERT/CC – VPN – A Gateway for Vulnerabilities
CERT/CC – F5 BIG-IP contains multiple vulnerabilities including unauthenticated remote command execution
Global News – Slow phone or computer? How to avoid getting ‘cryptojacked’
CBC News – ‘Cryptojacking’ hacker trend turns Canadians into cryptocurrency miners
Engadget – Over 21,000 Linksys routers leaked their device connection histories
Engadget – International money transfer service Travelex held ransom by hackers
Daily Mail – Facebook says ‘server configuration change’ to blame for its biggest EVER blackout
PC Magazine – Political Fact-Checking Site Hacked to Mine Cryptocurrency
PC Magazine – Coinhive Tries to Appease Critics With Opt-in Crypto Miner
PC Magazine – Why Hackers Love Cryptocurrency Miner Coinhive
PC Magazine – Chrome Extension Hacked to Secretly Mine Cryptocurrency
PC Magazine – Cryptocurrency Miner invades 4,000 Sites Via Third-Party Tool
PC Magazine – Can Cryptocurrency Mining Save The Media Industry?
PC Magazine – 400 Websites Secretly Served Cryptocurrency Miners to Visitors
PC Magazine – 200K MikroTik Routers Exploited to Serve Cryptocurrency Miner
PC Magazine – Hacker Using MikroTik Routers to Eavesdrop on Internet Traffic
PC Magazine – Vision Direct Hack Exposed Users Card Numbers and CVV Codes
PC Magazine – Coinhive Cryptocurrency Mining Service to Shut Down
Threatpost – Cryptojacking Attack Found on Los Angeles Times Website
Threatpost – Ad Network Circumvents Ad-Blocking Tools To Run In-Browser Cryptojacker Scripts
Threatpost – Rarog Trojan ‘Easy Entry’ For New Cryptomining Crooks, Report Warns
Threatpost – Muhstik Botnet Exploits Highly Critical Drupal Bug
Threatpost – Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked
Threatpost – Drupalgeddon 2.0 Still Haunting 115K+ Sites
Threatpost – Newsmaker Interview: Troy Mursch on Why Cryptojacking Isn’t Going Away
Threatpost – Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally
Threatpost – Thousands of MikroTik Routers Hijacked for Eavesdropping
Threatpost – VisionDirect Blindsided by Magecart in Data Breach
Threatpost – Newsmaker Interview: Troy Mursch on Top Botnet Trends
Threatpost – 19K Orange Livebox Modems Open to Attack
Threatpost – Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution
Threatpost – Hackers Abuse Google Cloud Platform to Attack D-Link Routers
Threatpost – New Mirai Samples Grow the Number of Processors Targets
Threatpost – Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw
Threatpost – Forbes Becomes Latest Victim of Magecart Payment Card Skimmer
Threatpost – Wikipedia, World of Warcraft Downed By Weekend DDoS Attacks
Threatpost – Sodinokibi Ransomware Behind Travelex Fiasco: Report
Threatpost – Card Skimmer Hits Australian Bushfire Donation Site
Threatpost – Unpatched Citrix Flaw Now Has PoC Exploits
Threatpost – Citrix Accelerates Patch Rollout For Critical RCE Flaw
Threatpost – DHS Urges Pulse Secure VPN Users To Update Passwords
Threatpost – Admins Urged to Patch Critical F5 Flaw Under Active Attack
The Next Web – CBS’s Showtime caught secretly stealing visitors’ CPU power to mine cryptocurrency
The Next Web – Researcher finds 50,000 sites infected with cryptocurrency mining malware
The Next Web – Google Play is hosting a disturbing amount of cryptocurrency malware
The Next Web – UNICEF wants your CPU power to mine cryptocurrency for children in Bangladesh
The Next Web – Nearly 400 Drupal sites infected with malware that secretly mines cryptocurrency
The Next Web – The US-China Association of Commerce site is running cryptocurrency mining malware
The Next Web – 200,000 routers in Brazil were secretly hijacked to mine cryptocurrency
The Next Web – Browser mining is generating over $250K worth of cryptocurrency every month
The Next Web – Twitter is now recommending users follow cryptocurrency scambots
The Next Web – Google Play promised to ban cryptocurrency mining apps, but we found tons
The Next Web – 30 days after the ban, Google Play still hosts cryptocurrency mining apps
The Next Web – The crypto-jacking epidemic continues, 280K infected routers detected to date
The Next Web – Monero slams crypto-jackers after mining malware hits government sites
The Next Web – Crypto-jacking epidemic spreads to 30K routers across India
The Next Web – 415,000 routers worldwide hijacked to secretly mine cryptocurrency
The Next Web – Hackers mass-scan for Docker vulnerability to mine Monero cryptocurrency
The Telegraph – Cryptojacking: The hackers mining digital currencies from your computer
The Telegraph – Hackers who hit grid taunt Elexon with dark web files
The Register – CBS’s Showtime caught mining crypto-coins in viewers’ web browsers
The Register – Real Mad-quid: Murky cryptojacking menace that smacked Ronaldo site grows
The Register – More and more websites are mining crypto-coins in your browser to pay their bills, line pockets
The Register – Pulitzer-winning website Politifact hacked to mine crypto-coins in browsers
The Register – Mirai, Mirai, pwn them all, who’s the greatest botnet on the whole?
The Register – What do Vegas hookers, Colombian government, and 30,000 other sites have in common? Crypto-jacking miners
The Register – Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
The Register – Guys, you’re killing us! LA Times homicide site hacked to mine crypto-coins on netizens’ PCs
The Register – Opt-in cryptomining script Coinhive ‘barely used’ say researchers
The Register – Cluster-f*ck! Etcd DBs spaff passwords, cloud keys to world by default
The Register – That Drupal bug you were told to patch weeks ago? Cryptominers hope you haven’t bothered
The Register – OMG, that’s downright Wicked: Botnet authors twist corpse of Mirai into new threats
The Register – Drupal drisputes dreport of widespread wide-open websites
The Register – Japanese Coinhive JS injector slapped with suspended sentence
The Register – Why is my cheapo Android red hot and switching off Wi-Fi?
The Register – Sextortion scum armed with leaked credentials are persistent pests
The Register – Miscreants sweep internet for unpatched Cisco kit, fears over bugged Chinese parts, Roger Stone nabbed…
The Register – Bank-card-slurping malware sneaks into Forbes’ mag subscription website
The Register – CIA traitor spy thrown in the clink for selling secrets to China. Stack Overflow, TeamViewer admit: We were hacked…
The Register – That Pulse Secure VPN you’re using to protect your data? Better get it patched – or it’s going to be ransomware time
The Register – If you haven’t shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available
Bleeping Computer – The Internet Is Rife With In-Browser Miners and It’s Getting Worse Each Day
Bleeping Computer – Cryptojacking Craze: Malwarebytes Says It Blocks 8 Million Requests per Day
Bleeping Computer – Cookie Consent Script Drops In-Browser Cryptocurrency Miner
Bleeping Computer – Cryptojacking Script Found in Live Help Widget, Impacts Around 1,500 Sites
Bleeping Computer – Mirai Activity Picks up Once More After Publication of PoC Exploit Code
Bleeping Computer – Cryptojackers Found on Starbucks WiFi Network, GitHub, Pirate Streaming Sites
Bleeping Computer – Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner
Bleeping Computer – Using the Chrome Task Manager to Find In-Browser Miners
Bleeping Computer – Firefox Working on Protection Against In-Browser Cryptojacking Scripts
Bleeping Computer – Unicef’s TheHopepage May Be the First Good Use of In-Browser Mining
Bleeping Computer – Drupal Sites Fall Victims to Cryptojacking Campaigns
Bleeping Computer – Google Agrees to Pay $11 Million to Owners of Suspended AdSense Accounts
Bleeping Computer – Two Months Later, Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon 2
Bleeping Computer – You Can File Complaints About Cryptojacking With the FTC
Bleeping Computer – Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers
Bleeping Computer – Coinhive Raking In Over $250,000 per Month From In-Browser Cryptomining
Bleeping Computer – Mirai IoT Malware Uses Aboriginal Linux to Target Multiple Platforms
Bleeping Computer – Over 3,700 MikroTik Routers Abused In CryptoJacking Campaigns
Bleeping Computer – VisionDirect Data Breach Caused by MageCart Attack
Bleeping Computer – Orange LiveBox Modems Targeted for SSID and WiFi Info
Bleeping Computer – Hackers Targeting Cisco RV320/RV325 Routers Using New Exploits
Bleeping Computer – Coinhive In-Browser Cryptomining Service Shuts Down on March 8
Bleeping Computer – Cisco Botches Fix for RV320, RV325 Routers, Just Blocks ‘curl’ User Agent
Bleeping Computer – Confluence Servers Hacked to Install Miners and Rootkits
Bleeping Computer – Linksys Smart Wi-Fi Routers Leak Info of Connected Devices
Bleeping Computer – Hackers Inject Magecart Card Skimmer in Forbes’ Subscription Site
Bleeping Computer – Botnet Uses Recent vBulletin Exploit to Block Other Hackers
Bleeping Computer – Sodinokibi Ransomware Hits Travelex, Demands $3 Million
Bleeping Computer – Australia Bushfire Donors Affected by Credit Card Skimming Attack
Bleeping Computer – US Govt Warns of Attacks on Unpatched Pulse VPN Servers
Bleeping Computer – FBI Says State Actors Hacked US Govt Network With Pulse VPN Flaw
Bleeping Computer – Hackers Are Securing Citrix Servers, Backdoor Them for Access
Bleeping Computer – Citrix Releases Scanner to Detect Hacked Citrix ADC Appliances
Bleeping Computer – Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
Bleeping Computer – Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now
Bleeping Computer – UK Fintech Firm Finastra Hit By Ransomware, Shuts Down Servers
Bleeping Computer – Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack
Bleeping Computer – US govt: Hacker used stolen AD credentials to ransom hospitals
Bleeping Computer – Toll Group hit by ransomware a second time, deliveries affected
Bleeping Computer – Business services giant Conduent allegedly hit by Maze Ransomware
Bleeping Computer – US aerospace services provider breached by Maze Ransomware
Bleeping Computer – Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Bleeping Computer – PoC exploits released for SAP Recon vulnerabilities, patch now!
Bleeping Computer – Business giant Dussmann Group’s data leaked after ransomware attack
Bleeping Computer – World’s largest cruise line operator Carnival hit by ransomware
Bleeping Computer – Leading US video delivery provider confirms ransomware attack
Bleeping Computer – US staffing firm Artech discloses ransomware attack, data breach
Bleeping Computer – Staples data breach caused by bug in order tracking system
Bleeping Computer – Ray-Ban owner Luxottica reportedly hit with cyberattack
Bleeping Computer – Ransomware hits US-based Arthur J. Gallagher insurance giant
Bleeping Computer – Largest cruise line operator Carnival confirms ransomware data theft
Bleeping Computer – Barnes & Noble hit by cyberattack that exposed customer data
Decipher – Attackers Targeting Vulnerability in Pulse Secure VPN
Decipher – Too Many Exchange Servers Remain Unpatched
Decipher – CISA Urges Resetting Active Directory After Patching VPN
The Verge – Popular ‘cryptojacking’ service Coinhive will shut down next week
International Business Times – Hackers covertly hide code on Politifact to hijack your PC, secretly mine cryptocurrencies
International Business Times – Popular Chrome extension with over 105,000 users found secretly mining cryptocurrency
International Business Times – Salon to readers: Let us use your PC to mine cryptocurrency in exchange for an ad-free website
International Business Times – Mozilla Firefox Will Block Cryptocurrency Mining Malware Scripts From Web Browser
Newsweek en Español – SEP, UNAM y la Liga MX, fueron intervenidas para generar dinero con un código malicioso (SEP, UNAM and Liga MX, were intervened to generate money with a malicious code)
The Hacker News – Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
The Hacker News – Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware
The Hacker News – New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide
The Hacker News – CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers
Avast Blog – MikroTik mayhem: Cryptomining campaign abusing routers
Avast Blog – The End of Coinhive; The end of cryptojacking?
Marion Star – Researcher: Marion website was infected, site visitors exploited for digital money
La Stampa – Truffe, crimini e ricatti online: dove nascono, come funzionano e perché sono difficili da fermare (Scams, crimes and blackmail online: where they are born, how they work and why they are difficult to stop)
La Stampa – Qualcuno potrebbe minare criptovalute col tuo browser, ecco come funziona il fenomeno (Someone could Mine cryptocurrencies with your browser, here’s how the phenomenon works)
AppleInsider – 25,000 Linksys routers are reportedly leaking details of any device that has ever connected to it
Computing.co.uk – Warning over spike in attacks on exposed Docker platforms
Computing.co.uk – Travelex ignored September warning over ‘insecure’ VPN server software
Computing.co.uk – Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware
Computing.co.uk – Dutch NCSC: Turn off Citrix ADC and Gateway servers NOW as mitigation measures are not effective
Computing.co.uk – Almost 500 Citrix servers in the UK vulnerable to ransomware
Computing.co.uk – Hackers are exploiting a vulnerability to hijack building access control systems
Computing.co.uk – Almost 6,000 unpatched Citrix NetScaler servers remain vulnerable to critical security flaw
Computing.co.uk – Pulse Secure: 2,500 VPN servers worldwide vulnerable to CVE-2019-11510 critical security flaw
Computing.co.uk – Maze ransomware group claims to have encrypted Chubb cyber insurer’s systems
Computing.co.uk – Hackers are mass-scanning the internet to discover Microsoft Exchange servers vulnerable to RCE bug
Computing.co.uk – ‘Patch critical SAP RECON vulnerability immediately’, urges CISA
Computing.co.uk – Passwords for over 900 Pulse Secure VPN enterprise servers revealed on hacker forum
SiliconANGLE – No longer the bridesmaid, Drupal is now favored for cryptomining attacks
SiliconANGLE – Vulnerable Docker instances targeted in cryptocurrency mining campaign
SiliconANGLE – Patch now: Critical flaw in Citrix actively targeted by hackers
SiliconANGLE – Customer data stolen in ransomware attack on cruise operator Carnival
TechRepublic – L.A. Times website injected with Monero cryptocurrency mining script
TechRepublic – Drupalgeddon 2 wreaking havoc on 900+ sites because IT still hasn’t applied updates
TechRepublic – Certificate issue disabling add-ons in Firefox and Tor Browser finally fixed
Tripwire – LA Times homicide website throttles cryptojacking attack
Tripwire – Barnes & Noble warns customers it has been hacked, customer data may have been accessed
Graham Cluley – Elementary vulnerability exposed sensitive medical records on healthcare data website
Graham Cluley – Stop dilly-dallying. Block all ads on YouTube
Graham Cluley – Unpatched D-Link routers targeted in malicious DNS hijacking campaign
Graham Cluley – Travelex still offline after discovering malware on New Year’s Eve, and other banks’ currency services are also affected
Graham Cluley – Shitrix: Hackers target unpatched Citrix systems over weekend
Infosecurity Magazine – LA Times Hit with Crypto-Mining Software
Infosecurity Magazine – Crypto Crime: Hunting for Cryptocurrency Mining in Your Enterprise (Webinar)
Infosecurity Magazine – Nearly 20,000 Orange Modems Leaking Wi-Fi Passwords
Infosecurity Magazine – Attackers Target Home Routers with DNS Hijacking
Infosecurity Magazine – Forbes Site Up, Then Down Again after Magecart Attack
Infosecurity Magazine – Top Ten: News Stories of 2019
Infosecurity Magazine – Citrix Admins Urged to Act as PoC Exploits Surface
Infosecurity Magazine – Travelex Begins Reboot as VPN Bug Persists
Infosecurity Magazine – Maze Authors Claim to Have Hit Insurer Chubb
Infosecurity Magazine – IT Services Firm Conduent Felled by Maze Ransomware
Help Net Security – Compromised MikroTik routers power extensive cryptojacking campaign
Help Net Security – Cisco botched patches for its RV320/RV325 routers
Help Net Security – Consumer routers targeted by DNS hijacking attackers
Help Net Security – Attackers are targeting vulnerable Fortigate and Pulse Secure SSL VPNs
Help Net Security – PHP RCE flaw actively exploited to pop NGINX servers
Help Net Security – Travelex extorted by ransomware gang, services still offline a week after the hit
Help Net Security – Exploits for Citrix ADC and Gateway flaw abound, attacks are ongoing
Help Net Security – Attackers probing for vulnerable Microsoft Exchange Servers, is yours one of them?
Help Net Security – Attackers are breaching F5 BIG-IP devices, check whether you’ve been hit
BGR – Thousands of Linksys routers leaked detailed device connection records
BankInfoSecurity – Cryptojacking: Mitigating the Impact
BankInfoSecurity – Hacked MicroTik Routers Serve Cryptocurrency-Mining Malware
BankInfoSecurity – Magecart Spies Payment Cards From Retailer Vision Direct
BankInfoSecurity – Hackers Target Fresh Drupal CMS Flaw to Infiltrate Sites
BankInfoSecurity – Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs
BankInfoSecurity – Chinese APT Group Began Targeting SSL VPN Flaws in July
BankInfoSecurity – Router Cryptojacking Campaigns Disrupted
BankInfoSecurity – Unpatched VPN Servers Hit by Apparent Iranian APT Groups
BankInfoSecurity – Facilities Maintenance Firm Recovering From Malware Attack
BankInfoSecurity – Insurer Chubb Investigating ‘Security Incident’
BankInfoSecurity – CISA Warns Patched Pulse Secure VPNs Still Vulnerable
BankInfoSecurity – Cisco Alert: Hackers Targeting Zero-Day Flaws in IOS XR
BankInfoSecurity – Iranian Hackers Exploiting Unpatched Vulnerabilities
The Daily Swig – Google begins enforcing JavaScript for logins
The Daily Swig – Vision Direct poked in the eye by credit card breach
The Daily Swig – Information disclosure vulnerability impacts 25,000 Linksys routers
The Daily Swig – Travelex ransomware attack: Pulse Secure VPN flaw implicated in security incident
The Daily Swig – What is Sodinokibi? The ransomware behind the Travelex attack
The Daily Swig – Pastebin hints at new research subscription model after axing scraping API
Computer Business Review – Microsoft Exchange Server Vulnerability: Mass Scanning Starts as Exploit Details Land
Computer Business Review – Finastra, World’s Third Largest Fintech, Hit by Ransomware
Computer Business Review – Second Critical Electricity Network Provider Hacked in 8 Weeks
Computer Business Review – IT Services Giant Conduent Suffers Ransomware Attack, Data Breach
TechRadar – More than 20,000 Linksys routers hit by serious security exploit
Naked Security – Unsecured AWS led to cryptojacking attack on LA Times
Naked Security – Shodan and passwords sitting in a tree, S-H-O-W-I-N-G!
Naked Security – REvil ransomware exploiting VPN flaws made public last April
CoinDesk – ‘Cryptojacking’ Software Attack Hits Hundreds of Websites
Liftr News – Report: Cryptojacking Trend Hits LA Times
Security Now! – Episode #662 – Drupal Sites Fall Victims to Cryptojacking Campaigns
Security Now! – Episode #667 – Drupalgeddon2 appears to be a fixture of the Internet
Security Now! – Episode #699 – Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653
Security Now! – Episode #729 – The mixed-Blessing of “Wide Open” Source projects…
Security Now! – Episode #749 – Windows 7 – R. I. P.
DataBreachToday – Cryptocurrency Miners Exploit Widespread Drupal Flaw
DataBreachToday – Websites Still Under Siege After ‘Drupalgeddon’ Redux
DataBreachToday – Cryptojackers Keep Hacking Unpatched MikroTik Routers
DataBreachToday – Surge in JavaScript Sniffing Attacks Continues
DataBreachToday – Unpatched VPN Servers Targeted by Nation-State Attackers
DataBreachToday – NSA Is Latest Intelligence Agency to Sound VPN Patch Alarm
DataBreachToday – Patch or Perish: VPN Servers Hit by Ransomware Attackers
DataBreachToday – Severe Citrix Flaw: Proof-of-Concept Exploit Code Released
DataBreachToday – Citrix Releases First Patches to Fix Severe Vulnerability
DataBreachToday – Hacked Law Firm May Have Had Unpatched Pulse Secure VPN
DataBreachToday – US Cyber Command Alert: Patch Palo Alto Networks Products
DataBreachToday – Twitter Hack: A Sign of More Troubles Ahead?
DataBreachToday – Users Urged to Patch Critical Flaw in SAP NetWeaver AS
Dark Reading – Cryptojacking Threat Continues to Rise
Dark Reading – 5 Steps to Fight Unauthorized Cryptomining
Dark Reading – Cisco Router Vulnerability Gives Window into Researchers’ World
Dark Reading – Ongoing DNS Hijack Attack Hits Consumer Modems and Routers
Dark Reading – Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks
Dark Reading – Website Collecting Australian Fire Donations Hit by Magecart
Dark Reading – Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Dark Reading – Barnes & Noble Warns Customers About Data Breach
New Scientist – You may be making cryptocurrency for hackers without realising
Techdirt – Covert Cryptocurrency Miners Quickly Become A Major Problem
Techdirt – Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused
Business Insider – A hacker has been using the Los Angeles Times’ website to mine the cryptocurrency Monero
Business Insider – If your computer has slowed, you might be mining crypto coins for someone else — here’s how to stop it
Business Insider Netherlands – Ernstig beveiligingslek in Citrix treft Nederlandse bedrijven en instellingen (Serious vulnerability in Citrix affects Dutch companies and institutions)
CSO – What is cryptojacking? How to prevent, detect, and recover from it
CSO – How to detect and prevent crypto mining malware
CSO – Don’t Let Your Website Become A Crypto Goldmine For Hackers
CSO – Cisco business routers targeted after patch, at least 9,000 vulnerable
WeLiveSecurity – US and UK government websites hijacked to mine cryptocurrency on visitors’ machines
WeLiveSecurity – Coinhive cryptocurrency miner to call it a day next week
The Sacramento Bee – UC San Francisco med school pays $1.14 million to retrieve data from cyberattackers
BTCMANAGER – Cryptojacking Strikes Again! Hackers Target Government Websites to Mine Monero
BTCMANAGER – Monero Mikrotik Madness: Carrier-Grade Cryptojacking Scheme
BTCMANAGER – Hackers Unfazed by Crypto Price Crash as they Double Down on Wallet Attacks
Mashable – Chrome extension is secretly mining cryptocurrency
Motherboard – ‘One of the Biggest’ Coinhive Users Made $7.69 In 3 Months
SC Media – Cryptojacking campaign hits 400 Drupal-based sites, many run by governments and universities
SC Media – 2018 – The year that was: Top Cyberthreats
SC Media – Attackers scanning unpatched Cisco small business routers after exploit code published
SC Media – Cisco may have released a faulty patch in most recent update
SC Media – Cybercriminals launch attacks on home routers via Google Cloud Platform
SC Media – More than 25,000 Linksys Smart Wi-Fi Routers leaking data
SC Media – D-Link wireless modems found to leak passwords
SC Media – Thousands of businesses at risk via Pulse Secure VPN flaw
SC Media – Sodinokibi ransomware ID’d as cause of Travelex business disruptions
SC Media – Travelex recovering from ransomware, but more firms at risk of VPN exploit
SC Media – Patch now, Microsoft Exchange servers open to remote hacking due to major flaw
SC Media – Carnival must right the ship after breaches threaten travelers’ trust
SecurityIntelligence – Does the Rise of Crypto-Mining Malware Mean the End of Ransomware?
Financial Post – Vulnerabilities found in Citrix and Pulse Secure products
TechTarget – New cloud threats as attackers embrace the power of cloud
TechTarget – Pulse Secure VPN vulnerability targeted with ransomware
HackRead – After The Pirate Bay, Showtime Websites Also Found Mining Cryptocoins
HackRead – Chrome Extension with 105,000 installs is a Cryptocurrency Miner
HackRead – Hackers are using YouTube Ads to Mine Monero Cryptocurrency
HackRead – LA Times website hacked to mine Monero cryptocurrency
HackRead – Cryptojacking campaign hits 400 Drupal-based sites, many run by governments and universities
HackRead – The Pirate Bay is silently mining cryptocurrency without user consent
HackRead – VisionDirect hacked: Hackers infect domains with malicious Google Analytics code
HackRead – The Pirate Bay’s preferred cryptominer Coinhive shutting down next week
SecurityWeek – Many Drupal Sites Still Vulnerable to Drupalgeddon2 Attacks
SecurityWeek – Hackers Target Cisco Routers via Recently Patched Flaws
SecurityWeek – Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users
SecurityWeek – Hundreds of Git Repositories Held for Ransom
SecurityWeek – One Million Devices Vulnerable to BlueKeep as Hackers Scan for Targets
SecurityWeek – Pulse Secure Says Majority of Customers Patched Exploited Vulnerability
SecurityWeek – vBulletin Patches Vulnerability Exploited in the Wild
SecurityWeek – APTs Exploiting Enterprise VPN Vulnerabilities, UK Govt Warns
SecurityWeek – NSA: Multiple State-Sponsored APTs Exploiting Enterprise VPN Flaws
SecurityWeek – Pulse Secure VPN Vulnerability Exploited to Deliver Ransomware
SecurityWeek – Hackers Scanning for Apache Tomcat Servers Vulnerable to Ghostcat Attacks
SecurityWeek – BIG-IP Vulnerability Exploited to Deliver DDoS Malware
Tom’s Guide – These D-Link Routers Are Under Attack: What to Do
Tom’s Guide – Thousands of Linksys Routers Leaking Sensitive Data: What to Do Now
Tom’s Guide – VPN security alert: 900 servers hit by huge data breach
Security Boulevard – 5 Cryptojacking Consequences CISOs Can’t Ignore
Security Boulevard – Coinhive to shut down all its cryptojacking services on March 8!
Security Boulevard – Cisco merely blacklisted a curl instead of actually fixing the vulnerable code for RV320 and RV325
Security Boulevard – Git Code Repos Held to Ransom – Thousands Hacked
Security Boulevard – Attackers wiped many GitHub, GitLab, and Bitbucket repos with ‘compromised’ valid credentials leaving behind a ransom note
Security Boulevard – Forbes subscribers warned of Magecart threat skimming credit card details
Security Boulevard – Egyptian DDoS Campaign Observations
Security Boulevard – A zero-day pre-auth vulnerability is currently being exploited in vBulletin, reports an anonymous researcher
Security Boulevard – Pulse Secure VPN Server Exploit Opens the Way for Sodinokibi Ransomware; Travelex Falls Victim
Security Boulevard – Nexus Intelligence Insights: What’s in a Ghostcat? CVE-2020-1938 Apache Tomcat – Local File Inclusion Potentially Leads to RCE
Security Boulevard – Coronavirus: Its Four Most Prevalent Cyber Threats
Security Boulevard – F5 BIG-IP Has Huge, Enormous, Bad, Scary Security Holes (Patch NOW)
SmarterMSP – Threat Watch: Cryptojacking
Tom’s Hardware – Showtime Uses Online Viewers’ CPUs To Mine Cryptocurrency
Tom’s Hardware – The Rise Of Cryptojacking And How To Stop It
Gizmodo en Español – Es una plaga: Movistar infecta “por error” su propia web para minar criptomonedas a través de sus usuarios (It’s a plague: Movistar infects its own website “by mistake” to mine cryptocurrencies through its users)
CriptoNoticias – “No hay que tomarse los mineros web a la ligera” asegura Troy Mursch, investigador de ciberseguridad (We shouldn’t take web miners lightly,” says Troy Mursch, cybersecurity researcher.)
CriptoNoticias – Página web de Movistar España minaba monero de sus usuarios con Coinhive (Movistar Spain web page mines Monero from its users with Coinhive)
Inverse – Chrome Extension Secretly Used People’s Computers to Mine Cryptocurrency
Inverse – Tesla Latest Victim of Cryptojacking Attack, and More Could Come Soon
Inverse – Cryptojacking Attacks Continue as “Los Angeles Times” Falls Prey to Hackers
Inverse – Why This Cryptocurrency Mining Calendar App Wasn’t Such a Great Idea
Heise online – Chrome-Extension Archive Poster sammelt heimlich Kryptowährung (Chrome Extension Archive Poster secretly collects cryptocurrency)
Heise online – Drupal-Lücken: Lenovo versäumt Webseiten-Update und fängt sich Krypto-Miner ein (Drupal Gaps: Lenovo fails website update and captures crypto-miner)
Heise online – Jetzt patchen! Angreifer machen Jagd auf Cisco-Router (Patch now! Attackers hunt down Cisco routers)
Heise online – 20.000 Linksys-Router leaken angeblich Daten von verbundenen Geräten (20,000 Linksys routers are reportedly leaking data from connected devices)
Heise online – Jetzt patchen! Attacken auf VPN-Server mit Pulse Connect Secure (Patch now! Attacks on VPN server with Pulse Connect Secure)
Heise online – Jetzt patchen: Exploit-Code für ältere Windows-SMBv3-Lücke veröffentlicht (Patch now: Exploit code for older Windows SMBv3 vulnerability released)
Heise online – Jetzt patchen! Exploit-Code für kritische SAP-Lücke aufgetaucht (Patch now! Exploit code for critical SAP vulnerability exposed)
Golem.de – Proxy-Server fügen Kryptominer ein (Proxy servers add cryptominer)
Golem.de – Linksys-Router leaken offenbar alle verbundenen Geräte (Linksys routers apparently leak all connected devices)
Cointelegraph – ‘Attack Or Business Opportunity?’: Academics Question Ethics Of Coinhive Cryptojacking
Cointelegraph – Coinhive Code Found On 300+ Websites Worldwide In Recent Cryptojacking Campaign
Cointelegraph – Report: Number of Routers Affected by Crypto Malware Doubled Since August, Reaching 415K
Security Affairs – A new Mirai variant is rapidly spreading, around 100,000 IPs running the scans in the past 60 hours
Security Affairs – Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks
Security Affairs – Thousands of unpatched MikroTik Routers are involved in new cryptocurrency mining campaigns
Security Affairs – Over 19,000 Orange Livebox ADSL modems leak WiFi credentials
Security Affairs – Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Security Affairs – Initial fixes for Cisco RV320 and RV325 routers were incomplete
Security Affairs – DNS hijacking campaigns target Gmail, Netflix, and PayPal users
Security Affairs – Magecart hackers inject card Skimmer in Forbes Subscription Site
Security Affairs – Internet scans found nearly one million systems vulnerable to BlueKeep
Security Affairs – Bad Packets warns of over 14,500 Pulse secure VPN endpoints vulnerable to CVE-2019-11510
Security Affairs – Botnet exploits recent vBulletin flaw to protect its bots
Security Affairs – Albany County Airport authority hit by a ransomware attack
Security Affairs – CISA warns that Pulse Secure VPN issue CVE-2019-11510 is still exploited
Security Affairs – Experts warn of mass scans for Apache Tomcat Ghostcat flaw
Security Affairs – Nation-state actors are exploiting CVE-2020-0688 Microsoft Exchange server flaw
Security Affairs – UK Fintech company Finastra hit by a cyber attack
Security Affairs – SeaChange video delivery software solutions provider hit by Sodinokibi ransomware
Security Affairs – Elexon, a middleman in the UK power grid network hit by cyber-attack
Security Affairs – Experts warn of massive internet scans for SAP systems affected by RECON Vulnerability
Security Affairs – Maze Ransomware operators published data from LG and Xerox
Security Affairs – Hackers hit Luxottica, production stopped at two Italian plants
BizTech – How Cryptojacking Could Harm Your IT Environment
ExtremeTech – Showtime Caught Mining Cryptocurrency With Viewers’ PCs
Complex – Showtime’s Website Might Have Been Hacked to Mine Cryptocoin
Podcasts
PQ 148: How To Monitor Cryptojacking With Paessler PRTG
Threatpost Podcast – Bad Packets Report Founder on Rising Cryptojacking Attacks
Webinars
Crypto Crime: Hunting for Cryptocurrency Mining in Your Enterprise
Bad Packets Cofounder Troy Mursch discusses the key factors contributing to the rise of malicious cryptocurrency mining, the symptoms of cryptojacking, and brief history of the topic in this webinar hosted by Infosecurity Magazine.
Guest Blogs
- How Cryptojacking Impacts You, and What You Can Do About It
- Cryptojacking campaigns continue to target vulnerable websites
- How to use reverse DNS records to identify mass scanners
- How to use name server records to locate malicious domains en masse
Case studies
PRTG: Helping A Leading Independent Security Analyst Detect And Prevent Cryptojacking
In this case study, presented by Paessler, I document my use of PRTG to detect and monitor high-profile websites infected with cryptojacking malware.
Interviews
No Incident Unnoticed: Interview with Troy Mursch from Bad Packets Report