CyberSecurity news

FlagThis - #cryptomining

@www.microsoft.com //
Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting vulnerabilities such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Data from Microsoft indicates that a concerning 51% of workload identities remained inactive in the past year, creating numerous potential entry points for attackers. The increasing adoption of containers-as-a-service among organizations has expanded the attack surface, making it more attractive for cybercriminals seeking to profit from stolen computing resources.

The dynamic nature of Kubernetes environments poses significant challenges for security teams. The rapid deployment and scaling of containers make it difficult to detect runtime anomalies and trace the origins of security breaches. Attackers often exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to infiltrate these environments. Observed attack vectors include compromising cloud credentials, deploying malicious container images, exploiting the Kubernetes API, conducting node-level and pod escape attacks, and injecting unauthorized network traffic. A recent example involved the use of the AzureChecker.exe tool to launch password spray attacks against cloud tenants, leading to the creation of cryptomining containers within compromised resource groups.

To combat these evolving threats, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix. This provides a structured framework for organizations to systematically assess and mitigate attack surfaces in containerized environments. Security best practices highlighted include implementing immutable container policies, enforcing strong authentication, employing rigorous vulnerability management, using admission controllers, establishing image assurance policies, and continuously monitoring API activity. Furthermore, a Docker malware campaign has been discovered exploiting Teneo Web3 nodes by faking heartbeat signals to earn crypto, showcasing the diverse methods attackers are using to generate revenue from compromised container environments.

Recommended read:
References :
  • www.microsoft.com: Understanding the threat landscape for Kubernetes and containerized assets
  • Cyber Security News: Cyberpress: Unsecured Kubernetes Clusters Targeted by Threat Actors for Crypto Mining
  • The Hacker News: Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals
  • Microsoft Security Blog: Understanding the threat landscape for Kubernetes and containerized assets

@gbhackers.com //
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.

The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password.

Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign.

Recommended read:
References :
  • cyberpress.org: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: Attackers Exploit SourceForge Platform to Distribute Malware
  • Securelist: Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • The Hacker News: The Hacker News Article on Cryptocurrency Miner and Clipper Malware Spread via SourceForge
  • Cyber Security News: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: GBHackers article on Attackers Exploit SourceForge Platform to Distribute Malware
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • The DefendOps Diaries: Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • www.bleepingcomputer.com: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • securityonline.info: For many developers, SourceForge has long been a cornerstone of open-source collaboration — a trusted hub to host and distribute software. But for cybercriminals, it has recently become a platform to stage deception.
  • securityonline.info: SourceForge Used to Distribute ClipBanker Trojan and Cryptocurrency Miner
  • Cyber Security News: Cybersecurity News article on SourceForge malware distribution
  • Tech Monitor: Threat actors exploit SourceForge to spread fake Microsoft add-ins

@blog.extensiontotal.com //
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.

The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion.

This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats.

Recommended read:
References :
  • blog.extensiontotal.com: reports on a VSCode extension cryptojacking campaign.
  • Secure Bulletin: reports on the malicious VSCode extensions and a growing threat to developers
  • The DefendOps Diaries: Discusses safeguarding VSCode and addressing the threat of malicious extensions.
  • BleepingComputer: Details how malicious VSCode extensions infect Windows with cryptominers.
  • www.csoonline.com: CSOOnline reports the malicious tools.
  • securebulletin.com: Malicious VSCode extensions: a growing threat to developers
  • bsky.app: Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
  • www.scworld.com: Cryptojacking facilitated by nefarious VS Code extensions
  • aboutdfir.com: Malicious VSCode extensions infect Windows with cryptominersÂ
  • securityonline.info: Malicious VSCode Extensions Caught Mining Crypto with XMRig

info@thehackernews.com (The@The Hacker News //
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.

The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.

Recommended read:
References :
  • securityonline.info: Outlaw Linux Malware: Persistent Threat Leveraging Simplicity
  • www.scworld.com: Additional details on Outlaw Linux cryptomining botnet emerge
  • Cyber Security News: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.
  • The Hacker News: Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.

SC Staff@scmagazine.com //
An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.

Cloud security firm Wiz, has identified that attackers are abusing the "COPY ... FROM PROGRAM SQL" command to execute arbitrary shell commands. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and the execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines.

Recommended read:
References :
  • gbhackers.com: A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy cryptomining payloads.
  • The Hacker News: Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
  • www.scworld.com: More than 1,500 internet-exposed PostgreSQL instances have been compromised with cryptocurrency mining malware as part of an ongoing JINX-0126 attack campaign, which is an evolution of PG_MEM malware activity initially detected by Aqua Security in August, The Hacker News reports.
  • Wiz Blog | RSS feed: Cloud environments at risk: Attackers target weak PostgreSQL instances with fileless cryptominer payloads.
  • securityonline.info: PostgreSQL Servers Hacked: 1,500+ Cloud Systems Mining Crypto via CPU_HU
  • Security Risk Advisors: CPU_HU Fileless Cryptominer Targets PostgreSQL Servers, Affects Over 1,500 Victims
  • Cyber Security News: Fileless Malware Infects 1,500+ PostgreSQL Servers
  • Cyber Security News: 1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack
  • The Hacker News: Report attributes the campaign to JINX-0126 and involves the use of XMRig-C3 cryptominers.

@securityonline.info //
A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.

Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan.

Recommended read:
References :
  • securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
  • The Hacker News: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
  • www.scworld.com: Global XMRig attack campaign involves trojanized game installers
  • Talkback Resources: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack [net] [sys] [mal]
  • Talkback Resources: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign [net] [mal]
  • Talkback Resources: StaryDobry campaign targets gamers with XMRig miner [mal]
  • gbhackers.com: A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.
  • BleepingComputer: A large-scale malware campaign dubbed StaryDobry has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • securityonline.info: Cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic The
  • www.bleepingcomputer.com: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • Anonymous ???????? :af:: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.