More stories

  • LemonDuck botnet plunders Docker cloud instances in cryptocurrency crime wave

    Operators of the LemonDuck botnet are targeting Docker instances in a cryptocurrency mining campaign.

    LemonDuck is cryptocurrency mining malware wrapped up in a botnet structure. The malware exploits older vulnerabilities to infiltrate cloud systems and servers, including the Microsoft Exchange ProxyLogon bugs, EternalBlue, and BlueKeep. As noted by Microsoft’s security team in 2021, the threat actors behind the malware are known to be selective when it comes to timing and may trigger an attack when teams are focused on “patching a popular vulnerability rather than investigating compromise.”

    LemonDuck has expanded its operations from Windows machines to also include Linux and Docker. In an ongoing, active campaign, CrowdStrike says that Docker APIs are being targeted to obtain initial access to cloud instances. Docker is used for running containers in the cloud.

    On Thursday, the cybersecurity researchers said that LemonDuck will take advantage of misconfigurations in instances that cause API exposure to deploy exploit kits and load malware. In a case observed by the team, an exposed API was abused to run a custom Docker ENTRYPOINT instruction and download “core.png,” a Bash script disguised as an image file. The file was downloaded from a domain in LemonDuck’s “vast” command-and-control (C2) infrastructure. “CrowdStrike found multiple campaigns being operated via the domain targeting Windows and Linux platforms simultaneously,” the researchers noted.

    Core.png will launch a Linux cronjob inside the vulnerable container and then download a secondary Bash file, “a.asp,” the main LemonDuck payload. The cronjob will trigger LemonDuck. The malware will first kill several processes, including network connections, rival cryptocurrency mining operations, and existing ties to mining pools. LemonDuck will also target known daemons tasked with monitoring, such as Alibaba Cloud’s monitoring service.

    Now that the server has been prepared, a cryptocurrency mining operation begins. XMRig, used to generate Monero (XMR), is launched with a configuration set to proxy pools — an attempt to hide the true cryptocurrency wallet address of the attacker. LemonDuck doesn’t stop at just one Docker instance, however. The malware will also search for SSH keys in the file system to log into other servers and repeat its malicious operations.

    “Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers,” the researchers say. “Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
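The misconfiguration the campaign relies on is a Docker daemon API listener that anyone on the network can reach. The following audit script is an added example, not CrowdStrike's or Docker's code: it reads the real dockerd settings `hosts`, `tls` and `tlsverify` from daemon.json (or the equivalent `-H`/`--host`, `--tls` and `--tlsverify` command-line flags) and reports any TCP listener that accepts unauthenticated API calls. The function names and the sample configurations are constructed for the demonstration.

```python
"""Audit Docker daemon settings for an API listener reachable without
authentication. Added example; the sample configurations are constructed."""
import json
import shlex
from urllib.parse import urlsplit

# Bind addresses that expose the listener on every interface.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def _check_listeners(listeners, tls, tlsverify):
    """Return one finding per TCP listener: (listener, severity, reason)."""
    findings = []
    for host in listeners:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are reachable only locally
        bind = (urlsplit(host).hostname or "").strip("[]")
        if tlsverify:
            severity, reason = "info", "TLS with client-certificate verification"
        elif tls:
            severity = "high"
            reason = ("TLS without tlsverify: the connection is encrypted but "
                      "any client can call the API")
        else:
            severity, reason = "high", "plaintext API with no authentication at all"
        if bind in WILDCARD_BINDS:
            reason += "; bound to all interfaces"
        findings.append((host, severity, reason))
    return findings


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json (given as a string)."""
    cfg = json.loads(text)
    return _check_listeners(cfg.get("hosts", []), bool(cfg.get("tls", False)),
                            bool(cfg.get("tlsverify", False)))


def audit_dockerd_cmdline(cmdline):
    """Audit a running dockerd command line, e.g. from `ps -o args= -C dockerd`."""
    args = shlex.split(cmdline)
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return _check_listeners(hosts, tls, tlsverify)


def has_exposed_api(findings):
    """True when any listener lets an unauthenticated client drive the daemon."""
    return any(severity == "high" for _, severity, _ in findings)


# Constructed sample configurations (not taken from any real host).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
            '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}')
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock"]}'

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED),
                      ("local-only", LOCAL_ONLY)):
        print(name, audit_daemon_json(cfg))
    print("cmdline", audit_dockerd_cmdline(
        "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"))
```

A `tls: true` listener without `tlsverify` is still reported as high: the daemon presents a certificate but does not demand one from the client, so anyone who can reach the port can still create containers with an arbitrary ENTRYPOINT, which is exactly what the campaign does.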

  • It's past time you started using a password manager (whether you like it or not)

    Written by Jack Wallen, Contributing Writer

    Tell me, what is the password for your bank account? If you can rattle off that password without thinking, chances are pretty good it’s not nearly strong enough. Any password you can memorize (unless you have an amazing memory) is probably weak. 

    Whether you like it or not, it’s way past time you stopped using passwords like password, 12345, qwerty, 111111, 000000, iloveyou, 666666, qwertyuiop, dragon, monkey, or qazwsx. Believe it or not, that list comes from the NordPass most common password list. That’s right, even with password breaches and massive service hacks becoming the norm, people are still using such simplistic passwords.

    I get it, I really do. We’re all so busy we don’t have time to add yet another complication to our daily workflow.

    But let me ask you a very simple question: Do you really want to prevent bad actors from accessing your accounts and services? The answer should be a resounding, “Yes!” Otherwise your approach to security is not in line with modern existence.

    You might think that to be hyperbole, but it’s not. It’s 2022, and if you’re still using weak passwords, it’s only a matter of time before someone hacks any number of your accounts. Consider this: according to Hive Systems, if you use password as an account password, it only takes about 5 seconds to crack it. If your password is 12345678, it can be cracked instantly. If, however, that password is an 11-character combination of uppercase letters, lowercase letters, numbers, and symbols, that password would take years to crack.

    Of course, at this point, you’re thinking, “I don’t want to have to memorize a bunch of impossible passwords.” Good thing you don’t have to. In fact, when you employ a password manager, you only have to memorize one password. That one password will unlock a vault containing all of those passwords you’ve created and are next to impossible to memorize.

    Let’s step back a bit. How does this even work?

    If you’re new to the world of password managers, let me explain how they work. Think of the password manager as a safe, where you can store all of your important bits. Those bits are individual entries for all of the accounts and services you use. You’d create an entry for:

    • Your bank
    • Facebook
    • Twitter
    • Instagram
    • TikTok
    • Amazon
    • Any work systems you use
    • Netflix
    • Hulu

    In other words, a password manager keeps all of your passwords locked away in a virtual safe, and only you have the key to open it. That key is yet another password, but it’s the only one you have to memorize. To make this even easier, if you’re using a password manager on your mobile device, you can set it up to unlock using either biometrics (such as a fingerprint or face scanner) or your phone password/PIN.

    Even better, most password managers include a feature called a random password generator. So when you’re setting up a new account, you don’t have to worry about creating a complicated, strong password. Instead, you let the password manager create the password for you. Using this feature ensures you will not only be using very strong passwords, but it also helps keep you from reusing passwords from one site/service to the next. With the help of a password manager, every site/service you use will have its own strong and unique password. If you want to keep your accounts from being hacked, that is the single most important first step you can take.

    But the fun doesn’t end there. With some password managers, you get browser integration, which means that when you land on a site that requires a password, the password manager (once you enter the vault unlock password) will auto-fill the credentials for you. The implications of that are important:

    • You don’t have to have your browser save your password (which can be a security risk).
    • You get the added benefit of using very strong passwords.
    • You only have to type a single password for everything.

    At this point, you’re probably thinking, “But my web browser has a built-in password manager!” Although that’s true, those built-in password managers aren’t nearly as secure as a stand-alone password manager, nor do they include all the bells and whistles found within a good password manager. If you want the most secure browser experience, you won’t ever allow your browser to save your passwords, and you’ll instead use a password manager with browser integration.

    Convinced yet? If not, let me spell it out for you in terms that will hopefully open your eyes to why a password manager is an absolute necessity these days: If you don’t use one, eventually one or more of your accounts will get hacked. It’s as simple as that.

    So, what password managers should you consider? Take a look at what ZDNet believes to be the best password managers on the market. What are you waiting for? Install a password manager and start using very strong and unique passwords for all of the sites and services you use. You’ve been warned.


  • FBI warning: Ransomware gangs are going after this lucrative but unexpected target

    Businesses in farming and agriculture have been warned that they should be prepared to face an increase in ransomware attacks at critical times, like spring planting or harvest. The alert by the FBI suggests that ransomware gangs see farming and agriculture as a lucrative target where victims could be more willing to pay a ransom for a decryption key because of the time-sensitive nature of the industry.

    Ransomware attacks targeting agriculture could disrupt planting and harvesting operations, potentially impacting food supplies, not only for people but also for farm animals, which could disrupt the wider food supply chain as well as causing financial damage to farmers.

    Since 2021, multiple agricultural cooperatives have fallen victim to ransomware attacks, particularly during the spring planting and autumn harvesting seasons. The alert details how there were six recorded ransomware attacks against grain cooperatives during the fall 2021 harvest and two attacks early this year. The attacks in the fall took place in the space of a few weeks between September and October and involved several different ransomware variants, including Conti, BlackMatter, Suncrypt, Sodinokibi (REvil), and BlackByte. Some of the victims had to halt production. The alert doesn’t mention whether any of the victims paid the ransom.

    More recently, a LockBit 2.0 ransomware attack against a multi-state grain company in March 2022 affected grain processing, along with additional services relating to delivering seeds, fertilizer, and logistics, all of which were disrupted by the attack. The FBI alert also notes how in February 2022, a company supplying feed milling and other agricultural services detected and reported unauthorised intrusions into its network which could have been an attempt to deploy ransomware. The attempted incident was stopped before additional damage was done.

    “Although ransomware attacks against the entire farm-to-table spectrum of the food and agriculture sector occur on a regular basis, the number of cyber attacks against agricultural cooperatives during key seasons is notable,” said the alert.

    The FBI says cyber criminals will continue to exploit network, system, and application vulnerabilities within the farming and agricultural sectors – but that there are several steps organisations can take to help avoid falling victim to ransomware attacks. These include implementing network segmentation, installing security updates for operating systems, software and firmware as soon as they’re released, and using multi-factor authentication whenever possible. It’s also recommended that strong passwords are applied to accounts, that data is regularly backed up and stored offline, and that organisations implement a recovery plan so they know what to do if they do fall victim to a ransomware attack.

  • Beanstalk DeFi project robbed of $182 million in flash loan attack

    Decentralized finance (DeFi) project Beanstalk has lost $182 million in a flash loan attack.

    It might seem more like a corporate heist than a typical cyberattack. Still, this security incident was possible after the unknown threat actor secured the project voting rights necessary to transfer reserve funds away from the project’s liquidity pools.

    On April 19, Beanstalk, a credit-based stablecoin protocol project based on Ethereum, said the platform was subject to a flash loan attack two days previously. The cyberattack exploited the project’s protocol governance mechanism. According to a post-mortem conducted by Omniscia, the exploit occurred due to the recent implementation of the Curve LP Silos, “ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.”

    Flash loan functions in DeFi projects allow users to borrow large amounts of virtual funds for a short period of time. In Beanstalk Farms’ case, voting power was based on the amount of tokens held. Omniscia says that after the attacker secured a flash loan — and, therefore, extensive voting rights normally used to accept or decline changes in the protocol’s code — an emergency governance mechanism was abused to ‘vote’ for a malicious proposal and allow the attacker to send funds to a wallet they controlled. The flash loan was then repaid.

    According to PeckShield, who first spotted the attack, total losses reached $182 million, with the attacker able to pocket roughly $80 million. Other losses were due to the fees required to execute the flash loan. Stolen assets were then liquidated into Ethereum (ETH). Beanstalk says approximately $76 million in non-Beanstalk assets were stolen from liquidity pools.

    Beanstalk was paused following the discovery of the attack, but this was not enough to prevent the theft or claw back the stolen funds. Remaining BEANs in the exploiter contract have been burned. In a tweet, Beanstalk offered the attacker 10% of the stolen funds as a bug bounty if they returned 90%. Notably, the thief also appears to have sent $250,000 to the Ukrainian relief fund Ukraine Crypto Donation.

    “Beanstalk Farms, the decentralized development team working on Beanstalk, is preparing a strategy to safely re-launch a more secure Beanstalk with a path forward,” the project says. There are several goals on the roadmap: attracting investment to restart Beanstalk; preserving “as much of each Farmers’ Stalk, Seed, and Pod positions as possible,” and “aligning new capital with previous Stalk and Pod holders.”

    “This eye-watering amount of money stolen will not only bite financially but it will potentially chip away at the trust too,” commented Jake Moore, Global Cyber Security Advisor at ESET. “Attackers are heavily targeting crypto finance systems due to the extremely high rewards whilst often leaving no remanence of evidence whatsoever.”
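The design weakness described above is that voting power was read from the balance a voter held at the moment of voting, so tokens borrowed and repaid inside a single transaction counted in full. The model below is an added example, not Beanstalk's or Omniscia's code: a toy ledger and governance contract in Python that reproduce that mechanism, then the same scenario with voting power fixed at a snapshot block that closes before voting opens (the approach mainstream on-chain governance frameworks use), which a loan repaid within one transaction never appears in. All balances, names and the two-thirds quorum are constructed for the demonstration.

```python
"""Token-weighted governance with live-balance voting versus snapshot voting.
Added example; balances, names and quorum are constructed."""


class Ledger:
    """Token balances plus a per-block history, as an on-chain token records."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.block = 0
        self.history = {}  # block number -> balances as they stood when that block closed

    def advance_block(self):
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def balance_at(self, who, block):
        if block not in self.history:
            raise ValueError(f"block {block} is not finalised yet")
        return self.history[block].get(who, 0)

    def total_supply(self):
        return sum(self.balances.values())


class Governance:
    def __init__(self, ledger, quorum, voting_delay):
        self.ledger = ledger
        self.quorum = quorum              # fraction of total supply needed to pass
        self.voting_delay = voting_delay  # 0 = weight is the live balance (weak design)
        self.proposals = {}
        self.treasury_owner = "protocol"  # who controls the reserve funds

    def propose(self, pid):
        snapshot = self.ledger.block + self.voting_delay
        self.proposals[pid] = {"snapshot": snapshot, "votes": 0, "voters": set()}

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p["voters"]:
            raise ValueError("already voted")
        if self.voting_delay == 0:
            weight = self.ledger.balances.get(voter, 0)  # borrowed tokens count too
        else:
            weight = self.ledger.balance_at(voter, p["snapshot"])  # fixed in a closed block
        p["voters"].add(voter)
        p["votes"] += weight

    def execute(self, pid, beneficiary):
        p = self.proposals[pid]
        if p["votes"] < self.quorum * self.ledger.total_supply():
            raise ValueError("quorum not reached")
        self.treasury_owner = beneficiary


def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend `amount` for the duration of `callback`; repayment is unconditional."""
    ledger.transfer(pool, borrower, amount)
    try:
        callback()
    finally:
        ledger.transfer(borrower, pool, amount)


def simulate(voting_delay):
    """Run the borrowed-vote scenario with the given voting delay; return the outcome."""
    ledger = Ledger({"alice": 400, "bob": 350, "lending_pool": 2000})
    gov = Governance(ledger, quorum=2 / 3, voting_delay=voting_delay)
    ledger.advance_block()  # block 0 closes holding only the honest balances
    gov.propose("drain-reserves")
    # Wait until the snapshot block has closed (irrelevant to live-balance voting).
    while gov.proposals["drain-reserves"]["snapshot"] not in ledger.history:
        ledger.advance_block()

    outcome = {"error": None}

    def vote_and_execute_while_borrowed():
        gov.vote("drain-reserves", "attacker")
        try:
            gov.execute("drain-reserves", "attacker")
        except ValueError as err:
            outcome["error"] = str(err)

    flash_loan(ledger, "lending_pool", "attacker", 2000, vote_and_execute_while_borrowed)
    outcome["attacker_votes"] = gov.proposals["drain-reserves"]["votes"]
    outcome["treasury_owner"] = gov.treasury_owner
    outcome["loan_repaid"] = ledger.balances["lending_pool"] == 2000
    return outcome


if __name__ == "__main__":
    print("live-balance voting:", simulate(voting_delay=0))
    print("snapshot voting:    ", simulate(voting_delay=1))
```

With `voting_delay=0` the borrowed 2000 tokens out of a 2750 supply clear the two-thirds quorum and the reserves change hands before the loan is repaid; with a snapshot the same borrower has a recorded balance of zero at the snapshot block and the execution fails on quorum.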

  • Phishing emails targeting LinkedIn accounts are on the rise. Here's what to watch out for

    LinkedIn users are being urged to watch out for suspicious emails because the professional networking website is one of the most popular brands targeted by cyber criminals in phishing attacks. According to cybersecurity researchers at Check Point, who analysed phishing emails sent during the first three months of this year, over half of all phishing attacks (52%) attempted to leverage LinkedIn.


    The phishing emails are designed to look like they come from LinkedIn, but if the recipient clicks the link, they’re sent to a login page designed to look like LinkedIn. If they enter their email address and password, they’ll be handing them to the attacker, who can use that information to log in to the victim’s LinkedIn account.

    The attacks aren’t particularly sophisticated. But by targeting a commonly used service like LinkedIn, there’s a good chance that some of the recipients won’t spot that what they’re interacting with is a phishing attack.

    “These phishing attempts are attacks of opportunity, plain and simple. Criminal groups orchestrate these phishing attempts on a grand scale, with a view to getting as many people to part with their personal data as possible. Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn,” said Omer Dembinsky, data research group manager at Check Point Software.

    While LinkedIn was the most commonly spoofed brand for phishing attacks during the reporting period, it’s far from the only known company that cyber criminals are attempting to leverage in attacks. Some of the other brands cyber criminals spoof in phishing emails include DHL, Google, Microsoft, FedEx, WhatsApp, Amazon and Apple. In many cases, the aim, like the LinkedIn attacks, is to steal usernames and passwords, although researchers warn that, in some cases, malicious links and attachments are used to deliver malware.

    Cyber criminals send out mass-phishing campaigns because, unfortunately, they tend to work – people are clicking malicious links and downloading attachments. But there are often tell-tale signs that an email could be a malicious phishing message.

    “Employees should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users, in particular, should be extra vigilant over the course of the next few months,” said Dembinsky.

    LinkedIn provides users with the ability to use multi-factor authentication, which, if applied, can provide an extra barrier against phishing attacks. “Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification,” a LinkedIn spokesperson told ZDNet in an email. “To learn more about how members can identify phishing messages, see our Help Center here,” they added.

    Some of the warning signs that an email might be an attempted phishing attack include bad spelling and grammar, a message that isn’t addressed to you personally, or a message claiming to be urgent and needing to be acted upon immediately. Messages asking you to download an attachment to install a software update should also be treated with caution.

    A common tactic used in phishing emails is to tell users that their account has been hacked. If you are worried that an email with a cybersecurity warning that says you need to change your password might be legitimate, the best course of action is to avoid the URL in the email and visit the website directly. If there really is an issue, the website will tell you and you can take the necessary action.
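The warning signs listed above (misspelled domains, a message not addressed to you personally, urgency, and requests to install an update from an attachment) can be checked mechanically before a message reaches an inbox. The scorer below is an added example, not Check Point's or LinkedIn's code: it parses a raw RFC 5322 message with the Python standard library and reports lookalike sender domains, brand-impersonating or mismatched link domains, a generic greeting, urgency phrases and attachment-update requests. The brand list, the phrase list, the two-edit lookalike threshold and both sample messages are constructed for this demonstration.

```python
"""Score an email for common phishing warning signs. Added example;
brand list, phrase list and sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND_DOMAINS = ("amazon.com", "apple.com", "dhl.com", "fedex.com", "google.com",
                 "linkedin.com", "microsoft.com", "whatsapp.com")
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended",
                   "account has been hacked", "verify your account")
ATTACHMENT_UPDATE_RE = re.compile(r"attach\w*.{0,80}\b(update|install)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def impersonated_brand(host):
    """Return the brand a domain imitates, or None if it is the brand itself or unrelated."""
    domain = registrable(host)
    if domain in BRAND_DOMAINS:
        return None
    for brand in BRAND_DOMAINS:
        if edit_distance(domain, brand) <= 2 or brand.split(".")[0] in domain:
            return brand
    return None


def phishing_indicators(raw_message, recipient_first_name):
    """Return (code, detail) tuples; an empty list means no warning sign fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    subject = str(msg["subject"] or "")
    sender = parseaddr(str(msg["from"] or ""))[1]
    sender_domain = registrable(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    found = []

    brand = impersonated_brand(sender_domain) if sender_domain else None
    if brand:
        found.append(("sender-impersonation", f"{sender_domain} imitates {brand}"))
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        link_brand = impersonated_brand(host)
        if link_brand:
            found.append(("link-impersonation", f"{host} imitates {link_brand}"))
        if sender_domain and registrable(host) != sender_domain:
            found.append(("link-sender-mismatch", f"{host} is not under {sender_domain}"))
    # Greeting that does not name the recipient ("Dear user", "Hello,").
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if (re.match(r"(dear|hello|hi|greetings)\b", first_line, re.I)
            and recipient_first_name.lower() not in first_line.lower()):
        found.append(("generic-greeting", first_line))
    text = f"{subject}\n{body}".lower()
    found.extend(("urgency", p) for p in URGENCY_PHRASES if p in text)
    if ATTACHMENT_UPDATE_RE.search(body):
        found.append(("attachment-update", "asks to install an update from an attachment"))
    return found


def is_suspicious(raw_message, recipient_first_name, threshold=2):
    """Flag a message when at least `threshold` distinct indicator types fire."""
    codes = {code for code, _ in phishing_indicators(raw_message, recipient_first_name)}
    return len(codes) >= threshold


# Constructed sample messages (not real phishing mail).
PHISH = """\
From: "LinkedIn" <security@linkedln.com>
To: Jane Doe <jane@example.com>
Subject: Your account has been hacked - act immediately

Dear user,

We detected unusual sign-in activity. Your account will be suspended within 24 hours
unless you confirm your password at https://linkedin-secure-login.example/login
"""
LEGIT = """\
From: Example Bank <alerts@examplebank.com>
To: Jane Doe <jane@example.com>
Subject: Your March statement is ready

Hello Jane,

Your statement is available in online banking. Log in as usual at
https://www.examplebank.com to view it.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, is_suspicious(raw, "Jane"), phishing_indicators(raw, "Jane"))
```

The brand-label check (`"apple" in domain`) is deliberately aggressive and will flag unrelated domains that happen to contain a brand name, so in practice the scorer is a triage signal to combine with mail authentication results rather than a verdict on its own.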

  • Hive hackers are exploiting Microsoft Exchange Servers in ransomware spree

    The Hive threat group is targeting vulnerable Microsoft Exchange Servers to deploy ransomware. First spotted in June 2021, Hive is a Ransomware-as-a-Service (RaaS) model in which cyberattackers can utilize the Hive ransomware strain in attacks.

    The threat actors operate a leak site, accessible via a .onion address, which aims to ‘name and shame’ ransomware victims. Additionally, the malware operators practice double extortion, in which sensitive corporate data is stolen from a victim organization before disk encryption. If a victim refuses to pay for a decryption key, the cyberattackers will plaster their name across the leak site and set a timer before the data is leaked. This piles on the pressure and gives the attackers more opportunities for extortion.

    Hive’s past victims include non-profit entities, the energy sector, financial companies, and healthcare providers. “While some ransomware groups operating as RaaS networks claim to steer clear of targeting specific sectors such as hospitals or other critical industries to avoid causing harm to people, Hive’s attacks against healthcare providers in 2021 showed that the operators behind it have no regard for such humanitarian considerations,” Trend Micro said in a March 2022 investigation of the group.

    The FBI issued an alert on Hive activity in August 2021, followed by the HHS this April, which cautioned that the RaaS outfit is an “exceptionally aggressive, financially-motivated ransomware group.”

    In new research published on April 19 by the Varonis Forensics Team, a recent ransomware incident allowed the company to examine the group’s tactics and procedures in depth. An unnamed customer’s networks were infiltrated, and the attack was complete in 72 hours.

    The intrusion began with the exploitation of ProxyShell, a set of critical vulnerabilities in Microsoft Exchange Server patched by the vendor in 2021. The security flaws could lead to the remote, full compromise of Exchange servers. Once exploited, a webshell backdoor is executed to maintain persistence and grant the attack group a path into the server to deploy PowerShell code with SYSTEM-level privileges.

    Hive launches a Cobalt Strike beacon in the next step and creates a new administrator user account. Mimikatz comes into play, and the domain Administrator NTLM hash is stolen. “By stealing the domain Administrator NTLM hash and without needing to crack the password, the operator managed to reuse it via a Pass-the-Hash attack and take control of the domain admin account,” the researchers say. Pass-the-Hash techniques can dupe a target system into launching authenticated sessions on a network without requiring a password crack.

    Hive will then perform reconnaissance on the server, collect information, and deploy the ransomware payload. The Go-based Hive ransomware payload, buried in a file called “windows.exe,” will encrypt files, delete shadow copies, disable security solutions, and clear Windows event logs. The malware will also try to disable the Windows Security Accounts Manager (SAM) to stop alerts from being sent to a SIEM.

    Once encryption is complete, Hive posts a ransom note, telling its victim that all data is encrypted and files have been stolen. Hive then urges its victim to contact the “sales department” at a .onion address accessible via the Tor network to gain a decryption key and stop “personal data, financial reports, and important documents” from being leaked online. Hive then provides instructions and a set of ‘guidelines’ for organizations to follow, including:

    • Do not modify, rename or delete *.key files. Your data will be undecryptable.
    • Do not modify or rename encrypted files. You will lose them.
    • Do not report to the Police, FBI, etc. They don’t care about your business. They simply won’t allow you to pay. As a result, you will lose everything.

    “Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,” the researchers say. “The impact of an attack can be detrimental. It may potentially harm an organization’s reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.”

    Varonis recommends that system administrators make sure their Exchange servers have been patched. Admins may also wish to enforce frequent password rotations, block SMBv1, and use SMB signing. It is also recommended that organizations consider zero-trust models to restrict employee account privileges to only the resources they need in their roles, thereby reducing the potential attack surface if an account is compromised.
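Several of the steps in the write-up (a new administrator account, shadow-copy deletion, event-log clearing) leave traces in the Windows Security log that a SIEM can correlate before encryption starts. The detector below is an added example, not Varonis's code: it works over the real Windows Security event IDs 4720 (user account created), 4732 (member added to a security-enabled local group), 4688 (process created) and 1102 (audit log cleared), and raises one alert per behaviour plus a per-account summary. The event records are constructed samples with field names chosen for this example, not exported telemetry.

```python
"""Correlate Windows Security events for ransomware staging behaviour.
Added example; the event records below are constructed samples."""
import re
from datetime import datetime, timedelta

# Command lines that remove Volume Shadow Copies (a well-known pre-encryption step).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Constructed sample events. "target" is the account created (4720) or the
# member added (4732); "group" is the local group for 4732; "command" is the
# process command line for 4688.
EVENTS = [
    {"time": "2022-04-10T02:14:05", "id": 4720, "host": "EXCH01", "user": "SYSTEM",
     "target": "svc_maint"},
    {"time": "2022-04-10T02:14:09", "id": 4732, "host": "EXCH01", "user": "SYSTEM",
     "target": "svc_maint", "group": "Administrators"},
    {"time": "2022-04-11T09:00:00", "id": 4720, "host": "DC01", "user": "hr.admin",
     "target": "jdoe"},
    {"time": "2022-04-11T09:02:00", "id": 4688, "host": "WS07", "user": "jdoe",
     "command": "notepad.exe report.txt"},
    {"time": "2022-04-12T23:40:11", "id": 4688, "host": "FS01", "user": "svc_maint",
     "command": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2022-04-12T23:40:16", "id": 1102, "host": "FS01", "user": "svc_maint"},
]


def detect(events, window=timedelta(minutes=10)):
    """Return (code, host, account) alerts for the behaviours described above."""
    alerts = []
    created = {}  # (host, account) -> time the account was created
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[(e["host"], e["target"])] = t
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            # A brand-new account promoted to local admin within `window`.
            t0 = created.get((e["host"], e["target"]))
            if t0 is not None and t - t0 <= window:
                alerts.append(("new-local-admin", e["host"], e["target"]))
        elif e["id"] == 4688 and SHADOW_DELETE_RE.search(e.get("command", "")):
            alerts.append(("shadow-copy-deletion", e["host"], e["user"]))
        elif e["id"] == 1102:
            alerts.append(("audit-log-cleared", e["host"], e["user"]))
    return alerts


def triage(alerts):
    """Group alert codes per account; several distinct codes point to ransomware staging."""
    by_account = {}
    for code, _host, account in alerts:
        by_account.setdefault(account, set()).add(code)
    return {account: sorted(codes) for account, codes in by_account.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print(triage(found))
```

The account created for `jdoe` on its own produces nothing, because account creation is routine; it is the promotion to Administrators minutes after creation, and the same account later deleting shadow copies and clearing the audit log, that together match the sequence in the write-up.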

  • Warrior Trading forced to pay $3 million for 'misleading' day trading scheme

    The US Federal Trade Commission (FTC) has fined Warrior Trading $3 million for operating day trading programs considered “misleading” to consumers.

    On April 19, the US regulator said Warrior Trading, based in Great Barrington, Mass., made “misleading and unrealistic claims” to potential customers interested in day trading. Day trading is a stock market tactic that involves selling and purchasing securities, with positions closed before market close. While this speculative activity can be profitable, it may also be riskier than longer-term investments — especially if you don’t do the appropriate research beforehand.

    According to the FTC, Warrior Trading and its CEO Ross Cameron allegedly “convince[d] consumers to pay hundreds or thousands of dollars for a trading system that ultimately failed to pay off for most customers.” Consumers were sold trading strategies through online programs, ebooks, a live chat platform for members, and “masterclasses.” The programs were promoted through social media platforms including Facebook, YouTube, and Instagram. Warrior Trading also made use of online advertisements. According to the regulator, examples include:

    • “Learn to Trade With Certainty Towards The Financial Freedom You’ve Always Wanted”
    • “Learn How I Made over $101,280.47 in Verified Profits Day Trading Part Time in Under 45 Days Using 3 Simple Strategies that You Can Use Immediately to Increase profits and Reduce Losses NOW!”

    The FTC’s complaint claims that Cameron called his program “profitable” and “scalable,” but the watchdog took umbrage with these phrases and said the sales pitch violates the FTC Act and the Telemarketing Sales Rule (TSR). Furthermore, the US agency alleged that the “vast majority of customer accounts actually lost money, with numerous consumers losing thousands of dollars trading on top of the thousands they paid Warrior Trading.”

    A court order requires Warrior Trading to pay roughly $3 million in refunds, and the firm has been barred from making “baseless” claims about the potential to earn revenue on the stock market through the company’s strategies. In addition, the organization is prohibited from making any future “misrepresentations through telemarketing about investment opportunities, including the earnings potential or amount of risk a consumer might face.”

    Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said the ruling was a “heavy price” for Warrior Trading to pay and highlights an ongoing “crackdown” by the FTC on “false earnings claims and phony opportunities.” ZDNet has reached out to Warrior Trading and will update when we hear back.

  • Austrac outlines how to spot ransomware and detect abuse of digital currencies

    Australia’s financial intelligence and regulatory body Austrac has released two financial crime guides to help businesses detect and prevent criminal abuse of digital currencies and ransomware. Each guide offers practical advice to help businesses identify whether a payment is related to a ransomware attack, or whether someone is using digital currencies and blockchain technology to commit crimes such as money laundering, scams, or terrorism financing.

    Some of the specific indicators Austrac advises watching for when identifying whether someone is using digital currencies for terrorism financing, for instance, are transactions to crowdfunding or online fundraising campaigns linked to forums focused on ideologically or religiously motivated violent extremism, or a customer account receiving multiple small deposits which are immediately transferred to private wallets.

    When it comes to identifying potential scams related to digital currencies, Austrac listed potential indicators including a customer not fitting the “usual profile” of a digital currency trader or investor; a customer showing little knowledge regarding digital currency during on-boarding but purchasing digital currency quickly and sending the funds to another digital currency address; and a customer advising that they are employed to purchase digital currency on behalf of another individual or company.

    Meanwhile, according to Austrac, indicators that a person is a victim of a ransomware attack include a customer increasing the limit on their account and then quickly sending funds to a third party; a customer having little or no further digital currency activity following an initial large digital currency transfer; and a newly on-boarded customer wanting to make an immediate and large purchase of digital currency, followed by an immediate withdrawal to an external digital currency address.

    “Financial service providers need to be alert to the signs of criminal use of digital currencies, including their use in ransomware attacks,” Austrac CEO Nicole Rose said.

    The guides have been released in response to the increase in cyber threats to Australia. According to the Australian Cyber Security Centre, 500 ransomware attacks were reported in the 2020-21 financial year, an increase of nearly 15% from the previous year.

    Just last week, IDCare reported that over 5,000 customer details of former cryptocurrency exchange Alpha were exposed online. According to IDCare, these details included the driver licence, passport, proof of age, and national identity card images of 232 Australians and 24 New Zealanders. IDCare initially uncovered the breach in late January when it saw a post for sale on a Chinese-speaking forum for $150, before it was eventually posted to be accessed for free on another online forum called Breached.

    “This event poses a serious risk to the identities of any involved. Due to the nature of the identity documents discovered, we urge anyone who had any dealings with AlphaEx to contact us,” IDCare said. At the time of issuing its statement, IDCare said its attempts to contact affected individuals directly had not been successful, nor had its attempts to engage with the former operators of AlphaEx, “with some speculation detected online about the merits of their operations”.