Researchers at Trend Micro recently discovered a new strain of Android miner dubbed ANDROIDOS HIDDENMINER that can brick infected devices
Crooks are looking with increasing interest at cryptocurrency-mining malware developed for mobile devices.
Researchers at Trend Micro recently discovered a new strain of Android malware dubbed ANDROIDOS HIDDENMINER that abuses the device CPU to mine the Monero cryptocurrency.
HiddenMiner also implements evasion techniques: it is able to bypass automated analysis by checking whether it is running in a virtualized environment, abusing an Android emulator detector found on GitHub.
“We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” reads the analysis published by Trend Micro.
“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLockerAndroid ransomware).”
The experts were able to find the Monero mining pools and wallets connected to the HiddenMiner malware, and they learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This information suggests that the operators are currently active.
HiddenMiner abuses the device’s CPU power to mine Monero; unfortunately, the computational load is so heavy that the CPU can overheat, causing the device to lock, fail, and be permanently damaged.
“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted.” continues the analysis.
“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”
This behavior was already observed in the past: the Loapi Monero-mining malware caused a device’s battery to bloat.
HiddenMiner, like Loapi, locks the device screen when the user attempts to revoke its device administrator permissions.
The ANDROIDOS HIDDENMINER is currently being delivered through a fake Google Play update app, experts found it on third-party app marketplaces.
The miner is mainly affecting users in India and China, but experts fear it could rapidly target other countries.
Malware developers are abusing the Device Administration permission; experts pointed out that users can’t uninstall an active device admin package until its device administrator privileges are removed first.
Victims of HiddenMiner cannot remove the miner from the device administrator list, as it employs a trick to lock the device’s screen when a user tries to deactivate its device administrator privileges. Experts explained that it exploits a vulnerability found in Android operating systems except for Nougat and later versions.
“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave.” concluded Trend Micro. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”
MITRE is evaluating a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) for APT detection.
MITRE is going to offer a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) to evaluate products based on their ability in detecting advanced persistent threats.
“MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” reads the MITRE’s official page. “ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.”
The MITRE ATT&CK service will evaluate endpoint detection and response products for their ability to detect advanced threats.
“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principal cybersecurity engineer at MITRE.
Duff explained that MITRE will adopt a transparent methodology and knowledge base that will make it easy to interpret the results obtained with its service.
In my opinion, sharing information about attackers’ TTPs is essential, and such an initiative is very important for the cyber security community.
Jessica Payne from Microsoft Windows Defender praised the MITRE ATT&CK service.
The knowledge base was initially collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives; it comes from publicly available sources.
“ATT&CK provides a common framework for evaluating post-breach capabilities,” said Duff. “We believe that objective and open testing based on ATT&CK will advance capabilities and help drive the entire endpoint detection and response market forward.”
According to Duff, internal MITRE information doesn’t contaminate the knowledge base.
In this phase, MITRE intends to evaluate its service and its efficiency; the first case study will be based on APT3/Gothic Panda and will evaluate the ability of products to detect this threat.
“As part of their participation in MITRE’s impartial cyber evaluation, cybersecurity vendors will be provided clear articulation of their capabilities, as well as access to MITRE’s cyber experts’ feedback for improving their products.” reads the statement published by MITRE. “Details captured will include the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product’s ability to detect the emulated adversary behavior.”
MITRE, for this first round, is calling for vendors to participate until April 13, 2018.
The security researcher Dhiraj Mishra (@mishradhiraj_) has studied how VPNs & Privacy Browsers leak users’ IPs via WebRTC
You might have heard about VPNs & privacy browsers leaking users’ IPs via WebRTC [1
reserved, wrote a Metasploit module for this issue which uses WebRTC and collects the leaked private IP address; however, this module may be implemented as a new library (browser_exploit_server.rb) in MSF.
#cheers

What is WebRTC?

WebRTC (Web Real-Time Communication) provides web browsers with real-time communication support via an API. So let’s get started. There are multiple online services available which use WebRTC functionality. Even if you are using a VPN or a privacy-based browser, it leaks your actual public and private IP address. I think this is more of a privacy issue than a security one if we talk specifically about browser-based bug bounty; however, such information can help an attacker to do further recon/attack if they are in the same network. Most browsers have WebRTC enabled by default.

Mozilla Team says: This is a well-known property of webrtc – see the duplicate bug.
Chrome Team says : We’ve already done what we plan to do, following the guidelines in https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-04. And we offer a “Network Limiter” extension (https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en) to turn on more restrictive modes.
Don’t forget Facebook: even they have their own WebKit, and it is vulnerable too.
Facebook Team says :
Thank you for your report. We’ve looked into your finding but determined the information being leaked is not sensitive enough to warrant a bounty. We may consider leakage of a victims referrer header, but it would have to display a full and potentially sensitive path. However, we have protections in place which prevent this from happening. Although this finding doesn’t qualify we still appreciate your time and effort sending it in.
Okay, if you’re an Android lover, you would be aware of the Android WebKit; the Android WebKit also leaks the IP address. I tested this on a Nokia 8 running Android 8.1.0 and the issue still exists.
Android Team says:
The Android security team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin.
Phew! Then what? I started targeting privacy browsers, and the very first browser that came to my mind was DuckDuckGo, which has 1,000,000+ downloads in the Android market; being a privacy-based browser, WebRTC was enabled over there and it leaks your IP address. I reported the same to the DuckDuckGo security team.
DuckDuckGo Team says:
Hi again Dhiraj,
Thank you for trying out the new browser and for sending this report,
including the security team. They’re currently looking into this and
I’ll let you know if any further information is needed.
There’s a similar discussion in the Firefox Focus for Android repository
on GitHub, so we’ll keep an eye on that too:
Hmmmm cool, then CVE-2018-6849 was assigned for this issue. However, I kept following up with them, but they are taking too long to patch. #Unpatched
Then I thought of creating a module for this; many thanks to Brendan Coles, who helped me with this and even suggested that adding this as a functionality of an HTTP library would be more useful, as it could be leveraged by existing exploits and info-gathering modules.
Figure: Working of my MSF module on the DuckDuckGo Privacy Browser
In between RageLtMan also gave his thoughts that “I could actually see a benefit to this being in lib for use by things like #8648. I can inject the separate script ref in the response via the MITM mechanism, but would be cool to just generate and serve the JS directly (for any script we think will have more than 2 weeks of lifetime in browsers). Thanks for the PR”
So let’s see: I started with a private IP leak vulnerability, which turned into CVE-2018-6849, which gave rise to a Metasploit module, which will in turn become a part of the MSF library. Now that’s cool. Hope you liked the read.
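To make the leak concrete from the defender’s side, here is an added example that is not part of Dhiraj’s post or his Metasploit module. It classifies ICE candidate lines of the kind a browser emits during WebRTC session setup and reports which addresses a web page could learn from them: LAN (RFC 1918) addresses from host candidates, the public address seen by a STUN server from srflx candidates, or nothing useful when the browser hands out mDNS-obfuscated `.local` names or only TURN relay addresses. The candidate strings below are constructed from documentation IP ranges, and the function names (`classifyCandidate`, `summarizeLeak`) are this example’s own; in a browser you would feed it the `candidate` strings from `RTCPeerConnection` `icecandidate` events to check whether your own VPN or privacy-browser setup still exposes these addresses.

```javascript
// Added example (not from the original post or its Metasploit module):
// classify the ICE candidate lines a browser produces during WebRTC
// setup, to see what a page could learn even behind a VPN or a
// privacy browser. Candidate syntax follows RFC 5245 / RFC 8839:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...

const PRIVATE_V4 = [
  '10.0.0.0/8',       // RFC 1918
  '172.16.0.0/12',    // RFC 1918
  '192.168.0.0/16',   // RFC 1918
  '169.254.0.0/16',   // link-local
  '127.0.0.0/8',      // loopback
  '100.64.0.0/10',    // carrier-grade NAT shared address space
];

// Dotted-quad IPv4 string to an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if `ip` falls inside `cidr`; compares the top prefix bits by
// division rather than bit masks to avoid 32-bit signed-shift surprises.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const divisor = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipInt / divisor) === Math.floor(baseInt / divisor);
}

// Private / non-routable address check for IPv4 and the common IPv6 cases.
function isPrivateAddress(addr) {
  if (addr.includes(':')) {
    const a = addr.toLowerCase();
    return a === '::1' || a.startsWith('fe80:') || a.startsWith('fc') || a.startsWith('fd');
  }
  return PRIVATE_V4.some((cidr) => inCidr(addr, cidr));
}

// Parse one candidate line and say what kind of address it exposes.
function classifyCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)/i
    .exec(line.trim());
  if (!m) return null;
  const address = m[5];
  const type = m[7].toLowerCase();
  let exposure;
  if (/\.local$/i.test(address)) {
    exposure = 'obfuscated';   // mDNS name: the page learns an opaque name, not the LAN address
  } else if (type === 'relay') {
    exposure = 'relay';        // TURN server address only
  } else if (isPrivateAddress(address)) {
    exposure = 'private-ip';   // LAN address of the device: the leak described in the post
  } else {
    exposure = 'public-ip';    // public address, as bound on the host or as a STUN server saw it
  }
  return { address, type, exposure };
}

// Aggregate a whole candidate set into a leak report.
function summarizeLeak(lines) {
  const summary = { privateIPs: [], publicIPs: [], obfuscated: 0, relayOnly: true, leaks: false };
  for (const line of lines) {
    const c = classifyCandidate(line);
    if (!c) continue;
    if (c.exposure === 'private-ip') summary.privateIPs.push(c.address);
    else if (c.exposure === 'public-ip') summary.publicIPs.push(c.address);
    else if (c.exposure === 'obfuscated') summary.obfuscated += 1;
    if (c.exposure !== 'relay') summary.relayOnly = false;
  }
  summary.leaks = summary.privateIPs.length > 0 || summary.publicIPs.length > 0;
  return summary;
}

// Constructed sample candidates using documentation IP ranges (not real hosts).
const SAMPLE_CANDIDATES = [
  'candidate:842163049 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:1 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:2 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321 generation 0',
  'candidate:3 1 udp 2122260223 7f3a9c1e-1234-4cd5-9e2a-abcdef012345.local 54322 typ host generation 0',
];

console.log(JSON.stringify(summarizeLeak(SAMPLE_CANDIDATES), null, 2));
```

A report with an empty `privateIPs` list and `relayOnly: true` is what a hardened configuration (WebRTC disabled, or restricted to proxy/relay candidates as the Chrome “Network Limiter” extension mentioned above allows) should produce; any entry in `privateIPs` is exactly the LAN address exposure the post reports.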
About the Author: Security Researcher Dhiraj Mishra
The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the SWIFT servers at the Malaysian central bank.
The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the Malaysian central bank.
According to the Malaysian central bank governor, the hackers attempted to steal money through fraudulent wire transfers; the good news is that the attack failed.
Bank Negara Malaysia confirmed that no funds were lost in the cyber attack. The hackers sent fake wire-transfer requests over the SWIFT bank messaging network to the target bank in order to trick it into transferring the money.
“We issued a general alert reminder as soon as we got BNM advisory to be extra careful over the long holiday. Although banks already do that as SOP (standard operating procedure),”Bangko Sentral ng Pilipinas Governor Nestor Espenilla said in a phone message.
“Information sharing is part of enhanced defensive protocols against cyber-crime.”
At the time of writing it is still unclear who is behind the attack or how the hackers breached the SWIFT systems used by the bank.
“Bank Negara did not say who was behind the hack or how they accessed its SWIFT servers. The central bank, which supervises 45 commercial banks in Malaysia, said on Thursday there was no disruption to other payment and settlement systems the central bank operates because of the cyber attack.” reported the Straits Times.
Bank Negara said it had taken additional security measures to protect its stakeholders.
“All unauthorised transactions were stopped through prompt action in strong collaboration with SWIFT, other central banks and financial institutions,” it said in a statement.
The Philippine banks were also involved in the clamorous 2016 cyber heist in which hackers stole US$81 million from the Bangladesh central bank; at the time the hackers transferred the money into several accounts at Manila-based Rizal Commercial Banking Corp (RCBC) and then moved it into the local casino industry.
The Philippine central bank fined RCBC a record one billion pesos (US$20 million) in 2016 for the failure to prevent the fraudulent transfers of money.
RCBC maintained that a rogue employee was responsible for moving the funds.
Mr Abu Hena Mohd. Razee Hassan, deputy governor of Bangladesh Bank, said the latest attack against the Malaysian central bank showed that the SWIFT platform remained vulnerable.
“After the attack on our central bank, SWIFT took several measures to protect the system globally but yet this is happening, meaning criminals have more ability and more capable weapons,” Mr Razee Hassan told Reuters in Dhaka.
“So this is the time to further improve the financial transfer system globally.”
Airbnb China announced that it will share user data belonging to Chinese users with the Government to comply with national laws and regulations.
Airbnb announced that it will share user data belonging to Chinese users with the Government. The company is notifying Chinese users that it will share guests’ information with local authorities to comply with national laws and regulations.
According to an email obtained by TechNode, Airbnb hosts with a listing in China were notified by the company by email that their information could be shared with Chinese authorities without further notice starting from 30 March 2018.
“Online short-term rental services operate in a gray area in China, which has strict regulations for hospitality businesses. Guests must check in with a valid ID such as Chinese identification cards or passports and their information are recorded by hotels in a central register operated by local police bureaus.” reads a blog post published by Technode.com.
“For foreign visitors, the rules are even stricter. They need to be registered within 24 hours of arrival into China. If international visitors are not staying at a hotel or guesthouse, they must report to the police and depending on the local regulation, provide documentation such as rental contracts or property titles.”
Previously, Airbnb hosts were submitting passports and other required traveler information themselves.
Airbnb China implemented a “deactivate my China listing” button to allow hosts to remove their listing.
National laws and regulations require the hotel and lodging industry to share data with the government. The Chinese Government aims to automate the information sharing so that traveler’s data are directly available for government agencies.
“Like all businesses operating in China, Airbnb China must comply with local laws and regulations,” said Airbnb spokesman Jake Wilczynski. “The information we collect is similar to information hotels in China have collected for decades.”
In China, Airbnb faces tough competition from local companies Xiaozhu and Tujia, both complying with government laws.