• Windows Server instances on AWS hijacked to mine cryptocurrency

    From TechnologyDaily@1337:1/100 to All on Tue Aug 10 11:30:04 2021
    Windows Server instances on AWS hijacked to mine cryptocurrency

    Date:
    Tue, 10 Aug 2021 10:21:48 +0000

    Description:
    A new campaign is targeting Windows Server VMs on AWS to mine monero.

    FULL STORY ======================================================================

    Cybersecurity researchers at Splunk have shared details about what they believe to be a re-emergence of a cryptocurrency botnet that's specifically going after Windows Server running on Amazon's cloud computing platform, Amazon Web Services (AWS).

    Based on their detailed analysis, Splunk's Threat Research Team (STRT) says the campaign against AWS IP address space seems to originate from Chinese and Iranian IP addresses.

    "The malicious actors behind this botnet specifically target Windows Server operating systems with Remote Desktop Protocol," reads Splunk's advisory.

    After homing in on the targets, the attackers brute force their way into the virtual machines (VM) and proceed to install cryptomining tools to mine for the Monero cryptocurrency.

    Telegram-powered C2 infrastructure

    Interestingly, the STRT shares that all the compromised VMs had the
    executable binary for the Telegram Desktop client. The researchers reason
    that the attackers used this to help tie the compromised VMs into their botnet.

    Threat actors abuse the Telegram API of the app's desktop version to execute commands on the compromised hosts and turn them into bots, which can then be made to automatically download additional tools and payloads.

    According to STRT, the crypto wallet that the mined Monero is transferred to was also used in previous campaigns dating back to 2018.

    Noting the other similarities between the current attack and the previous campaigns, including the use of similar exploitation techniques, STRT
    believes the current campaign is being conducted by the same threat actors that were behind the earlier campaigns.

    Since the attacks don't seem to be exploiting a software vulnerability, and
    are brute-forcing their way into the hosts, the researchers suggest admins review their passwords.

    "As seen during our research, the best way to prevent these attack vectors is first patching your Windows servers and applying the latest security updates. The use of weak passwords is also a big factor in getting your servers compromised," suggests STRT, adding that the use of Network Level Authentication (NLA) will also help thwart brute force attacks.



    ======================================================================
    Link to news story: https://www.techradar.com/news/windows-server-instances-on-aws-hijacked-to-mine-cryptocurrency/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)