Security News

A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth.

Digital threat actors are adopting evolving tactical behaviors, opting for different types of malicious attacks compared to previous years, according to SonicWall. Overall intrusion attempts were...

The Scarleteel threat targets AWS Fargate environments for data theft and more malicious types of attacks such as cryptojacking and DDoS. Learn how to mitigate this threat. Sysdig, a cloud and container security company, has released a new report on the Scarleteel threat that targets specific AWS environments for data theft and additional malicious activities.

Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services Fargate. SCARLETEEL was first exposed by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems' resources illegally.

Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service attacks. "The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report.

New samples of the RapperBot botnet malware have added cryptojacking capabilites to mine for cryptocurrency on compromised Intel x64 machines. Researchers at Fortinet's FortiGuard Labs have been tracking RapperBot activity since June 2022 and reported that the Mirai-based botnet focused on brute-forcing Linux SSH servers to recruit them for launching distributed denial-of-service attacks.

With this cryptojacking attack, the threat actor scans for Kubernetes instances with the authentication parameter set as "-anonymous-auth=true". As stated by CrowdStrike researchers Benjamin Grap and Manoj Ahuje, "a user with sufficient privileges who runs 'kubectl proxy' can unintentionally expose a secure Kubernetes API on the host where kubectl is running, which is a less obvious way to expose the secure Kubernetes cluster bypassing authentication."

The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems. Specifically, the early phase of the attack chain involved the use of a cryptocurrency miner, which the cloud security firm suspected was deployed as a decoy to conceal the detection of data exfiltration.

Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The Hacker News.

The first known cryptojacking operation mining the Dero coin has been found targeting vulnerable Kubernetes container orchestrator infrastructure with exposed APIs. The researchers say the attacks start with the threat actors scanning exposed, vulnerable Kubernetes clusters with authentication set to -anonymous-auth=true, allowing anyone anonymous access to the Kubernetes API. After gaining access to the API, the threat actors will deploy a DaemonSet named "Proxy-api" that allows the attackers to engage the resources of all nodes in the cluster simultaneously and mine Dero using the available resources.