
A new Android Trojan that uses web push notifications to redirect users to scam and fraudulent sites has been discovered by security researchers on Google's Play Store. Multiple fake apps impersonating well-known brands that distributed the malware, dubbed Android.FakeApp.174, were removed in early June after researchers from Doctor Web reported them to Google. While the apps were installed by only a little over 1000 users, the malware operators could publish other similar apps on the Play Store at any time and might also switch to more aggressive attack methods, such as redirecting victims to malicious payloads, launching phishing attacks targeting bank customers, or spreading fake news. For instance, "Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information," Doctor Web explains. When the malicious fake apps are first launched, the Android.FakeApp.174 Trojan loads a site hardcoded in its settings using the Google Chrome web browser, a site that asks the targets to allow notifications under the guise of verifying that the user is not a bot. Upon agreeing to enable web push notifications for "verification purposes," the compromised device's owner is subscribed to the site's notifications and will be spammed with dozens of notifications sent by Chrome using Web Push technology. These push notifications can pose as a wide range of alerts, from new social media messages and news to social media events and notifications seemingly pushed by applications installed on the device. Follow this by visiting OUR FORUM.

Security researchers have discovered an ongoing cryptojacking campaign that infects unpatched business computers all over the world with XMRig Monero miners using the Equation Group's leaked exploit toolkit. The cybercriminals behind this cryptomining campaign use the NSA-developed EternalBlue and EternalChampion SMB exploits to compromise vulnerable Windows computers, exploits that were leaked by the Shadow Brokers hacker group in April 2017. While Microsoft patched the security flaws these tools abuse to break into Windows machines, there are still a lot of exposed computers because they have not been patched or upgraded to OS versions that are not affected by these very dangerous vulnerabilities. "The campaign seems to be widespread, with targets located in all regions of the world. Countries with large populations such as China and India also had the most number of organizations being targeted," said Trend Micro's researchers, who unearthed this ongoing cryptojacking campaign targeting companies from all over the world. In addition, "businesses across a wide range of industries, including education, communication, and media, banking, manufacturing, and technology" are being targeted in these attacks, with the bad actors focusing on victims who use "obsolete or unpatched software." An auto-spreading EternalBlue-based backdoor and a variant of the Vools Trojan are used as the main tools to deploy roughly 80 variants of the XMRig cryptocurrency miner on infected computers, using five different mining configurations with similar usernames and identical passwords. Complete details can be found on OUR FORUM.
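The detail that the campaign deploys dozens of miner variants but only a handful of mining configurations with reused credentials is useful for defenders: the binaries change, the pool credentials on the command line do not. The following is an added example (not code from Trend Micro, Doctor Web, or this page) that flags XMRig-style command lines in process telemetry and groups hosts by pool/username/password so one campaign shows up as one cluster. The process records, host names, pool hostnames and wallet strings are constructed placeholders; the option spellings (`-o`/`--url`, `-u`/`--user`, `-p`/`--pass`, `--donate-level`) are XMRig's documented ones.

```python
"""Flag miner-style command lines and cluster hosts by reused pool credentials.

Added example; not from the page or the vendors it cites. All process records
below are constructed, and the pool hosts and wallet strings are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample of process-launch records: (host, command line).
SAMPLE_PROCESSES = [
    ("ws-101", r"C:\Windows\Temp\svchost.exe -o pool.example.invalid:3333 -u 4ABCwalletPLACEHOLDER -p x --donate-level 1"),
    ("ws-102", r"C:\Users\Public\msupdate.exe --url=pool.example.invalid:3333 --user=4ABCwalletPLACEHOLDER --pass=x -k"),
    ("ws-103", r"C:\Program Files\Google\Chrome\Application\chrome.exe --type=renderer"),
    ("ws-104", r"C:\ProgramData\x\taskhost.exe -o stratum+tcp://pool2.example.invalid:5555 -u 4DEFwalletPLACEHOLDER -p x"),
]

# Option spellings XMRig accepts for pool URL, username and password.
POOL_OPTS = {"-o", "--url"}
USER_OPTS = {"-u", "--user"}
PASS_OPTS = {"-p", "--pass"}
# Secondary hints: stratum scheme, donate-level flag, common pool ports.
HINT_RE = re.compile(r"stratum\+tcp://|--donate-level|:(3333|5555|7777)\b")


def parse_miner_args(cmdline):
    """Return {'pool', 'user', 'pass'} if the command line looks like a miner
    invocation (pool plus username, or pool plus a secondary hint), else None."""
    tokens = cmdline.split()
    found = {}
    for i, tok in enumerate(tokens):
        key, eq, val = tok.partition("=")
        if not eq:  # space-separated form: value is the next token
            val = tokens[i + 1] if i + 1 < len(tokens) else ""
        for name, opts in (("pool", POOL_OPTS), ("user", USER_OPTS), ("pass", PASS_OPTS)):
            if key in opts:
                found[name] = val
    if "pool" in found and ("user" in found or HINT_RE.search(cmdline)):
        return found
    return None


def cluster_by_credentials(processes):
    """Group flagged hosts by (pool, user, pass): identical credentials across
    many machines point at one campaign rather than many unrelated miners."""
    clusters = defaultdict(list)
    for host, cmdline in processes:
        args = parse_miner_args(cmdline)
        if args:
            key = (args["pool"], args["user"], args.get("pass", ""))
            clusters[key].append(host)
    return dict(clusters)


if __name__ == "__main__":
    for creds, hosts in cluster_by_credentials(SAMPLE_PROCESSES).items():
        print(f"pool={creds[0]} user={creds[1]} pass={creds[2]} -> hosts {hosts}")
```

In practice the records would come from an EDR or Sysmon process-creation feed; the point of clustering on credentials rather than on file hashes is that the roughly 80 binary variants collapse into the five configurations the researchers describe.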

The U.S. Federal Bureau of Investigation (FBI) issued a public service announcement regarding TLS-secured websites being actively used by malicious actors in phishing campaigns. Internet users are accustomed by now to look at the padlock next to the web browser's address bar to check whether the current page is served by a website secured with a TLS certificate. Another thing users look for after landing on a website is the "https" protocol designation in front of the hostname, another hint that a domain is "secure" and the web traffic is encrypted. However, this exposes them to phishing campaigns designed by threat actors to use TLS-secured landing pages that exploit this trust to deceive users into trusting attacker-controlled sites and handing over sensitive personal information. "They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts," as the FBI says in the PSA. "These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure." While in many cases bad actors obtain their own SSL certificates to secure the pages used in their campaigns, there are also many who simply abuse pages hosted on cloud services, which automatically inherit the provider's certificates. For instance, during the last two months, crooks have been observed hosting malware and command-and-control servers on Microsoft's Azure cloud services, as well as websites used to deliver tech support scams. Get better informed by visiting OUR FORUM.
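The padlock only says the connection is encrypted to whoever controls that hostname; it says nothing about whether that hostname belongs to the brand the e-mail claims. The following is an added example (not code from the FBI PSA or this page) of the check a mail gateway or user-awareness tool would do instead: compare the link's registrable domain against the brand's known domains and treat the brand name appearing elsewhere in the host or path (subdomain trick, hyphenated lookalike, brand folder on a shared cloud host) as a signal, independently of `https`. The brand, its domains and the sample URLs are constructed; the registrable-domain helper is a deliberate simplification.

```python
"""Assess whether a link really points at the brand it claims, independent of TLS.

Added example; not from the FBI PSA or the page. Brand, domains and URLs are
constructed placeholders on the reserved .invalid TLD.
"""
from urllib.parse import urlparse

# Constructed allowlist: domains the brand legitimately uses, and its name.
BRAND_DOMAINS = {"examplebank.invalid"}
BRAND_NAMES = {"examplebank"}


def registrable_domain(host):
    """Simplification: treat the last two labels as the registrable domain.
    Production code should use the Public Suffix List (e.g. 'co.uk' needs three)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url, brand_domains=BRAND_DOMAINS, brand_names=BRAND_NAMES):
    """Return a dict describing the link; 'verdict' is independent of 'encrypted'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host)
    encrypted = p.scheme == "https"          # what the padlock tells the user
    matches_brand = reg in brand_domains     # what the padlock does NOT tell them
    # Brand name inside a host or path that is not the brand's own domain:
    # 'examplebank.invalid.evil...' or '<cloudhost>/examplebank/verify.html'.
    lookalike = (not matches_brand) and any(
        b in host or b in p.path.lower() for b in brand_names)
    if matches_brand:
        verdict = "ok"
    elif lookalike:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"host": host, "registrable_domain": reg, "encrypted": encrypted,
            "matches_brand": matches_brand, "lookalike": lookalike, "verdict": verdict}


# Constructed sample links, as they might appear in phishing e-mails.
SAMPLE_LINKS = [
    "https://login.examplebank.invalid/account",
    "https://examplebank.invalid.secure-verify.invalid/login",      # subdomain trick
    "https://storage-tenant.cloudhost.invalid/examplebank/verify.html",  # shared cloud host
    "http://examplebank.invalid/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = assess_link(link)
        print(f"{r['verdict']:10} encrypted={r['encrypted']!s:5} {link}")
```

The second and third links are served over HTTPS and would show a padlock, yet neither resolves to the brand's registrable domain; the fourth is the brand's real domain over plain HTTP. Encryption and legitimacy are separate questions, which is exactly the gap the PSA describes attackers exploiting.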