Website – INDIA NEWS (https://www.indiavpn.org)

New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic
https://www.indiavpn.org/2024/01/18/new-docker-malware-steals-cpu-for-crypto-drives-fake-website-traffic/

Jan 18, 2024 | Newsroom | Server Security / Cryptocurrency

Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying the XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy.

“This is the first documented case of malware deploying the 9Hits application as a payload,” cloud security firm Cado said, adding the development is a sign that adversaries are always on the lookout for diversifying their strategies to make money off compromised hosts.

9Hits advertises itself as a “unique web traffic solution” and an “automatic traffic exchange” that allows members of the service to drive traffic to their sites in exchange for purchasing credits.

This is accomplished by means of software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for generating traffic to their sites.

The exact method used to spread the malware to vulnerable Docker hosts is currently unclear, but it’s suspected to involve the use of search engines like Shodan to scan for prospective targets.

The servers are then breached to deploy two malicious containers via the Docker API and fetch off-the-shelf images from the Docker Hub library for the 9Hits and XMRig software.

“This is a common attack vector for campaigns targeting Docker, where instead of fetching a bespoke image for their purposes they pull a generic image off Dockerhub (which will almost always be accessible) and leverage it for their needs,” security researcher Nate Bill said.

The 9Hits container is then used to execute code to generate credits for the attacker by authenticating with 9Hits using their session token and extracting the list of sites to visit.

The threat actors have also configured the scheme to allow visiting adult sites or sites that show popups, but prevent it from visiting cryptocurrency-related sites.

The other container is used to run an XMRig miner that connects to a private mining pool, making it impossible to determine the campaign’s scale and profitability.

“The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left,” Bill said.

“The result of this is that legitimate workloads on infected servers will be unable to perform as expected. In addition, the campaign could be updated to leave a remote shell on the system, potentially causing a more serious breach.”

Memcyco’s Real-Time Defense Against Website Spoofing
https://www.indiavpn.org/2023/12/24/memcycos-real-time-defense-against-website-spoofing/

Dec 20, 2023 | The Hacker News | Brandjacking / Cyber Threat

Hands-On Review: Memcyco’s Threat Intelligence Solution

Website impersonation, also known as brandjacking or website spoofing, has emerged as a significant threat to online businesses. Malicious actors clone legitimate websites to trick customers, leading to financial scams and data theft, which cause reputation damage and financial losses for both organizations and customers.

The Growing Threat of Website Impersonation and Brandjacking

Research shows that in 2023 a new phishing site is created every 11 seconds. Typically, even though the company is a victim of spoofing, the customer holds them responsible for the data breach.

Current market solutions rely on threat intelligence tools that search for fake sites and attempt takedowns. However, takedown processes can be time-consuming, leaving fake sites active, and the scope of attacks remains unknown during the critical window of exposure: the time between when the fake site goes up and when it is taken down.

  1. Bad actor researches a business to target and uses the information gathered to create a spoof of the original website.
  2. Organizations’ customers fall into the trap and are conned into sharing personal data.
  3. Companies are unaware and cannot see the scope of the attack. They don’t know who was attacked or the compromised customers’ details.

Exposing the Challenge of Unseen Threats in the World of Website Impersonation

Even though organizations spend millions on threat intelligence solutions to protect their domains and reputations, they only have visibility into the suspicious domains that are discovered. They have no visibility at all into how many users were attacked, who fell for the scam, and what the potential damage is. Without customers complaining, companies are left in the dark. During that time of exposure to a still-active spoofed site, the company and its customers are vulnerable (even if the impersonating site is detected). Now, there’s a new approach available to the market addressing this challenge.

A New Perspective: Redefining Protection with Memcyco

Memcyco, a Tel Aviv-based Real-Time Website Spoofing Protection Solution, redefines protection against website impersonation. The solution safeguards customers and organizations from the moment the attack’s window of exposure opens, irrespective of its duration. This article will delve into Memcyco’s Proof of Source Authenticity (PoSA™) solution, offering an in-depth breakdown of its capabilities.

Safeguarding Simplicity with Agentless Installation

To protect websites from spoofing, Memcyco’s solution is easily installed within minutes on the authentic site or its network. Various attack scenarios were tested to evaluate its effectiveness. Let’s get into the findings of their process next.

1. Detecting and Preventing Website Spoofing in Real Time

In order to simulate impersonation attacks on customers, we created clones of the protected site using several available “spoof kits”.

We then navigated to the cloned site as if clicking on the fake site URL, the way an innocent customer would if they received the fake site URL in an email or text message that they trust to be from the real organization.

Immediately upon attempting to load the URL the following message appears:

[Image: Memcyco]

Simultaneously, the Memcyco console provides Security Operations teams with detailed attack information.

[Image; source: Memcyco]

2. Memcyco’s Proof of Source Authenticity (PoSA™) Technology

Memcyco’s PoSA™ raises alerts over other significant events that may lead up to an attack – such as attempts to build an impersonating website. Such reconnaissance efforts by the bad actor raise the following alert:

[Image; source: Memcyco]

3. Enhancing Digital Trust: Proving The Authenticity Of The Real Site With A Digital Watermark

Memcyco enhances user trust without requiring customers to rely on security checklists in order to determine if the site they are on is fake or real. Memcyco’s product verifies site authenticity by displaying a unique-to-the-user digital watermark to prove the site’s authenticity to customers.

[Image; source: Memcyco]

4. Memorable and Personalized User Authentication

Organizations invest a lot in educating their customers to be vigilant for scams of this type, essentially trying to turn them into cyber-savvy users who can spot a fake email and site and avoid scams. Memcyco offers a simple solution to this “fake or real” conundrum that doesn’t depend on the user’s ability and willingness to exercise a security checklist every time they access the brand site.

To do so, Memcyco can display a digital watermark to prove the site’s authenticity to customers. Users are provided a unique secret presented within the watermark and they can personalize this secret for easy recognition. The PoSA™ watermark secret is unforgettable and unique to each user. Imposter sites cannot replicate it, ensuring users only see their own code on the authentic site. The watermark secret can be personalized by customers to something they can easily recall – either a text code or an image.

[Image; source: Memcyco]

5. Beyond the Surface: Navigating Back-End Dashboard Tools for Attack Visibility

Memcyco’s PoSA™ solution includes back-end dashboard and reporting tools for real-time brand impersonation monitoring and post-mortem attack analysis. A global view of attack locations and counters helps businesses stay informed and provides full visibility of the attack’s magnitude and its details.

[Image; source: Memcyco]

6. Workflow Activation Through Seamless Integration with SIEMs

PoSA™ integrates with SIEMs for workflows like URL takedown and account takeover prevention. Memcyco alerts kick-start these processes.

Memcyco’s Benefits in Defending Against Website Impersonation

  • Less data leakage and privacy issues
  • Fewer financial losses for the company’s customers
  • Lower cost for the company
  • Improved customer retention and engagement
  • Support in keeping up with regulation
  • Protection of brand reputation

Summarizing Memcyco’s Solution for Website Spoofing

Memcyco’s solution goes beyond takedown approaches, actively protecting its customers and their customers during the critical window of exposure. It is an agentless solution that promises to reduce brand reputation damage and protect consumers from scams. With its features and real-time capabilities, Memcyco is a refreshing change when it comes to phishing, website spoofing and ATO (Account Take Over). It redefines website spoofing protection with maximum attack visibility and protection for companies and their customers.
