Coinhive Now Affecting 23% of the World’s Organizations

Crypto-mining malware has continued to grow globally, with 23% of organizations worldwide affected by the Coinhive variant during January.

That’s according to Check Point’s Global Threat Impact Index, which shows three different variants of crypto-mining code in its top 10 most-prevalent rankings. In addition to Coinhive impacting more than one in five organizations, JSEcoin (a JavaScript miner that can be embedded in websites) was in fifth place and Cryptoloot (which targets PCs) was in ninth.

Coinhive, January’s No. 1 most-prevalent malware, performs online mining of Monero cryptocurrency when a user visits a web page. Implanted JavaScript uses the computational resources of the end user’s machines to mine coins, impacting system performance. While it’s offered as a legitimate service for webmasters looking for a monetization alternative to advertising, criminals often embed it into websites without the site knowing, and unscrupulous websites use it without letting site visitors know.

“Over the past three months crypto-mining malware has steadily become an increasing threat to organizations, as criminals have found it to be a lucrative revenue stream,” said Maya Horowitz, threat intelligence group manager at Check Point. “It is particularly challenging to protect against, as it is often hidden in websites, enabling hackers to use unsuspecting victims to tap into the huge CPU resource that many enterprises have available. As such, it is critical that organizations have the solutions in place that protect against these stealthy cyber-attacks.”

In addition to crypto-miners, Check Point researchers also discovered that 21% of organizations have still failed to deal with machines infected with the malware. Fireball, which came in at No. 2 in the rankings, manipulates victims’ browsers and turns their default search engines and homepages into fake search engines, which simply redirect the queries to either or to generate ad revenue. It also can be used as a full-functioning malware downloader capable of executing any code on victims’ machines. It was first discovered in May 2017 and severely impacted organizations during summer of 2017.

The Rig Exploit Kit came in third for January, impacting 17% of organizations. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer.

On the mobile front, Lokibot, an Android banking Trojan, was the most popular malware used to attack organizations’ mobile estates. The code steals information, but it can also turn into a ransomware that locks the phone.

Lokibot was followed by the Triada and Hiddad mobile malwares in January. Triada is a modular backdoor for Android, which grants superuser privileges to downloaded malware. Hiddad is also an Android malware, focused on trojanizing legitimate apps then releasing them to a third-party store.


By:  Tara Seals US/North America News Reporter, Infosecurity Magazine

U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

U.S. Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC)

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

    The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

By: Jim Finkle in Toronto; Additional reporting by Gary McWilliams in Houston; Editing by Nick Zieminski and James Dalgleish


Top Priorities of the Intelligence Community’s New CIO

The intelligence community is getting a new, permanent CIO. On Aug. 18, the White House announced that President Donald Trump would nominate John Sherman to be CIO in the Office of the Director of National Intelligence (ODNI).

Aerial View- CIA head quarters at Langley, VA


As The Wall Street Journal notes, Sherman replaces Raymond Cook, who left the post in January after holding the position for two years under former President Barack Obama. Then, Jennifer Kron took over the CIO role on an interim basis. However, she just formally left ODNI to go on detail with the National Geospatial-Intelligence Agency (NGA) in Australia, where she will work with the Australian government to set up a new office of national intelligence and improve information sharing, Federal News Radio reports.

If Sherman gets confirmed by the Senate, as excepted, he will have a lot on his plate, including managing the IC Information Technology Enterprise. ICITE is a platform of nine shared services, from security to networking, email and virtual desktops, all delivered via a private cloud.

Sherman knows his way around the intelligence community — he’s a 20-year veteran of the IC. He currently serves as the deputy director of the CIA’s Open Source Enterprise, where he has been involved in incorporating open-source intelligence and capabilities into ICITE. Sherman previously served in senior executive positions at NGA.

Here are what will likely be Sherman’s top IT priorities.

Expand the Use and Capabilities of ICITE

At the top of the priority list is ICITE, which ODNI started in 2012. As Federal News Radio notes, ICITE’s goal is “standardizing the IT infrastructure for all 17 intelligence agencies at the [Top Secret / Sensitive Compartmented Information] level to improve efficiency, information sharing and cybersecurity.”

Sherman is already deeply familiar with ICITE, given his work at the CIA. Intelligence agencies have made progress on moving away from siloed IT environments, and it will be Sherman’s job to help shepherd that process along.

However, moving from legacy infrastructure to a new cloud and cross-IT environment will take years, as FedTech recently reported. Staffers are not required to use ICITE, though Kron told FedTech IC employees may be unknowingly using aspects of it, such as its identification and authentication services. Instead, the IC is migrating its legacy systems during normal refresh cycles.

Still, there are clear signs of movement toward a more shared IT operating environment. For example, the National Security Agency offers a government-provided cloud, or GovCloud, Nextgov notes. Additionally, the publication notes, the Defense Intelligence Agency and NGA are partnering to provide a desktop environment service to the IC, which tens of thousands of users have joined over the last few years, as Federal News Radio reports.

ICITE may also become more broadly accessible. In August, Kron said the IC is working on a “multi-fabric initiative” to identify which services can be made unclassified, FCW reports.

Sherman will need to keep the momentum moving forward on streamlining the IC’s technology environments.

What’s Next for Intelligence Community R&D?

As FCW reports, the IC’s CIO also “has procurement authority across intelligence agencies when it comes to enterprise architecture, and is authorized to weigh in on IT procurement of all types while having a voice in R&D efforts to make sure they align with the overall goals of the intelligence community.”

The Trump administration has signaled that increased physical and cybersecurity are among its tech R&D priorities, a directive that will likely impact the intelligence community.

“Agencies should invest in R&D to increase the security and resilience of the Nation’s critical infrastructure from both physical threats and cyber-attacks, which have increased rapidly in number and complexity in recent years,” according to an Aug. 17 memorandum from Mick Mulvaney, director of the Office of Management and Budget, and Michael Kratsios, deputy assistant to the president in the Office of Science and Technology Policy.


By: Phil Goldstein