
10/24/2018
08:05 AM
Jeffrey Burt

iPhones Increasingly Vulnerable to Coinhive Cryptomining Malware

In their most recent Global Threat Index, Check Point researchers found a 400% increase in Coinhive attacks against iPhones by bad actors using the popular cryptomining malware.

Apple's iPhones are increasingly becoming a target of bad actors using the popular Coinhive malware designed to steal CPU cycles to illegally mine for cryptocurrencies, according to researchers at Check Point.

In the cybersecurity solution provider's most recent Global Threat Index, the researchers found an almost 400% increase in cryptomining attacks against iPhones, particularly during the last two weeks of September.

The rise in attacks on the Apple smartphone coincided with a significant increase in attacks against people using the Apple Safari browser.

The researchers said they were unsure of the reason behind the growth in attacks against the iPhone, and noted that the campaigns aren't using any new functionality. However, the attackers are using Coinhive, which was first seen in September 2017 and has been atop Check Point's index since December. Coinhive is the most popular cryptomining malware, and cryptomining itself has become the dominant threat against enterprises since late last year, overtaking ransomware.

In a blog post outlining the findings in Check Point's index, researchers wrote that the increased attacks on iPhones "serves to remind us that mobile devices are an often-overlooked element of an organization's attack surface. It's critical that mobile devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses."

In an email to Security Now, Omer Dembinsky, Check Point's team leader for products R&D and data research, wrote that "cryptomining activity has been witnessed in the past on Apple devices (although in lower volumes), and it is by no means immune to these types of attacks. It is true that many of the mobile cyber threats are more targeted towards Android, but as cyber criminals are always looking for ways to expand their reach, it is very possible to see these types of sudden spikes if a specific effort is done by the attacking side."

The reach of Coinhive continues to be strong. The analysts found that the mining malware now impacts 19% of organizations around the world, a status that was accomplished in just over a year. The popularity of the malware comes in part from efforts to get the name into the market, Dembinsky said. (See Cryptomining Malware, Cryptojacking Remain Top Security Threats.)

"Coinhive was the first 'brand' of cryptominer to make a name for itself, and as such is many times the default choice by threat actors," he wrote.

Cryptoloot is another mining malware that is emerging as a competitor to Coinhive. Like other cryptomining malware, Cryptoloot uses the CPU or GPU power and other resources of a victim's system to mine for cryptocurrencies like Bitcoin, Monero and Ethereum. The researchers wrote that Cryptoloot is "trying to pull the rug under [Coinhive] by asking a lower percentage of revenue from websites."

"The Cryptoloot strategy was the same since the beginning as part of trying to compete in the field," Dembinsky told Security Now. "The situation is very similar to many markets where there is a strong product (Coinhive in this case) and the others try to employ different strategies to compete."

Coinhive and Cryptoloot were not the only mining malware in Check Point's list of the Top 10 "most wanted" malware. Also included on the list were:

  • JSEcoin, a JavaScript miner that can be embedded in websites. In return for letting the miner run on their systems, JSEcoin enables users to have an ad-free online experience and to gain in-game currency, according to the researchers.
  • XMRig, open source software that steals CPU power to mine Monero. It was first seen in the wild in May 2017.

Trojans aimed at financial institutions were also popular on Check Point's list. Included in the Top 10 were Ramnit, a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data, and Emotet, a Trojan that targets Windows-based systems and attacks customers of certain banks. Emotet uses various APIs to monitor and log network traffic, then creates a Run key registry entry so that it starts again once the system reboots, according to researchers.

Ramnit and Emotet are examples of the rising popularity of banking Trojans among threat actors. Researchers with Proofpoint and Kaspersky Lab in separate reports noted a rise in the use of banking Trojans, with Proofpoint analysts saying banking Trojans were the most popular type of malware in the second quarter, accounting for 42% of malware the company had detected. (See DanaBot Banking Trojan Is Now Finding Its Way to the US.)

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
