Saturday Nov 25th 2017
GuardiCore Labs Discovers “Bondnet” – A Botnet For Mining Cryptocurrencies

By Jordan Daniell, Writer, ETHNews.com

An Israeli cybersecurity firm has exposed an infection of thousands of compromised servers used to mine various virtual currencies. The hacker(s) responsible employed an ingenious methodology and have been cashing out around a thousand dollars a day since December 2016.

GuardiCore's employees are world-class cybersecurity professionals based out of Tel Aviv and San Francisco. The firm uses in-house innovations to detect and stop advanced threats to data centers in real time. A recent post is its latest effort to inform and educate like-minded parties about the dangers affecting networks and the wider ecosystem.

The hack, conducted remotely by an entity known as leebond986 and/or Bond007.01, was a financial shakedown that used over 15,000 computers across major institutions, high-profile companies, and universities to mine virtual currencies, primarily Monero, as well as to install malware, host command and control servers, and launch further attacks.

Detection

GuardiCore software, installed on servers around the globe, alerted company analysts to the Bondnet early on. By streaming the initial threat information through the GuardiCore Global Sensor Network, investigators were able to compile live metrics on the unknown malware and its attack vectors for investigation after the fact. The postmortem seems to point to a single actor who ran a botnet recruitment scheme from Hong Kong, exploiting a known configuration weakness in phpMyAdmin. The attacker also deployed dynamic-link libraries (DLLs) alongside an encoded Visual Basic script, which went undetected by multiple antivirus and malware-scanning products installed across the infected network.

The complexity of the overarching strategy used by Bond007.01 is contrasted by the simplicity of the components employed and an apparent habit of reusing code. Moreover, the reused code was copied and pasted from Chinese websites over and over again, despite non-Chinese sites being equally available, leading GuardiCore to suspect the attack came from China. Adding to this hypothesis is the fact that the Bondnet command and control server was compiled on a Chinese computer, and that the code handles desktop victims in China differently from all other victims.

Infection Scheme

Using a combination of technical wizardry and weak-password cracking to attack mostly Windows servers, the attacker relied on vectors involving known phpMyAdmin configuration bugs and exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL, Apache Tomcat, Oracle WebLogic, and other popular services. According to the GuardiCore post, the thread running through these exploits is a set of “Visual Basic files that download and install a remote access Trojan (RAT) and a cryptocurrency miner.”

Bond007.01’s Motivation

GuardiCore classifies this attack as a low-risk, high-reward scheme. Whoever Bond007.01 is, they have been earning around a thousand dollars a day from mining Monero and other virtual currencies since December 2016. While experts continue to retrace the attacker’s steps, economic gain is the leading theory behind Bond007.01’s hack. For more information about Bondnet, including how to check whether your computer is infected, GuardiCore has provided a detection and cleanup script on its website.

Jordan Daniell

Jordan Daniell is a writer living in Los Angeles. He brings a decade of business intelligence experience, researching emerging technologies, to bear in reporting on blockchain and Ethereum developments. He is passionate about blockchain technologies and believes they will fundamentally shape the future. Jordan is a full-time staff writer for ETHNews.
