Threatpost reports that researchers have discovered an ongoing campaign against enterprises running virtual networks on VMware's vSphere environment, into which attackers have injected the open-source XMRig Monero cryptominer.
Threat actors have been observed modifying vSphere virtual networks with malicious shell scripts so that the cryptomining software can run undetected, said Siddharth Sharma of Uptycs.
“In this campaign, as we saw, the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted,” Sharma said.
“The shell script also contains commands which download the miner, the config file and the user mode rootkit from the attacker’s web server. The attackers used [the] wget utility to fetch the malicious components and chmod utility to make the components executable,” according to the report.
The script reloads the service once the cryptominer has been dropped, allowing the miner to activate. The attacker’s wallet has received 8.942 XMR, valued at around $1,790, as of the report’s publication.
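The persistence chain described above (miner registered as a service that survives reboot, components fetched with wget and made executable, a user-mode rootkit alongside) is something a responder can hunt for directly in unit files. The following is an added triage example, not code from the Uptycs report or the article: it parses systemd unit text, flags ExecStart binaries staged in writable or home directories, XMRig-style command-line indicators, Restart=always, boot-time enablement and LD_PRELOAD injection, and lists /etc/ld.so.preload entries. The XMRig flags and the stratum URL scheme are real; the staging directories, the LD_PRELOAD mechanism for the rootkit, and all sample inputs are assumptions or constructed for illustration (the article names none of them).

```python
"""Added triage example (not from the Uptycs report or the article): hunt for a
cryptominer persisted as a systemd service, plus an LD_PRELOAD-style user-mode
rootkit, by inspecting unit-file text. All sample inputs are constructed."""
import re
from dataclasses import dataclass, field

# XMRig's CLI flags and the stratum pool URL scheme are real indicators; the
# staging directories are an assumption about where droppers usually put files.
MINER_PATTERNS = (
    r"--donate-level", r"stratum\+(tcp|ssl)://", r"\bxmrig\b",
    r"--randomx", r"--cpu-max-threads-hint", r"--coin[= ]",
)
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
EXEC_PREFIXES = "-@+!:"   # systemd ExecStart modifiers, not part of the path


@dataclass
class Finding:
    unit: str
    reasons: list = field(default_factory=list)


def parse_unit(text):
    """Minimal INI-style parser: {section: {key: [values...]}} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def assess_unit(name, text):
    """Score one unit; an empty reasons list means nothing suspicious was seen."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    reasons = []
    for exec_line in service.get("ExecStart", []):
        cmd = exec_line.lstrip(EXEC_PREFIXES)
        argv = cmd.split()
        binary = argv[0] if argv else ""
        if binary.startswith(STAGING_DIRS):
            reasons.append(f"ExecStart binary lives in a staging/home dir: {binary}")
        hit = next((p for p in MINER_PATTERNS if re.search(p, cmd, re.I)), None)
        if hit:
            reasons.append(f"miner indicator {hit!r} in ExecStart")
    # A miner registered as a daemon usually wants to come back after a kill.
    if reasons and service.get("Restart", [""])[0] == "always":
        reasons.append("Restart=always")
    # Assumed rootkit mechanism: a preload library set in the unit's environment.
    for env in service.get("Environment", []):
        if "LD_PRELOAD=" in env:
            reasons.append(f"LD_PRELOAD injected via Environment: {env}")
    if reasons and unit.get("Install", {}).get("WantedBy"):
        reasons.append("enabled at boot ([Install] WantedBy)")
    return Finding(name, reasons)


def check_ld_preload(preload_text):
    """Return every entry of /etc/ld.so.preload; a clean host normally has none,
    so each one deserves a look (assumed rootkit loading path, see lead-in)."""
    return [ln.strip() for ln in preload_text.splitlines() if ln.strip()]


def scan_units(units):
    """units: {unit name: unit file text}. Returns only units with reasons."""
    findings = []
    for name, text in units.items():
        finding = assess_unit(name, text)
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed sample inputs (not real artifacts from the campaign).
SAMPLE_UNITS = {
    "ssh.service": (
        "[Unit]\nDescription=OpenBSD Secure Shell server\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "sysupdate.service": (
        "[Unit]\nDescription=System Update Helper\n"
        "[Service]\n"
        "ExecStart=/tmp/.x/kthreadd -o stratum+tcp://pool.example.invalid:3333 --donate-level 0\n"
        "Environment=LD_PRELOAD=/usr/local/lib/libhide.so\n"
        "Restart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}
SAMPLE_LD_PRELOAD = "/usr/local/lib/libhide.so\n"

if __name__ == "__main__":
    for f in scan_units(SAMPLE_UNITS):
        print(f.unit)
        for r in f.reasons:
            print("  -", r)
    print("ld.so.preload entries:", check_ld_preload(SAMPLE_LD_PRELOAD))
```

On a live host, feed `scan_units` the contents of /etc/systemd/system/*.service and ~/.config/systemd/user/*.service and `check_ld_preload` the contents of /etc/ld.so.preload; anything flagged should be cross-checked against `systemctl status` and the binary's hash before removal, since a user-mode rootkit can also hide processes from ps.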
Ahead of its expected approval, the Biden administration's proposed executive order requiring U.S. cloud infrastructure-as-a-service providers to verify their customers' identities more rigorously has drawn industry opposition over the added financial and logistical burdens such a rule would impose, according to The Record, a news site owned by cybersecurity firm Recorded Future.
U.S. independent record label Empire Distribution, which has worked with Kendrick Lamar, Snoop Dogg, and 50 Cent, had sensitive data exposed through a misconfigured environment (.env) file, Cybernews reports.