
Surge in Bitcoin Mining Attacks Expected

History Repeats Itself

During the surge of Bitcoin prices in 2017, nefarious actors hacked everything from web servers to browsers in an attempt to mine cryptocurrency. We even saw one of our client’s network routers be co-opted as coin miners!

We anticipate a similar surge of mining attacks in the coming weeks and months as cryptocurrency values soar once again, and new varieties flood the market. For example, Bitcoin’s value has skyrocketed to almost $40,000 in recent weeks, which will undoubtedly result in an increase in coin-mining hacking attempts.

Expected Targets

Ideal targets are unpatched software systems and IoT devices. It’s not always possible to patch older software systems, and, let’s face it, most organizations don’t know everything that is on their network. That’s where a combination of defenses can help.

Endpoint Protection

Advanced endpoint protection, such as CrowdStrike Falcon, is something that we use and strongly recommend. Having such Endpoint Detection & Response (EDR) capabilities on your hosts is becoming an absolute “must” in this day and age of memory-resident, fileless and polymorphic malware. Unlike traditional anti-virus, which relies on matching signatures of known malware, EDR monitors file activity, processes, and communications on a host to detect known and unknown threats, and will automatically block suspicious activity in real time.

Network Protection

Unfortunately, not every endpoint can have EDR installed, such as printers, IoT, and other network-connected devices, and that’s where network monitoring becomes a key companion capability. PacketWatch monitors and records all network traffic and can spot the telltale signs of coin-mining activity, even on those devices that cannot be protected by EDR.
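One concrete form of the “telltale signs” a network monitor can look for is the mining pool protocol itself: most pool miners speak Stratum, a line-oriented JSON-RPC dialect whose method names (mining.subscribe, mining.authorize, mining.submit) are visible in cleartext on the wire. The following is an added example, not PacketWatch’s own detection logic; it runs a simple Stratum detector over a constructed sample of reassembled TCP payloads and groups the hits per internal host. The sample records, addresses, ports, wallet and agent strings are all made up for illustration.

```python
import json
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed sample: (source host, destination host:port, reassembled TCP payload line).
# The first three lines mimic a Stratum v1 session, the fourth is ordinary HTTP,
# the fifth mimics the "login" handshake used by Monero-style pools.
SAMPLE_FLOWS = [
    ("10.0.0.15", "203.0.113.7:3333",
     '{"id":1,"method":"mining.subscribe","params":["example-miner/1.0"]}'),
    ("10.0.0.15", "203.0.113.7:3333",
     '{"id":2,"method":"mining.authorize","params":["WALLET_PLACEHOLDER.worker1","x"]}'),
    ("10.0.0.15", "203.0.113.7:3333",
     '{"id":3,"method":"mining.submit","params":["WALLET_PLACEHOLDER.worker1","job1","00000000","5f1e2d3c","abcd1234"]}'),
    ("10.0.0.22", "198.51.100.9:80",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.40", "203.0.113.88:5555",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"example-miner/1.0"}}'),
]

# Stratum v1 method names that appear in client->pool and pool->client messages.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}


def classify_payload(payload: str) -> Optional[str]:
    """Return the mining-protocol method name if the payload is a Stratum-style
    JSON-RPC line, otherwise None. Non-JSON traffic is ignored cheaply."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return method
    # Monero-style pools use a "login" call whose params object carries an
    # "agent" string identifying the miner software.
    params = msg.get("params")
    if method == "login" and isinstance(params, dict) and "agent" in params:
        return "login"
    return None


def find_miners(flows) -> Dict[str, dict]:
    """Group Stratum hits by internal source host so an analyst sees, per host,
    which pool endpoints it talked to, which methods it used and how many
    mining messages were observed."""
    hits: Dict[str, dict] = defaultdict(
        lambda: {"destinations": set(), "methods": set(), "messages": 0}
    )
    for src, dst, payload in flows:
        method = classify_payload(payload)
        if method is None:
            continue
        entry = hits[src]
        entry["destinations"].add(dst)
        entry["methods"].add(method)
        entry["messages"] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, info in find_miners(SAMPLE_FLOWS).items():
        print(f"{host}: {info['messages']} mining messages to {sorted(info['destinations'])} "
              f"using {sorted(info['methods'])}")
```

In a real deployment the payload lines would come from the packet capture (for example, the first few bytes of each new TCP connection), and the hit list would be enriched with the device inventory so that the hosts without EDR coverage stand out first.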

Recent Incident Involving a Coin Miner

In December 2020, an enterprise-sized organization hired PacketWatch to help battle an incident that involved such a compromise. In this example, a PHP exploit was used to compromise a server and install a Bitcoin miner.

Using PacketWatch’s full packet capture to replay the coin-miner traffic, analysts were able to reverse engineer the scripts that were executed. As soon as the attackers compromised the server, they began running scripts to remove any competing coin miners that might be present in the environment, after which the script hardened the asset to prevent further intrusions. This level of visibility gave investigators a complete picture of the incident and left no questions about what had occurred and what the attackers were after. The client was able to clean the identified server and return to normal operation quickly.
