Crypto-Crooks Steal Monero Using Compromised FTP Server Swarm | Hacked: Hacking Finance


This article was posted on Monday, 21:24, UTC.

Cyber-thieves are making away with the cryptocurrency Monero by compromising file transfer protocol (FTP) servers with malware that hijacks its targets' CPU cycles and electricity to mine on their behalf.


Monero, a relatively new cryptocurrency that can still be mined profitably on ordinary PCs, has caught the attention of malware authors and cybercriminals, who have built malware that spreads across FTP servers and uses the infected hosts to mine the cryptocurrency.

Attila Marosi, a senior researcher at cybersecurity firm Sophos, uncovered [PDF] the malware, dubbed Mal/Miner-C. It uses an effective technique to spread and to recruit each newly compromised machine as a node that calculates hashes for the cryptocurrency. The malware also attempts to copy itself into any open or writable FTP folder it finds, Marosi added.



Marosi estimated that Mal/Miner-C had, so far, mined Monero worth 76,599 EUR, or approximately $86,000, and that it had infected enough machines to earn 428 EUR (about $480) every day.

Another startling finding from Marosi's research:

Here is what the full Monero mining community looks like: 2.5% of the whole mining capacity comes from infected machines.

The Vulnerability – a Seagate NAS Drive

The report put the spotlight on Seagate Central, a network attached storage (NAS) device with a fundamental design flaw: on any unit configured to allow remote file access, an attacker can upload files to the drive without credentials.

With remote access enabled, the device's FTP server lets anonymous users into a public folder and allows them to upload any file there. In the case of Mal/Miner-C, the attackers uploaded a file posing as a screensaver, Photo.scr, into a folder named Photos. A .scr file is a Windows executable, so a user who browses the share and double-clicks the seemingly innocuous file runs the malware.

Disabling remote access on the drive closes the hole, but it also removes the remote access that is the whole point of a NAS, so it isn't a real solution. Inevitably, attackers took note.

“Most[ly] all of these devices have already been infected by this threat,” Marosi wrote.

Using the IoT search engine Censys, Marosi scanned some 3 million FTP servers on the internet for instances of the threat. Of the 2.1 million FTP servers that were active during the test, over 207,000 allowed anonymous remote access, and over 7,000 of those also had write access enabled for anonymous users. Of that number, 5,137 servers were already compromised with Mal/Miner-C.

While the Seagate Central isn’t the only vulnerable NAS drive, it represents a vast majority of those exploited.
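The exposure chain Marosi's scan enumerated (anonymous login, then anonymous write, then the Photos/Photo.scr lure already in place) can be checked against a single server with a handful of FTP commands. The Python below is an added example written for this article, not Sophos's tooling or the Censys pipeline. The probe file name and the FakeFtp stand-in are assumptions made so the logic can be exercised offline; the real-network path uses the standard library's ftplib and the same audit() function.

```python
"""Audit one FTP server for the exposure Mal/Miner-C abused: anonymous login,
an anonymously writable folder, and the Photos/Photo.scr lure already present.
The probe logic is written against a minimal client interface so it can run
offline against FakeFtp below; audit_host() drives it with ftplib for real."""
from dataclasses import dataclass
from ftplib import FTP, error_perm
from io import BytesIO
from typing import Dict, List, Protocol

LURE_DIR = "photos"            # folder Mal/Miner-C drops into (Sophos report)
LURE_FILE = "photo.scr"        # the lure; a .scr file is a Windows executable
PROBE_NAME = ".write_probe"    # hypothetical zero-byte probe file (assumption)


def _leaf(name: str) -> str:
    """NLST may return 'dir/name' or 'name' depending on the server."""
    return name.rsplit("/", 1)[-1].lower()


class FtpClient(Protocol):
    def login(self, user: str, passwd: str) -> str: ...
    def nlst(self, path: str) -> List[str]: ...
    def storbinary(self, cmd: str, fp) -> str: ...
    def delete(self, path: str) -> str: ...


@dataclass
class Finding:
    host: str
    anonymous_login: bool = False
    writable: bool = False
    lure_present: bool = False
    probe_left_behind: bool = False

    @property
    def risk(self) -> str:
        if self.lure_present:
            return "compromised"
        if self.writable:
            return "exposed"       # open to the same upload Miner-C performs
        if self.anonymous_login:
            return "anonymous-read"
        return "closed"


def audit(host: str, ftp: FtpClient) -> Finding:
    f = Finding(host)
    try:
        ftp.login("anonymous", "probe@example.invalid")
    except error_perm:
        return f                   # no anonymous access: nothing more to test
    f.anonymous_login = True
    top = {_leaf(n): n for n in ftp.nlst("")}
    if LURE_DIR in top:            # folder names compared case-insensitively
        f.lure_present = LURE_FILE in {_leaf(n) for n in ftp.nlst(top[LURE_DIR])}
    try:                           # write test: STOR an empty file, then remove it
        ftp.storbinary(f"STOR {PROBE_NAME}", BytesIO(b""))
        f.writable = True
        try:
            ftp.delete(PROBE_NAME)
        except error_perm:
            f.probe_left_behind = True
    except error_perm:
        pass                       # 550/553: anonymous users cannot write
    return f


def audit_host(host: str, timeout: float = 10.0) -> Finding:
    """Real-network variant; not exercised offline."""
    with FTP(host, timeout=timeout) as ftp:
        return audit(host, ftp)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """The funnel Marosi's scan reported: active -> anonymous -> writable -> infected."""
    return {
        "scanned": len(findings),
        "anonymous": sum(f.anonymous_login for f in findings),
        "writable": sum(f.writable for f in findings),
        "compromised": sum(f.lure_present for f in findings),
    }


class FakeFtp:
    """Constructed in-memory stand-in for ftplib.FTP (assumption, not a real server)."""

    def __init__(self, anonymous: bool, writable: bool, tree: Dict[str, List[str]]):
        self.anonymous, self.writable, self.tree = anonymous, writable, tree

    def login(self, user, passwd):
        if user == "anonymous" and self.anonymous:
            return "230 Login successful."
        raise error_perm("530 Login incorrect.")

    def nlst(self, path):
        return list(self.tree.get(path.strip("/").lower(), []))

    def storbinary(self, cmd, fp):
        if not self.writable:
            raise error_perm("553 Could not create file.")
        self.tree[""].append(cmd.split(" ", 1)[1])
        return "226 Transfer complete."

    def delete(self, path):
        self.tree[""].remove(path)
        return "250 Delete operation successful."


if __name__ == "__main__":
    # Constructed sample: a Seagate-Central-like share already carrying the lure.
    nas = FakeFtp(True, True, {"": ["Photos", "Music"], "photos": ["Photo.scr", "holiday.jpg"]})
    print(audit("nas.example.invalid", nas))
```

The write test uploads and immediately deletes an empty file rather than relying on directory permissions reported by LIST, because servers that advertise read-only folders still accept STOR surprisingly often; probe_left_behind flags the case where the upload succeeded but the cleanup did not, so the operator can remove the probe by hand. Run audit_host() only against systems you are authorised to test.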

Marosi also identified the mining pool that Mal/Miner-C used as its primary pool. Further research revealed that the infected servers could generate about 431,000 hashes per second when mining Monero, roughly half of that pool's total rate of 861,000 hashes per second.

No Server too Small

Alarmingly, attackers had already compromised over 70% of the anonymous FTP servers with write access enabled, the report found.

Furthermore, Marosi added:

If you’ve ever assumed that you’re too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.

Very bluntly put, if you’re not part of the solution, you’re very likely to become part of the problem.


Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.
