{"id":86902,"date":"2023-11-11T07:00:00","date_gmt":"2023-11-11T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=86902"},"modified":"2025-09-13T08:25:41","modified_gmt":"2025-09-13T05:25:41","slug":"stealthy-cloud-crypto-miner-ukraine-blocks-pirate-sites-and-other-cybersecurity-developments","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/stealthy-cloud-crypto-miner-ukraine-blocks-pirate-sites-and-other-cybersecurity-developments\/","title":{"rendered":"Stealthy cloud crypto miner, Ukraine blocks pirate sites, and other cybersecurity developments"},"content":{"rendered":"<p>We round up the week&#8217;s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>SafeBreach unveils stealthy cloud-based cryptocurrency miner.<\/li>\n<li>Ransomware operators attacked vulnerable Atlassian Confluence servers.<\/li>\n<li>China&#8217;s largest bank by assets, ICBC, halted operations following a cyber incident.<\/li>\n<li>Marina Bay Sands resort confirmed a data breach affecting 665,000 customers.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>SafeBreach unveils stealthy cloud-based cryptocurrency miner<\/strong><\/h2>\n<p>Security researchers at SafeBreach have created a fully stealthy cloud cryptocurrency miner built on Microsoft Azure Automation.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">See how Security Researcher Ariel Gamrian and VP of Security Research Tomer Bar developed the first free and fully undetectable cloud-based cryptocurrency miner leveraging Microsoft Azure\u2019s Automation Service: <a href=\"https:\/\/t.co\/SX2HzjQq0E\">https:\/\/t.co\/SX2HzjQq0E<\/a> <a href=\"https:\/\/t.co\/QA14ona0BX\">pic.twitter.com\/QA14ona0BX<\/a><\/p>\n<p>\u2014 SafeBreach (@safebreach) <a href=\"https:\/\/twitter.com\/safebreach\/status\/1722275456031084713?ref_src=twsrc%5Etfw\">November 8, 
2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>They discovered a pricing calculator flaw that granted unlimited access to computing resources.<\/p>\n<p>An alternative method involved creating a test mining task, marking it as \u201cFailure,\u201d and then launching a new fictitious task. In this way the researchers achieved covert code execution in the Azure environment.<\/p>\n<p>A similar result was achieved using the Azure Automation feature, which allows uploading user Python packages.<\/p>\n<p>The SafeBreach team released a <span data-descr=\"Proof-of-Concept\" class=\"old_tooltip\">Proof-of-Concept<\/span> named CloudMiner. However, according to Microsoft, the method may still be exploitable.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Ransomware operators targeted vulnerable Atlassian Confluence servers<\/strong><\/h2>\n<p>Analysts at GreyNoise warned of active exploitation of a critical vulnerability in Atlassian Confluence, the team collaboration platform.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">novel confluence auth bypass is happening in the wild re: CVE-2023-22518 <a href=\"https:\/\/t.co\/3UirShUG2u\">https:\/\/t.co\/3UirShUG2u<\/a> <a href=\"https:\/\/t.co\/VMawNmaLSh\">pic.twitter.com\/VMawNmaLSh<\/a><\/p>\n<p>\u2014 Andrew Morris (@Andrew___Morris) <a href=\"https:\/\/twitter.com\/Andrew___Morris\/status\/1721164901052268590?ref_src=twsrc%5Etfw\">November 5, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The vulnerability allows bypassing authentication, elevating user privileges, and destroying data on vulnerable servers. 
According to Rapid7, operators of the Cerber ransomware have already exploited it.<\/p>\n<p>The issue affects all versions of Confluence Data Center and Confluence Server.<\/p>\n<p>Atlassian urged users to apply patches; if this is not possible, back up unpatched instances and block internet access to them.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Media: ICBC halts operations after cyber incident<\/strong><\/h2>\n<p>Operational activity at ICBC, the largest bank by assets in China, was halted after a suspected ransomware attack, the Financial Times reports.<\/p>\n<p>According to the report, the incident prevented the bank from settling US Treasury trades with other market participants.<\/p>\n<p>Cyber expert Kevin Beaumont noted that ICBC&#8217;s Citrix server was last connected on November 6 and lacked patches for the Citrix Bleed authentication-bypass vulnerability, and was later taken offline.<\/p>\n<p><iframe src=\"https:\/\/cyberplace.social\/@GossiTheDog\/111382220085861321\/embed\" class=\"mastodon-embed\" style=\"max-width: 100%; border: 0\" width=\"400\" allowfullscreen=\"allowfullscreen\"><\/iframe><script src=\"https:\/\/cyberplace.social\/embed.js\" async=\"async\"><\/script><\/p>\n<p>The bank did not comment on the situation.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Marina Bay Sands confirms data breach affecting 665,000 customers<\/strong><\/h2>\n<p>The famed Singapore resort Marina Bay Sands (MBS) <a href=\"https:\/\/www.marinabaysands.com\/company-information\/data-security-notice.html\">said<\/a> the data breach affected 665,000 of its customers. 
The incident occurred on October 20.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/297465324.webp\" alt=\"297465324\" class=\"wp-image-219849\"\/><figcaption class=\"wp-element-caption\">Data: Booking.com.<\/figcaption><\/figure>\n<p>Attackers gained access to MBS&#8217;s loyalty program and stole customer phone numbers, email addresses, and their status in the program.<\/p>\n<p>The resort&#8217;s management said that Sands Rewards Club member information was not compromised. The investigation continues.<\/p>\n<p>As of writing, no ransomware group has claimed responsibility for the attack.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Russian firms faced extortion over the threat of DDoS attacks<\/strong><\/h2>\n<p>A hacker going by the name Medivik is extorting Russian companies, demanding payment in exchange for not conducting a <span data-descr=\"distributed denial of service\" class=\"old_tooltip\">DDoS<\/span> attack. This was reported by the F.A.C.C.T team.<\/p>\n<p>According to them, since September the attacker has carried out 19 confirmed DDoS attacks. Victims include banks, food manufacturers, and gaming sites. 
In one incident, the ransom was 25,000 rubles.<\/p>\n<p>Additionally, the hacker is selling access to his botnet for a modest fee.<\/p>\n<h2 class=\"wp-block-heading\"><strong>In Ukraine, 16 pirate sites blocked for movie viewing<\/strong><\/h2>\n<p>The National Council of Ukraine on Television and Radio Broadcasting <a href=\"https:\/\/webportal.nrada.gov.ua\/mediaregulyator-vnis-16-mediaservisiv-do-pereliku-servisiv-derzhavy-agresora\/\">added<\/a> 16 popular pirate sites for watching movies and series to the banned list due to ties to Russia.<\/p>\n<p>Following monitoring, the agency found ownership structure discrepancies and a focus on the Russian audience.<\/p>\n<p>The list includes:<\/p>\n<ul class=\"wp-block-list\">\n<li>24TV;<\/li>\n<li>Amediateka;<\/li>\n<li>Baskino;<\/li>\n<li>Filmix;<\/li>\n<li>HD REZKA;<\/li>\n<li>KINOGO;<\/li>\n<li>Kinokrad;<\/li>\n<li>Kinotochka;<\/li>\n<li>KinoZapas;<\/li>\n<li>Kion;<\/li>\n<li>Viju;<\/li>\n<li>GidOnline;<\/li>\n<li>Lime HD TV \u2013 Free online TV;<\/li>\n<li>Smotreshka;<\/li>\n<li>Tricolor Kino and TV online;<\/li>\n<li>Digital TV 20 channels for free.<\/li>\n<\/ul>\n<p>As of writing, 22 Russian media services are blocked in Ukraine.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Lawyers warn of potential fines for Telegram over giveaways<\/strong><\/h2>\n<p>A recently introduced feature in the Telegram messenger for running giveaways could pose a set of problems for the company, 
Kommersant reports.<\/p>\n<p>Lawyers consulted say that giveaways fall under advertising law and thus should be labeled.<\/p>\n<p>There is also a risk that distributing premium accounts could be deemed an illegal lottery, which would expose organizers to fines and bans.<\/p>\n<p>Additionally, experts foresee increased fraudulent activity on the messenger.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Damages from the breach of the cryptocurrency exchange Poloniex <a href=\"https:\/\/forklog.com\/en\/news\/poloniex-hack-losses-top-100-million\">exceeded $100 million<\/a>.<\/li>\n<li>Kraken converted <a href=\"https:\/\/forklog.com\/en\/news\/kraken-converts-2-million-in-cryptocurrency-to-reimburse-fraud-victims\">cryptocurrency worth $2 million<\/a> to reimburse fraud victims.<\/li>\n<li>The court postponed <a href=\"https:\/\/forklog.com\/en\/news\/court-delays-ruling-on-bail-for-safemoon-ceo\">the bail ruling<\/a> for the CEO of SafeMoon.<\/li>\n<li>Russian-linked hackers carried out <a href=\"https:\/\/forklog.com\/en\/news\/russia-linked-hackers-carried-out-a-ddos-attack-on-chatgpt\">a DDoS attack on ChatGPT<\/a>.<\/li>\n<li>Former head of OneCoin compliance <a href=\"https:\/\/forklog.com\/en\/news\/ex-head-of-onecoin-compliance-pleads-guilty\">pleaded guilty<\/a>.<\/li>\n<li>In Kazakhstan, investigations have begun into the <a href=\"https:\/\/forklog.com\/en\/news\/kazakhstan-opens-investigation-into-eolus-cryptocurrency-pyramid\">cryptocurrency pyramid Eolus<\/a> case.<\/li>\n<li>An expert suspected the theft of <a href=\"https:\/\/forklog.com\/en\/news\/expert-suspects-2-million-theft-from-coinspot-exchange-after-hack\">$2 million from the CoinSpot exchange<\/a> as a result of a breach.<\/li>\n<li>In Ukraine and Georgia, authorities uncovered the <a href=\"https:\/\/forklog.com\/en\/news\/in-ukraine-and-georgia-authorities-uncover-scheme-defrauding-eu-bitcoin-investors\">scheme defrauding Bitcoin investors<\/a> from the EU.<\/li>\n<li>In 
Kazakhstan, officials explained the <a href=\"https:\/\/forklog.com\/en\/news\/kazakhstan-explains-coinbase-blockage\">blockade of Coinbase<\/a>.<\/li>\n<li>A participant in the Mango Markets attack <a href=\"https:\/\/forklog.com\/en\/news\/mango-markets-attacker-moved-to-jail-alongside-sam-bankman-fried\">has been jailed<\/a> in connection with Sam Bankman-Fried.<\/li>\n<li>Georgia <a href=\"https:\/\/forklog.com\/en\/news\/georgia-extradites-to-the-united-states-the-organizer-of-a-cryptocurrency-laundering-scheme\">handed over to the United States<\/a> the organizer of the cryptocurrency-withdrawal scheme.<\/li>\n<li>Bitfinex disclosed <a href=\"https:\/\/forklog.com\/en\/news\/bitfinex-reveals-details-of-security-incident\">details of the security incident<\/a>.<\/li>\n<li>In Georgia, more than $810,000 <a href=\"https:\/\/forklog.com\/en\/news\/tonwex-bitcoin-exchange-robbed-of-more-than-810000-in-georgia\">was taken from the Tonwex bitcoin exchange<\/a>.<\/li>\n<li>A user <a href=\"https:\/\/forklog.com\/en\/news\/uniswap-liquidity-pool-user-loses-over-700000-after-mev-bot-surge-likely-due-to-misconfiguration\">lost $700,000<\/a> due to a liquidity pool misconfiguration.<\/li>\n<li>Creators of the <a href=\"https:\/\/forklog.com\/en\/news\/creators-of-fake-ledger-live-stole-768000-in-cryptocurrency\">fake Ledger Live<\/a> stole cryptocurrencies worth $768,000.<\/li>\n<li>An unknown actor stole <a href=\"https:\/\/forklog.com\/en\/news\/unknown-attacker-drains-monero-fund-of-about-452000\">assets worth $450,000<\/a> from the Monero fund.<\/li>\n<li>Aave paused some operations <a href=\"https:\/\/forklog.com\/en\/news\/aave-suspends-part-of-operations-after-vulnerability\">due to a vulnerability<\/a>.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>An excerpt from Bruce Schneier, a pioneer of modern cryptography, &#8220;<em>Hack Everything: How the Powerful Use System Vulnerabilities for Their Own 
Gain<\/em>&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We round up the week&#8217;s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":86903,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-86902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"15","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/86902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=86902"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/86902\/revisions"}],"predecessor-version":[{"id":86904,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/86902\/revisions\/86904"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/86903"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=86902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=86902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=86902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}