Full Report
Russia-based cybersecurity firm F6 said the attacks began in April and infected devices with the Kinsing malware and XMRig, a miner commonly used to mine the cryptocurrency Monero.
Analysis Summary
# Threat Actor: Kinsing (H2Miner, Resourceful Wolf)
## Attribution & Identity
* **Identification:** A prolific cryptojacking threat actor group active since 2019.
* **Known Aliases:** H2Miner, Resourceful Wolf.
## Activity Summary
The group recently launched a large-scale wave of cyberattacks, beginning in April, specifically targeting Russian computers for cryptocurrency mining. This is the first time F6 researchers have observed **large-scale** Kinsing activity in Russia; historically the group's focus has been North America, Western Europe, and Asia.
## Tactics, Techniques & Procedures
* **Infection Vector:** The group does not use phishing. It scans company networks for vulnerable versions of widely used software, exploits them, and installs its malicious code.
* **Exploited Vulnerability (Latest Campaign):** Attempted to exploit **CVE-2017-9841**, a critical remote code execution flaw in the PHP testing framework PHPUnit (the `eval-stdin.php` helper evaluates the raw HTTP request body as PHP). The bug was fixed upstream in PHPUnit 4.8.28 and 5.6.3 in 2017, but it remains widely exploitable because older copies ship inside the `vendor/` directory of many PHP applications and are left reachable from the web; a successful exploit gives the attacker code execution as the web server user and, from there, full control of the server.
* **Malware Used:** Deployed the Kinsing malware and XMRig (a miner commonly used to mine the cryptocurrency Monero).
## Targeting
* **Sectors:** Not explicitly detailed, but targeting organizations with vulnerable, unpatched systems.
* **Geography:** Historically active in North America, Western Europe, and Asia. The current major campaign shows expansion and focus on **Russia**. No evidence of targeting elsewhere in Eastern Europe was found by F6.
* **Victims:** F6 did not disclose specific companies targeted in the Russian campaign.
## Tools & Infrastructure
* **Malware families used:** Kinsing, XMRig.
* **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
Kinsing continues to demonstrate adaptability by expanding its operations into Russia, showing that criminal cryptojacking groups are constrained by neither industry nor geography and remain a threat to any organization running outdated, vulnerable software. The sustained activity confirms Kinsing's position as one of the most prolific cryptojacking groups.
## Mitigations
* Prepare for "rare and unusual" threats as well as routine ones; a group with no prior footprint in a region can appear there at scale.
* Patch externally facing software promptly. In particular, update or remove outdated PHPUnit installations affected by CVE-2017-9841, and keep development dependencies such as the `vendor/` directory out of the web-accessible document root, since the vulnerable script is only exploitable when it can be reached over HTTP.
* Monitor web server logs and network traffic for exploitation attempts against known vulnerabilities, and scan your own perimeter for exposed vulnerable software before attackers do.
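The following Python, added here as an example and not code from F6, PHPUnit or the Kinsing operators, serves both the exploitation path described under Tactics, Techniques & Procedures and the patching and monitoring points above: it flags requests to `eval-stdin.php` in a constructed access-log sample and audits a constructed document root for exposed copies, distinguishing the vulnerable `php://input` variant from the patched `php://stdin` one. The log lines, file paths, IP addresses and temporary directory layout are assumptions made for the demonstration.

```python
"""Detection and audit helpers for CVE-2017-9841 (PHPUnit eval-stdin.php).

Added example; not code from F6, PHPUnit or the Kinsing operators. The log
lines, file layout and temp directory below are constructed for the demo.
"""
import os
import re
import tempfile

# Combined (Apache/nginx) log line: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Scanners try many prefixes (/vendor/phpunit/..., /lib/phpunit/..., /phpunit/...),
# so match on the file name rather than on one canonical path.
TARGET_RE = re.compile(r'/eval-stdin\.php$', re.IGNORECASE)


def scan_access_log(lines):
    """Return every request that reached an eval-stdin.php path.

    The vulnerable script evals the HTTP body, so a POST is an exploitation
    attempt and a GET is a probe; the status shows whether the file existed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = m.group('path').split('?', 1)[0]
        if not TARGET_RE.search(path):
            continue
        hits.append({
            'ip': m.group('ip'), 'method': m.group('method'), 'path': path,
            'status': int(m.group('status')),
            'severity': 'exploit-attempt' if m.group('method') == 'POST' else 'probe',
        })
    return hits


def audit_docroot(docroot):
    """Walk a web document root and report every eval-stdin.php copy.

    A copy reading php://input (the HTTP body) is the pre-4.8.28/5.6.3 version
    and is exploitable; the patched version reads php://stdin. Either way it is
    a development file that should not be web-reachable, so all hits are reported.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() != 'eval-stdin.php':
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'r', errors='replace') as fh:
                body = fh.read()
            state = ('vulnerable' if 'php://input' in body
                     else 'patched-but-exposed' if 'php://stdin' in body else 'unknown')
            findings.append({'path': os.path.relpath(full, docroot), 'state': state})
    return sorted(findings, key=lambda f: f['path'])


# Constructed sample log: a probe, an exploit attempt against an existing copy,
# and an attempt against a path that does not exist on this server.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2025:10:00:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.5 - - [12/Apr/2025:10:00:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Apr/2025:10:00:04 +0000] "POST /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "curl/8.0"',
]
# Stand-ins for the two versions of the script; only the stream name differs.
VULNERABLE_EVAL_STDIN = "<?php\neval('?>' . file_get_contents('php://input'));\n"
PATCHED_EVAL_STDIN = "<?php\neval('?>' . file_get_contents('php://stdin'));\n"


def build_demo_docroot():
    """Create a throwaway document root with one vulnerable and one patched copy."""
    root = tempfile.mkdtemp(prefix='docroot-')
    layout = {
        'vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php': VULNERABLE_EVAL_STDIN,
        'legacy/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php': PATCHED_EVAL_STDIN,
        'index.php': '<?php echo "ok";\n',
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(body)
    return root


def demo():
    """Run both checks against the constructed inputs."""
    return scan_access_log(SAMPLE_LOG), audit_docroot(build_demo_docroot())


if __name__ == '__main__':
    hits, findings = demo()
    for h in hits:
        print(f"{h['severity']:16} {h['ip']:14} {h['method']:4} {h['status']} {h['path']}")
    for f in findings:
        print(f"{f['state']:20} {f['path']}")
```

In triage, a POST with a 200 status against an existing copy is the case to treat as a likely compromise and pivot to host forensics (new cron entries, unexpected processes such as XMRig, outbound connections); a 404 shows the scanner guessed a path that does not exist here. The docroot audit is the preventive half: any copy it finds, patched or not, should be moved out of the web root or blocked at the web server.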