A significant surge in cyberattacks, orchestrated by the Kinsing hacking collective, has been detected targeting computer systems within Russia, according to reports from Russian cybersecurity experts. The aim of these intrusions appears to be illicit cryptocurrency mining.
A recent analysis published by F6, a Russian cybersecurity organization, revealed that these attacks commenced in April. The malicious software, identified as Kinsing and XMRig, has been used to infiltrate devices and harness their processing power to mine Monero, a digital currency. F6 refrained from naming the specific organizations that were compromised.
The Kinsing group, also known under aliases like H2Miner and Resourceful Wolf, has been a persistent threat since 2019, specializing in “cryptojacking” activities. Rather than relying on traditional phishing schemes, the group actively scans organizational networks for weaknesses in popular software, exploiting those vulnerabilities to inject malicious code.
In their latest operation, the attackers sought to exploit CVE-2017-9841, a critical security gap present within PHPUnit, a commonly used framework for testing PHP code. This vulnerability, although addressed with a patch in 2017, remains a risk in systems that haven’t been updated. It enables hackers to remotely execute commands and gain complete control over affected servers.
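For defenders reading this, the two questions raised by the paragraph above are whether a deployment still ships an affected PHPUnit build and whether PHPUnit's `eval-stdin.php` is reachable through the web server. The following audit script is an added example written for this article, not code from F6 or from the PHPUnit project. It assumes a Composer-managed PHP application (a `composer.lock` and a file listing of the web root, both constructed inline here), and the fixed versions it checks against (4.8.28 and 5.6.3) come from the public advisory for CVE-2017-9841, not from the article.

```python
import json

# Fixed versions from the public advisory for CVE-2017-9841 (not from the article):
# the flaw was patched in PHPUnit 4.8.28 and in 5.6.3.
FIXED_4X = (4, 8, 28)
FIXED_5X = (5, 6, 3)
# Path of the file the CVE concerns, relative to the project root of a
# Composer-managed application.
EVAL_STDIN = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def parse_version(v):
    """Turn 'v5.6.2' or '5.6.2' into a (major, minor, patch) tuple."""
    nums = []
    for part in v.lstrip("v").split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True if a phpunit/phpunit version falls in the affected ranges."""
    v = parse_version(version)
    if v < FIXED_4X:                 # everything before 4.8.28
        return True
    if v[0] == 5 and v < FIXED_5X:   # 5.x before 5.6.3
        return True
    return False


def phpunit_versions(composer_lock_text):
    """Return (section, version) pairs for phpunit/phpunit in a composer.lock."""
    lock = json.loads(composer_lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                found.append((section, pkg.get("version", "")))
    return found


def audit(composer_lock_text, web_exposed_paths):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for section, version in phpunit_versions(composer_lock_text):
        if is_affected(version):
            findings.append(
                f"phpunit/phpunit {version} in {section} is affected by CVE-2017-9841"
            )
    exposed = {p.strip("/") for p in web_exposed_paths}
    if EVAL_STDIN in exposed:
        findings.append(f"{EVAL_STDIN} is reachable under the web root")
    return findings


# Constructed sample input: a dev dependency on an affected PHPUnit build
# and a web-root listing in which the vendor directory is served.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}],
})
SAMPLE_EXPOSED = ["/index.php", "/" + EVAL_STDIN]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_EXPOSED):
        print(finding)
```

The second check matters as much as the first: PHPUnit is a development dependency, and the exposure only exists when the vendor directory is deployed inside a served document root. Upgrading past the fixed versions closes the bug; installing production builds with `composer install --no-dev` and keeping `vendor/` outside the web root removes the file from reach regardless of version.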
While Kinsing’s past attacks have primarily targeted entities in North America, Western Europe, and Asia, F6 noted that this marks the first instance of substantial activity within Russia. The investigation did not uncover any evidence suggesting that the group has extended its reach to target companies in other parts of Eastern Europe.
This discovery coincides with a broader escalation of cryptomining-related cyber campaigns observed across Russia. In June, another group, identified as Rare Werewolf, deployed XMRig on numerous Russian computer systems, including those belonging to industrial facilities and educational institutions. Additional infections were also reported in Belarus and Kazakhstan. Furthermore, in September, the Russian cybersecurity firm F.A.C.C.T. documented a separate campaign involving the delivery of XMRig malware to Russian businesses through compromised email auto-replies.
“The Kinsing attacks targeting Russian companies underscore the critical need for robust defenses against even infrequent and unconventional cyber threats,” stated Vladislav Kugan, an analyst in the threat intelligence division at F6. “Criminal organizations are not bound by industry sectors or geographical borders, and they have the potential to target users globally.”
