Hello, welcome to the Friday, January 4th, 2019 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida. Xaviya ran into a crypto coin miner and well,

what he was able to do actually is get a list of other infected systems.

The trick here was that this particular crypto coin miner is uploading a small file with

system information to an FTP server and the file name is the IP address of the victim.

Now, Xavier was not able to download these files, but he was able to

get a directory listing that then gave him the ability to enumerate all the victim's IP addresses,

and he plotted a nice map showing them. Now, he counted a total of 35,000 unique infected systems, which was over the course of about

two days.

And as so often these days with these crypto coin miner scripts, it also includes a fairly

extensive list of possible competitors that it will kill.

It looks like a large number of dormant Twitter accounts was hijacked and then used to spread

propaganda for the Islamic State.

The problem being exploited here is that in the past Twitter did not actually require a verified

email account in order to open a Twitter account.

So you could enter essentially more or less random email address and you didn't even have to prove that you owned that email address.

Now what's happening now apparently is that the attackers are finding these accounts and

then they're actually registering these email addresses.

If the domain is one of the well-known public email hosting services like Gmail, hotmail,

and the user ID was never used because it's just

random characters or the like, then the attacker can register the email address and then use it

in order to reset the password for this dormant account and then of course take over. Only in June

...