Originally reported by ZDNet, Sophos has recently published a report identifying the threat group behind the MrbMiner cryptomining botnet. After identifying the underlying infrastructure that makes up MrbMiner, Sophos named an Iranian software development firm as the culprit. Sophos found several MrbMiner domains were hosted from the same server used to host vihansoft[.]ir, which is the website of the accused Iranian-based software firm. Additionally, that domain was reused by the Command and Control (C2) server for the MrbMiner operation.
Analyst Notes
As MrbMiner uses brute force attacks to access unsecured Microsoft SQL Servers, Binary Defense recommends taking some steps towards system hardening, such as:
• Change the default SQL Server ports
• Use Windows Authentication Mode
• Use service accounts for applications
• Configure service accounts with the least privileges required
Additionally, Binary Defense recommends employing a 24/7 SOC monitoring solution, such as Binary Defense’s own Security Operations Task Force, in order to catch any unexpected activity, such as MrbMiner.
More information can be found here: https://www.zdnet.com/article/mrbminer-crypto-mining-operation-linked-to-iranian-software-firm/
