Threat Intelligence

3/15/2018
03:16 PM
100%
0%

Cryptojacking Threat Continues to Rise

Unauthorized cryptocurrency mining can consume processing power and make apps unavailable as well as lead to other malware.

The latest malware threat doesn't encrypt your files, delete your data, steal your information, or even deface your website: All it does is steal your productivity and electricity in order to make money for the attacker. And it's becoming a huge threat to corporate IT.

Cyptocurrency miners have been in the news as legitimate miners search out towns with cheap electricity and plentiful empty space. Unethical and criminal cryptocurrency miners have discovered that the cheapest electricity is power that someone else pays for, and the most plentiful space that in someone else's data center. And the rewards of cryptocurrency speculation make the (currently small) risk of discovery worth it for many actors.

In a new report, researchers at Secureworks note that the cryptocurrency market grew from approximately $18 billion to more than $600 billion during 2017. The rise in value has been accompanied by a rise in crypto-miner malware. Secureworks says that the number of alerts related to cryptocurrency mining they've seen in their client base has jumped significantly, from 40,000 in May of 2017 to over 280,000 in October 2017. While settling back slightly, they say that the number of "cryptojacking" alerts has remained high through February of this year.

Risks Rise

Unauthorized cryptocurrency mining can cost critical servers and applications to become unavailable as their processing capacity is consumed. Even more worrisome is the fact that the threat actors, who have infected the computers with cryptocurrency mining malware, can and will deploy additional and potentially more lethal malware onto these systems, such as banking Trojans or ransomware.

"There's a temptation for people to see the miners as a lesser danger because they're less disruptive, but they're not a good thing to have on your network," says Mike McLellan, Secureworks Counter Threat Unit (CTU) Sr. security researcher. "They signify a failure of technical controls."

McLellan says that his group is trying to raise awareness of the problem so that companies will see cryptocurrency miners as a security issue on the same level as banking Trojans and other well-known types of malware because monitoring networks are seeing a shift to the miners from older types of intrusion. "I think a lot of organizations will have these on their networks," he says, simply because they're becoming a popular way for criminals to make money.

Criminals have become creative in finding ways to place cryptocurrency miners on victims' systems. "I think one of the interesting things is the sheer breadth of the delivery mechanisms being used," McLellan explains. "We've seen scan exploit techniques as well as spam and Web link poisoning."

Other researchers have found criminal networks using the NSA's EternalBlue exploit to plant miners on more than half a million PCs. Secureworks reported on attackers who exploited unpatched vulnerabilities in Oracle WebLogic servers to embed miners on both Windows and Linux servers.

Vulnerabilities in Web servers have also been exploited, as researcher Troy Mursch demonstrated when he found more than 50,000 websites (including many based on WordPress) that have been infected and are now busily mining cryptocurrency for their controllers.

Illicit Mining's Impact

McLellan says that convincing computer owners of the seriousness of cryptojacking attacks can be difficult since the immediate impact is often invisible; electrical costs can go up and server performance can go down, though it can be difficult for an administrator to point immediately at a crypocurrency miner as the reason.

Often, it's not until the miner's resource demands become too high that owners notice. "When the malware gets on business critical computers, the critical applications can become unstable or unusable because of the demands on the system of the cryptominers," says McLellan.

In many ways, the mining malware's more critical impact is as a harbinger of potential damage to come. Cryptojacking applications are a malicious payload that can be delivered through a variety of means. And if cyptojackers can be successfully delivered, so can other malware.

The rise in cryptojackers could also have an impact on open source development. Recently, criminals placed a cryptocurrency miner in a forked project on Github. Notably, this code also included limits on how much CPU resource the code could use - obviously an attempt to evade detection through one of the more notorious side-effects of miners.

"But cybercriminal cryptocurrency mining isn't just about device wear and tear, or even the power consumption involved. It's also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it," Trend Micro senior product manager Menard Osena, wrote in a recent blog post. "And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as they are common, using a plethora of ways to infect systems and even inadvertently turn their victims a part of the problem."

Because cryptocurrency miners tend to use existing exploit kits to carry their payload, existing defenses can work to keep them at bay. "The key message is that, if organizations are using good hygiene, they should be able to catch these," McLellan says. "On the flip side, if you do these things to stop cryptocurrency miners, you also stop a number of other threats like ransomware. There's nothing unique there, it's just about doing the basics."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10869
PUBLISHED: 2018-07-19
redhat-certification does not properly restrict files that can be download through the /download page. A remote attacker may download any file accessible by the user running httpd.
CVE-2018-10870
PUBLISHED: 2018-07-19
redhat-certification does not properly sanitize paths in rhcertStore.py:__saveResultsFile. A remote attacker could use this flaw to overwrite any file, potentially gaining remote code execution.
CVE-2018-12959
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
CVE-2018-14336
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVE-2018-10620
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...