Attacks/Breaches

2/1/2018
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Crypto-Mining Attacks Emerge as the New Big Threat to Enterprises

Attackers looking to hijack systems for illegally mining digital currencies have begun eyeing business systems, security vendors say.

In an ominous trend for businesses, hijacking computers for cryptocurrency mining appears to have become the go-to strategy for cybercriminals looking for a safe and reliable way to generate illegal revenues.

Several vendors in recent days have reported a huge surge in illegal crypto-mining activity involving millions of hijacked computers worldwide. Professional cybercriminals are moving away in droves from less profitable exploits to making money via the surging global interest in digital currencies, said Digital Shadows in the latest warning on this trend.

The activity has begun to pose as much of a threat to businesses as it does to consumers. Security vendor CrowdStrike recently reported that it had seen multiple instances of businesses being impacted by illegal crypto-mining activity. In some cases, mining tools installed illegally on business systems have caused applications and hardware to crash, causing operational disruptions lasting days and sometimes even weeks, says Bryan York, director of services at CrowdStrike.

"We've seen an uptick in unauthorized crypto-mining, or cryptojacking, targeting businesses," he says. "While cryptocurrency mining has typically been viewed as a nuisance, we've recently seen several cases where mining has impacted business operations," York warns.

Mining 101

Crypto mining is a fairly complex process where a computer's processing resources are used for blockchain transaction verification. Mining is a very CPU-intensive, resource-hogging activity and some digital currencies like Bitcoin require special-purpose hardware to do it. Several other digital currencies like Monero, Zcash, and Ethereum, however, can also be mined by pooling the resources of multiple computers. 

In return for installing a mining tool and allowing their computer resources to be pooled for mining, the miners or owners of the computers, receive digital coins in return. Mining itself is a legal activity, and many people around the world allow their systems to be used for the purpose in hopes of making some money on the side.

In recent months, however, cybercriminals have begun surreptitiously installing crypto-mining tools on victim computers and using resources of those compromised systems for the same purpose. Instead of taking over computers to steal data or install ransomware, cybercriminals have simply begun stealing system resources and using this to illegally profit from digital currency mining.

"These attacks are much stealthier than their predecessors," Cisco's Talos threat group said in a report this week. "Attackers are not stealing anything more than computing power from their victims and the mining software isn't technically malware."

When installing mining software, some criminals have even begun putting limits on things like CPU usage and amount of cores being used to ensure users don't notice any obvious performance hit as result of mining software running on their system. In theory, victims could remain part of the adversary botnet indefinitely, Talos said in its report.

E-Currency Theft

Illegal crypto-mining is just one form of cryptocurrency fraud. Cybercriminals have also begun stealing tens of millions of dollars directly from electronic wallets used to store digital currency, as well as targeting cryptocurrency exchanges and trading platforms. Michael Marriott, research analyst at Digital Shadows, points to one recent incident where criminals targeted the Initial Coin Offering for blockchain application company Experty and used phishing emails to trick potential coin buyers to send funds to an attacker-owned wallet.

In another incident just this week, thieves emptied a staggering $500 million from Japan's Coincheck cryptocurrency exchange.

However, illegal mining - especially for Monero - has quickly emerged as one of the most reliable and safe ways for cybercriminals to profit from the cryptocurrency craze. Using the Monero cybercurrency as an example, Talos has estimated that a threat actor using 2,000 hijacked computers can generate $500 per day, or $182,500 per year. There are some botnets with millions of infected systems that criminals can leverage to generate more than $100 million from cryptocurrency mining, according to Talos.

Driving the trend is the easy availability of do-it-yourself kits that almost anyone can use for illegal mining. Criminals can rent mining botnets for as little as $30 to $130 per month, and software for distributing miners for as little as $29, according to Digital Shadows.

"We've seen plenty of actors changing their focus to profit from this," says Marriott from Digital Shadows. "For example, the ransomware variant known as VenusLocker switched its business model to mine bitcoin rather than encrypt files on victims' computers. Similarly, the RIG exploit kit has incorporated Monero mining into its features," he says. 

Satori, a botnet associated with DDoS attacks, has also recently begun targeting cryptocurrency mining, as has Smominru, a botnet that has infected over 500,000 systems and already generated some $3 million in Monero, Marriott says.

Attackers have also begun searching on sites such as GitHub for keys to cloud services such as AWS in order to use cloud-based machines to mine cryptocurrencies, he notes. "If attackers have access to an organization's cloud services, then as well as performing mining activity, they could realistically do other malicious acts, such as stealing data or installing malware payloads," Marriott says.

WannaMine

CrowdStrike has observed crypto-mining attacks within the education, entertainment, financial, healthcare, insurance, and technology sectors, says York. Some of the tools used in the attacks pose a particular threat to enterprises. One example, he says, is WannaMine, a crypto-mining worm that uses sophisticated propagation and persistence methods to spread and remain on systems, he says.

"WannaMine propagates more effectively within a corporate network than it would on consumer network," he notes. 

It uses the Mimikatz credential-harvester to acquire credentials and move laterally within organizations using the legitimate credentials. "If unsuccessful, WannaMine attempts to exploit the remote system with the EternalBlue exploit used by WannaCry in early 2017. This approach is generally more effective in corporate networks," he says.

Nick Biasini, a threat researcher at Cisco Talos, says organizations that aren't already looking for miners on their infrastructure definitely should be. "This is a huge new wave of threats that is being delivered to systems in virtually every way possible," he says.

Some examples include phishing websites and rogue browser extensions. 

Performance degradation is one sign of the activity, he says. A compromised system also periodically reaches out to the broader infected pool with which it belongs, so monitoring network activity is critical. "[But] it is important to note that attackers can throttle resource usage or only mine during off-hours to make it much more difficult to detect," Biasini adds.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Strategist
2/2/2018 | 12:50:24 PM
Send the bill to the crypto-currency companies.
Crypto-mining attacks didn't start with the enterprise.  There was a transition from a few website owners choosing to install (or allowing installation of), crypto-mining software as a revenue source.  When the performance impact was low, and site visitors were informed, many visitors found that less annoying (and the site experience better), than intrusive ads. 

That innovative and honest practice was soon overtaken by greed: high impact, uninformed cycle grabbing; often in addition to, rather than instead of, ads.  Next, it was the site owners who were uninformed or misinformed; as the crypto-mining code was secreted onto websites - hence, crypto-jacking

For enterprises, crypto-mining code as malware won't be an issue in the same way it was for website owners and visitors; but the potential treasure-trove of enterprise resources mean that attackers will utilize both established and innovative tactics to get to them.  Virtualized servers are too well utilized, monitored and protected; but that's not the case for the many nodes of an enterprise network.  Even if these new attackers are unsuccessful, just having more motivated attackers hitting your system in new ways will further burden your IT security, and likely discover new vulnerabilities. 

Even when cybercriminals are caught, any funds recovered are paltry compared to the costs incurred.  So, where should you send the bill?
Tresav
50%
50%
Tresav,
User Rank: Apprentice
2/2/2018 | 7:53:59 AM
Comment
I totally agree
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
3 Tips to Keep Cybersecurity Front & Center
Greg Kushto, Vice President of Sales Engineering at Force 3,  2/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.