Attacks/Breaches

5/3/2018
09:10 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

No Computing Device Too Small For Cryptojacking

Research by Trend Micro shows IoT and almost all connected devices are targets for illegal cryptocurrency mining.

Pretty much any computing device — however low powered — appears to be becoming a target for cybercriminals trying to make money through illegal cryptocurrency mining.

An investigation by security vendor Trend Micro shows how underground markets are awash in cryptocurrency malware, including those targeted at devices with relatively low processing capabilities such as consumer IoT products, smartphones and routers.

Though mining for cryptocurrency is a computationally intensive and power-consuming task, several of the crypto mining malware samples that Trend Micro observed appear dedicated to exploring whether any connected device, however underpowered, can still be exploited for financial gain.

"IoT devices have less computing power, but are also less secured," says Fernando Merces, a senior threat researcher at Trend Micro. "In some cases there may be thousands of them publicly exposed, so the amount of devices compromised is important here."

It is unclear how many IoT devices an attacker would need to infect with mining software in order to profit from cryptomining, Merces says. A lot would depend on the type of device infected and the cryptocurrency being mined. "[But] a big botnet with a few thousands of devices seems to be attractive to some criminals, even though some of them disagree."

Not all of the cryptocurrency malware that Trend Micro observed is for mining. Several of the tools are also designed to steal cryptocurrency from bitcoin wallets and from wallets for other digital currencies like Monero. But a lot of the activity and discussions in underground forums appear centered on illegal digital currency mining. And it is not just computers that are under threat but just about any internet-connected device, Trend Micro says.

"The underground is flooded with so many offerings of cryptocurrency malware that it must be hard for the criminals themselves to determine which is best," Merces says in a Trend Micro report on the topic this week.

The sheer number of cryptocurrency mining software tools currently on sale in underground forums makes it hard to categorize and study all of them. Prices for these tools range from under $5 for Fluxminer, an Ethereum miner, to $1,000 for some miners like Decadence, a software product for mining Monero digital currency. The varying price points reflect the different features that are available with different malware samples. A product like Decadence for instance starts at just $40 but can cost up to $1,000 when features like graphics processing unit support, a web-based control panel, remote access capabilities and encryption services are added.

One of the latest offerings is a Monero cryptocurrency mining tool called DarkPope priced at around $47. The malware is designed to surreptitiously use hijacked computers for mining purposes, and to send earnings to a digital wallet owned by the attacker. Among other things, the authors of DarkPope offer round-the-clock support for the tool, according to the Trend Micro report.

Somewhat ironically, despite the abundance of mining malware, there's little evidence that threat actors are making any major profits from them, at least presently. Though some other vendor reports have described threat actors as having the potential to make upwards of $180,000 per year or $500 a day from cryptomining, Trend Micro says the company is currently not aware of criminals making large amounts of money from illegal cryptomining. But the potential for doing so certainly exists, Merces says.

"Though our research doesn’t specifically focus on the profit, other research has proven this is possible," Merces says. "It is all situation-dependent with the number and type of devices, as well as the type of cryptocurrency being mined," he says. With enough processing power being leveraged, criminals can indeed make substantial profits from cryptomining, he says.

"Cryptomining is fast becoming one of the top threats to individuals and organizations as cybercriminals look to compromise systems for use in mining," Merces says. "The main difference here is threat actors don't compromise systems looking to steal data or drop ransomware, they want the computing resources the machine can provide for their cryptomining activities."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
5/4/2018 | 8:57:17 AM
Wireless Defibulator!
OMG - I have a wireless defibulator.  True and " I " could be mining bitcoin without even knowing it??  (Heaven forbid somebody in North Korea hits the SHUTDOWN command). 
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: On the SS7 network, nobody knows you're a dog.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18812
PUBLISHED: 2019-01-16
The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the S...
CVE-2018-18813
PUBLISHED: 2019-01-16
The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire...
CVE-2018-18814
PUBLISHED: 2019-01-16
The TIBCO Spotfire authentication component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability in the handling of the authentication that theoretically may allow an attacker to gain full access to a target account, indep...
CVE-2018-5740
PUBLISHED: 2019-01-16
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is i...
CVE-2018-5741
PUBLISHED: 2019-01-16
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update ...