Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/5/2018
09:00 AM
Travis Kreikemeier
Travis Kreikemeier
Partner Perspectives
50%
50%

Cryptomining: Fast-Becoming the Web's Most Profitable Attack Method

The ROI of 'cryptojacking' has never been higher, making bitcoin and other cryptocurrencies a more attractive target for cybercriminals. Here's why.

The popularity of cryptocurrency mining is giving  attackers a new reason to target and exploit your applications and the platforms that support them. They’ve ramped up their attacks against web servers and applications across the Internet, exploiting both new and old remote code execution vulnerabilities. The intent is to compromise servers and then install software designed to perform cryptocurrency mining on behalf of the attackers. This practice of taking over servers, enslaving system resources, and forcing them to mine for the attackers is known as cryptojacking, and it can be very profitable, given enough compute resources.

In late 2017, F5 threat researchers discovered Zealot, a Monero crypto miner that installed itself on vulnerable Apache Struts servers by making use of NSA-attributed EternalBlue and EternalSynergy exploits. Shortly thereafter, F5 threat researchers also discovered a Linux-based variant called PyCryptoMiner that spreads via the SSH protocol. Another variant called RubyMiner recently ran rampant on the Internet. In a 24-hour period, attackers reportedly attempted to compromise 30% of networks worldwide looking for vulnerable web servers and applications to recruit into their mining pools. To date, one of the most profitable cryptojacking botnets is Smominru, which has reportedly made its attackers $2.3 billion.

When people think of cryptocurrency, they immediately think of bitcoin, as this was the first and is still the most popular. However, bitcoin mining has become more challenging for attackers because it is now longer as profitable to mine bitcoin with standard components in servers and desktop computers. Today, it requires the use of graphic cards or, ideally, application-specific integrated circuit (ASIC) chips. This is why many attackers are now mining newer, alternative cryptocurrencies. An example is Monero, which can be successfully mined with any CPU; it doesn’t require ASICs.

Since attackers are not paying for their own resources and electricity, cryptojacking is 100% percent profitable for them. The more resources they can force to mine in their pools, the more money they generate. Even weak processors can be woven into mining pools to share their processing power. IoT devices are a ripe target because they are always on and are typically unmanaged systems, so the likelihood of these devices being discovered and then remediated is low.

Another risk is that attackers might modify a web application by injecting JavaScript miners, like Coinhive or another web-miner, into visitors’ browsers. The attackers are then able to leverage the compute resources of all website visitors for their own benefit. Within the last few weeks, there has been an aggressive text message-based campaign attempting to rope smartphones into crypto mining operations by luring users to click on a link that promises them free Bitcoins.

As data theft becomes less profitable for attackers (credit card data has recently sold on the black market for as little as $0.0003 per record), cryptocurrencies become a more attractive target for cyber-criminals. And that makes every application a potential target. The Internet is a great equalizer in that no application, no matter where it might be located, is immune. Attackers don't discriminate by industry, either. Whether you’re a manufacturer in the American midwest or a large financial services organization on the east or west coast, you’re not safe from these attacks.

The best way to protect your environment from cryptojacking is by placing a web application firewall in front of all your applications. Then, look for the classic symptom of poor performance and dig in deeper from there.

Since cryptocurrencies are such a hot topic right now, threat intelligence teams around the world are actively looking for cryptocurrency mining bots and publishing everything they find, typically including Indicators of Compromise (IOCs). Security teams should be looking for those publications and making sure their networks are not communicating with any of the cryptocurrency mining command and control servers published in the IOCs.

Get the latest application threat intelligence from F5 Labs.

 

Travis Kreikemeier is currently a Field Systems Engineer for F5 Networks, covering many verticals of customers. He came to F5 from Hayneedle, an online retailer now owned by Walmart where he was the Director of IT Infrastructure. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.