Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/5/2018
09:00 AM
Travis Kreikemeier
Travis Kreikemeier
Partner Perspectives
50%
50%

Cryptomining: Fast-Becoming the Web's Most Profitable Attack Method

The ROI of 'cryptojacking' has never been higher, making bitcoin and other cryptocurrencies a more attractive target for cybercriminals. Here's why.

The popularity of cryptocurrency mining is giving  attackers a new reason to target and exploit your applications and the platforms that support them. They’ve ramped up their attacks against web servers and applications across the Internet, exploiting both new and old remote code execution vulnerabilities. The intent is to compromise servers and then install software designed to perform cryptocurrency mining on behalf of the attackers. This practice of taking over servers, enslaving system resources, and forcing them to mine for the attackers is known as cryptojacking, and it can be very profitable, given enough compute resources.

In late 2017, F5 threat researchers discovered Zealot, a Monero crypto miner that installed itself on vulnerable Apache Struts servers by making use of NSA-attributed EternalBlue and EternalSynergy exploits. Shortly thereafter, F5 threat researchers also discovered a Linux-based variant called PyCryptoMiner that spreads via the SSH protocol. Another variant called RubyMiner recently ran rampant on the Internet. In a 24-hour period, attackers reportedly attempted to compromise 30% of networks worldwide looking for vulnerable web servers and applications to recruit into their mining pools. To date, one of the most profitable cryptojacking botnets is Smominru, which has reportedly made its attackers $2.3 billion.

When people think of cryptocurrency, they immediately think of bitcoin, as this was the first and is still the most popular. However, bitcoin mining has become more challenging for attackers because it is now longer as profitable to mine bitcoin with standard components in servers and desktop computers. Today, it requires the use of graphic cards or, ideally, application-specific integrated circuit (ASIC) chips. This is why many attackers are now mining newer, alternative cryptocurrencies. An example is Monero, which can be successfully mined with any CPU; it doesn’t require ASICs.

Since attackers are not paying for their own resources and electricity, cryptojacking is 100% percent profitable for them. The more resources they can force to mine in their pools, the more money they generate. Even weak processors can be woven into mining pools to share their processing power. IoT devices are a ripe target because they are always on and are typically unmanaged systems, so the likelihood of these devices being discovered and then remediated is low.

Another risk is that attackers might modify a web application by injecting JavaScript miners, like Coinhive or another web-miner, into visitors’ browsers. The attackers are then able to leverage the compute resources of all website visitors for their own benefit. Within the last few weeks, there has been an aggressive text message-based campaign attempting to rope smartphones into crypto mining operations by luring users to click on a link that promises them free Bitcoins.

As data theft becomes less profitable for attackers (credit card data has recently sold on the black market for as little as $0.0003 per record), cryptocurrencies become a more attractive target for cyber-criminals. And that makes every application a potential target. The Internet is a great equalizer in that no application, no matter where it might be located, is immune. Attackers don't discriminate by industry, either. Whether you’re a manufacturer in the American midwest or a large financial services organization on the east or west coast, you’re not safe from these attacks.

The best way to protect your environment from cryptojacking is by placing a web application firewall in front of all your applications. Then, look for the classic symptom of poor performance and dig in deeper from there.

Since cryptocurrencies are such a hot topic right now, threat intelligence teams around the world are actively looking for cryptocurrency mining bots and publishing everything they find, typically including Indicators of Compromise (IOCs). Security teams should be looking for those publications and making sure their networks are not communicating with any of the cryptocurrency mining command and control servers published in the IOCs.

Get the latest application threat intelligence from F5 Labs.

 

Travis Kreikemeier is currently a Field Systems Engineer for F5 Networks, covering many verticals of customers. He came to F5 from Hayneedle, an online retailer now owned by Walmart where he was the Director of IT Infrastructure. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34812
PUBLISHED: 2021-06-18
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2021-34808
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
CVE-2021-34809
PUBLISHED: 2021-06-18
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-34810
PUBLISHED: 2021-06-18
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-34811
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.