Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/5/2018
09:00 AM
Travis Kreikemeier
Travis Kreikemeier
Partner Perspectives
50%
50%

Cryptomining: Fast-Becoming the Web's Most Profitable Attack Method

The ROI of 'cryptojacking' has never been higher, making bitcoin and other cryptocurrencies a more attractive target for cybercriminals. Here's why.

The popularity of cryptocurrency mining is giving  attackers a new reason to target and exploit your applications and the platforms that support them. They’ve ramped up their attacks against web servers and applications across the Internet, exploiting both new and old remote code execution vulnerabilities. The intent is to compromise servers and then install software designed to perform cryptocurrency mining on behalf of the attackers. This practice of taking over servers, enslaving system resources, and forcing them to mine for the attackers is known as cryptojacking, and it can be very profitable, given enough compute resources.

In late 2017, F5 threat researchers discovered Zealot, a Monero crypto miner that installed itself on vulnerable Apache Struts servers by making use of NSA-attributed EternalBlue and EternalSynergy exploits. Shortly thereafter, F5 threat researchers also discovered a Linux-based variant called PyCryptoMiner that spreads via the SSH protocol. Another variant called RubyMiner recently ran rampant on the Internet. In a 24-hour period, attackers reportedly attempted to compromise 30% of networks worldwide looking for vulnerable web servers and applications to recruit into their mining pools. To date, one of the most profitable cryptojacking botnets is Smominru, which has reportedly made its attackers $2.3 billion.

When people think of cryptocurrency, they immediately think of bitcoin, as this was the first and is still the most popular. However, bitcoin mining has become more challenging for attackers because it is now longer as profitable to mine bitcoin with standard components in servers and desktop computers. Today, it requires the use of graphic cards or, ideally, application-specific integrated circuit (ASIC) chips. This is why many attackers are now mining newer, alternative cryptocurrencies. An example is Monero, which can be successfully mined with any CPU; it doesn’t require ASICs.

Since attackers are not paying for their own resources and electricity, cryptojacking is 100% percent profitable for them. The more resources they can force to mine in their pools, the more money they generate. Even weak processors can be woven into mining pools to share their processing power. IoT devices are a ripe target because they are always on and are typically unmanaged systems, so the likelihood of these devices being discovered and then remediated is low.

Another risk is that attackers might modify a web application by injecting JavaScript miners, like Coinhive or another web-miner, into visitors’ browsers. The attackers are then able to leverage the compute resources of all website visitors for their own benefit. Within the last few weeks, there has been an aggressive text message-based campaign attempting to rope smartphones into crypto mining operations by luring users to click on a link that promises them free Bitcoins.

As data theft becomes less profitable for attackers (credit card data has recently sold on the black market for as little as $0.0003 per record), cryptocurrencies become a more attractive target for cyber-criminals. And that makes every application a potential target. The Internet is a great equalizer in that no application, no matter where it might be located, is immune. Attackers don't discriminate by industry, either. Whether you’re a manufacturer in the American midwest or a large financial services organization on the east or west coast, you’re not safe from these attacks.

The best way to protect your environment from cryptojacking is by placing a web application firewall in front of all your applications. Then, look for the classic symptom of poor performance and dig in deeper from there.

Since cryptocurrencies are such a hot topic right now, threat intelligence teams around the world are actively looking for cryptocurrency mining bots and publishing everything they find, typically including Indicators of Compromise (IOCs). Security teams should be looking for those publications and making sure their networks are not communicating with any of the cryptocurrency mining command and control servers published in the IOCs.

Get the latest application threat intelligence from F5 Labs.

 

Travis Kreikemeier is currently a Field Systems Engineer for F5 Networks, covering many verticals of customers. He came to F5 from Hayneedle, an online retailer now owned by Walmart where he was the Director of IT Infrastructure. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .