Threat actors recently have been benefiting tremendously from leveraging tools developed by others, including legitimate vendors, to carry out their cyberattacks. In April, for example, Fortinet released a playbook on the Silence group, a threat actor that has been leveraging PowerShell and other legitimate tools in a long running campaign. In the most recent "Fortinet Threat Landscape Report," threat analysts paid special attention to the Silence group as well as Coinhive, a cryptocurrency mining service that was suddenly terminated by its creators in March.
Coinhive Falls Victim to Its Own Success
This feature made it an attractive option for cybercriminals who took to installing it on compromised websites without consent. This "success" in the black market drove Coinhive to the top of the threat charts and caused it to be blacklisted in many security products.
Despite claims of raking in $250,000 per month and controlling 62% of the cryptojacking market, Coinhive publicized in February that the service "isn't economically viable anymore" and that it would be shutting down. This is partly due to Monero crashing in value as well as the fact that Monero released an algorithm update that made the mining process slower.
Silence Group Expands Its Bank Exploit Capabilities
Silence, a name coined from its long intervals between attacks, was launched in 2016 as a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. The group is primarily known for targeting banks in Russia and Eastern Europe, but its support infrastructure spans the globe, with examples found in Australia, Canada, France, Ireland, Spain, Sweden, and the US. The Silence group has grown increasingly sophisticated and successful over time.
Silence typically executes attacks by using a combination of publicly available tools and utilities that already exist on the target machine (such as PowerShell) combined with its own customized tools. As the different timelines in the Playbook created for the Cyber Threat Alliance suggest, Silence continues to add to its portfolio. If its growth in capability and effectiveness continues, the potential threat the group poses justifies continued vigilant observation of future Silence group campaigns.
Defending Against the Illicit Use of PowerShell and Similar Services
Given current trends, it seems safe to say that the illicit use of PowerShell and other legitimate services will continue to expand. Because these tools are already embedded in most networks, enterprises must focus on averting this threat. Luckily, defending against illicit cryptocurrency mining does not require specialized security software or radical changes in behavior. In fact, organizations can employ well-known cybersecurity practices:
- Identify, monitor, and harden tools like PowerShell to prevent their exploitation.
- Apply application whitelisting.
- Blacklist network traffic (e.g., block the domains of known mining sites).
- Block the communication protocols used by mining pools.
- Check for text strings related to cryptomining, such as "Crypto" or "Monero".
- Identify abnormal behaviors and establish baselines for legitimate network traffic with the use of machine learning or other artificial intelligence technologies.
- Keep up to date with the latest vulnerabilities and patches.
- Monitor firewall and web proxy logs and look for domains associated with cryptomining pools or browser-based coin miners.
- Monitor for unusual power consumption and CPU activity.
- Regulate administrative privilege policies.
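As an added example (not code from the Fortinet report or the Silence playbook), the following Python script applies three of the checklist items above to constructed Squid-style web proxy log lines: matching request hosts against a mining-domain blocklist, spotting the Stratum protocol that mining pools use, and searching request targets for cryptomining-related strings. The blocklist entries, sample log lines and Stratum port list are constructed assumptions to be replaced with your own threat intelligence and tuned to your environment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample blocklist; in production, populate it from your threat-intel feed.
MINING_DOMAINS = {"coinhive.com", "pool.example-mining.test"}
# Text-string indicators from the checklist above; "crypto" is broad, so treat hits as leads.
MINING_KEYWORDS = ("coinhive", "monero", "xmr", "crypto")
# Mining pools usually speak the Stratum protocol, commonly on these TCP ports (assumed list).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444, 45560}
# Squid-style access.log: time elapsed client result/status bytes method target ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")
SAMPLE_LOG = [  # constructed lines, not real traffic
    "1554710400.101 120 10.0.0.5 TCP_MISS/200 5120 GET https://www.example.com/index.html - HIER_DIRECT/198.51.100.2 text/html",
    "1554710401.202 88 10.0.0.7 TCP_MISS/200 40960 GET https://coinhive.com/lib/coinhive.min.js - HIER_DIRECT/198.51.100.9 application/javascript",
    "1554710402.303 2034 10.0.0.9 TCP_TUNNEL/200 4120 CONNECT pool.example-mining.test:3333 - HIER_DIRECT/203.0.113.10 -",
    "1554710403.404 65 10.0.0.11 TCP_MISS/200 2048 GET https://cdn.example.org/js/monero-miner.js - HIER_DIRECT/203.0.113.20 application/javascript",
    "1554710404.505 30 10.0.0.13 TCP_MISS/000 0 GET stratum+tcp://unknown-pool.example.net:45560/ - HIER_NONE/- -",
]

def host_port(method, target):
    """Split a request target into (hostname, port); CONNECT targets are plain host:port."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.lower(), (int(port) if port.isdigit() else None)
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.port

def in_blocklist(host):
    """True if the host or any parent domain is blocklisted, so subdomains are caught too."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in MINING_DOMAINS for i in range(len(labels)))

def analyze(line):
    """Return client, target and the reasons one proxy log line looks like mining traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: report it separately instead of dropping it
    _, client, method, target = m.groups()
    host, port = host_port(method, target)
    lowered = target.lower()
    reasons = ["blocklisted domain"] if in_blocklist(host) else []
    if lowered.startswith("stratum") or (method == "CONNECT" and port in STRATUM_PORTS):
        reasons.append("stratum mining protocol")
    reasons += ["keyword:" + k for k in MINING_KEYWORDS if k in lowered]
    return {"client": client, "target": target, "reasons": reasons}

def scan(lines):
    """Run analyze() over every line and keep only the flagged requests."""
    return [r for r in map(analyze, lines) if r and r["reasons"]]
```

Running `scan(SAMPLE_LOG)` flags four of the five constructed requests; only the plain page fetch from 10.0.0.5 passes clean.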
Cryptomining will continue to exist as long as it remains profitable, which means that one of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network. Groups like Silence depend on organizations being lax when it comes to basic cybersecurity practices, and given the number of attacks that successfully target known vulnerabilities with available patches, they are making a safe bet. Effective cybersecurity strategies — ranging from simply patching tools and services to hardening or even removing systems that cybercriminals tend to exploit — force threat actors back to the drawing board or to look for easier prey.