Dark Reading is part of the Informa Tech Division of Informa PLC
6/25/2019
10:00 AM
Derek Manky
The Rise of Silence and the Fall of Coinhive

Cryptomining will exist as long as it remains profitable. One of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network.

Threat actors recently have been benefiting tremendously from leveraging tools developed by others, including legitimate vendors, to carry out their cyberattacks. In April, for example, Fortinet released a playbook on the Silence group, a threat actor that has been leveraging PowerShell and other legitimate tools in a long-running campaign. In the most recent "Fortinet Threat Landscape Report," threat analysts paid special attention to the Silence group as well as Coinhive, a cryptocurrency mining service that was suddenly terminated by its creators in March.

Coinhive Falls Victim to Its Own Success
Coinhive's service launched in 2017 with the idea that its JavaScript file could be installed on websites to generate income for the site owners without resorting to traditional advertisements. Coinhive mines the cryptocurrency Monero, and unlike Bitcoin, Monero transactions between two parties are undetectable.

This feature made it an attractive option for cybercriminals who took to installing it on compromised websites without consent. This "success" in the black market drove Coinhive to the top of the threat charts and caused it to be blacklisted in many security products.

Despite claims of raking in $250,000 per month and controlling 62% of the cryptojacking market, Coinhive publicized in February that the service "isn't economically viable anymore" and that it would be shutting down. This is partly due to Monero crashing in value as well as the fact that Monero released an algorithm update that made the mining process slower.

Coinhive said the JavaScript variant would cease working on March 8, and true to its promise, none of the JS/Coinhive variants appeared in Fortinet's data beyond that date. The effects of this shutdown in early March were obvious. Our detection of the two biggest Coinhive signatures began to slow down over the quarter. However, the Riskware/Coinhive version still shows some signs of life. We suspect this reflects a delay in remediating the many compromised servers that exist. Based on prior shutdowns, analysts suspect it will be a long time before Coinhive disappears completely. But it's still good to acknowledge each victory as it comes.

Silence Group Expands Its Bank Exploit Capabilities
Silence, a name coined from its long intervals between attacks, was launched in 2016 as a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. The group is primarily known for targeting banks in Russia and Eastern Europe, but its support infrastructure spans the globe, with examples found in Australia, Canada, France, Ireland, Spain, Sweden, and the US. The Silence group has grown increasingly sophisticated and successful over time.

Silence typically executes attacks by using a combination of publicly available tools and utilities that exist on the target machine (such as PowerShell) combined with its own customized tools. As the different timelines in the playbook created for the Cyber Threat Alliance suggest, Silence continues to add to its portfolio. If its growth in capability and effectiveness continues, the potential threat the group poses justifies continued vigilant observation of future Silence group campaigns.

Defending Against the Illicit Use of PowerShell and Similar Services
Given current trends, it seems safe to say that the illicit use of PowerShell and other legitimate services will continue to expand. Because these tools are already embedded in most networks, enterprises must focus on averting this threat. Luckily, defending against illicit cryptocurrency mining does not require specialized security software or radical changes in behavior. In fact, organizations can employ well-known cybersecurity practices:

  • Identify, monitor, and harden tools like PowerShell to prevent their exploitation.
  • Apply application whitelisting.
  • Blacklist network traffic (i.e., block the domains of mining sites).
  • Block the communication protocols used by mining pools.
  • Check for text strings related to cryptomining, such as "Crypto," "Monero," etc.
  • Identify abnormal behaviors and establish a baseline for legitimate network traffic with the use of machine learning or other artificial intelligence technologies.
  • Keep up to date with the latest vulnerabilities and patches.
  • Monitor firewall and web proxy logs and look for domains associated with cryptomining pools or browser-based coin miners.
  • Monitor for unusual power consumption and CPU activity.
  • Regulate administrative privilege policies.
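Three of the practices above (blocking mining-pool protocols, checking for cryptomining strings, and reviewing proxy logs for mining domains or browser-based miners) can be combined into one log triage pass. The script below is an added example, not code from the article or from Fortinet; the log format, domain blocklist and port list are constructed assumptions, and the Stratum scheme and the coinhive.min.js filename are well-known public indicators rather than values taken from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample indicators (assumption): in production these come from a
# maintained blocklist or threat-intel feed, not a hard-coded set.
MINING_DOMAINS = {"coinhive.com", "pool.monero-example.invalid"}
MINING_KEYWORDS = ("crypto", "monero", "coinhive", "xmr")
# Mining pools commonly speak the Stratum protocol, which shows up in proxy
# logs as a stratum+tcp:// or stratum+ssl:// URL.
STRATUM_RE = re.compile(r"^stratum\+(tcp|ssl)://", re.I)
# Assumed set of listener ports often used by pools; tune to your environment.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def domain_matches(host, blocklist):
    """True if host equals or is a subdomain of any blocklisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def classify(line):
    """Return the reasons a single log line looks like cryptomining traffic.

    Assumed (constructed) log format: '<timestamp> <src_ip> <method> <url> <status>'.
    """
    parts = line.split()
    if len(parts) < 5:
        return []
    url = parts[3]
    reasons = []
    if STRATUM_RE.match(url):
        reasons.append("stratum protocol")
    # CONNECT lines carry a bare host:port; prefix '//' so urlsplit sees a netloc.
    u = urlsplit(url if "://" in url else "//" + url)
    host = u.hostname or ""
    if domain_matches(host, MINING_DOMAINS):
        reasons.append("known mining domain")
    if u.port in STRATUM_PORTS:
        reasons.append("stratum port")
    hits = [k for k in MINING_KEYWORDS if k in (host + u.path).lower()]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every line that matched at least once."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := classify(l))]
```

Keyword hits on their own (for example "crypto" inside an unrelated hostname) are a triage cue, not a verdict, so weight the domain and Stratum matches higher when prioritizing alerts.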

Cryptomining will continue to exist as long as it remains profitable, which means that one of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network. Groups like Silence depend on organizations being lax when it comes to basic cybersecurity practices, and given the number of attacks that successfully target known vulnerabilities with available patches, they are making a safe bet. Effective cybersecurity strategies — ranging from simply patching tools and services to hardening or even removing systems that cybercriminals tend to exploit — force threat actors back to the drawing board or to look for easier prey.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...