Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/25/2019
10:00 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Rise of Silence and the Fall of Coinhive

Cryptomining will exist as long as it remains profitable. One of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network.

Threat actors recently have been benefiting tremendously from leveraging tools developed by others, including legitimate vendors, to carry out their cyberattacks. In April, for example, Fortinet released a playbook on the Silence group, a threat actor that has been leveraging PowerShell and other legitimate tools in a long running campaign. In the most recent "Fortinet Threat Landscape Report," threat analysts paid special attention to the Silence group as well as Coinhive, a cryptocurrency mining service that was suddenly terminated by its creators in March.

Coinhive Falls Victim to Its Own Success
Coinhive's service launched in 2017 with the idea that its JavaScript file could be installed on websites to generate income for the site owners without resorting to traditional advertisements. Coinhive mines the cryptocurrency Monero, and unlike bitcoin, Monero transactions between two parties are undetectable.

This feature made it an attractive option for cybercriminals who took to installing it on compromised websites without consent. This "success" in the black market drove Coinhive to the top of the threat charts and caused it to be blacklisted in many security products.

Despite claims of raking in $250,000 per month and controlling 62% of the cryptojacking market, Coinhive publicized in February that the service "isn't economically viable anymore" and that it would be shutting down. This is partly due to Monero crashing in value as well as the fact that Monero released an algorithm update that made the mining process slower.

Coinhive said the JavaScript variant would cease working on March 8, and true to its promise, none of the JS/Coinhive variants appeared in Fortinet's data beyond that date. The effects of this shutdown in early March were obvious. Our detection of the two biggest Coinhive signatures began to slow down over the quarter. However, the Riskware/Coinhive version still shows some signs of life. We suspect this reflects a delay in remediating the many compromised servers that exist. Based on prior shutdowns, analysts suspect it will be a long time before Coinhive disappears completely. But it's still good to acknowledge each victory as it comes.

Silence Group Expands Its Bank Exploit Capabilities
Silence, a name coined from its long intervals between attacks, was launched in 2016 as a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. The group is primarily known for targeting banks in Russia and Eastern Europe, but its support infrastructure spans the globe, with examples found in Australia, Canada, France, Ireland, Spain, and Sweden, with the US Silence group growing increasingly sophisticated and successful over time.

Silence typically executes attacks by using a combination of publicly available tools and utilities that exist on the target machine (such as PowerShell) combined with its own customized tools. As the different timelines in the Playbook created for the Cyber Threat Alliance suggests, Silence continues to add to its portfolio. If its growth in capability and effectiveness continues, the potential threat the group poses justifies continued vigilant observation of future Silence Group campaigns.

Defending Against the Illicit Use of PowerShell and Similar Services
Given current trends, it seems safe to say that the illicit use of PowerShell and other legitimate services will continue to expand. Because these tools are already embedded in most networks, enterprises must focus on averting this threat. Luckily, defending against illicit cryptocurrency mining does not require specialized security software or radical changes in behavior. In fact, organizations can employ well-known cybersecurity practices:

  • Identify, monitor, and harden tools like PowerShell to prevent their exploitation.
  • Apply application whitelisting.
  • Blacklist network traffic (i.e., blocking domains of mining sites).
  • Block communication protocols for mining pools
  • Check text strings related to cryptomining, such as Crypto, Monero, etc.
  • Identify abnormal behaviors and provide standards for real network traffic with the use of machine learning or other artificial intelligence technologies.
  • Keep up to date with the latest vulnerabilities and patches
  • Monitor firewall and web proxy logs and look for domains associated with cryptomining pools or browser-based coin miners.
  • Monitor for unusual power consumption and CPU activity.
  • Regulate administrative privilege policies.

Cryptomining will continue to exist as long as it remains profitable, which means that one of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network. Groups like Silence depend on organizations being lax when it comes to basic cybersecurity practices, and given the number of attacks that successfully target known vulnerabilities with available patches, they are making a safe bet. Effective cybersecurity strategies — ranging from simply patching tools and services to hardening or even removing systems that cybercriminals tend to exploit — force threat actors back to the drawing board or to look for easier prey.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10101
PUBLISHED: 2019-07-23
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
CVE-2019-10102
PUBLISHED: 2019-07-23
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
CVE-2019-10102
PUBLISHED: 2019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
CVE-2018-18670
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.