Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/25/2019
10:00 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Rise of Silence and the Fall of Coinhive

Cryptomining will exist as long as it remains profitable. One of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network.

Threat actors recently have been benefiting tremendously from leveraging tools developed by others, including legitimate vendors, to carry out their cyberattacks. In April, for example, Fortinet released a playbook on the Silence group, a threat actor that has been leveraging PowerShell and other legitimate tools in a long running campaign. In the most recent "Fortinet Threat Landscape Report," threat analysts paid special attention to the Silence group as well as Coinhive, a cryptocurrency mining service that was suddenly terminated by its creators in March.

Coinhive Falls Victim to Its Own Success
Coinhive's service launched in 2017 with the idea that its JavaScript file could be installed on websites to generate income for the site owners without resorting to traditional advertisements. Coinhive mines the cryptocurrency Monero, and unlike bitcoin, Monero transactions between two parties are undetectable.

This feature made it an attractive option for cybercriminals who took to installing it on compromised websites without consent. This "success" in the black market drove Coinhive to the top of the threat charts and caused it to be blacklisted in many security products.

Despite claims of raking in $250,000 per month and controlling 62% of the cryptojacking market, Coinhive publicized in February that the service "isn't economically viable anymore" and that it would be shutting down. This is partly due to Monero crashing in value as well as the fact that Monero released an algorithm update that made the mining process slower.

Coinhive said the JavaScript variant would cease working on March 8, and true to its promise, none of the JS/Coinhive variants appeared in Fortinet's data beyond that date. The effects of this shutdown in early March were obvious. Our detection of the two biggest Coinhive signatures began to slow down over the quarter. However, the Riskware/Coinhive version still shows some signs of life. We suspect this reflects a delay in remediating the many compromised servers that exist. Based on prior shutdowns, analysts suspect it will be a long time before Coinhive disappears completely. But it's still good to acknowledge each victory as it comes.

Silence Group Expands Its Bank Exploit Capabilities
Silence, a name coined from its long intervals between attacks, was launched in 2016 as a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. The group is primarily known for targeting banks in Russia and Eastern Europe, but its support infrastructure spans the globe, with examples found in Australia, Canada, France, Ireland, Spain, and Sweden, with the US Silence group growing increasingly sophisticated and successful over time.

Silence typically executes attacks by using a combination of publicly available tools and utilities that exist on the target machine (such as PowerShell) combined with its own customized tools. As the different timelines in the Playbook created for the Cyber Threat Alliance suggests, Silence continues to add to its portfolio. If its growth in capability and effectiveness continues, the potential threat the group poses justifies continued vigilant observation of future Silence Group campaigns.

Defending Against the Illicit Use of PowerShell and Similar Services
Given current trends, it seems safe to say that the illicit use of PowerShell and other legitimate services will continue to expand. Because these tools are already embedded in most networks, enterprises must focus on averting this threat. Luckily, defending against illicit cryptocurrency mining does not require specialized security software or radical changes in behavior. In fact, organizations can employ well-known cybersecurity practices:

  • Identify, monitor, and harden tools like PowerShell to prevent their exploitation.
  • Apply application whitelisting.
  • Blacklist network traffic (i.e., blocking domains of mining sites).
  • Block communication protocols for mining pools
  • Check text strings related to cryptomining, such as Crypto, Monero, etc.
  • Identify abnormal behaviors and provide standards for real network traffic with the use of machine learning or other artificial intelligence technologies.
  • Keep up to date with the latest vulnerabilities and patches
  • Monitor firewall and web proxy logs and look for domains associated with cryptomining pools or browser-based coin miners.
  • Monitor for unusual power consumption and CPU activity.
  • Regulate administrative privilege policies.

Cryptomining will continue to exist as long as it remains profitable, which means that one of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network. Groups like Silence depend on organizations being lax when it comes to basic cybersecurity practices, and given the number of attacks that successfully target known vulnerabilities with available patches, they are making a safe bet. Effective cybersecurity strategies — ranging from simply patching tools and services to hardening or even removing systems that cybercriminals tend to exploit — force threat actors back to the drawing board or to look for easier prey.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.