Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/25/2019
10:00 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Rise of Silence and the Fall of Coinhive

Cryptomining will exist as long as it remains profitable. One of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network.

Threat actors recently have been benefiting tremendously from leveraging tools developed by others, including legitimate vendors, to carry out their cyberattacks. In April, for example, Fortinet released a playbook on the Silence group, a threat actor that has been leveraging PowerShell and other legitimate tools in a long running campaign. In the most recent "Fortinet Threat Landscape Report," threat analysts paid special attention to the Silence group as well as Coinhive, a cryptocurrency mining service that was suddenly terminated by its creators in March.

Coinhive Falls Victim to Its Own Success
Coinhive's service launched in 2017 with the idea that its JavaScript file could be installed on websites to generate income for the site owners without resorting to traditional advertisements. Coinhive mines the cryptocurrency Monero, and unlike bitcoin, Monero transactions between two parties are undetectable.

This feature made it an attractive option for cybercriminals who took to installing it on compromised websites without consent. This "success" in the black market drove Coinhive to the top of the threat charts and caused it to be blacklisted in many security products.

Despite claims of raking in $250,000 per month and controlling 62% of the cryptojacking market, Coinhive publicized in February that the service "isn't economically viable anymore" and that it would be shutting down. This is partly due to Monero crashing in value as well as the fact that Monero released an algorithm update that made the mining process slower.

Coinhive said the JavaScript variant would cease working on March 8, and true to its promise, none of the JS/Coinhive variants appeared in Fortinet's data beyond that date. The effects of this shutdown in early March were obvious. Our detection of the two biggest Coinhive signatures began to slow down over the quarter. However, the Riskware/Coinhive version still shows some signs of life. We suspect this reflects a delay in remediating the many compromised servers that exist. Based on prior shutdowns, analysts suspect it will be a long time before Coinhive disappears completely. But it's still good to acknowledge each victory as it comes.

Silence Group Expands Its Bank Exploit Capabilities
Silence, a name coined from its long intervals between attacks, was launched in 2016 as a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. The group is primarily known for targeting banks in Russia and Eastern Europe, but its support infrastructure spans the globe, with examples found in Australia, Canada, France, Ireland, Spain, and Sweden, with the US Silence group growing increasingly sophisticated and successful over time.

Silence typically executes attacks by using a combination of publicly available tools and utilities that exist on the target machine (such as PowerShell) combined with its own customized tools. As the different timelines in the Playbook created for the Cyber Threat Alliance suggests, Silence continues to add to its portfolio. If its growth in capability and effectiveness continues, the potential threat the group poses justifies continued vigilant observation of future Silence Group campaigns.

Defending Against the Illicit Use of PowerShell and Similar Services
Given current trends, it seems safe to say that the illicit use of PowerShell and other legitimate services will continue to expand. Because these tools are already embedded in most networks, enterprises must focus on averting this threat. Luckily, defending against illicit cryptocurrency mining does not require specialized security software or radical changes in behavior. In fact, organizations can employ well-known cybersecurity practices:

  • Identify, monitor, and harden tools like PowerShell to prevent their exploitation.
  • Apply application whitelisting.
  • Blacklist network traffic (i.e., blocking domains of mining sites).
  • Block communication protocols for mining pools
  • Check text strings related to cryptomining, such as Crypto, Monero, etc.
  • Identify abnormal behaviors and provide standards for real network traffic with the use of machine learning or other artificial intelligence technologies.
  • Keep up to date with the latest vulnerabilities and patches
  • Monitor firewall and web proxy logs and look for domains associated with cryptomining pools or browser-based coin miners.
  • Monitor for unusual power consumption and CPU activity.
  • Regulate administrative privilege policies.

Cryptomining will continue to exist as long as it remains profitable, which means that one of the most effective ways to disrupt that activity is to make it too expensive to run cryptomining malware in your network. Groups like Silence depend on organizations being lax when it comes to basic cybersecurity practices, and given the number of attacks that successfully target known vulnerabilities with available patches, they are making a safe bet. Effective cybersecurity strategies — ranging from simply patching tools and services to hardening or even removing systems that cybercriminals tend to exploit — force threat actors back to the drawing board or to look for easier prey.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1448
PUBLISHED: 2020-07-14
A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1446, CVE-2020-1447.
CVE-2020-1449
PUBLISHED: 2020-07-14
A remote code execution vulnerability exists in Microsoft Project software when the software fails to check the source markup of a file, aka 'Microsoft Project Remote Code Execution Vulnerability'.
CVE-2020-1450
PUBLISHED: 2020-07-14
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1451, CVE-2020-1456.
CVE-2020-1451
PUBLISHED: 2020-07-14
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1450, CVE-2020-1456.
CVE-2020-1454
PUBLISHED: 2020-07-14
This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server.An authenticated attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server, aka 'Microsoft SharePoint Re...