
Cryptojacking Threat Continues to Rise

Unauthorized cryptocurrency mining can consume processing power, make applications unavailable, and open the door to other malware.

The latest malware threat doesn't encrypt your files, delete your data, steal your information, or even deface your website: All it does is steal your productivity and electricity in order to make money for the attacker. And it's becoming a huge threat to corporate IT.

Cryptocurrency miners have been in the news as legitimate miners search out towns with cheap electricity and plentiful empty space. Unethical and criminal miners have discovered that the cheapest electricity is the power someone else pays for, and the most plentiful space is in someone else's data center. And the rewards of cryptocurrency speculation make the (currently small) risk of discovery worth it for many actors.

In a new report, researchers at Secureworks note that the cryptocurrency market grew from approximately $18 billion to more than $600 billion during 2017. The rise in value has been accompanied by a rise in crypto-miner malware. Secureworks says that the number of alerts related to cryptocurrency mining they've seen in their client base has jumped significantly, from 40,000 in May of 2017 to over 280,000 in October 2017. While settling back slightly, they say that the number of "cryptojacking" alerts has remained high through February of this year.

Risks Rise

Unauthorized cryptocurrency mining can cause critical servers and applications to become unavailable as their processing capacity is consumed. Even more worrisome, the threat actors who have infected the computers with mining malware can, and do, deploy additional and potentially more damaging malware onto the same systems, such as banking Trojans or ransomware.

"There's a temptation for people to see the miners as a lesser danger because they're less disruptive, but they're not a good thing to have on your network," says Mike McLellan, senior security researcher with the Secureworks Counter Threat Unit (CTU). "They signify a failure of technical controls."

McLellan says that his group is trying to raise awareness of the problem so that companies will treat cryptocurrency miners as a security issue on the same level as banking Trojans and other well-known types of malware, because network monitoring is showing a shift toward miners and away from older types of intrusion. "I think a lot of organizations will have these on their networks," he says, simply because they're becoming a popular way for criminals to make money.

Criminals have become creative in finding ways to place cryptocurrency miners on victims' systems. "I think one of the interesting things is the sheer breadth of the delivery mechanisms being used," McLellan explains. "We've seen scan exploit techniques as well as spam and Web link poisoning."

Other researchers have found criminal networks using the NSA's EternalBlue exploit to plant miners on more than half a million PCs. Secureworks reported on attackers who exploited unpatched vulnerabilities in Oracle WebLogic servers to embed miners on both Windows and Linux servers.

Vulnerabilities in Web servers have also been exploited, as researcher Troy Mursch demonstrated when he found more than 50,000 websites (including many based on WordPress) that have been infected and are now busily mining cryptocurrency for their controllers.

Illicit Mining's Impact

McLellan says that convincing computer owners of the seriousness of cryptojacking attacks can be difficult, since the immediate impact is often invisible: electrical costs go up and server performance goes down, but it can be difficult for an administrator to point immediately at a cryptocurrency miner as the cause.

Often, it's not until the miner's resource demands become too high that owners notice. "When the malware gets on business critical computers, the critical applications can become unstable or unusable because of the demands on the system of the cryptominers," says McLellan.

In many ways, the mining malware's more critical impact is as a harbinger of damage to come. Cryptojacking applications are a malicious payload that can be delivered through a variety of means, and if cryptojackers can be delivered successfully, so can other malware.

The rise in cryptojackers could also have an impact on open source development. Recently, criminals placed a cryptocurrency miner in a forked project on GitHub. Notably, this code also included limits on how much CPU the miner could use, evidently an attempt to evade detection by avoiding the heavy CPU load that is one of the more notorious side effects of miners.

"But cybercriminal cryptocurrency mining isn't just about device wear and tear, or even the power consumption involved. It's also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it," Trend Micro senior product manager Menard Osena wrote in a recent blog post. "And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as they are common, using a plethora of ways to infect systems and even inadvertently turn their victims a part of the problem."

Because cryptocurrency miners tend to use existing exploit kits to carry their payload, existing defenses can work to keep them at bay. "The key message is that, if organizations are using good hygiene, they should be able to catch these," McLellan says. "On the flip side, if you do these things to stop cryptocurrency miners, you also stop a number of other threats like ransomware. There's nothing unique there, it's just about doing the basics."
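The two detection points the article raises, that a miner's impact is hard to attribute from performance alone and that attackers now throttle CPU use specifically to stay under load-based alarms, suggest a triage that does not depend on CPU load by itself. The script below is an added example and is not code from the Secureworks report or from Dark Reading. Everything in it is assumed for illustration: the stratum URL pattern and miner-style command-line flags, the list of ports treated as "pool-style", the CPU thresholds and weights, and the host snapshot, which is constructed. It scores each process on indicators that survive throttling (mining-protocol URLs in the command line, miner-style flags, connections to pool-style ports) and counts sustained CPU only as a weak supporting signal, so a busy compiler is not flagged while a miner held to 25 percent, or even under 20 percent, still is.

```python
"""Triage a process snapshot for cryptojacking indicators that survive
CPU throttling. Added example; indicator lists and thresholds are
illustrative assumptions, and the snapshot below is constructed."""
import re
from dataclasses import dataclass, field

# Assumed indicators. A real deployment would tune these against its own fleet.
STRATUM_URL = re.compile(r"stratum2?\+(tcp|ssl)://", re.IGNORECASE)
MINER_FLAGS = ("--donate-level", "--cpu-max-threads-hint", "--algo", "--randomx")
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 14433}  # assumed pool-style ports
SUSTAINED_CPU_PCT = 20.0     # a throttled miner still holds a flat, low plateau
SUSTAINED_SECONDS = 3600     # for hours, unlike a batch job that finishes
WEIGHTS = {"stratum URL in cmdline": 3, "miner-style flags": 2,
           "connection to pool-style port": 1, "sustained CPU plateau": 1}
FLAG_AT = 3                  # CPU load alone (weight 1) can never reach this


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_samples: list            # (seconds_ago, cpu_pct) pairs, any order
    remote_ports: set = field(default_factory=set)


def cpu_sustained(samples, threshold=SUSTAINED_CPU_PCT, seconds=SUSTAINED_SECONDS):
    """True when every sample in the last `seconds` is at/above `threshold`
    and the samples actually span (most of) that window."""
    window = [(age, pct) for age, pct in samples if age <= seconds]
    if not window:
        return False
    spans_window = max(age for age, _ in window) >= 0.9 * seconds
    return spans_window and all(pct >= threshold for _, pct in window)


def score(proc):
    """Return (score, reasons) for one process."""
    reasons = []
    if STRATUM_URL.search(proc.cmdline):
        reasons.append("stratum URL in cmdline")
    if any(flag in proc.cmdline for flag in MINER_FLAGS):
        reasons.append("miner-style flags")
    if proc.remote_ports & POOL_PORTS:
        reasons.append("connection to pool-style port")
    if cpu_sustained(proc.cpu_samples):
        reasons.append("sustained CPU plateau")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(procs):
    """Map pid -> (score, reasons) for every process scoring at least FLAG_AT."""
    flagged = {}
    for p in procs:
        s, why = score(p)
        if s >= FLAG_AT:
            flagged[p.pid] = (s, why)
    return flagged


# Constructed snapshot: a miner throttled to ~25% CPU, a legitimately busy
# compiler, an idle web app, and a renamed miner held under the CPU threshold.
SNAPSHOT = [
    Proc(4121, "cache-helper",
         "/tmp/.cache/cache-helper -o stratum+tcp://pool.example:3333 "
         "-u WALLET_PLACEHOLDER --donate-level=1 --cpu-max-threads-hint=25",
         [(0, 25), (900, 24), (1800, 26), (2700, 25), (3600, 25), (5400, 24), (7200, 25)],
         {3333}),
    Proc(880, "javac", "javac -J-Xmx4g @sources.txt",
         [(0, 97), (1800, 95), (3600, 98), (7200, 96)], {443}),
    Proc(2210, "node", "node server.js",
         [(0, 3), (1800, 4), (3600, 2)], {443, 5432}),
    Proc(3005, "dbus-daemon",
         "/usr/lib/dbus-daemon --algo rx/0 --cpu-max-threads-hint=30 -o pool.example:14444",
         [(0, 18), (1800, 17), (3600, 19)], {14444}),
]

if __name__ == "__main__":
    for pid, (s, why) in sorted(triage(SNAPSHOT).items()):
        print(f"pid {pid}: score {s}: {', '.join(why)}")
```

On the constructed snapshot the throttled miner scores 7 and the renamed, sub-threshold miner scores 3, while the compiler, despite running at 95 to 98 percent CPU for two hours, scores only 1 and is left alone. The weighting is the design point: the indicators that a throttling miner cannot hide (what it talks to and how it is invoked) carry the verdict, and CPU load only corroborates.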


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...