10/1/2020
10:00 AM
Matt Honea
Commentary

Cryptojacking: The Unseen Threat

Mining malware ebbs and flows with the price of cryptocurrencies, and with price momentum pointing upward, cryptojacking is a very present threat.

Cryptojacking isn't a new threat, but it is evolving quickly. Infections by this type of mining malware tend to ebb and flow with the price of cryptocurrencies. The bad news is that cryptojacking is gaining new upward momentum in 2020. As background, 2018 was one of the biggest years for cryptomining malware development and proliferation. In 2019, infections dropped about 40% early in the year, then held steady into 2020, with a slight uptick through August. Those trends line up with the price of Bitcoin over the last three years.

So, why is an old threat significant and timely news? Cryptojacking is heavily underreported in the security industry, and because of the nature of the malware involved, only a small fraction of what is out there has ever been seen. Examined up close, mining malware is incredibly lightweight, elegant, and easily changed. Its sole purpose is to compute hashes on the victim's CPU, and it is very difficult to tell a legitimate computation from a cryptominer's. In addition, the code is often so customized and so benign in its behavior that malware scanners overlook it altogether.

Given that cryptocurrency prices are rising, the number of Internet of Things (IoT) devices has doubled since 2017, mobile phones with web browsers are ubiquitous, and the number of vulnerabilities discovered has tripled over the same time period, we are facing a perfect storm of opportunity for cryptominers to evolve their tactics and create wormable mining malware for illicit gains.

Consider the following: An average CPU can process around 500 hashes per second on the Monero network. Servers have many CPUs, so they are a more lucrative target than IoT devices, but IoT devices are more numerous and often a softer target. (For simplicity, this article treats all targets, including IoT devices, web browsers, and mobile phones, as equal.) At current prices, that hash rate translates to about $0.21 per week per CPU from mining.

One might say that's a paltry amount, but let's put it in a different perspective. The Mirai botnet infected 600,000 devices. A cross-site scripting attack on Google search could affect 6 billion devices in a single day. There are roughly 20 billion Internet-connected devices today. Even someone who could infect just 10,000 of those 20 billion devices (0.00005%) could make $2,100 a week, enough to live very comfortably in most places.

Infecting All the Devices
How do you infect 10,000 devices? The easiest way is to find exploitable software in an automated fashion. Code execution has been the top reported vulnerability category for the last three years running, and cross-site scripting (XSS) was the No. 1 vulnerability reported through HackerOne in 2019.

The reasons cryptojacking is so prolific are threefold: it doesn't require elevated permissions, it is platform agnostic, and it rarely sets off antivirus triggers. In addition, the code is often small enough to insert surreptitiously into open source libraries and dependencies that other platforms rely on. It can also be configured to throttle its CPU use based on the device, and to use a flavor of encrypted DNS (DNS over HTTPS or DNS over TLS), so as not to arouse suspicion.

Cryptojacking can also be built for almost any context and in various languages such as JavaScript, Go, Ruby, Shell, Python, PowerShell, etc. As long as the malware can run local commands, it can utilize CPU processing power and start mining cryptocurrency. In addition to entire systems, cryptominers can thrive in small workhorse environments, such as Docker containers, Kubernetes clusters, and mobile devices, or leverage misconfigured cloud instances and overpermissioned accounts. The possibilities are endless.

Unbalanced Scales
The goal is to minimize detection and maximize longevity. Even with cryptocurrency prices in flux, for financially motivated actors, cryptojacking is still lucrative. Resource overhead is minimal and direct profits are obtained.

Here are three reasons why we will see continued cryptojacking growth and development:

  1. The number of potential targets is in the billions. Many devices are already infected and flying under the radar.
  2. It's a direct payout for minimal effort. There is no need for additional steps to get money, such as data brokers or "crypto tumbling," a process similar to money laundering.
  3. Cryptojacking is only one step removed from data exfiltration. Once a foothold is established within environments, cryptojacking could easily evolve into wormable malware, piggybacking on advanced techniques. It could also evolve into botnets for hire or data theft.

In addition to the huge number of targets, corporate data breaches are heavily underreported because laws vary by jurisdiction on when a company is required to report a breach. Because cryptojacking generally does not steal data or cause a business outage, no one is forcing victims to report an infection. The malware is stealthy to begin with, so it is underreported.

Cryptojacking can also target the largest class of IoT devices, most of which lack any malware detection. Unless a company has a well-established baseline and tracks its compute spend closely, no one will be the wiser.

Developing a Response
Evaluating macro trends is critical to developing cyber defenses for the future. Cryptojacking threats should be taken seriously as they can evolve into a security breach at any time. We should be hunting for cryptojacking threats at multiple levels:

  • Identifying mining algorithms at runtime (CPU-bound hashing loops, stratum protocol traffic) rather than on disk
  • Full DNS inspection for all connected devices, including blocking encrypted DNS to resolvers you don't control, since DoH/DoT bypasses passive inspection
  • DNS/IP alerting for known mining pools, common stratum ports, Tor usage, or blacklisted Git repos
  • CPU/GPU monitoring for sustained elevated usage against a per-device baseline, not just spikes, since miners often throttle
  • Temperature baseline monitoring for physical devices

In addition, more visibility into our IoT devices and containers is needed to understand abnormal baseline usage. Until the security industry as a whole is able to effectively identify this threat at scale, it will only continue to get worse.

As Senior Director of Cybersecurity at Guidewire Software, Matthew Honea is responsible for the company's corporate security strategy and implementation.

Comments

Brad Brooks, 10/1/2020 12:16:52 PM
Thank you
Thanks for your thoughts