Written by: Carolyn Crandall, Attivo Networks Chief Deception Officer and CMO – Cryptocurrency mining attacks have skyrocketed in the last year with the Cyber Threat Alliance (CTA) members reporting an increase in cryptominer detections by 459% from 2017 through 2018, rapidly becoming one of the most in-vogue forms of attack. With its momentum, It becomes critical to understand not only the potential impact of cryptomining today, but also what it could become if used in economic warfare to destabilize economies, fuel nation-state actor revenue, or to simply redirect processing power into decrypting files.
Although this form of threat is relatively new, it should not be underestimated. Cryptomining shows no sign of stopping given the escalating value and number of cryptocurrencies available, from Bitcoin, Monero, Ethereum, Zcash, and Litecoin to name a few. These have encouraged attackers to expand their focus from utilizing malware to steal data and impose ransoms or for a disruptive DDoS attack, to employing tools and techniques to gain access to the computing power of enterprises to generate cryptocurrency payouts.
This form of attack is also viewed as more attractive since it takes limited effort to generate revenue and is much simpler to achieve payday vs. ransomware, which requires an organization to agree to pay. Buyer/seller marketplaces make it easy to facilitate offers in bitcoin for the processing power. These markets will automatically switch the seller’s hashing power to mine for the buyer with the highest offer, making it very easy to complete hashing power financial transactions. So, all one really needs is access to commodity malware, browser-based exploit kits, some computer processing power, and electricity (stolen or legitimate) to get started.
The situation is also only likely to get worse as enterprises embrace blockchain technologies to conduct business operations, illicit mining outside of cryptocurrencies may also create additional risks that enterprises will need to mitigate.
What is the impact?
Cryptomining attacks will not only drain resources and raise electrical bills but can also damage IT infrastructure. Equally important, the presence of a cryptomining attack may indicate other flaws in the organization’s security controls, which, if left open, present opportunity for a much larger attack.
How does this work?
Although cryptomining can be done legally with legitimate apps like XMRig, CGminer, and MultiMiner or web browser scripts like Coinhive, JSECoin, and Crypto-Loot, we will focus on the more illicit examples and cryptojacking-based activities.
The attack starts with cryptojacking, which is the unauthorized use of another person’s machine to mine cryptocurrency. Hackers will use a compiled executable program or application that runs on a device (binary-based mining). When anyone on the network opens the file, the malware immediately begins scanning for machines vulnerable to the exploit. Once infected, the machines retrieve and use an app like XMRigbinary to mine for bitcoin. Popular payloads include PyRoMine, Adylkuzz, Smorinru, and exploit kits like EternalRomance.
With either method, these attacks are typically inexpensive for the actor to conduct and can easily scale across large enterprises or applied to multiple victims. Often these attackers will also use group or “pool” mining to aggregate processing power to mine coins and gain a greater payout.
Why Are These Illicit Cryptomining Attacks Soaring?
These attacks can be surprisingly hard to detect with slower performance and increased latency potentially not noticed for extended periods of time, and even when variations are noted, they can be mistakenly attributed to other causes. Undetected for extended periods of time, the attacker can lay cryptomining scripts for future malware or ransomware attacks. This can create quite a bit of work for an organization to find all these infections, eradicate them, and prevent the attacker from returning. Unfortunately, all too often, the first indicator of compromise is from a sharp spike in CPU usage vs. a detection of the actual attack.
Regrettably, antivirus solutions, firewalls, secure web gateways, and URL filtering cannot reliably detect cryptominer code and are not effective in stopping it from auto-executing within endpoint browsers. Attackers are also now increasingly targeting IoT devices, which may not have the same level of security controls available or applied. Detecting lateral movement within the network has also been traditionally hard for organizations, resulting in missing this form of attack. A different approach to a perimeter-based defense or attempting to find this through some form of behavioral or traffic analysis is needed.
What can be done?
One of the most common ways of detecting and stopping cryptominers is at the network layer because an attacker needs to be able to communicate with an external source to collect new hashes and deliver coins to the applicable wallet. This can be difficult because the messages can be short, encrypted and obscured within other traffic making it difficult to distinguish mining traffic from other types of communication.
Some best practices for detecting cryptomining activities are:
- Employ cybersecurity best practices by patching known vulnerabilities and improving defenses and education against spam and phishing campaigns.
- Prevent unauthorized lateral movement to disrupt an attacker’s ability to install malicious crypto-miners. Integrating deception technology into existing IT security controls can be a powerful resource for defenders in gaining early visibility to in-network threats. By making the attack harder with decoys and misdirection, an adversary is more likely to get deterred as they are forced to decipher what is real and what is fake. This will change the economics of the attack and impact their ROI where it may no longer be financially motivating to continue their attack.
- Monitor for irregular CPU activity and power consumption. Check running processes for command line used by cryptomining
- Blacklist network traffic from mining sites and apply application whitelists to prevent unknown executables from launching autonomously.
- Search DNS query logs for text strings related to cryptocurrency mining tools such as Bitcoin, Monero, CoinHive, Crypto, Cryptonight, Pool, BTC, XMR, Minergate, or Zcash.
- Monitor firewalls and web proxy logs, traffic for abnormal requests, look for connections over mining ports.
- Check system privilege policies and grant administrative privileges only to critical personnel. Placing admin deception credentials will provide visibility to unauthorized use of credentials and insight into exposed credentials that an attacker would target for harvesting.
- Factor in all environments including on-premise servers, cloud environments, IOT devices and individual user systems.
Attivo Networks has seen a material increase in cryptomining activity and deception is playing a critical role in detecting and stopping cryptomining activities at organizations both small and large. Implementing these best practices will have a material impact on the feasibility and likelihood of an adversary’s success on a cryptocurrency mining attack. When network defenders improve their cyber hygiene and lay traps to misdirect illicit cryptocurrency miners, there is a strong chance that the attacker will seek an easier target or simply become disenchanted as the complexity and their costs become too great.