Just as with investigations of criminal activity in other areas, the mantra “follow the money” makes sense in looking at what’s causing hacking attacks. Research indicates crypto-mining malware is a consistent cybersecurity threat–and growing. Here’s what you need to know about it.
What is Crypto-Mining?
At this point, whether you’re someone who still carries cash in your wallet or not, you’ve at least heard of cryptocurrency.
Bitcoin is the most popular cryptocurrency available today. But whether Bitcoin, Electroneum, Karbo or another cryptocurrency, they typically demand substantial processing power. Crypto-mining uses computers to verify digital transactions by solving complex problems. This requires a lot of juice. For context, earlier this year it was estimated that cryptocurrency is already eating up an estimated 20,000 gigawatt hours of electricity per year — on par with the power demand of the country of Ireland.
For example, DMG Blockchain Solutions in November opened a new 85-megawatt crypto-mining facility in Canada to become one of the largest crypto-mining facilities operating in North America. Coinmint also recently announced its intention to launch a $700-million mining facility in Massena, New York, with 435-megawatt capacity.
Crypto-mining has fast become a moneymaker for criminals in the form of cryptojacking. Instead of trying to get someone to open an attachment that opens a door to steal data, or running a script to take control of the network and demand a ransom, all they need to do is mount a code that takes over the infected system’s processing power.
Looking at combined data from its members, the Cyber Threat Alliance shows a 459% increase in illicit crypto-mining malware detections since 2017.
Cryptojacking scripts are running on 3% of all sites users are visiting today, according to Webroot’s midyear cybersecurity report. Cryptojacking represented 35% of the current threat landscape, with malware (excluding cryptojacking) making up the remaining 52% of the top 87% malware threats.
The Motivation Behind Cryptojacking Appeals
A single miner doesn’t generate that much coin on its own, but when many systems are infected and set to run the computer problems, criminals can tap an ongoing revenue source, with minimal effort, and little chance of discovery. Even if the exploit is discovered, the miners are typically using anonymous, untraceable digital currencies, such as Monero. Those behind the WannaCry ransomware attack, for instance, moved their 52.2 billion in bitcoins over to a Monero wallet. In 2017, the value of one bitcoin neared $20,000.
“Cryptocurrency miner payloads could be among some of the easiest money makers available for attackers,” the threat intelligence division at Talos told Forbes. “There is no need to attempt to compromise hosts to steal documents, passwords, wallets, private keys, as we’ve grown accustomed to seeing from financially motivated attackers.”
The ease of this illicit mining is so pernicious a threat its even expected to lead to multiple bad actors trying to run mining scripts on the same compromised systems which could ultimately lead to widespread brownouts of computing power.
Tackling the Crypto-Mining Threat
To install crypto-mining malware, bad actors try to exploit vulnerabilities in the web application source code, mainly remote code execution (RCE) vulnerabilities. The malware usually uses all of the infected server’s CPU computing power, which prevents other tasks from getting done and effectively functions as a denial of service (DoS) attack.
So, even though the attackers are not stealing money directly from their victims, they are illicitly accessing computing power and the requisite electricity and can render computers unusable to application users. This can also increase IT workload and risk of damage to IT infrastructure.
In December 2017, 88 percent of all remote code execution (RCE) attacks sent a request to an external source to try to download a crypto-mining malware.
Based on its 2018 study of “an extremely large spike of RCE attacks,” Imperva categorized three main types of crypto-mining threat:
- Malware — downloads a script from a remote server to turn local, vulnerable server into a crypto currency miner.
- DDoS botnet– downloads and runs a script as above but also enlists the vulnerable server to participate in on-demand DDoS attack
- Reconnaissance– attackers make many requests of a specific server, targeting different parameters to determine whether it’s vulnerable or not.
Imperva attributed the majority of these to RCE vulnerabilities from insecure deserialization, which lets attackers tamper with serialized objects sent to the web application to exploit vulnerable server to run malicious code.
Yet others point to crypto-mining worms leveraging Windows Management Infrastructure (WMI) weaknesses. Common exploits of this type include Smominru and WannaMine. Other attack vectors have targeted Microsoft SQL Server, Oracle, and even Google Android devices by scanning for open debug ports.
This kind of malware is also a tough one to shake. The attack often persists as the bad actor often adds a scheduled task to download and run the script again after a certain period of time.
Protect your web applications from crypto-mining threats by securing your system against attack. Plan on penetration testing at least annually to ensure your servers are secure, in conjunction with having a thorough and documented security plan in place.
RedTeam’s experts are here to help. Schedule your free consultation today and let’s chat about next steps toward a more secure organization.