MY TAKE: Why ‘crypto-jacking’ is spreading faster than ransomware — and may be more insidious

Has there ever been anything more tailor-made for hackers than crypto currency? Is anyone surprised that hackers are innovating ways to crack into digital wallets and currency exchanges?

In January, hackers absconded with some 58 billion Japanese yen worth of the XEM cryptocurrency from Tokyo-based Coincheck Exchange. That’s a cool $533 million in U.S. dollars.


Meanwhile, con artists have commenced scamming unwitting victims into forking over their joyfully earned digital coins. Those smiles can quickly turn to frowns if the crypto coin holder gets fooled into doing any transactions on spoofed websites, sporting website addresses that look just like the authentic URLs of some popular cryptocurrency exchange sites, like Binance and Bittrex.

However, there is an even more insidious malicious activity that is on the verge of disrupting business networks at an unprecedented scale: the dispersal of crypto mining malware for the purpose of crypto jacking.

New heights of innovation

Not only is this type of hacking activity taking off like a rocket – it is driving hackers to new heights of innovation. Hacking collectives are directing the latest, greatest hacking techniques to uploading crypto mining code on PCs and servers inside business networks. They are:

• Repurposing classic botnets, as well as assigning IoT botnets to crypto mining chores.

• Using stolen NSA cyber weapons, like the ones used in the WannaCry ransomware wave, to accelerate mining activities.

• Seeking out and tapping into well-known vulnerabilities in Windows and Linux open source admin tools to aid these endeavors.


“Crypto mining malware is becoming attackers’ popular mode of operation regardless of their targets,” says Nadav Avital, security researcher at network security firm Imperva. “Crypto mining attacks are directed at any machine that has a public interface to the internet, whether it is a MySQL server, Apache server or a file server.”

The common denominator is that cyber miners are seeking to access and usurp control of the Central Processing Unit, the heart of the computing device, whether it be a desktop, a server, a home router, or even a container residing in the public cloud. With control of a CPU, they can divert cycles to crypto coin mining, which involves dedicating CPUs to solving complex math puzzles. Solving one puzzle earns part of a coin, but the next puzzle is slightly more difficult to solve. As the difficulty rises, so do the required computing cycles – and the amount of electricity needed to run the CPU cycles. There is a finite number of coins, which creates scarcity. And value is determined in an exchange.

This direct correlation between processing power and crypto currency value has prompted hackers to seek out the former in order to accumulate the latter.

BitCoin, the granddaddy of cryptocurrencies, was first mined in 2009. At the end of 2016 one BitCoin was worth about $1,000. By early December 2017 it had spiked to nearly $20,000, and more recently has been trading around $8,000. Because BitCoin has been around so long and attracted so much attention, the puzzles it puts out today can only be solved by special-purpose computers.

But Monero, Litecoin and dozens of other crypto currencies can still be mined by ordinary CPU cycles, and their values have been rising dramatically, as well, creating a fresh, hassle-free path to a criminal payday. The result: crypto jacking is accelerating and morphing much faster than any other fresh attack variant I’ve witnessed in 15 years covering cyber security.

No stones unturned

Botnets are a natural fit for illicit crypto mining. When they’re not busy blasting out email spam or spreading malware, classic botnets, like Necurs, are now being dispatched to crypto mining chores. Meanwhile, the Satori botnet, which is made up of compromised Internet of Things devices, has pioneered a way to crack into legit crypto mining operations and then siphon off freshly-mined coins, according to researchers from China-based Qihoo Netlab 360.


Remember EternalBlue, the stolen NSA cyber weapon that sought out and exploited a zero-day vulnerability in certain Windows services to spread the WannaCry ransomware worm? Trend Micro has been tracking one hacking group that has been using EternalBlue to get deep inside business networks and stealthily deliver crypto-mining malware. Once inside, these attackers spoof their way onto a common Microsoft Windows administration tool, called WMI, and use it to rapidly spread a resilient form of the mining code.

Meanwhile, firewall company Imperva has been tracking another hacking group that is also leveraging EternalBlue to deploy a self-spreading, WannaCry-like worm, christened RedisWannaMine, designed to swiftly infect unpatched Windows servers and convert them into relentless crypto miners.

Unscrupulous crypto miners are leaving no stones unturned in their hunt for free CPU cycles. In patronizing Amazon Web Services (AWS) to execute major parts of its business operations, car maker Tesla left itself open to a hacker to gain control of Tesla’s Kubernetes panel. Kubernetes is an open-source cloud-services management tool widely used by the fastest-moving companies. Cloud security firm RedLock reports on how hackers managed to install crypto mining malware on Tesla’s Kubernetes console, turning the car maker’s AWS data storage servers into Monero crypto miners.

Crypto jackers are even tapping into industrial control systems. Darktrace, a supplier of AI-based security systems, has identified more than 20 cryptocurrency miner attacks over the past six months among its customers in the energy and utilities sectors. And Kaspersky Lab reports that, from February 2017 to February 2018, miners attacked 3.3% of computers that are part of industrial automation systems. One recent example: researchers at industrial controls security firm CyberX used the Shodan search engine to locate a European wastewater facility infected with cryptocurrency mining malware.

CPU motherlode

And they’ve even found fresh resources in a somewhat obscure application, called Browsealoud, used widely by government, health and education organizations in the U.S., the UK and Australia. The software is used to assist folks with dyslexia, visual impairment and speech difficulties. Hackers accessed a JavaScript file in Browsealoud and injected it with code that converts any website running Browsealoud into a crypto miner. A total of 4,275 websites were affected, including the UK’s Information Commissioner’s Office, U.S. Courts and numerous academic websites.

Another fresh motherlode of easy-to-hack CPU cycles: Website servers. Hackers have discovered that website hosting servers make awesome crypto currency miners. The number of websites found to be diverted to crypto coin mining surged 725% between September 2017 and January 2018. Security vendor Cyren monitored 500,000 websites in that period and found 7,281 running coin mining scripts.

And let’s not forget Google extensions; crypto hackers certainly didn’t. Nearly 90 malicious Google Chrome browser extensions designed to inject crypto mining code and record browsing activities were recently discovered in the official Chrome store. More than 400,000 computers have been infected by these malicious Chrome extensions.

We’re at the start of this trend, folks. The direct payoff for criminals will remain compelling – at least until the crypto currency bubble bursts, and probably for a while after that. I fear most companies do not realize the nature of exposure, since no one is demanding a ransom payment, and the theft of a little processing power may not seem overtly costly.

Yet crypto mining may prove to be more insidious in the long run. From Imperva’s Avital: “From what we have seen so far, crypto-mining malware relies on a dynamic configuration file that is downloaded separately from the malware. Hence, it gives the attacker the flexibility to change the way the malware operates.

“The configuration file ‘tells’ the malware which algorithm to use, where to store log files, etc. This file also specifies how many CPU cores to use in the infected machine and to which extent.

“If there are no restrictions, which is the case in many attacks we have witnessed, then the crypto-mining malware uses all CPU computing power and prevents the CPU from doing other tasks. For example, if the infected machine is a web server, then users browsing the web application will experience major slowdowns in page loading time, up to a point where the application cannot be used.”
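The symptom Avital describes, a miner with no core limit pinning the CPU for a long stretch on a host that has no legitimate long-running CPU hog, is something a defender can watch for in ordinary process telemetry. The following is an added illustration, not code from the article or from Imperva; the per-process CPU snapshots are constructed, the process names are hypothetical, and a streak-based check is used so that short legitimate bursts are not flagged.

```python
"""Flag processes that monopolise the CPU across many consecutive samples.

Added illustration (not from the article or Imperva). A miner whose config
sets no core restriction shows up as one process near 100% CPU for sample
after sample, while a normal web server process drops toward idle because
it is starved. The SAMPLES below are constructed, not real telemetry.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_s, pid, process name, percent of total CPU capacity) taken every
# 60 seconds on a hypothetical web server; all values are constructed.
SAMPLES: List[Tuple[int, int, str, float]] = [
    (0,   101, "apache2",   12.0), (0,   555, "kthreadd",   0.1),
    (60,  101, "apache2",   15.0), (60,  555, "kthreadd",   0.0),
    (120, 101, "apache2",   14.0), (120, 3021, "svcupdate", 98.5),
    (180, 101, "apache2",    3.0), (180, 3021, "svcupdate", 99.7),
    (240, 101, "apache2",    2.0), (240, 3021, "svcupdate", 99.9),
    (300, 101, "apache2",    1.0), (300, 3021, "svcupdate", 99.8),
    (360, 101, "apache2",   40.0), (360, 3021, "svcupdate", 99.6),
    # a legitimate short burst: log rotation compressing files, then idle
    (420, 777, "gzip",      95.0), (480, 777, "gzip",        0.0),
]


def sustained_cpu_hogs(samples, threshold: float = 90.0, min_consecutive: int = 3):
    """Return {pid: (name, longest_streak, mean_cpu_in_streak)} for processes
    that stayed at or above `threshold` percent CPU in at least
    `min_consecutive` successive samples. A lone spike is ignored; a long
    streak is the signature of an unrestricted miner."""
    by_pid: Dict[int, List[Tuple[int, str, float]]] = defaultdict(list)
    for ts, pid, name, cpu in samples:
        by_pid[pid].append((ts, name, cpu))
    flagged = {}
    for pid, rows in by_pid.items():
        rows.sort()                      # order samples by timestamp
        best, streak = 0, 0
        best_vals: List[float] = []
        streak_vals: List[float] = []
        for _, _, cpu in rows:
            if cpu >= threshold:
                streak += 1
                streak_vals.append(cpu)
                if streak > best:
                    best, best_vals = streak, list(streak_vals)
            else:
                streak, streak_vals = 0, []
        if best >= min_consecutive:
            flagged[pid] = (rows[0][1], best, sum(best_vals) / len(best_vals))
    return flagged


if __name__ == "__main__":
    for pid, (name, streak, mean_cpu) in sustained_cpu_hogs(SAMPLES).items():
        print(f"pid {pid} ({name}): {streak} consecutive samples, mean {mean_cpu:.1f}% CPU")
```

In a real deployment the same check would run over `ps`/`top` or EDR process telemetry; a flagged process is a lead to investigate, not proof of mining on its own.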

Deeper damage

At the end of the day, companies may have to pay as much to recover or rebuild CPU cycles stolen by crypto miners. That’s the micro impact. The macro effect is even more troublesome. Crypto mining appears to be motivating the best and brightest hackers to take innovation to another level.


Here’s what Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, observes: “We’ve observed the trend of combining cryptocurrency monetization with self-spreading, exploit-based propagation. This was started by WannaCry last year, which spread through Eternal Blue exploits and asked for ransom. WannaCry infected more than 300,000 computers worldwide and was attributed to North Korea state attackers.

“Now, WannaMine (Smominru) botnet is using the same Eternal Blue exploit and has swapped the ransom mechanism for a mining engine. The pattern is clear. State-sponsored attackers are pushing the envelope by discovering and weaponizing sophisticated attack methods (Eternal Blue) and then financial-motivated cyber mobsters are following in their footsteps and quickly adapting those techniques to their own campaigns, similar to how a suckerfish attaches itself to the belly of a shark for a symbiotic relationship.”

It seems clear crypto mining is destined to accelerate. Companies and government agencies of all sizes that don’t adequately monitor and defend are likely to get run over by this freight train.



This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog