Q&A: Crypto jackers redirect illicit mining ops to bigger targets — company servers

Illicit crypto mining is advancing apace.

It was easy to see this coming. It began when threat actors began stealthily embedding crypto mining functionality into the web browsers of unwitting individuals. Cryptojacking was born. And now, the next-level shift is underway.


Cybercriminals have shifted their focus to burrowing onto company servers and then redirecting those corporate computing resources to crypto mining chores. They are doing this using both tried-and-true, as well as leading-edge, hacking techniques.

I recently unwrapped these developments in a discussion with Liviu Arsene, senior security analyst at Bitdefender, which has been closely monitoring this trend. One key bit of intelligence Bitdefender shares in a whitepaper is a breakdown of how EternalBlue has come into play, once again.

You may recall EternalBlue was one of the cyber weapons stolen from the NSA and used in the milestone WannaCry ransomware attack in the spring of 2017. WannaCry used EternalBlue to deploy a self-spreading worm to help rapidly spread a globe-spanning ransomware campaign. It also used PowerShell and Windows Management Instrumentation script to infect the victim, followed by Mimikatz to pull logins and passwords from a computer’s memory in order to move laterally across the infrastructure.

And now in 2018 EternalBlue is propagating a very similar worm, dubbed WannaMine, that has been seeking company servers to infect – and redirect to crypto mining chores – in 150 countries.

This is part of a rising number of advanced attacks designed to penetrate data centers of private and public cloud infrastructures which have the computing resources coveted by crypto miners.

The criminals aren’t asking for any ransom. They’re just taking – or more precisely, consuming – what they want: processing power and electricity. Upon noticing slowdowns and even failure of critical services, unwitting victim organizations typically provision new resources, which can lead to a rise in operating expenses.

And since the bad guys are doing this quite stealthily – by seeking out unpatched systems and exploiting unknown vulnerabilities – this trend has got some shelf life. Here’s a synopsis of Last Watchdog’s conversation with Arsene, edited for clarity and length.

LW: Can you frame, at a high level, the shift that is unfolding, with respect to illicit cryptomining?

Arsene: Browser-based cryptojacking, using individual CPUs, is dependent on how much time the user spends on the tampered website. So browser-based cryptojacking is not really that persistent on individual computers. By contrast, company servers have a huge uptime, and the chances for a reboot are really low.

What’s more, in large business environments, especially highly virtualized environments, a cryptojacker infection would likely seem like an ordinary spike, caused by services being under strain. Automated provisioning compensates for this by instancing new workloads to cope with the increase in computing power. It’s likely IT and security teams won’t find the infection for months.
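The pattern Arsene describes, saturated CPU that autoscaling keeps feeding with new replicas while real demand stays flat, can be separated from organic growth by watching CPU per served request rather than raw CPU. The following is an added example, not code from the interview or from Bitdefender; the metric names, thresholds and sample values are constructed for illustration.

```python
from statistics import mean

# Constructed 5-minute samples from an autoscaled pool:
# (average CPU % across replicas, requests per second, replica count)
SAMPLES = [
    (35, 1200, 4), (40, 1300, 4), (38, 1250, 4), (37, 1200, 4),  # normal baseline
    (90, 1210, 4), (95, 1190, 5), (96, 1220, 6), (97, 1200, 7),  # miner lands, pool scales
    (95, 1180, 8), (96, 1230, 9),
]


def cpu_per_request(cpu_pct, rps, replicas):
    """Total CPU spent per unit of served demand. Organic growth keeps this
    roughly constant (more requests, more CPU); a miner pushes it up because
    CPU rises while requests do not."""
    return (cpu_pct * replicas) / rps


def find_sustained_anomaly(samples, baseline_n=4, ratio=2.0, min_windows=3):
    """Return the indices of samples where CPU-per-request exceeds `ratio` times
    the baseline while the request rate stays within 20% of baseline, but only
    for runs of at least `min_windows` consecutive windows (short spikes are
    ignored). The first `baseline_n` samples define the baseline."""
    base_cost = mean(cpu_per_request(*s) for s in samples[:baseline_n])
    base_rps = mean(s[1] for s in samples[:baseline_n])
    flagged, run = [], []
    for i in range(baseline_n, len(samples)):
        cpu, rps, replicas = samples[i]
        demand_flat = rps < base_rps * 1.2
        if demand_flat and cpu_per_request(cpu, rps, replicas) > ratio * base_cost:
            run.append(i)
            continue
        if len(run) >= min_windows:
            flagged.extend(run)
        run = []
    if len(run) >= min_windows:
        flagged.extend(run)
    return flagged


if __name__ == "__main__":
    print("suspicious windows:", find_sustained_anomaly(SAMPLES))
```

A hit is a reason to look at the processes on those replicas, not proof of a miner; a real deployment would feed the function from the metrics store that already drives autoscaling.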

LW: What’s going on in the wild that illustrates this trend?

Arsene: Tampered Docker instances, improperly secured Kubernetes clusters, and vulnerabilities in Jenkins servers are just a few examples in which attackers have been targeting business environments to deploy crypto miners. Docker, for instance, is a very popular containerization platform.

So attackers built tampered images that contain crypto miners, uploaded them to Docker Hub, and waited for them to be deployed and placed in production. The more times the tampered image was used to spawn new instances, the more “productive” it would be for attackers, as each new workload would start mining cryptocurrency.
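The defensive counterpart to the tampered-image scenario above is a gate that only lets vetted publishers into production and insists on digest pinning, so a mutable tag cannot be quietly repointed at a different image after review. This is an added example, not code from the interview or from Bitdefender; the publisher allow-list and the private registry name are assumptions.

```python
import re

# Assumed policy (illustrative): publishers whose images have been vetted.
ALLOWED_PUBLISHERS = {
    "docker.io/library",                   # Docker Hub official images
    "registry.example.internal/platform",  # hypothetical private registry
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split 'name[:tag][@digest]' into (registry, namespace, repo, tag, digest),
    applying Docker's defaults: no registry means docker.io, and a bare name on
    Docker Hub lives under the 'library' namespace."""
    digest = tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' in the last path component is a tag (a ':' earlier is a registry port).
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, parts = first, parts[1:]
    else:
        registry = "docker.io"
    if len(parts) == 1:
        namespace = "library" if registry == "docker.io" else ""
    else:
        namespace = "/".join(parts[:-1])
    return registry, namespace, parts[-1], tag, digest


def check_image(ref):
    """Return (allowed, reason). An image passes only if its publisher is
    allow-listed AND it is pinned by digest: a tag such as ':latest' can be
    repointed at a tampered image after review, a digest cannot."""
    registry, namespace, repo, tag, digest = parse_image_ref(ref)
    publisher = f"{registry}/{namespace}" if namespace else registry
    if publisher not in ALLOWED_PUBLISHERS:
        return False, f"publisher {publisher!r} is not allow-listed"
    if digest is None or not DIGEST_RE.match(digest):
        return False, f"{ref!r} is not pinned by sha256 digest (tags are mutable)"
    return True, f"{publisher}/{repo}@{digest}"


if __name__ == "__main__":
    for ref in ["nginx:1.25", "someuser/app:latest", "nginx@sha256:" + "a" * 64]:
        print(ref, "->", check_image(ref))
```

The same check belongs in CI and in a Kubernetes admission policy, so an image reviewed once cannot be swapped for a re-tagged upload later.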

LW: What does the arrival of WannaMine tell us about criminal use of EternalBlue and other cyberweapons stolen from the NSA?

Arsene: With EternalBlue it was only a matter of time until it was used to deploy crypto miners. Now the same methods used to deliver vulnerabilities, fileless attacks, etc. are being used to deliver crypto miners.

Threats and malware have a way of being reused, improved upon and repackaged with other threats. WannaMine appears to be the result of a low entry barrier for using advanced delivery methods, coupled with an opportunistic new vector. Also, while there is a patch available to mitigate the vulnerability EternalBlue taps into, many businesses schedule patching quarterly or semi-annually.

It’s likely that threat actors are targeting businesses that haven’t patched this vulnerability. Another thing to keep in mind about patching is that some businesses might not even have the ability to patch their systems, potentially because of backwards compatibility issues or too much downtime.

LW: What verticals are the most vulnerable?

Arsene: The tech and telecom verticals are probably the ones most likely to be targeted, as their infrastructures are highly virtualized and very scalable. Highly virtualized infrastructures rely on automated provisioning to scale resources. This makes anomalous spikes difficult to detect, as they’re usually associated with organic business growth.

LW: Companies by now should understand the rationale behind ‘defense in depth’ and ‘layered defense.’ What more do they need to understand?

Arsene: It’s important to understand that crypto mining may seem benign. However, the fact that cryptojackers infiltrated your infrastructure is an indication of a data breach. Threat actors might have actually exfiltrated data or deployed other types of threats before dropping coin miners.

Also, organizations need to understand that their business continuity will depend on how well prepared they are to detect, isolate and remedy the breach in a timely manner, and how proficient they are at constantly adapting to an evolving threat landscape.

LW: Very high level, what approach must they take?

Arsene: Start with the realization that it is essential in today’s business environment for organizations to be more agile, in terms of identifying and responding to threats, constantly minimizing the time it takes to detect a potential breach and continuously updating their incident response plan. This is directly tied to ensuring business continuity and minimizing financial and reputational losses.

Hybrid infrastructures are usually the most difficult to secure from a platform-agnostic perspective, as traditional security solutions are not usually designed to support the performance, agility, and manageability needs associated with them.

The best approach to secure any type of infrastructure – physical or virtual – is to gain full visibility across every type of workload. That will put you in position to detect threats without affecting performance.

LW: So get to know your systems – and your data?

Arsene: Organizations must start by understanding how their infrastructure is designed, what data is considered mission-critical, and where that data is stored. Using a layered security solution that’s platform-agnostic and capable of securing physical and virtual infrastructure can help preserve the benefits digitalization offers.

Apart from this, it’s mandatory that they implement an incident response plan that’s constantly updated, revised, and improved. This will help minimize any potential fallout caused by a data breach.

(Editor’s note: Last Watchdog has supplied consulting services to Bitdefender.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: