Threat Intelligence

3/15/2018
03:16 PM
100%
0%

Cryptojacking Threat Continues to Rise

Unauthorized cryptocurrency mining can consume processing power and make apps unavailable as well as lead to other malware.

The latest malware threat doesn't encrypt your files, delete your data, steal your information, or even deface your website: All it does is steal your productivity and electricity in order to make money for the attacker. And it's becoming a huge threat to corporate IT.

Cyptocurrency miners have been in the news as legitimate miners search out towns with cheap electricity and plentiful empty space. Unethical and criminal cryptocurrency miners have discovered that the cheapest electricity is power that someone else pays for, and the most plentiful space that in someone else's data center. And the rewards of cryptocurrency speculation make the (currently small) risk of discovery worth it for many actors.

In a new report, researchers at Secureworks note that the cryptocurrency market grew from approximately $18 billion to more than $600 billion during 2017. The rise in value has been accompanied by a rise in crypto-miner malware. Secureworks says that the number of alerts related to cryptocurrency mining they've seen in their client base has jumped significantly, from 40,000 in May of 2017 to over 280,000 in October 2017. While settling back slightly, they say that the number of "cryptojacking" alerts has remained high through February of this year.

Risks Rise

Unauthorized cryptocurrency mining can cost critical servers and applications to become unavailable as their processing capacity is consumed. Even more worrisome is the fact that the threat actors, who have infected the computers with cryptocurrency mining malware, can and will deploy additional and potentially more lethal malware onto these systems, such as banking Trojans or ransomware.

"There's a temptation for people to see the miners as a lesser danger because they're less disruptive, but they're not a good thing to have on your network," says Mike McLellan, Secureworks Counter Threat Unit (CTU) Sr. security researcher. "They signify a failure of technical controls."

McLellan says that his group is trying to raise awareness of the problem so that companies will see cryptocurrency miners as a security issue on the same level as banking Trojans and other well-known types of malware because monitoring networks are seeing a shift to the miners from older types of intrusion. "I think a lot of organizations will have these on their networks," he says, simply because they're becoming a popular way for criminals to make money.

Criminals have become creative in finding ways to place cryptocurrency miners on victims' systems. "I think one of the interesting things is the sheer breadth of the delivery mechanisms being used," McLellan explains. "We've seen scan exploit techniques as well as spam and Web link poisoning."

Other researchers have found criminal networks using the NSA's EternalBlue exploit to plant miners on more than half a million PCs. Secureworks reported on attackers who exploited unpatched vulnerabilities in Oracle WebLogic servers to embed miners on both Windows and Linux servers.

Vulnerabilities in Web servers have also been exploited, as researcher Troy Mursch demonstrated when he found more than 50,000 websites (including many based on WordPress) that have been infected and are now busily mining cryptocurrency for their controllers.

Illicit Mining's Impact

McLellan says that convincing computer owners of the seriousness of cryptojacking attacks can be difficult since the immediate impact is often invisible; electrical costs can go up and server performance can go down, though it can be difficult for an administrator to point immediately at a crypocurrency miner as the reason.

Often, it's not until the miner's resource demands become too high that owners notice. "When the malware gets on business critical computers, the critical applications can become unstable or unusable because of the demands on the system of the cryptominers," says McLellan.

In many ways, the mining malware's more critical impact is as a harbinger of potential damage to come. Cryptojacking applications are a malicious payload that can be delivered through a variety of means. And if cyptojackers can be successfully delivered, so can other malware.

The rise in cryptojackers could also have an impact on open source development. Recently, criminals placed a cryptocurrency miner in a forked project on Github. Notably, this code also included limits on how much CPU resource the code could use - obviously an attempt to evade detection through one of the more notorious side-effects of miners.

"But cybercriminal cryptocurrency mining isn't just about device wear and tear, or even the power consumption involved. It's also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it," Trend Micro senior product manager Menard Osena, wrote in a recent blog post. "And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as they are common, using a plethora of ways to infect systems and even inadvertently turn their victims a part of the problem."

Because cryptocurrency miners tend to use existing exploit kits to carry their payload, existing defenses can work to keep them at bay. "The key message is that, if organizations are using good hygiene, they should be able to catch these," McLellan says. "On the flip side, if you do these things to stop cryptocurrency miners, you also stop a number of other threats like ransomware. There's nothing unique there, it's just about doing the basics."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14373
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. In TIFFFindField in tif_dirinfo.c, the structure tif is being dereferenced without first checking that the structure is not empty and has the requested fields (tif_foundfield). In the call sequences following from the affected library functions (TIFFVGetFiel...
CVE-2018-14374
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an empty fmt argument to unixErrorHandler in tif_unix.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFClientOpen, TIFFFdOpen, TIFFRawStripSize, TIFFCheckTile, TIFFComputeStrip,...
CVE-2018-14375
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow vulnerability can occur via an invalid or empty tif argument to TIFFRGBAImageOK in tif_getimage.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFReadRGBAImage, TIFFRGBAImageOK, and TIFFRGBAIm...
CVE-2018-14378
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an invalid or empty tif argument to TIFFWriteBufferSetup in tif_write.c, and it can be exploited (at a minimum) via the following high-level library API function: TIFFWriteTile.
CVE-2018-14363
PUBLISHED: 2018-07-17
An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames.