As the popularity and value of cryptocurrencies has increased, so has cyber criminal activity aimed at cashing in on this trend, mainly in the form of cryptocurrency mining malware.
The malware is typically designed to hijack organisations’ computing power to generate cryptocurrency, which is then credited to cryptocurrency wallets under control of the cyber criminals behind the malware.
Servers are the favourite target for cryptocurrency mining attacks because they offer the most computing power to solve the mathematical operations required by cryptomining.
In recent months, there has been a sharp increase in reported incidents of illicit cryptocurrency mining, known as cryptojacking. In fact, cryptojacking was identified as the most popular attack type between September 2017 and February 2018.
According to the latest report from NTT Security, about 12,000 monero mining malware samples dating back to March 2015 have been identified by researchers at the company’s Global Threat Intelligence Center (GTIC).
They also discovered that 66% of the samples were submitted between November and December 2017, indicating a dramatic increase in the use of cryptocurrency mining malware to fund cyber criminal operations.
Terrance DeJesus, threat research analyst at NTT Security, said the acceptance and adoption of digital currencies means that investing in cryptocurrency has become a new way to make money.
“However, generating a profit from mining the currency has become more time-consuming and costly, so cyber criminals have begun developing malware in an attempt to overcome the barriers to entry and generate profits for themselves,” he said.
Monero mining malware is typically installed on the victim’s computer or smartphone without their knowledge and, once installed, it consumes the victim’s computing resources and electricity supply to mine cryptocurrency.
Based on its visibility into 40% of global internet traffic and data from a wide range of threat intelligence sources, NTT Security has revealed that cyber criminals are using phishing emails as the primary tactic to gain a foothold on a targeted system.
Other reports have indicated that cyber criminals are also using malvertising to spread coin miners to a large audience, as seen with a YouTube case that involved malicious adverts via Google-owned internet ad service DoubleClick.
In another case, a Texthelp plugin called BrowseAloud was compromised and injected with a cryptocurrency mining script, leading to hundreds of UK government websites unwittingly participating in malicious cryptomining activity.
Drive-by download attacks
Cryptocurrency miners have been identified as one of the most commonly served payloads in drive-by download attacks, while mobile devices are often targeted through Trojanised apps laced with mining code, especially for the Android platform.
The discovery of coin miners in a network environment suggests that more malicious activity could also exist in that environment, such as backdoors and unpatched vulnerabilities, the NTT Security researchers said. They also found that legitimate coin mining services, such as Coinhive, could be abused and injected into mobile games and websites.
“Organisations must not ignore the threat of mining malware because the impact of an attack can go well beyond performance issues,” said DeJesus. “Mining costs organisations money, impacts the environment and causes reputational damage. It could also be indicative of more problems in the network.”
Illicit miners will grow
The researchers predict that the use of illicit cryptocurrency miners will grow and become more advanced, possibly being built into other malware types, such as banking Trojans, as well as ransomware.
There are serious business implications to ignoring this current threat, according to the researchers. “We are encouraging all companies to be more vigilant of cyber security threats to their business,” they said. “There are often simple and effective ways to mitigate risks, but too often the most obvious things are overlooked.”
Other security reports have urged organisations to ensure their software is patched up to date because of several instances of cryptocurrency malware taking advantage of known exploits such as the EternalBlue and DoublePulsar exploits used by WannaCry, and vulnerabilities such as a flaw with Oracle’s WebLogic Server (CVE-2017-10271), which has been used to deliver miners onto servers from universities and research institutions. Although Oracle released a patch in October 2017, many did not apply it in a timely fashion, and a proof-of-concept attack facilitated widespread abuse.
NTT Security has advised organisations to take the following steps to mitigate the risk of cryptocurrency mining malware penetrating their environment:
- Conduct regular risk assessments to identify vulnerabilities in the organisation.
- Adopt a defence-in-depth approach to cyber security with multiple layers of security in place to reduce exposure to threats.
- Regularly update systems and devices with the latest patches, and deploy intrusion detection and prevention systems to stop attacks.
- Educate employees on how to handle phishing attacks, suspicious email links, and unsolicited emails and file attachments.
- Proactively monitor network traffic to identify malware infection, and pay close attention to the security of mobile devices.
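The last recommendation, monitoring network traffic for infection, can be made concrete. The following Python is an added example, not code from the article or from NTT Security: it scans constructed flow-log lines for signs of a miner talking to a pool. The Stratum-style JSON-RPC method names, the XMRig-style login shape, the Monero address format and the pool URL scheme are assumptions about how mining clients behave, not facts the article states.

```python
import json
import re

# Heuristics assumed for this example, not from the article: Stratum-style JSON-RPC
# methods miners send to pools (XMRig-style "login"/"submit" for Monero, "mining.*"
# for Bitcoin-style pools), the standard Monero address shape (base58, 95 chars,
# leading '4', or '8' for subaddresses) and the pool URL scheme found in miner configs.
STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize", "mining.submit"}
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[^\s\"']+", re.IGNORECASE)

def classify_payload(payload):
    """Return the reasons a captured payload looks like miner-to-pool traffic."""
    reasons = []
    try:
        msg = json.loads(payload)
    except ValueError:  # not JSON (e.g. plain HTTP): only the regex checks apply
        msg = None
    if isinstance(msg, dict):
        if msg.get("method") in STRATUM_METHODS:
            reasons.append("stratum method %s" % msg["method"])
        params = msg.get("params")
        if isinstance(params, dict) and "login" in params and "agent" in params:
            reasons.append("xmrig-style login params")
    if MONERO_ADDR.search(payload):
        reasons.append("monero wallet address")
    if STRATUM_URL.search(payload):
        reasons.append("stratum pool url")
    return reasons

def scan_log(lines):
    """Lines are 'timestamp src dst payload'; return (src, dst, reasons) per hit."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the whole scan
        _ts, src, dst, payload = parts
        reasons = classify_payload(payload)
        if reasons:
            hits.append((src, dst, reasons))
    return hits

# Constructed sample log (documentation IP ranges, placeholder wallet), not real traffic.
FAKE_WALLET = "4" + "A" * 94
SAMPLE_LOG = [
    '2018-03-01T10:00:01 10.0.0.5:51000 203.0.113.10:3333 {"method":"login","params":{"login":"%s","pass":"x","agent":"XMRig/2.5"},"id":1}' % FAKE_WALLET,
    "2018-03-01T10:00:02 10.0.0.7:51001 198.51.100.20:443 GET /index.html HTTP/1.1",
    '2018-03-01T10:00:03 10.0.0.9:51002 203.0.113.11:80 {"pools":[{"url":"stratum+tcp://pool.example:3333"}]}',
]
```

In practice the hits would be correlated with host telemetry (sustained CPU load, an unexpected process holding the flagged connection) before treating a match as an infection, since ordinary JSON-RPC services can share method names.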