An evolution has occurred with the preferred attack method among hackers. With its high potential for a fast return with relatively little right, instances of cryptojacking, the malicious use of a companies’ computer resources to mine for cryptocurrency, have increased 8500% in 2018 according to Symantec. While 2017 saw a rise in ransomware to be paid in cryptocurrency, this year attackers have decided to remove an organization’s decision of paying from the process. Instead of taking over a system and demanding a ransom, attackers now take over a system and use the CPU or GPU power to mine cryptocurrencies for their own profit. Each system may only yield .25-.50 cents a day, but with hundreds of thousands of devices in a campaign, these amounts add up. The CryptoNight hash for Monero Coin is one of the most popular, using CPU power, something all systems have, to mine a currency deemed a “privacy’ coin which is anonymously transacted (this isn’t entirely true, but that’s another subject).
Most organizations do not think they would be a target for a cryptojacking attack, but these attacks are most effective with a high volume of systems. Perpetrators are looking for any system they can take over, even those without any significant data or purpose, to join the campaign, making all systems a potential target. CPU mining software takes up valuable resources and shortens the life of any system they are running on, an auxiliary cost of infection. These attacks are occurring both on-premise and in the cloud, leveraging any available systems.
In April 2018 Palo Alto Networks’ Unit 42, a threat research team, identified the Rarog mining trojan. This software originated in Russia, costs around $104 USD to acquire, and has infected at least 166,000 systems. Rarog comes with built-in capabilities to deploy other malware and assist in persistence as well as propagate the trojan to other systems.
Luckily there are several ways to break the kill chain of this attack type. Starting with perimeter for some of the more popular attacks, such as CoinHive. NextGen Anti-Viruses such as Cylance will block known mining software from executing on a device, even when the author was purposely mining eth with his duel GPU’s on his personal desktop. Additionally, the CRITICALSTART MSSP maintains external dynamic block lists that identify all mining pools, the servers all mining machines must communicate with to obtain a mining reward, so communication with them is not possible. This method helps to block both outside attackers and internal employees deciding underutilized company servers would be a good way for them to make some additional money. Although these admins may have the authority to load software onto systems, the NGFW will not allow them to reap any rewards.
The takeaway here is, a change in the adversaries’ preferred form of rewards for their attacks must elicit a change in our mitigation strategies. If the payload is no longer designed to encrypt but to propagate and quietly mine, security programs must adapt to identify more stealthy indicators of mining. Individuals with almost no expertise can buy cryptojacking malware, deploy it with ease, and quietly profit without having to demand a ransom. Since victims often become aware of ransomware only due to the process of the attackers trying to extract their dues, attacks that quietly run in the background can persist for long periods without discovery.
by Chris Russell | Director of SOC Engineering, CRITICALSTART
March 23, 2018