IT Security Guru

How cryptojacking came to be, what to watch out for, and how Citrix can help you avoid it like the plague!

by The Gurus
February 16, 2018
in This Week's Gurus

Cryptojacking targets both endpoints and servers, on-premises and in the cloud. The goal is the same: enslave a massive botnet of devices and harness their CPU cycles to mine cryptocurrency with minimal cost or investment. I briefly introduced the concept in the previous Digital Vikings blog post, and the threat has grown month after month, likely coinciding with the run-up in the crypto market. We'll look at crypto mining and at some mitigations to prevent and detect digital parasites that leech CPU cycles for months or even years, generating cash for their owners all the while.


Primitive infectious organisms kill their host and gain a one-time benefit: replication. The more advanced ones feed on their hosts. These biological parasites live in or on a host organism and siphon nutrients at the host's expense; their main function is to leech from the host, not to destroy it. Similarly, digital parasites don't delete, encrypt, or ransom data; they siphon off compute resources, preferably undetected. Compute is a valuable commodity in the world of crypto mining, and adversaries driven by the opportunity of financial gain are weaponizing mining to exploit the digital currency boom. This stealthier malware phenomenon, cryptojacking, is becoming a popular payload because it generates revenue with a lower chance of detection than ransomware: the goal is to run unnoticed, stealing CPU cycles, and essentially to become a digital parasite.


For example, Coinhive, a JavaScript miner sold under the slogan "Monetize Your Business With Your Users' CPU Power", has turned up injected into the Wi-Fi connections of customers at a café in Argentina and embedded in online video sites. A European water utility was also hit by crypto mining, on critical ICS and SCADA systems. If those critical systems aren't enough, how about Russian supercomputers used for simulating nuclear weapons designs? Not even regulatory agencies such as the UK's ICO are spared. Finally, some websites are using crypto mining as an alternative to advertising banners and pop-ups; as an opt-in approach to monetization this is interesting to see develop, provided users actually consent and the miner stops when they leave the page.


Digital Gold Rush


For context, let's take a brief look at what mining means in terms of crypto. Mining is an intensive process: a miner repeatedly hashes candidate blocks looking for one that satisfies the network's difficulty target, which keeps processors at 100% usage for as long as it runs. Professional miners make a large upfront investment in specialized hardware and infrastructure (hosting, cooling, etc.), followed by recurring electricity, maintenance and staff costs. It's a substantial investment to reach ROI and become profitable, but cryptojackers skip it entirely by herding botnets of compromised machines, collectively stealing CPU cycles and leaving end users with reduced performance while inflating the electricity bill on-premises and the cloud bill where elastic resources are priced on usage.


In the earliest days of crypto, Bitcoin mining was done with desktop CPUs. As more miners came online, the difficulty adjusted upward so that running multiple graphics processing units (GPUs) became more effective. Next came chipsets designed specifically for mining Bitcoin (ASICs), which keep getting smaller and more efficient. To smooth out payouts, miners join pools in which they are compensated according to the hash power they contribute. For Bitcoin, mining with CPUs, GPUs, or even older ASICs will never reach ROI: the cost of the energy consumed exceeds the revenue generated. With exceptions, Bitcoin mining tends to be limited to large operations where energy is cheap, such as hydro or subsidized power in China, Sweden, Iceland and the State of Washington, among others.
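
To make the difficulty adjustment concrete, here is a toy proof-of-work loop added for this article (it is not code from any coin, miner, or Citrix). It assumes a single SHA-256 over a made-up header plus a nonce and a target of N leading zero bits; real Bitcoin double-hashes an 80-byte header against a 256-bit target and retargets every 2016 blocks, and Monero uses a different hash function entirely, but the scaling is the same: each extra bit of difficulty doubles the expected number of hashes, while checking a claimed solution always costs one hash.

```python
"""Toy proof-of-work: why mining pins a CPU and why difficulty matters.

Added illustration for this article, not code from any coin or miner.
Assumptions: a single SHA-256 over header || nonce, a target expressed as
a number of leading zero bits, and a constructed placeholder header.
"""
import hashlib
import time


def _digest(header: bytes, nonce: int) -> bytes:
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 2**32) -> tuple:
    """Search for a nonce whose digest has `difficulty_bits` leading zero bits.

    Returns (nonce, digest, attempts). Expected attempts are about
    2**difficulty_bits, so every extra bit doubles the work; this is the
    adjustment that pushed Bitcoin from CPUs to GPUs to ASICs."""
    target = 1 << (256 - difficulty_bits)  # digest must be numerically below this
    for nonce in range(max_nonce):
        d = _digest(header, nonce)
        if int.from_bytes(d, "big") < target:
            return nonce, d, nonce + 1
    raise RuntimeError("nonce space exhausted")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs one hash regardless of how many the miner spent."""
    return int.from_bytes(_digest(header, nonce), "big") < (1 << (256 - difficulty_bits))


if __name__ == "__main__":
    header = b"constructed-block-header"  # placeholder, not a real block
    for bits in (8, 12, 16, 18):
        t0 = time.perf_counter()
        nonce, digest, attempts = mine(header, bits)
        dt = time.perf_counter() - t0
        assert verify(header, nonce, bits)
        print(f"{bits:2d} bits: nonce={nonce:<8d} attempts={attempts:<8d} "
              f"time={dt:.3f}s rate={attempts / max(dt, 1e-9):,.0f} H/s")
```

Run it and watch the attempt count roughly quadruple for every two extra bits while the verification stays instant; that asymmetry is the whole economic basis of both legitimate mining and cryptojacking.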


But a large number of "altcoins" running different protocols at lower difficulty levels have grown in popularity, Ethereum and Monero among hundreds of others. While some alts have unique utility or functionality, they mainly provide a more lucrative mining (and cryptojacking) opportunity because they can be traded for Bitcoin. Monero is the favorite of mining botnets: its CryptoNight proof-of-work was designed to run well on ordinary CPUs, and its private transactions make the proceeds hard to trace, so a couple of thousand compromised systems can mine several hundred thousand dollars a year. It's not all doom and gloom; crypto mining is a great learning opportunity as well. Case in point is our very own Steve Wilson, who embarked on a business and technology project with his daughter. How many experiments teach about blockchain, operating efficiencies, and equipment depreciation?


Digital Parasites


Endpoints are targeted through the web browser; the telltale symptoms are sluggishness, high CPU usage, and the whine of cooling fans at maximum RPM. An example is a finding by independent security researcher Willem de Groot, who "believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero." Another variant is "drive-by" cryptojacking, where the miner runs in a hidden pop-under window, sized and positioned to sit behind the taskbar, that keeps working even after the user closes the visible site.
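
One way to check whether a site has been seeded with an in-browser miner is to pull its scripts and look for the miner libraries and API calls. The scanner below is an added example for this article, not a tool from Citrix or from the research quoted above; its indicator list is a short, hand-assembled sample of domains and function names that were public in early 2018 (Coinhive, its opt-in sibling AuthedMine, Crypto-Loot, JSEcoin) and is assumed, not complete, and the HTML it runs on is constructed.

```python
"""Scan a page's scripts for in-browser miner indicators.

Added example for this article, not a Citrix or Coinhive component.
Assumption: DOMAIN_INDICATORS and INLINE_INDICATORS are a small sample of
indicators current in early 2018; a real deployment keeps a larger,
regularly updated list (or a public blocklist such as NoCoin).
"""
import re
from html.parser import HTMLParser

DOMAIN_INDICATORS = (
    "coinhive.com", "coin-hive.com", "authedmine.com",
    "crypto-loot.com", "jsecoin.com",
)
INLINE_INDICATORS = (
    re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\("),  # Coinhive API
    re.compile(r"\bCRLT\.(Anonymous|User)\s*\("),            # Crypto-Loot API
    re.compile(r"cryptonight", re.I),                        # Monero PoW name
)


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.sources, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html: str) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.sources:
        if any(dom in src.lower() for dom in DOMAIN_INDICATORS):
            findings.append(f"external miner script: {src}")
    for body in p.inline:
        for pat in INLINE_INDICATORS:
            m = pat.search(body)
            if m:
                findings.append(f"inline miner call: {m.group(0)}")
                break
    return findings


# Constructed sample page, not captured from a real site; the site key is a placeholder.
SAMPLE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
<script src="/static/app.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Point it at fetched HTML (or at a proxy's cached responses) rather than at the live DOM, since a miner injected by a Wi-Fi provider, as in the café case above, shows up in the transit copy of the page and not in the site's own source.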


Mobile devices and gadgets are also susceptible, even more so since the mining scripts can run in the background and are harder to spot. One example is the Android variant named ADB.Miner, which reuses scanning code from the Mirai botnet to find devices that expose the Android Debug Bridge (ADB) over the network on TCP port 5555; any device found is infected, set to mine Monero, and used to scan for further victims. Mobile apps such as Minergate Mobile and dozens of others have been available since 2016, downloadable right off the internet. Weaponized variants are typically installed on rooted or jailbroken devices, or arrive in one of the hundreds of thousands of apps that have since been removed from the app stores.


Server-side attacks follow the pattern of earlier botnets, retooled. Instead of pharma mail spam, ransomware, or DDoS, the bots run miners such as the Minergate client, as the Smominru botnet does. The miner runs quietly and continuously, checking in with the mining pool to fetch new work and submit results. The payload may arrive via spam emails with attachments such as malicious Word documents. A common vector is an internet-facing server with RDP enabled, a weak password and no multifactor authentication. Tools like Shodan show how pervasive internet-facing servers are, and scanners that probe every port for RDP listeners make quick work of the security-through-obscurity trick of moving RDP off port 3389. With brute-force dictionary attacks, it's only a matter of time before simple passwords are cracked. Once attackers are in, expect backdoor accounts and backup access methods to be deployed. As with other attacks, server-side cryptojacking can become more complex and complicated once it spreads. If the attacker gets access to the infrastructure, he or she may provision additional servers; in cloud environments, expect to see new servers with high-end specs and a matching bill.
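
The check-ins with the pool are the most reliable network signal: miners speak Stratum, newline-delimited JSON-RPC whose first messages are `mining.subscribe` and `mining.authorize` (Bitcoin-style pools) or `login` carrying a wallet address and an agent string such as `XMRig/2.4.4` (Monero-style pools). The triage script below is an added example for this article, not code from the page's sources; the flows it inspects are constructed, with placeholder hosts and wallet strings, and the method list is a working assumption rather than a complete protocol table.

```python
"""Spot mining-pool check-ins (Stratum JSON-RPC) in captured TCP payloads.

Added example for this article. Assumptions: STRATUM_METHODS is a partial
list of method names seen in Bitcoin-style and Monero-style Stratum; the
flows below are constructed, with placeholder hosts and wallet strings.
"""
import json

STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",   # Bitcoin-style
    "mining.notify", "mining.set_difficulty",
    "login", "getjob", "submit", "keepalived",                  # Monero-style (XMRig)
}


def classify_payload(payload: str) -> list:
    """Return (method, detail) pairs for every Stratum message in one payload.

    Non-JSON lines are skipped; one TCP payload may carry several lines."""
    hits = []
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        params = msg.get("params")
        detail = ""
        if method == "login" and isinstance(params, dict):
            # Monero pools take the wallet as the login name, plus a miner agent string.
            detail = f"wallet={params.get('login')} agent={params.get('agent')}"
        elif method == "mining.authorize" and isinstance(params, list) and params:
            detail = f"worker={params[0]}"       # usually "<wallet>.<worker name>"
        elif method == "mining.subscribe" and isinstance(params, list) and params:
            detail = f"agent={params[0]}"
        hits.append((method, detail))
    return hits


def triage_flows(flows) -> list:
    """flows: iterable of (src_ip, dst_host, dst_port, payload).

    Returns the flows that look like miner check-ins and what was learned
    from them (pool endpoint, wallet/worker, miner software)."""
    suspects = []
    for src, host, port, payload in flows:
        hits = classify_payload(payload)
        if hits:
            suspects.append({"src": src, "pool": f"{host}:{port}", "hits": hits})
    return suspects


# Constructed sample flows, not real captures; hosts and wallets are placeholders.
SAMPLE_FLOWS = [
    ("10.0.0.17", "pool.example.invalid", 3333,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_ADDRESS_PLACEHOLDER",'
     '"pass":"x","agent":"XMRig/2.4.4"}}\n'),
    ("10.0.0.23", "stratum.example.invalid", 3333,
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'
     '{"id":2,"method":"mining.authorize","params":["WALLET_PLACEHOLDER.worker1","x"]}\n'),
    ("10.0.0.42", "api.example.invalid", 443,
     '{"id":7,"method":"getUser","params":[]}\n'),   # ordinary JSON-RPC, not a miner
]

if __name__ == "__main__":
    for suspect in triage_flows(SAMPLE_FLOWS):
        print(suspect)
```

Feed it the payload column of a proxy or IDS log; the wallet and worker strings it extracts are what tie scattered infected hosts to one operator. Pools also listen on TLS ports, where only the destination host, port and the long-lived connection remain visible, so pair this with a blocklist of pool domains and a watch on persistent outbound connections to ports such as 3333 and 14444.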


A more recent cryptojacking attack is WannaMine. As described by CrowdStrike: "WannaMine employs 'living off the land' techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry. Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus." As discussed in Martin Zugec's blog post, blocking the EternalBlue exploit used to deliver the WannaCry ransomware, and fileless attacks in general, has been possible with Bitdefender HVI and Citrix XenServer since day one.
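
The persistence CrowdStrike describes can be audited from the three WMI objects that make up a permanent subscription in the root\subscription namespace: the __EventFilter (the trigger query), the CommandLineEventConsumer (what runs) and the __FilterToConsumerBinding that joins them. On the host they can be listed with `Get-WmiObject -Namespace root\subscription -Class __EventFilter` (and likewise for the other two class names) and exported with `ConvertTo-Json`. The triage below is an added example for this article, not CrowdStrike's or Citrix's detection; the records are constructed to mirror the shape of such a chain, and the command-line and query patterns are a small hand-picked set, not a complete signature.

```python
r"""Triage WMI permanent event subscriptions for fileless persistence.

Added example for this article. Input: the __EventFilter,
CommandLineEventConsumer and __FilterToConsumerBinding objects from
root\subscription (e.g. exported with Get-WmiObject ... | ConvertTo-Json),
as lists of dicts keyed by property name. Assumptions: the indicator
patterns are illustrative, and the sample records below are constructed.
"""
import re

# Consumer command lines that run PowerShell hidden, encoded, or fetching code
# over the network. Assumption: a small illustrative set, not exhaustive.
SUSPICIOUS_CMD = re.compile(
    r"(powershell|pwsh)[^\n]*?("
    r"-enc\w*|-e\s|-nop|-w(indowstyle)?\s+hidden|"
    r"downloadstring|iex\b|invoke-expression|frombase64string)",
    re.I,
)
# A filter that fires whenever the system perf counters change is a common
# "run me every N seconds" trigger for fileless persistence.
PERIODIC_TRIGGER = re.compile(
    r"__InstanceModificationEvent.*Win32_PerfFormattedData_PerfOS_System", re.I | re.S
)


def _ref_name(ref: str) -> str:
    """Pull the Name= value out of a WMI object reference path."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def triage(filters, consumers, bindings) -> list:
    """Join each binding to its filter and consumer and report suspicious chains."""
    f_by_name = {f["Name"]: f for f in filters}
    c_by_name = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        f = f_by_name.get(_ref_name(b["Filter"]), {})
        c = c_by_name.get(_ref_name(b["Consumer"]), {})
        cmd = c.get("CommandLineTemplate", "")
        reasons = []
        if SUSPICIOUS_CMD.search(cmd):
            reasons.append("consumer runs hidden/encoded PowerShell")
        if PERIODIC_TRIGGER.search(f.get("Query", "")):
            reasons.append("filter fires on periodic perf-counter change")
        if reasons:
            findings.append({"filter": f.get("Name"), "consumer": c.get("Name"),
                             "command": cmd, "reasons": reasons})
    return findings


# Constructed sample records; names, paths and the encoded command are placeholders.
FILTERS = [
    {"Name": "Updater Filter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"Name": "Benign Filter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_NTLogEvent'"},
]
CONSUMERS = [
    {"Name": "Updater Consumer",
     "CommandLineTemplate": "powershell.exe -NoP -NonI -W Hidden -E BASE64_PLACEHOLDER"},
    {"Name": "Benign Consumer",
     "CommandLineTemplate": "cscript.exe C:\\tools\\report.vbs"},
]
BINDINGS = [
    {"Filter": '\\\\.\\root\\subscription:__EventFilter.Name="Updater Filter"',
     "Consumer": '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="Updater Consumer"'},
    {"Filter": '\\\\.\\root\\subscription:__EventFilter.Name="Benign Filter"',
     "Consumer": '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="Benign Consumer"'},
]

if __name__ == "__main__":
    for hit in triage(FILTERS, CONSUMERS, BINDINGS):
        print(hit)
```

Run the export on a known-clean build first: a handful of legitimate subscriptions ship with Windows and with some management agents, so the useful signal is a chain that is new, binds to a PowerShell consumer, or fires on a timer.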

Back to the basics… but smarter


Defending against cryptojacking requires a holistic approach: a security architecture with a secure digital perimeter that focuses on prevention as well as detection. The basics still apply: patch the SMB flaw that EternalBlue exploits (MS17-010), never expose RDP to the internet without multifactor authentication, baseline CPU usage so that a sustained 100% load stands out, and block known mining-pool domains at the proxy. Citrix has partnered with multiple security companies that enhance endpoint, network, server, and cloud protection. Secure Web Gateway protects browsers by preventing access to malicious websites and malware, integrating with NetStar to inspect the incoming payload and block it as needed. For exploit-delivered payloads, the Bitdefender integration provides Hypervisor Introspection for XenServer. For mobile endpoints, XenMobile's integration with Symantec Endpoint Protection Mobile (formerly Skycure) stops the exploits before the payload is delivered.

Tags: Cybersecurity, Technology
© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic