As the general public tried to get its head around the concept of cryptocurrency and blockchain at the back-end of 2017, infosecurity professionals were facing one of the universal truths of our industry: whenever there is an innovation in technology or society, those who want to exploit it for illicit gain are never far behind.
In the case of cryptocurrency, its current high profile is legitimising a means of exchange that, until recently, was mostly the preserve of the deep and dark web as the preferred payment method from victims of ransomware attacks. So, while Joe Public began a twenty-first century gold rush to try and make a killing in the fluctuating cryptocurrency markets, the cybercriminal community started putting its own ideas of how to get its hands on the digital gold into action. The result? Cryptojacking looks set to overtake ransomware as the number one motive for cyberattacks in 2018.
Black market dynamics
The reasons for this are not hard to work out. Fundamentally, the majority of cybercriminals are motivated by the prospect of making a quick buck with as little effort as possible. Ransomware, though lucrative does have a couple of drawbacks that have its exponents looking for an easier target:
- Setting up a cryptocurrency wallet takes time and most companies don’t have one at the point they are attacked. This means the criminal has to wait for payment instead of seeing an instant profit.
- Using exchanges costs money. Fees vary but if you want to be profitable do you really want to pay exchange fees at all?
- The fluctuating price of cryptocurrency makes it hard to rely on as a means of payment – attackers constantly have to tweak their files so that the value of the payment remains within the range that victims are likely to pay: a bit too much like hard work.
On top of this, diversification is critical for any business. Like any other venture, cyber criminals want to spread out their sources of income. By seeding cryptojacking malware. They can avoid the hassle and admin of running ransomware campaigns and settle back while unsuspecting victims print money for them.
High profile victims bring the issue to the fore
Injecting malware into websites is still depressingly easy to do, and the growing scale of the problem hit the headlines earlier this year when 4,000 sites were infected with a cryptojacking bug designed to mine the currency Monero. The Coinhive cryptominer was injected into the sites via a compromised plugin that was designed to assist site accessibility; in this case it allowed cybercriminals to access a bunch of Monero. There were red faces at the UK Information Commissioner’s Office, among many other government agencies, as they shut their sites down to deal with the problem and tighten security.
An interesting point about this attack was that the perpetrators only aimed to hijack around 60% of the site visitors’ CPU power, causing a slowdown but not the kind of total shutdown that would immediately bring the attack to everyone’s attention. Already, attackers are showing the kind of evasion and innovation that we associate with a tactic that is here to stay. I expect to see strategies becoming more sophisticated as time goes on, making life difficult for infosec professionals tasked with protecting the ever-growing number of endpoints under their jurisdiction.
Blurred lines – cryptomining for good causes
Of course, mining cryptocurrency is perfectly legitimate when done openly, and it can even be harnessed for good. How about instead of seeing adverts when you visit your favourite website, your computer is used to mine cryptocurrency while you browse? No more irritating ads, but the site owner still makes money. The site could even decide to mine currency to donate to a charity for users who opt in. While this is perfectly legitimate and even praiseworthy, it presents a headache for infosec professionals trying to put protocols in place to protect systems. What do you allow and what do you block?
Preventing your endpoints from joining the cryptomine workforce
For infosec professionals, this latest scourge is yet more evidence of the importance of protecting endpoints, especially as we’re seeing cryptojacking starting to morph from misdirection of processing power towards actual malware installation on compromised systems. Vulnerable endpoints are susceptible to infiltration and, once an attacker can execute a piece of code on an organisation’s endpoint, it can do all kinds of damage. Just as with ransomware, we saw an evolving into credential theft and lateral movement, so we should expect the same from malicious crypto-software.
Protecting against cryptojacking and related malware requires the same measures that any strong endpoint security programme should have because attackers are generally using the familiar tactics we’re used to defending against.
So, we’re looking for great cyber hygiene in the form of patching; reducing the attack surface with technology such as application whitelisting; tuned next-generation antivirus (NGAV); and good content filtering and control of admin accounts. Organisations can control browser settings in their environment and use those settings to help thwart these types of attacks. You should also pay close attention to an increase in the number of tickets or user complaints related to system slowness that could indicate cryptomining in progress.
Rapid detection and response remain the key to robust network defence. Employing a threat hunting tool, such as Carbon Black’s Cb Response, lets you go further and proactively search for anomalies that flag malicious activity.
Cryptojacking and cryptomining malware are the latest new kids on the block designed to exercise the ingenuity of cybercriminals and those of us who make it our business to stop them. Effectively, it’s just yet another reason threat actors are trying to get control of your endpoints except this time, instead of stealing your data, they’re after processing power to mine cryptocurrency. The battle continues for mastery over the endpoint and deploying sound strategies to defend against attacks will keep us busy for the foreseeable future.
