As surging investment drives interest in cryptocurrency, cryptomining malware has emerged from nowhere to become one of the biggest threats facing enterprise security managers.
The past year has seen an explosion in mining activity as cybercriminals exploit vulnerabilities such as the Apache Struts bug, which compromised Equifax last year and was exploited for the Zealot mining tool. The SMB1 vulnerability, famously used to deliver WannaCry ransomware, was also used to deploy Adylkuzz mining malware. And, in January, upatched Oracle WebLogic servers were infected with Monero cryptocurrency mining software. Cryptocurrency-related fraud is also an issue, with Australians paying over $50,000 in Bitcoin to fake ATO scammers to date.
Detections of cryptocurrency mining infections have closely followed the surging value of Bitcoin cryptocurrency, according to a time analysis of mining activity by the SecureWorks Counter Threat Unit (CTU) Research Team.
CTU analysts “often” discover cryptocurrency mining software while responding to calls for assistance in which mining software may be the cause of the problems, or running alongside other “malicious artifacts”.
As opposed to the hard stop imposed by ransomware, mining-malware victims “may not notice cryptocurrency mining as quickly because it does not require capitulation, its impact is less immediate or visible, and miners do not render data and systems unavailable,” the report’s authors noted. “These factors may make mining more profitable than deploying ransomware.”
Cybercriminals’ new attack vector may lead some to breathe a sigh of relief, since – unlike ransomware or destructive malware – the software generally tries not to overtly interfere with the computer’s operation. Yet the slowdown in processing capabilities can retard the performance of business-critical applications and processes. And, with mining malware potentially bundled with banking Trojans or other insidious malware, complacency is ill-advised.
McAfee’s Advanced Threat Research team has also explored the rise of cryptocurrency mining infections, noting in its latest McAfee Labs Threats Report that PowerShell malware and cryptocurrency mining were leading growth that saw an average of 8 new malware samples per second in the last quarter of 2017 – compared with 4 new samples per second in the previous quarter.
Palo Alto Networks’ Unit 42 cybersecurity unit has also been tracking the rise of cryptocurrency mining malware, noting “a major increase” in such attacks in the last six months as mining activity becomes more profitable and lower risk than other forms of malware exploitation.
A recent Kaspersky Labs analysis found that 1.65m users were attacked with mining tools in the first eight months of 2017 – suggesting a 2.48m annualised rate that is well above the 1.8m total infections stopped in 2016.
Implications for security practice
The spread of cryptocurrency miners within an environment should be taken as a warning that other malware could spread through similar mechanisms, SecureWorks’ analysts advised, while warning enterprise customers to develop a formal policy around legal forms of cryptocurrency mining such as the CoinHive browser-based tool.
Yet surreptitious installation of cryptocurrency miners are only part of the problem for enterprise CSOs: given that cryptocurrency miners can also be legitimately loaded by users, security policies will need to be formalised to simplify dealing with incidents such as the Australian Federal Police response when two Bureau of Meteorology (BoM) employees were recently discovered using company systems to run mining tools.
Such incidents – and others yet to be discovered – reflect a new exposure that can be partly attributed to a systemic failure to secure other parts of the infrastructure, such as the privileged accounts necessary to load mining software in the first place.
The BoM incident “highlights the need for organisations to implement policies such as least-privilege access, so employees have only access to the privileges they require to do their jobs,” noted Centrify senior director for products and marketing Corey Williams in a statement.
Security policies needed to lock privileged accounts for administrators, system accounts, and superuser accounts from casual use, Williams noted. “The rights assigned to those privileged accounts should be limited to just those needed to perform legitimate work-related tasks,” he said.
“All of the sessions should be recorded and monitored for improper use. This least-privilege approach would both keep individuals from exercising poor judgement as well as preventing all-too-common cyber attacks that use compromised credentials and target privileged access.”