
Double jeopardy: Data center security and the threat of cryptocurrency mining

By Liviu Arsene, senior e-threat analyst, Bitdefender

Cybercrime is motivated by financial gain, be it in the form of money or data that can be monetized. Experts estimate the cybercrime industry nets trillions in illicit profits while causing significant financial and reputational damage to organizations.

Organizations agree that their security risks have increased in the past several years, and the emergence of new threats that stealthily infiltrate them has changed the way security and IT teams need to look at malware. As detection and response methods evolve, so too do attack techniques, as attackers find new ways to generate revenue while evading the latest security solutions and protocols.

Alex, “What is cryptojacking?”

Traditional threats and malware have primarily focused on data exfiltration or holding data for ransom. However, the emergence of cryptocurrency has brought forward a new type of menace that abuses an infrastructure’s computing power to mine for cryptocurrency. The process of illicitly using a victim’s computing power is referred to as cryptojacking, and it’s one of the newest types of malware. Cryptojacking is gaining traction because of its ability to “fly under the radar” and operate undetected on victims’ systems.

Let’s Take Endpoints to Data Centers

Cryptocurrency mining has been traditionally restricted to rigging GPU farms and using their collective power to mine for virtual currencies. With the demand for graphics cards increasing alongside the ever-advancing complexity of generating new cryptocurrency units, threat actors have now turned to abusing CPUs. Browser-based cryptocurrency mining scripts, such as CoinHive, became extremely popular because they could be easily injected into compromised websites and start using the collective computing power of unsuspecting users to mine for cryptocurrency.

While the use of CPUs presents obvious benefits in terms of potential targets, the power-hungry process of mining for new cryptocurrency units has driven threat actors to explore a new avenue: data centers. These large infrastructures have the one defining characteristic that makes cryptocurrency mining the perfect threat: uptime. For example, traditional endpoints are sometimes rebooted by individual users. Data centers and virtual workloads that host servers and databases, however, are rarely rebooted, as it would affect the overall business performance.

To this end, threat actors started targeting digital infrastructures that heavily rely on virtualization to quickly scale the cryptocurrency mining process. Leveraging the computing power of the cloud as well as its uptime, threat actors could stealthily deploy cryptocurrency miners that remained undetected for months while generating revenue for themselves.

For example, a recent incident involving Tesla saw cybercriminals abusing a series of the company’s Amazon instances to quickly deploy the mining software while leaving Tesla to pay the bill.

In some instances, to maximize the spread of the infection within an infrastructure, threat actors have even weaponized the wormable component of the WannaCry ransomware outbreak – the military-grade EternalBlue vulnerability allegedly developed by the NSA – to spread cryptocurrency mining software. Ironically dubbed WannaMine, the malware seeks out and infects unpatched systems and automatically exploits and deploys the coin-mining software.

Double Jeopardy for $500

Abusing a data center’s computing power might seem relatively benign at first, as it doesn’t disrupt or corrupt data, but merely causes performance slowdowns that can be addressed by allocating more computing power. However, a cryptojacking infection can have a broad-reaching impact, even destabilizing critical infrastructure. In a double jeopardy scenario, these attacks drain computing power while at the same time degrading user experience, consolidation ratios, and virtualization density and increasing provisioning costs with no apparent cause.

Stopping Cryptojacking

The most common misconception about a cryptojacking infection is that it’s completely harmless and, if the overall infrastructure is still standing, there’s no immediate danger. Experience knows better. IT and security teams should be concerned with identifying how the threat managed to get within the infrastructure. A cryptojacking infection is usually a sign of a data breach and the potential financial, reputational, and productivity impact that such an attack poses should not be underestimated. Threat actors might have exfiltrated data or deployed other types of threats before dropping coin miners.

Here’s what organizations need to do to keep their infrastructure safe:

· Deploy security at the workload level that can analyze attack techniques at the hypervisor level and even run cloud performance baselining that can spot anomalous provisioning spikes in resource consumption.
· Use next-generation security solutions specifically designed for virtualized environments and data centers. These solutions have layered security defenses that can prevent and detect cryptocurrency miners and block them from being deployed.
· Implement memory introspection technologies that can help identify potential known or unknown vulnerabilities that are used to deliver cryptocurrency mining software. These technologies are specifically designed for software-defined data centers and hyper-converged infrastructures, as they’re uniquely capable of protecting virtual workloads from zero-day vulnerabilities and memory manipulation techniques usually associated with advanced and sophisticated threats.
· Beware suspect scripts embedded in email attachments and websites. Fileless threats constitute one of the most popular methods for delivering cryptocurrency malware. They are usually scripts – PowerShell, Visual Basic, WMI, etc. – that are embedded within email attachments or websites. Although fileless malware has often been associated with advanced and sophisticated attackers, it has recently become the “go to” attack method used by criminals to deploy even the seemingly benign cryptocurrency miner. Detecting these attacks requires hyper detection technologies based on machine learning to identify malicious behavior and prevent these scripts from ever executing on the workload.
· Monitor network communications with C&C servers. Some security technologies also have an additional security layer that can detect network communication between infected machines and command and control (C&C) servers. These servers usually orchestrate the cryptocurrency mining process on infected workloads. Spotting this type of communication with a known C&C is usually a sign of a data breach.
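
The performance baselining from the first recommendation can be sketched as follows. This is an added example, not code from the article or from any vendor product: it builds a robust per-workload CPU baseline and flags only sustained deviations, since a miner's load is continuous while a backup or batch job is brief. The workload names, sample values and thresholds are constructed assumptions.

```python
from statistics import median

def threshold(history, k=6.0, min_margin=20.0):
    """Alert limit: median plus k * MAD, never closer than min_margin points.

    Median/MAD are used instead of mean/stddev so that a few past outliers
    do not inflate the baseline. k and min_margin are assumed tuning values.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + max(k * mad, min_margin)

def longest_run_above(samples, limit):
    """Longest streak of consecutive samples above the limit."""
    best = run = 0
    for s in samples:
        run = run + 1 if s > limit else 0
        best = max(best, run)
    return best

def flag_workloads(baselines, recent, min_run=6):
    """Return {workload: (limit, run_length)} for sustained anomalies only."""
    flagged = {}
    for name, samples in recent.items():
        limit = threshold(baselines[name])
        run = longest_run_above(samples, limit)
        if run >= min_run:  # short bursts (backups, deploys) are ignored
            flagged[name] = (round(limit, 1), run)
    return flagged

# Constructed sample data: CPU % per workload at 5-minute intervals.
BASELINE = {
    "db-01":  [32, 35, 31, 38, 34, 36, 33, 37, 35, 34],
    "web-07": [18, 22, 15, 20, 19, 24, 17, 21, 20, 18],
}
RECENT = {
    "db-01":  [34, 36, 88, 91, 35, 33, 37, 34, 36, 35],  # brief spike
    "web-07": [21, 19, 93, 95, 94, 96, 95, 94, 97, 95],  # sustained load
}

if __name__ == "__main__":
    for name, (limit, run) in flag_workloads(BASELINE, RECENT).items():
        print(f"{name}: {run} consecutive samples above {limit}% CPU")
```

A flagged workload is a lead for investigation, not a verdict: the next step is to identify the process responsible and how it got there.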

Cryptojacking has become one of the highest security concerns and the star of high-profile attacks. While ransomware dominated the cybersecurity landscape in recent years, cryptojacking has quickly made headlines and has become a truly effective method of generating revenue for cybercriminals.

Organizations that run highly virtualized infrastructures, software-defined data centers, or hyper-converged infrastructures need to carefully assess the cryptojacking threat, as it’s extremely stealthy and a far greater data breach could lurk behind it.

Protecting against these types of attacks is a two-step process. First, understand how the infrastructure is designed and identify the critical data and where it’s stored, and second, use a layered security solution that’s platform-agnostic and capable of securing physical and virtual infrastructures without impacting the benefits digitalization offers.

And in the event a cryptojacking scheme is uncovered, IT and security teams will need to be prepared to implement an incident response plan that’s constantly updated, revised, and improved to minimize any fallout caused by a data breach exposed by a cryptojacking infection.
