A recent uptick in cyberattacks on organizations using cryptocurrency-mining tools suggest a trend of cybercriminals using cryptominers for more disruptive and destructive attacks.
CrowdStrike researchers noted several cases in which cryptomining software halted business operations when systems and applications crashed due to the high CPU speeds, a contrast from under the radar CPU cycle leaching attacks seen in earlier instances, according to a Jan. 25 blog post.
In addition, the cryptocurrency miner software is becoming more sophisticated and resilient such as the cryptomining worm dubbed WannaMine. The cryptominer leverages “living off the land” techniques including Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism and propagation techniques similar to those used by nation-state actors.
Panda Security researchers first spotted the fileless Monero cryptominer in October 2017 and described it as “the professionalization of increasingly advanced attacks.”
“The fact that it is a fileless attack makes it so that a majority of traditional antivirus solutions are barely able to counteract or even detect it, and its victims can only wait for the necessary signatures to be generated (the attack is fileless, but as we have seen at one point, both the scripts and the Monero client are downloaded),” Panda Security researchers said in a blog post.
In some cases attacks like this have impacted business operations, rendering some companies unable to operate for days and weeks at a time. In one case, nearly 100 percent of a firm's environment was rendered unusable due to the overutilization of systems' CPUs.
And while financially motivated hackers have more incentive to stay under the radar in their cryptomining attacks, criminals operating with more of a “smash-and-grab” mentality obtain more profitability from obtaining a high volume of system resources for a short period of time, as seen in recent attacks. The cybercriminals appetite for destruction has been seen in other high profile financially motivated attacks.
“After extensive malware analysis of NotPetya, it became apparent the threat actor had no ability nor intention of providing a mechanism to decrypt systems and files infected with this malware,” CrowdStrike Director of Services Bryan York said. “While the specific motivations of this threat actor are still unclear, we think this instance of WannaMine highlights more of a trend toward disruptive and destructive attacks on organizations.”
WannaMine also uses credentials acquired with the credential harvester Mimikatz to attempt to propagate and move laterally with legitimate credentials and if unsuccessful, the cryptominer will attempt to exploit the remote system with the EternalBlue exploit. Researchers said that these traits haven't been seen in cryptominers until now.
“While many cryptominers install as an application and run on a system as a package, WannaMine uses applications already present on a system to run such as PowerShell and WMI,” York said. “WannaMine is also very challenging to get rid of due to its persistence mechanisms and its aggressive approach to spreading.”
York went on to say that while there is a strong understanding of the malware concerning how it operates and the potential impacts it can have on a business, the most challenging questions to answer in any investigation are “who did this?” and “why?”
The prevalence of these attacks also signal the broader issue of how these attackers are able to get into these enterprise networks in the first place. Enterprises reduce their chances of this by having solid endpoint protection and by ensuring that all of their systems are patched and up to date.