FROM RANSOMWARE TO CRYPTO MINING - ACTORS ARE SHAKING THINGS UP
Recently, our clients have asked about Crypto Mining operations seen in the news.
We wanted to give our observations and give some feedback on industry resources that may help organizations better protect themselves from the threats. As a caveat, this isn't meant to be a comprehensive analysis, rather a glimpse of the surface of what we've been seeing and hearing.
Through our monitoring of various Crimeware focused actors, or those who attack for profit, we have observed a shift in tactics.
Previous tried and true attack methods for monetary compensation such as click/ad related revenue, credential theft and ransomware have taken a back seat.
Like many of us, these attackers have developed a keen interest in digital currency, commonly known as ‘crypto currency.’
We feel that shortly after the WannaCry event, ransomware profits were not as high as expected, therefore they started seeking alternative revenue sources.
Crimeware actors have always been opportunistic cons and look to seize on the chance to make profit. One hot technology is browser-based mining digital currency mining operations.
This technology caught on quickly. Recently, 360 Netlab released a list of sites to be among the most popular (according to Alexa) which are running browser miners. This was no surprise to our Managed Security Services Team which monitors for threats like this in customer environments across the country.
Some shady website owners are using old “pop-under” style attacks to keep the sites running in the background and unknown to the user community, these sites are abusing computing resources which could require costly hardware repairs if unchecked.
Our research team has compiled a list of sites that we’ve observed in our customer environments abusing our customer's resources to mine currency. This list can be used as a block list in your Web filtering products, host files or through DNS blocks using providers like Cisco Umbrella.
Additionally, many of these sites overlap with excellent work by the maintainers of NoCoin, a block-list that can be imported into browser plugins such as AdBlock, Ublock, AdGuard and browsers such as Opera and Brave Browser.
Of course, by blacklisting known bad sites, there is always the chance that additional mining pools startup. Blacklists are, unfortunately, whack-a-mole. Additionally, these technologies are not likely to address the real threat: cybercriminals using Monero (and similar) digital currency mining technologies once they’ve compromised a host through traditional attacks such as phishing, hacking or worm style events. Internet of Things (IoT) devices could be abused in this way for years before they are detected.
Since communication between the mining workers and the mine server are generally protected by TLS, traditional signature-based security products are unlikely to detect the affected traffic.
Antivirus detects many of the more common mining technologies but just like any unwanted code, there will be ways for attackers to obfuscate and work around anti-virus.
The absolute best way to detect mining activity on your workstations or servers is to monitor CPU utilization. Using traditional performance monitoring tools, your helpdesk team/NOC is your first line of defense. They should work directly with the organizations' security partners to triage long-term CPU spikes in networking gear, end-user products and server class devices. SNMP Trap/Monitors may also provide early warning analysis when standard CPU spikes last more than a few minutes.
If your organization has a robust SIEM and monitoring capability, deploying tools such as SYSMON may provide your SOC/MSSP with the level of detail needed to identify the threat, its original source and help prevent further contamination. It is ideal to deploy this level of monitoring to devices outside of your traditional ‘four-wall’ boundary to get a truly real-time picture of the threat landscape.