Be careful about what kind of data you invite into your network. 2018 has seen a 629% increase in cyrptojacking attacks, securing the malware’s position as the new threat on the block.
This trend coincides with the legitimization of cryptocurrencies like Bitcoin, Etherium, and the countless altcoins out there. As these cryptocurrencies exploded in popularity and profitability, so did cryptojacking. Cryptojacking is a malware that sinks its teeth into your system and covertly siphons off computing power and electricity to mine a cryptocurrency. The most terrifying statistic about these parasitic pieces of software is how widespread they are. According to a study published by AdGuard, over half a billion people have unwittingly mined coins for cryptojackers by visiting websites embedded with mining scripts.
It doesn’t stop there. Using personal computers as a de facto botnet isn’t exactly the most efficient way to mine for coins. Instead, hackers are now targeting telcos, ISPs, mid to large-sized enterprises, and even government agencies. This attack is done by the injection of mining code into servers, often after an employee unwittingly invites the hackers into the network.
Once inside, the network is practically charmed by the malware. The mining code will take over a regular and authentic system process, pretending to be benign. The average user won’t even notice something is amiss before it’s too late, and new hardware or software is bought to keep up with the increased demands. The attack is also harder to discover on an enterprise network as it can move alongside lateral traffic, a blind spot for most security teams, letting it go undetected for unprecedented amounts of time.
GuardiCore Labs has been studying cryptojacking campaigns since 2016, and have discovered four prominent examples of attacks on enterprise networks: PhotoMiner, Bondnet, Hexmen, and Operation Prowli. Each example shows a precedent in how different kinds of cryptomining campaigns behave.
1. Worms: The first attack discovered by GuardiCore was a worm they named PhotoMiner. PhotoMiner infects websites hosted on FTP servers, making end users mine Monero (the favored cryptocurrency of hackers)
2. Botnets: In 2017, GuardiCore discovered Bondnet. Bondnet is a very scary botnet created by infecting thousands of servers and conscripting them into one single botnet. All of this is done while leaving a backdoor, allowing Bondnet to enthrall any infected network.
3. Hidden Scripts: Hexmen was discovered in data centers in China. It comes in three variants, each named after identifiable traits. Hex used numerous variations of Hex.exe within its code. Hanako leaves a backdoor user named Hanako within compromised databases. Taylor, lets attackers exchange scripts by hiding them within Taylor Swift photos.
4. Brute Force: Operation Prowli, the fourth of the main cryptojacking campaigns, uses an arsenal of attack techniques like exploits and brute-forcing passwords and weak configurations.
So, how do businesses protect themselves from these vamipric cyberattacks? The main defense is visibility. By using a powerful NOC monitoring solution working in tandem with micro-segmentation, security policies can be established around individual and logically grouped applications. The next thing they need is reputation-based security solutions that are fueled by global threat intelligence. Finally, a next-gen firewall that can monitor and capture attacker activities, especially lateral traffic.
Remember, cryptojackers need computing power. Always be wary of resource usage spikes and unexpected network activity. Make sure your firewall is up-to-date, and your monitoring solution can show whether or not malware has breached the firewall. Cryptojackers may be like vampires, but security teams are always good at hunting.
