Why cryptojacking is more harmful than you think - TEISS: Cracking Cyber Security


By Liviu Arsene, Senior e-Threat Analyst at Bitdefender

In 2017, Bitcoin reached a record-high value of $19,000 per unit. Prior to this, cryptocurrency had been used primarily by cybercriminal groups trading on the dark web, but its sudden surge in value sparked mainstream interest. In addition, cybercriminals began to explore the mining of less well-known cryptocurrencies such as Monero, in the hope that their value would rise correspondingly.

These criminal groups started to use JavaScript-based mining tools such as CoinHive to make browsers mine cryptocurrency. CoinHive allows distributed mining on commodity CPUs rather than GPUs, which removes the need for an on-device client: the mining is conducted by the browser itself. Because a browser-based miner of this nature installs nothing on the device and is therefore less intrusive from a security perspective, it is easier to deploy and weaponise than GPU-based miners.


An escalating threat

The first victims of this kind of cryptojacking were ordinary users who stumbled upon an infected web page. Their CPU would be abused by the coin-mining JavaScript, and its utilisation would quickly be pushed to 100 percent as the processor was dedicated to mining cryptocurrency. The problem with this method, from a cybercriminal's perspective, was that even as the number of victims increased, mining became more difficult. That is because, over time, as more cryptocurrency units are mined, it takes more computing power to mine new ones.

So, as cryptocurrencies became harder to mine, cybercriminals instead turned their attention towards organisations with the scale of infrastructure and data centres that would allow them to ramp up their efforts. But they had learned an important lesson from mining through proxy consumers, and capped CPU consumption at 70 or 80 percent rather than 100. Consequently, they were often able to continue their operation inside an infrastructure undetected for months at a time. This technique offered the potential to mine millions of dollars' worth of cryptocurrency.

However, exploiting data centres was a more complex process than exploiting regular users. Rather than exploiting vulnerabilities in popular CMS platforms, cybercriminals had to make use of APT-grade tooling, such as the EternalBlue exploit of WannaCry notoriety. This means that the most sophisticated attack techniques cybercriminals have in their arsenal are now often being used to drop cryptojackers rather than, say, payloads for data theft. The fact that cybercriminals are able to do this poses a serious threat.

This is because cryptominers can be bundled with even more malicious software and left behind post-breach, as something of a one-two punch for victims. So if a security team discovers such a mining tool residing anywhere on the network, it indicates a critical vulnerability that may already have been exploited for cyber espionage or data extraction. 


Damage to data centres

Performance is of critical importance to data centres. After all, poor performance can increase operating costs, slow down processes and negatively impact the end-user experience and productivity. Cryptojackers can cause all of these things to happen, due at least in part to automated provisioning. Although intended to optimise data centre performance, automated provisioning has the opposite effect when exploited by a cryptojacker: the mining operation is scaled up at the data centre's expense.

In a highly virtualised infrastructure, VDIs or containerisation tools may be altered to deploy crypto-mining software whenever new instances are provisioned. Unless baseline performance metering was established before the infection, companies will have a hard time identifying a cryptomining operation before they are suddenly hit with a hugely increased bill.
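The two detection points the article raises, a miner deliberately capped at 70 to 80 percent to stay under a saturation alarm and mining baked into the provisioning path, can be expressed as a baseline-and-deviation check over per-host CPU telemetry. The following is an added example, not code from the article or from Bitdefender; the host names and the utilisation samples are constructed.

```python
"""Baseline-and-deviation detector for data-centre cryptojacking (added example).

A fixed 100% alarm misses a miner capped at ~78%, so each host is compared
with a baseline learned while it was known to be clean. New instances have no
history, so they are checked for being hot from their very first readings,
which is the signature of a miner planted in a VDI/container template.
"""
from statistics import mean, pstdev

def learn_baseline(samples):
    """Return (mean, population stdev) of known-clean CPU% readings."""
    return mean(samples), pstdev(samples)

def sustained_deviation(samples, baseline, min_run=6, z=3.0):
    """True if readings stay above mean + z*stdev for >= min_run consecutive
    samples. A capped miner produces a steady plateau, not a single spike."""
    mu, sigma = baseline
    threshold = mu + z * max(sigma, 1.0)  # floor stdev so quiet hosts don't alarm on noise
    run = 0
    for s in samples:
        run = run + 1 if s > threshold else 0
        if run >= min_run:
            return True
    return False

def hot_on_provision(first_samples, warmup=3, ceiling=50.0):
    """True if a freshly provisioned instance averages above `ceiling` % over
    its first `warmup` readings, i.e. before any workload was scheduled onto it."""
    head = first_samples[:warmup]
    return len(head) == warmup and mean(head) > ceiling

def evaluate(fleet, baselines):
    """fleet: {host: [cpu% readings]}; baselines: {host: (mu, sigma)}.
    Hosts absent from `baselines` are treated as newly provisioned.
    Returns the set of hosts that warrant investigation."""
    flagged = set()
    for host, samples in fleet.items():
        base = baselines.get(host)
        hit = hot_on_provision(samples) if base is None else sustained_deviation(samples, base)
        if hit:
            flagged.add(host)
    return flagged

# Constructed telemetry: percent CPU, one reading per minute.
CLEAN_HISTORY = [12, 15, 11, 18, 14, 13, 16, 12, 15, 14]          # mean 14, stdev 2
FLEET = {
    "web-01": [14, 13, 15, 12, 16, 14, 13, 15],   # normal
    "web-02": [15, 76, 78, 77, 75, 79, 78, 76],   # miner capped at ~78%
    "web-03": [14, 13, 95, 14, 12, 15, 13, 14],   # one legitimate spike
    "web-new-7": [74, 77, 76, 78],                # hot from first reading after provisioning
}
BASELINES = {h: learn_baseline(CLEAN_HISTORY) for h in ("web-01", "web-02", "web-03")}

if __name__ == "__main__":
    print(sorted(evaluate(FLEET, BASELINES)))  # ['web-02', 'web-new-7']
```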


Defending the data centre from cryptojackers

To secure data centres against cryptojacking, the same multi-layered approach is required that would be deployed against APTs, fileless attacks and known or unknown vulnerabilities used to deploy cryptominers in the first place. 

Detecting file-based and fileless cryptojackers requires layered next-generation security that can block them at various stages of the attack lifecycle, both within the data centre and on endpoints. Even memory-protection technologies that identify the memory manipulation techniques associated with exploitation of known or unknown vulnerabilities can help prevent cryptojacking samples from being dropped within virtual workloads.

But one of the most effective methods of detecting and mitigating cryptojacking is hypervisor introspection, a technology that stops the memory manipulation techniques associated with known or unknown vulnerabilities from ever compromising workloads in the first place. In the case of cryptojackers that have been known to leverage military-grade cyber weapons such as EternalBlue, this ability to catch threats early is crucial to avoiding substantial costs, not to mention the possibility of a data breach if additional malware is deployed alongside them.