Emerging Threat: Blockchain-Enabled Botnet

Google, together with Internet infrastructure providers and hosting providers, recently disrupted the operation of a blockchain-enabled botnet, taking down the operation’s servers – for now.

In partnership with Internet infrastructure providers and hosting providers such as Cloudflare, Google said it has taken down the servers of the Glupteba botnet.

Glupteba Botnet

Glupteba is a malicious software (malware) that has been around for less than a decade. Through the years, this malware uses many common cybercrime tricks. Similar to other malware, Glupteba is a zombie malware, also known as bot (short for software robot), that can be controlled remotely.

The group being Glupteba also operates a botnet – a group of computer devices each infected with the Glupteba malware and hijacked to carry out various scams and cyberattacks.

In the blog post “New action to combat cyber crime”, Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, said Glupteba botnet currently hijacked approximately one million Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day.

“Botnets are a real threat to Internet users, and require the efforts of industry and law enforcement to deter them,” Hansen and Prado said.

In another blog post “Disrupting the Glupteba operation”, security researchers Shane Huntley and Luca Nagy from Google Threat Analysis Group said that individuals operating the Glupteba botnet offered multiple online services, including selling access to virtual machines loaded with stolen credentials, proxy access, and selling credit card numbers to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.

Computer devices that form part of the Glupteba botnet are also used for unauthorized cryptocurrency mining, enabling the group behind this malware to earn cryptocoins, while owners of hijacked computer devices unknowingly pay the high electric bills resulting from the cryptocurrency mining.

Glupteba malware distributes itself automatically across victims’ networks via two different variants of the ETERNALBLUE exploit – a Windows exploit used in the 2017 WannaCry ransomware attack. ETERNALBLUE exploits outdated computer devices. Glupteba has also been known to exploit unprotected and outdated popular home and small business routers.

The group behind Glupteba often hides its zombie malware behind pirated software. Computer devices, even those patched against ETERNALBLUE, are attacked by Glupteba malware via pirated software from well-known piracy sites.

Blockchain-Enabled Botnet

While Glupteba has been known to use many common cybercrime tricks, it’s known for using the Bitcoin blockchain for its malicious activities. Just like in the Cold War era when spies communicated using the “Personals” section in a print newspaper, the group behind the Glupteba botnet communicates using the Bitcoin blockchain.

“Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks,” security researcher Paul Ducklin from SophosLabs said in the write-up "Glupteba – the malware that gets secret messages from the Bitcoin blockchain".

Ducklin from SophosLabs added, “Bitcoin ‘transactions’ don’t actually have to be about money – they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.”

Security researchers from SophosLabs decrypted the secret message “venoco___ol.com” in one of the Bitcoin wallets used by the group behind Glupteba. This secret message means that the new command-and-control server used by the Glupteba is moved to venoco___ol.com.

“The current command-and-control servers used by the crooks, known as C2 servers or C&Cs, might get found out and blocked or killed off at any moment, so zombie malware often includes a method for using an otherwise innocent source of data for updates,” Ducklin added. “After all, to tell a bot to switch from one C&C server to another, you typically don’t need to send out much more than new domain name or IP number, and there are lots of public messaging systems that make it easy to share short snippets of data like that.”

Security researchers Huntley and Nagy from Google Threat Analysis Group said that the group behind Glupteba is likely to attempt to regain control of the Glupteba botnet by using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.

Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, meanwhile, admitted that taking down the command and control infrastructure of Glupteba isn’t the end game for the group behind Glupteba. Before the U.S. District Court for the Southern District of New York, Google filed the first lawsuit against a blockchain-enabled botnet, in particular, suing two named individuals and 15 unidentified individuals.

“However, due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users,” Hansen and Prado said.

Best Practices to Mitigate the Risks

Here are some of the cybersecurity best practices to protect your organization’s computer devices from being hijacked as part of a botnet like the Glupteba botnet:

• Keep your organization’s operating systems, apps, and devices such as routers and file storage servers up to date.
• Stay away from pirated software.
• Monitor electric bills and computer devices’ wear and tear. A sudden increase in electric bills and sudden wear and tear of computer devices could mean that your organization’s computer devices are being hijacked as part of a botnet for cryptocurrency mining.

Top Cloud Security Threat: Unauthorized Cryptocurrency Mining

Google's Cybersecurity Action Team recently published a report naming unauthorized cryptocurrency mining, also known as cryptojacking, as the top threat to Google Cloud Platform.

What Is Cryptocurrency Mining?

Cryptocurrency mining refers to the process of creating a new coin. Aside from creating new coins, cryptocurrency mining also refers to validating cryptocurrency transactions.

In many countries, cryptocurrency mining is legal. With the rise of cryptocurrency prices, malicious actors are stealing computing resources such as cloud resources from Google Cloud Platform. The skyrocketing value of cryptocurrencies like Bitcoin has prompted threat actors to shift their focus from stealing data to stealing compute power in organizations’ public cloud environments.

Aside from mining Bitcoin, threat actors also mine other cryptocurrencies that are particularly developed to evade transaction tracing.

Crytopjacking Prevalence

According to Google's Cybersecurity Action Team, out of 50 recently compromised Google Cloud Platform instances, 86% were used to perform cryptocurrency mining.

Unauthorized cryptocurrency mining, specifically, cloud resources is nothing new. In February 2018, RedLock reported that Tesla was once a victim of unauthorized cryptocurrency mining. 

“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.”

Google's Cybersecurity Action Team, meanwhile, said that compromised Google Cloud Platform instances were compromised through the following:

1. Weak or no password for user account or no authentication for APIs
2. Vulnerability in third-party software in the Cloud instance was exploited
3. Misconfiguration of Cloud instance or in third-party software
4. Leaked credentials, such as keys published in GitHub projects

Google's Cybersecurity Action Team also found that in 58% of situations, the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised.

“This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention,” Google's Cybersecurity Action Team said. “The ability to manually intervene in these situations to prevent exploitation is nearly impossible..”

Scanning Activities

Threat actors easily find vulnerable internet-facing applications and exposed cloud accounts through the process called scanning.

Google's Cybersecurity Action Team reported that the shortest amount of time between deploying a vulnerable Cloud instance exposed to the internet and its compromise was as little as 30 minutes, with 40% of instances, the time to compromise was under eight hours.

“This suggests that the public IP address space is routinely scanned for vulnerable Cloud instances,” Google's Cybersecurity Action Team said.

An earlier study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours. Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots (network-attached computers purposely set up to lure threat actors) to verify how fast threat actors compromise four vulnerable internet-exposed applications. These four apps were purposely configured with weak passwords.

Palo Alto Networks' Unit 42 researchers found that 80% of the 320 honeypots were compromised in just 24 hours and all of the honeypots were compromised within a week. For these honeypots, Palo Alto Networks' Unit 42 researchers applied firewall policies to block IPs from known network scanners.

Unit 42 researchers found that applying firewall policies to block IPs from known network scanners doesn’t work as 85% of the attacker IPs were observed only on a single day. The researchers identified a daily average of 75,000 unique scanner IP addresses globally.

According to Google's Cybersecurity Action Team, Google Cloud customers with non-secure Cloud instances will likely be detected and attacked in a relatively short period of time. “Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted,” Google Team said.

Unauthorized Cryptocurrency Mining Risk Mitigation

Unauthorized cryptocurrency mining of cloud resources is bad for business. Cryptocurrency mining is resource-intensive. With unauthorized cryptocurrency mining, threat actors earn money while your organization unknowingly ends up paying the rented cloud computing bill.

In the case of unauthorized cryptocurrency mining done on your organization’s internet-exposed networks, negative impacts include the substantial increase in electrical consumption and an increase in the wear and tear on the hardware.

Here are some of the cybersecurity best practices to protect your organization’s internet-exposed networks and cloud accounts:

• Keep all software up to date, specifically update third-party software prior to exposure to the internet.
• Protect cloud accounts and internet-exposed applications with strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections.
• Never publish credentials in GitHub projects.

Monitor cloud configurations, network traffic, and suspicious user behavior via automated solutions. It’s important to have automated solutions. As shown by Google's Cybersecurity Action Team’s report, cryptocurrency mining software is downloaded to the system within 22 seconds of being compromised, making human intervention impossible. 

Contact us today to assess your cybersecurity posture and mitigate the risks.

What Is Cryptomining Attack and How to Prevent Such Attack

The price of Bitcoin, the recognized leader among thousands of cryptocurrencies, has skyrocketed from $100 in 2013 to nearly $60,000 in March 2021.

The dizzying rise, not just by Bitcoin but by other cryptocurrencies as well, gives rise to the cyberattack known as “cryptomining attack.”

What Is Cryptomining Attack?

In cryptomining, also known as cryptojacking, an attacker uses the computing power of others, without the knowledge and permission from the owners of the computing power.

Bitcoin and other cryptocurrencies are virtual currencies. They only exist online and they’ve no physical notes or coins.

If done with the knowledge and permission of the computing power owner, cryptomining is legal. It’s important to note, however, that some countries ban cryptomining and cryptocurrency in general.

Many cryptocurrencies use cryptomining – the use of the processing power of computers to solve complex mathematical problems and verify cryptocurrency transactions. Crypto miners, meanwhile, are rewarded a certain amount of cryptocurrency for the use of computing power.

Cryptomining can be done on physical computers and via cloud computing. With physical computers, cryptomining attacks can easily be detected through a noticeable slowdown in device performance, reduction in productivity of the device, and unexpected increases in electricity costs.

With cloud-based cryptomining attacks, threat actors can illicitly use cloud computing resources for a long time without detection. Typically, cloud-based cryptomining attacks are only discovered when the victim finds an inflated cloud usage bill.

Prevalence of Cryptomining Attacks

Cryptomining attacks have been around for years. The noticeable uptick of cryptomining attacks happened in 2017 when the Bitcoin price reached $20,000.

Internet Exposed Kubernetes Pods

In February 2018, researchers at RedLock reported that Tesla fell victim to cryptomining attack. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock researchers said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”

The cryptocurrency that was mined using Tesla’s computing resources was Monero. To date, the price of Monero is $261.57.

QNAP NAS Vulnerabilities

Researchers at 360 Netlab reported that on March 2, 2021, they detected attacks targeting QNAP NAS devices via the unauthorized remote command execution vulnerabilities, specifically CVE-2020-2506 and CVE-2020-2507.

CVE-2020-2506 is a security vulnerability in the QNAP NAS device that allows attackers to compromise the device’s software security, allowing the attackers to gain privileges, or reading sensitive information. CVE-2020-2507, meanwhile, is a command injection vulnerability in the QNAP NAS device that can allow remote attackers to run arbitrary commands.

Successful exploitation of CVE-2020-2506 and CVE-2020-2507, researchers at 360 Netlab said, allowed the attacker to gain root privilege on the devices and perform cryptomining attacks. Researchers at 360 Netlab named the malicious software (malware) that exploits CVE-2020-2506 and CVE-2020-2507 in QNAP NAS devices and conduct cryptomining activities on these devices as “UnityMiner.”

UnityMiner, 360 Netlab researchers said, allows the attackers to hide the illicit cryptomining process and the real CPU memory resource usage information. With UnityMiner, the researchers said, QNAP users who check the system usage via the WEB management interface cannot see the abnormal system behavior.

Cryptoming Botnet

In January 2021, Imperva researchers reported a botnet in which one of its primary activities was performing cryptomining attacks.

Botnet, also known as zombie army, is a group of hijacked internet-connected computers each injected with malware and controlled from a remote location by an attacker to perform malicious activities such as cryptomining. According to Imperva researchers, the malware that they discovered exploited the security vulnerability designated as CVE-2021-3007.

The CVE-2021-3007 vulnerability has two opposing claims: one claim is that this is a Zend Framework vulnerability that can lead to remote code execution; the other claim, meanwhile, is that this is a "vulnerability in the PHP language itself."

According to Imperva researchers, successful exploitation of CVE-2021-3007 allows the attackers to run XMRig – a legitimate open-source software that utilizes system CPUs to mine the cryptocurrency Monero. Cybercriminals, however, abuse XMRig to earn cryptomining revenue by launching cryptomining attacks on victims’ computing resources.

In the case of a botnet, once a victim’s computer is enslaved as one of the zombie armies and injected with malware and controlled from a remote location by an attacker to perform malicious activities, there’s no limit to what the attacker can do. In addition to illicit cryptomining, your organization’s computers could be used for other malicious activities such as distributed denial-of-service (DDoS) attacks.

Best Practices to Prevent Cryptomining Attacks

Here are some of the best practices in order to prevent threat actors from using your organization’s computing power for illicit cryptomining:

• Monitor configurations. Don't leave your organization’s computing resources exposed to the internet without protection such as password protection, multi-factor authentication (MFA), and other security protection.
• Monitor network traffic for suspicious activities
• Keep your organization’s software and firmware up to date
• Use Web Application Firewall (WAF) with remote code execution detection rules

How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining

Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, a state enterprise operating all four nuclear power plants in Ukraine disclosed that a recent search carried out inside one of Ukraine’s nuclear power plants revealed that a power plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.

What Is Cryptocurrency Mining?

Cryptocurrency mining, also known as crypto mining, is the process of validating transactions and for these transactions to be added to the list of all transactions known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner.

Some cryptocurrencies can be mined using small and low processing power computers such as Raspberry Pi. Other cryptocurrencies such as Bitcoin can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners get rewarded with cryptocurrency.

As cryptocurrency mining is power-hungry, especially the top cryptocurrencies like Bitcoin, high electricity bill is one of the obstacles why many don’t venture into this field. To remedy this high electricity bill hurdle, malicious actors illicitly steal power from their employers and even from strangers. Aside from stealing electricity, malicious actors also steal from employers or strangers computing power of computers that can process a significant amount of data faster than ordinary computers.

The illicit stealing of electricity at one of Ukraine’s nuclear power plantsisn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining. In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace.

Unlike the cryptocurrency mining at one of Ukraine’s nuclear power plants which only stole the plant’s electricity as the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service confirmed to Interfaxthat there had been an unauthorized attempt to the institute’s “computing power for personal purposes, including for the so-called mining”.

Cryptojacking

Employees aren’t the only one interested in your organization’s computer power for crypto mining, unknown external attackers are also after your organization’s computer power. Attackers steal computing power in the process called “cryptojacking”.

In cryptojacking, malicious actors, which could be either be insiders or outsiders, in order to earn cryptocurrency, install a crypto mining software into vulnerable systems, including websites, operating systems or public cloud accounts.

In February 2018, researchers at RedLockreported that Tesla was once a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”

Prevalence

In May this year, researchers at Guardicore Labsreported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors were compromised for crypto mining.

Illicit crypto mining isn’t only a threat to large organizations or businesses. This type of attack also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Postreported that the fired school principal deployed inside the school 8 computers used for mining the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.

Ways to Monitor Crypto Mining and Preventive Measures

Here are some security measures in order to monitor crypto mining activities within your organization’s premises and also ways to prevent this threat to occur in your organization:

1. Monitor Electric Bills

An unusual increase of electric bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.

2. Monitor Use of External Computers Within Premises

Somewhere lurking in your organization’s premises could be computers used for cryptocurrency mining and racking up your organization’s electricity bill.

3. Monitor Speed of Computers

If your organization’s computers are functioning a bit slower than usual, this could be a sign that your organization’s computers are being used for illicit cryptocurrency mining.

4. Monitor Network Traffic

Malicious actors in recent months have learned how to be stealthy in their crytojacking activities, such as mining only cryptocurrencies that use less computer power and electricity to deflect suspicion. For instance, the crytojacking incident which compromised 50,000 servers reported by Guardicore Labs in May this year, mined a relatively new cryptocurrency called “Turtlecoin”, a cryptocurrency that can be mined even in small and low processing computers such as Raspberry Pi.

Monitoring network traffic is one of the ways in discovering this type of stealth crytojacking activities. Access to your organization's network from unknown locations and during non-working hours are telltale signs of a network compromise and possible illicit cryptocurrency mining.

Lastly, practice basic cyber hygiene such as keeping your organization’s operating systems up-to-date and using multi-factor authentication as gate-keepers to these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining by the mere failure of applying the latest security update and the used of weak login details and lack of multi-factor authentication.

When you need help, contact our teamof experts to mitigate the cybersecurity risks for your organization.

How Cryptocurrency Mining Malware Evades Detection

The recent rise of cryptocurrency mining malware is driven not just because of its high-profit potential, but also because of its ability to remain undetected in a compromised system.

Early this month, Nova Scotia-based St. Francis Xavier University announced that it purposely shut down all its network systems in response to a cryptojacking attack, whereby attackers attempted to illicitly mine the cryptocurrency Bitcoin using the university’s collective computing power. 

The price of Bitcoin as of November 13, 2018 (8:30 AM GMT+7) is $6,370, way below the all-time high of nearly $20,000 in December 2017, but still way above the $317 price of Bitcoin way back in January 2015.

Mining Bitcoin, in order to be profitable, one needs to invest in a reasonable number of powerful computers and high electricity cost. Illicit cryptocurrency mining, also known as cryptojacking, hijacks the computing power of someone else’s without their consent to mine cryptocurrency such as Bitcoin.

Cryptocurrency Mining Malware Evasion Techniques

Many organizations continue with their usual IT operations without even realizing that the organization’s computers are illicitly used by cyberattackers for cryptocurrency mining.

Based on the combined data of several Cyber Threat Alliance (CTA)members, from 2017 to September 2018, illicit cryptocurrency mining increased by 459%.

Researchers at Trend Microrecently discovered a cryptocurrency mining malware that uses multiple techniques to evade detection. The cryptocurrency mining malware discovered by researchers at Trend Micro as Coinminer.Win32.MALXMR.TIAOODAM uses the following evasion techniques to make it harder for detection tools to discover it:

First, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it arrives on the victim’s computer as Microsoft Windows Installer MSI file. Windows Installer is a software program that’s used for installing and uninstalling software. Using a real Windows component, researchers at Trend Micro said, makes the cryptocurrency mining malware looks less suspicious and potentially allows it to bypass certain security filters.

Second, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it creates copies of the kernel file ntdll.dll and the Windows USER component user32.dll in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server\{Random Numbers}. Researchers at Trend Micro theorized that this is done to prevent detection of the cryptocurrency mining malware’s application programming interface (API) – a set of programming instructions and standards for accessing a software application.

Third, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it comes with a self-destruct mechanism, a feature that deletes every file under its installation directory and removes any trace of installation in the system.

Fourth, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it comes with WiX, which stands for Windows Installer XML, a free software toolset for building Windows Installer packages from XML. Researchers at Trend Micro said that WiX is an added layer developed by the attackers to evade detection.

Initial infection of Coinminer.Win32.MALXMR.TIAOODAM could come from emails laden with malicious attachments and malicious URLs.

Early this year, attackers used multiple techniques in their cryptocurrency mining malware to evade detection, this time, in utilizing Tesla’s computing power to mine a cryptocurrency.

In February this year, RedLockreported that Tesla’s Amazon Web Services (AWS) cloud account was compromised by attackers through Kubernetes – an open source software used to deploy and manage cloud-based applications and resources. RedLock said that Tesla's Kubernetes wasn’t password protected, enabling attackers to execute from the Kubernetes a cryptomining command.

According to RedLock, the cryptocurrency mining malware used in the Tesla cryptojacking incident wasn’t initially detected as the attackers used the following evasion techniques:

First, the attackers configured the cryptomining malware to keep the CPU usage low to evade detection. CPU, which stands for central processing unit, is the component that performs most of the processing inside a computer. Unusual high CPU usage is a sign that computers are being used for cryptocurrency mining.

Illicit Bitcoin mining is typically discovered through unusual high CPU usage. It’s, however, not enough to check the CPU usage as guage for cryptocurrency mining as other cryptocurrencies have less CPU usage.

Aside from the illicit mining of Bitcoin, attackers are also drawn in hijacking the computing power of others to mine the cryptocurrency Monero (valued $105 as of November 13, 2018 at 10 AM GMT+7) as this cryptocurrency uses less computing power and anonymous compared to Bitcoin.

Second, attackers in the Tesla cryptojacking incident didn’t use a well-known public “mining pool” – a means by which cyrptominers share their computing power over a network and split the reward equally. By using an “unlisted” or semi-public mining pool, the attackers in the Tesla cyrptojacking incident was initially unnoticed.

Third, in addition to using an unlisted mining pool, the attackers in the Tesla cyrptojacking incident hid the true IP address of their mining pool server behind CloudFlare, a free content delivery network (CDN) service, making detection even more difficult.

Fourth, the attackers in the Tesla cryptojacking incident configured their cryptomining malware to listen on a non-standard port, making it difficult to detect unusual activity based on port traffic.

Prevention

Protecting your organization’s computers or network from cryptocurrency mining malware is important as this malware can damage your organization’s computers, negatively impact business operations and can lead to further cyberattacks.

Here are some measures to prevent attackers from using your organization’s computing power for cryptocurrency mining:

• Use email inspection tool that can detect malicious attachments and URLs.

• Monitor configurations. By monitoring configurations, exposed or unprotected software can be identified.

• Monitor traffic. By monitoring traffic, suspicious traffic can early on be identified.

XMRig: Cryptomining Malware that Works Even Without Web Browser 

The cryptocurrency market may have lost nearly 70% of its market cap from the all-time high of $835 billion in December 2017, but this hasn’t stopped malicious individuals from getting ready for the next cryptocurrency bullrun by spreading cryptocurrency mining malware into the wild.

In the past few months, Coinhive, a cryptocurrency malware that works on web browsers, has wrecked havoc on victims’ computers. But another cryptocurrency malware called “XMRig” is starting to make ripples, entering Check Point’s March 2018 top ten most wanted malwareindex in the 8^thplace for the first time after a 70% increase in global impact.

Coinhive, ranked number one in Check Point’s March 2018 top ten most wanted malware, is a malware that utilizes scripts in taking over some of the processing power on the computers of website visitors without their permission to mine the cryptocurrency Monero.

Cryptocurrency mining is a process of verifying a transaction and a means by which a new coin is released. In order for the transactions to be verified and coins to be released, computational powers of computers are used.

In an ideal world, owners of computers used for cryptocurrency mining should give their consent and should be compensated. Malicious actors bypass this consent aspect and reap all the financial gains for themselves.

What is XMRig?

The original XMRig is an open source code used to mine the cryptocurrency Monero on computers using Windows operating system. The XMRig open source code is in itself not malicious. There are currently 3 software available to mine Monero but XMRig it seems is a choice among malicious actors. 

There’s a demand for Monero as this cryptocurrency boasts of easier mining and untraceable transactions. As of April 20, 2018 (10:30 am GMT+7) one Monero coin is worth $245.

Malicious actors, however, use the XMRig code to conduct illicit mining of Monero cryptocurrency by hijacking the computational power of the infected computers. 

XMRig, used as a cryptocurrency malware, was first seen in the wild in May 2017. As of January 2018, Palo Alto Networksestimated that XMRig victimized nearly 15 million people worldwide. The actual number of victims, Palo Alto Networks said, could be much higher.

In September 2017,security researchers Peter Kálnai and Michal Poslušnýreported that crooks made over $63,000 worth of Monero by modifying legitimate open source Monero mining software XMRig.

According to Kálnai and Poslušný, the malicious actors didn’t apply any changes to the XMRig codebase apart from adding a new wallet address, new mining pool URL and commands to “kill all previously running instances of itself so as not to compete with its new instance” – a process that takes more than just a couple of minutes.

It’s not unusual for malicious actors to reuse codes. Attackers often don’t reinvent the wheel if they don’t have to.

Means of Propagation

Unlike CoinHive, the XMRig cryptocurrency malware doesn’t need a web browser in order to hijack the computational power of the infected computers to mine the cryptocurrency Monero.

Here are 2 methods used by malicious actors to hijack computational power of the infected computers to conduct illicit mining of Monero:

1. Exploiting Known Vulnerability in Microsoft IIS 6.0

According to Kálnai and Poslušný, one of the means by which malicious actors propagate XMRig malware is by exploiting CVE-2017-7269, a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003. By exploiting the vulnerability in Microsoft IIS 6.0, an unauthenticated, remote attacker can execute arbitrary code.

The code to exploit this vulnerability is publicly available. Microsoft hasn’t confirmed this particular security vulnerability and neither has it issued a software update for this vulnerability. Technically though, Windows Server 2003 has reached the end of life (EOL) and as such Microsoft no longer issues software updates.

2. Malvertising Campaign

Adf.ly is an advertising service that pays users when their URLs are clicked. According to Palo Alto Networks, victims were presented with these Adfly advertising URLs, clicked on the provided link, were redirected and found themselves downloading the XMRig cryptocurrency malware onto their computers.

Server Operating System (OS) Attacks

Servers are particularly attractive to attackers as these machines have more computing power, run 24/7 and connect to reliable power source. The reality is that many organizations still use outdated server OS like Windows Server 2003. These outdated server OS are susceptible to repeated exploitation and infection like the XMRig cryptocurrency malware. Cryptocurrency malware like XMRig can result in the slow performance of the servers, shorten the lifespan of these machines and more electricity consumption.

“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, said in a statement. “Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

How to Prevent XMRig Cryptocurrency Malware Attacks

Here are some of the ways to prevent XMRig cryptocurrency malware attacks:

1. Use Up-to-Date Software, Server OS 

In the case of Windows Server 2003, as the vendor, Microsoft in this case, has stopped issuing security updates, attackers then have a free pass on attacking this system, for instance, attacking a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003.

It’s therefore important to keep your organization’s OS server and all other software up-to-date.

2. Use Ad Blocker

Another way to prevent XMRig cryptocurrency malware is to use an ad blocker. With an ad blocker, you and your staff won’t anymore be susceptible to malvertising link that once clicked, redirects and downloads the XMRig cryptocurrency malware onto computers. An ad block blocks pop-ups, banners, video ads and other intrusive advertising, as well as malware.

Top 5 Cybersecurity Predictions in 2018

It’s the yearend. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring.

Here are the top 5 cybersecurity predictions for 2018:

1. Cryptocurrency Mining

The growth of cryptocurrency this year is unprecedented, with the total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Cryptocurrency Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one coin of Monero valued close to $335.

“Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones.

The people who mine cryptocurrencies called “miners” are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones to install malicious software (malware) capable of mining cryptocurrency like Monero.

Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers using Microsoft operating system that fail to install Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns.

Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone.

“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”

2. Business Disruption

In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.

Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware this year, WannaCry and NotPetya, are essentially not ransomware in the sense that the code of these two malware were written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered as “wiper” – meant to bring business disruption.

“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.

Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched DDoS attack that brought down the managed DNS platform of Dyn, which in effect, temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix.

According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).

3. Breach by Insiders

The 2017 Cost of Data Breach Study (PDF) conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches.

According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”

4. Artificial Intelligence (AI) as a Double-Edged Sword

In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.

“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”

5. GDPR

In 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.

GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of EU countries. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification.

“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.

Happy 2018, and Stay Safe!

Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware

Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.

As of December 4, 2017, Bitcoin is worth near $11,000. Other cryptocurrencies have also increased their value. For example, Monero cryptocurrency is now worth $201. Bitcoin was introduced in 2009 and Monero in 2014.

Contrary to popular perception, Bitcoin transactions aren’t anonymous. All Bitcoin transactions are public records and can be tracked. Monero, meanwhile, markets itself as an anonymous cryptocurrency, claiming that a single Monero coin can’t have its entire transaction history revealed.

Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.

In the past, anyone with a PC could mine Bitcoin. Nowadays, only those who own computers with huge computing power can mine Bitcoin. Monero, on the other hand, can be mined by just anybody with just the use ordinary desktops, laptops and even smartphones.

Cryptocurrency-Themed Malware

Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency increases "tenfold". "There's been a huge spike," said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin's value.

Malwarebytes' security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.

Adylkuzz Cryptocurrency Malware

Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.

The Monero mining code is maliciously installed by Adylkuzz into a computer by exploiting a Windows operating system vulnerability called “EternalBlue”. The ransomware WannaCry also exploited the same vulnerability in Windows operating system. Unlike WannaCry which can self-propagate on its own to infect others, Adylkuzz has no self-propagation capacity.

Monero mining – courtesy by Adylkuzz malware – operates in the background and users of compromised computers are unlikely to notice this unauthorized activity.

Cryptojacking

Cryptojacking refers to the malicious installation of crypto mining software in a website without the knowledge and consent of the owner as well as lack of knowledge and consent of website visitors.

Coinhive is a software that enables cryptocurrency miners to install Monero cryptocurrency mining code on a website using JavaScript. Coinhive operates on the premise that cryptocurrency mining can be a means for website owners to earn revenue, in lieu of advertising.

Once CoinHive is installed in a website, the CPU power of every site visitor is used for cryptocurrency mining. CoinHive requires a unique ID to which the crypto mining income is delivered. The more computers are compromised for crypto mining, the more Monero coins the attackers get. Earned Monero coins can easily be converted to Bitcoins by selling it to a number of trading exchanges that also allow anonymity.

There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.

Early this month, one security researcher found Coinhive mining code on 2,496 online stores. It’s presumed that the installation of this crypto mining code on these online stores were done maliciously as these store owners are less likely to earn few extra money through crypto mining.

The researcher found that 85% of the 2,496 compromised stores are linked to only 2 CoinHive accounts, while the remaining 15% of the infected stores are linked to several unique CoinHive accounts.

In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.

Malwarebytes' security researcher Segura, meanwhile, discovered a technique that allows attackers to use the CPU power of every site visitor for cryptocurrency mining even if the visitor closes his or her browser.

Malwarebytes tested this discovery using the latest version of Google Chrome browser. The researchers at Malwarebytes observed the following process:

1. Once a user visits a compromised website, the crypto mining code is then silently loaded.
2. CPU power of the site visitor is used for cryptocurrency mining activity.
3. Even when the user leaves the site and closes the Chrome browser, the CPU activity of the user still remains higher than normal as crypto mining continues.

Attackers fool users into believing that the browser is closed by hiding the browser under the taskbar's clock. Resizing the taskbar will reveal this still operational browser. Below is the screencap of the hidden browser.

“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”

Coinhive, in a statement, said, “We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission.”

How to Prevent Cryptocurrency Mining Attacks

Cryptocurrency mining is perfect for computers specifically meant for this purpose. Mining cryptocurrency, however, on desktop, laptops or smartphones on top of everyday usage has negative effects.

Crypto mining involves enormous calculations that ordinary computers aren’t meant to do. On smartphones, crypto mining can quickly deplete batteries. And across computing devices used for ordinary usage, crypto mining can decrease speed, efficiency and even damage the hardware.

Here are some tips on how to prevent cryptocurrency mining attacks:

Keep your Windows operating system up-to-date, to block, in particular, Adylkuzz malware as Microsoft already patched the vulnerability exploited by this malware.

To ensure that your browser stays close even after clicking the “x” button, run Task Manager and terminate running browser.