Cryptocurrency Mining Malware: A Credible Threat
Over the course of three months this year, cyber criminals pocketed over $63,000 by secretly infecting strangers' computers with cryptocurrency mining malware.
According to ESET, the attackers got onto those computers by exploiting a known vulnerability, CVE-2017-7269, a buffer overflow in the WebDAV component of IIS 6.0 on Windows Server 2003, a server operating system Microsoft released in 2003.
This particular cryptocurrency mining malware was seen in the wild on May 26, 2017. “Since then, it has been appearing in waves, on a weekly or less frequent basis, which implies that the attacker scans the internet for vulnerable machines,” ESET said.
The attackers earned that much in just three months by building a botnet: a network of several hundred unpatched computers infected with the mining malware and remotely controlled by the criminals to mine the cryptocurrency Monero.
Microsoft ended regular update support for Windows Server 2003 in July 2015. Since May 12 of this year, in the wake of the WannaCry ransomware outbreak, the company has nevertheless been releasing security updates for Windows Server 2003 to head off another attack of that scale, and on June 13, 2017 it issued a patch for CVE-2017-7269.
What is Cryptocurrency Mining?
Cryptocurrency is an alternative, purely digital form of currency. In July of this year, the Australian Government recognized cryptocurrency as a legal payment method, and in April Japan legitimized Bitcoin as a legal payment method. Bitcoin is not the only cryptocurrency: according to Trend Micro, as of July 2017 there were over 700 cryptocurrencies in use and traded online, Monero among them.
Cyber criminals have turned to Monero because it markets itself as an anonymous and untraceable cryptocurrency. Beyond anonymity, Monero appeals to them because its CryptoNight proof-of-work algorithm was designed to be mined efficiently on ordinary CPUs, unlike Bitcoin, which is only profitable to mine on specialized hardware.
“Cryptocurrencies are created (and secured) through cryptographic algorithms that are maintained and confirmed in a process called mining, where a network of computers or specialized hardware such as application-specific integrated circuits (ASICs) process and validate the transactions,” Trend Micro describes cryptocurrency mining. “The process incentivizes the miners who run the network with the cryptocurrency.”
Cryptocurrency mining itself is legal. One simply has to use one's own computer, or another person's computer with the owner's consent to its being used for mining.
Illicit Cryptocurrency Mining
The growth of the cryptocurrency market has also led to growth in cases where mining malware is installed without the knowledge or consent of the computer's owner.
According to Kaspersky Lab, its products blocked 205,000 cryptocurrency mining malware infections in 2013, 701,000 in 2014, and 1.65 million in the first eight months of 2017 alone.
According to IBM, unauthorized planting of cryptocurrency mining tools on systems grew sixfold over the eight-month period from January to August 2017.
In 2014, Harvard's supercomputer cluster "Odyssey" was used to mine Dogecoin, another digital currency, without authorization. Also in 2014, the US National Science Foundation (NSF), a government-backed research funder, revealed that NSF-funded computers had been used to mine Bitcoin illicitly. In February of this year, a server belonging to the US Federal Reserve was used to mine Bitcoin without authorization.
Crypto mining malware spreads by exploiting vulnerabilities in unpatched Microsoft operating systems, as in the case reported by ESET. Kaspersky Lab, for its part, has observed the malware spreading through adware installers pushed by social engineering. In 2014, advertisements served on Yahoo's homepage delivered malware that mined Bitcoin on visitors' machines. The list of entry points is open-ended:
"Virtually any attack vector that involves injecting executable code could turn a targeted system into a virtual coin miner for the attacker," IBM said.
The following are this year’s notable cryptocurrency mining malware, in addition to the one reported by ESET:
This malware exploited EternalBlue, the same security flaw that WannaCry ransomware exploited.
This malware exploited the security flaw in the interoperability software suite Samba.
This malware, a Linux Trojan, targets Raspberry Pi devices.
Each of these malware families infected devices and machines and turned them into Monero-mining botnets. Besides Monero, cyber criminals are also mining Zcash covertly, drawn by its promise of anonymity.
Dangers of Crypto Mining Malware
Crypto mining malware degrades the performance of an infected computer: the mining work consumes its CPU cycles, slows every other workload, accelerates wear and tear on the hardware, and raises power consumption.
The ill effects go beyond performance and power costs. A foothold that can run a miner can just as easily be used to launch web- and network-based attacks.
“These malware can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations,” Trend Micro said. “Information theft and system hijacking are also daunting repercussions. These attacks can also be the conduit from which additional malware are delivered.”
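As an added example (not code from the original article or from ESET, Kaspersky Lab or Trend Micro), the following Python script shows what a defender can actually look for. A CPU miner usually reveals itself on the host by a Stratum pool URL, a 95-character Monero address and miner-specific switches on its command line, and on the wire by the JSON-RPC login and share-submission exchange with its pool. The process names, the pool host name, the CPU threshold and the indicator weights are assumptions chosen for illustration, and the telemetry is constructed inline rather than captured from a real incident.

```python
"""Heuristic cryptominer triage over constructed host and network telemetry.

Added example, not from the article or any vendor it cites. File names, pool host,
thresholds and weights are assumptions; the sample data is constructed.
"""
import json
import re

# Monero primary addresses are 95 base58 characters beginning with '4'
# (subaddresses begin with '8'); miners pass one to the pool as the login.
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Stratum pool URLs as they appear on miner command lines (-o stratum+tcp://host:port).
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.IGNORECASE)
# Command-line fragments typical of common CPU miners (weak indicator on its own).
MINER_ARGS = ("--donate-level", "--cpu-priority", "--algo", "cryptonight",
              "xmrig", "xmr-stak", "minerd")
# JSON-RPC methods exchanged between miner and pool (Monero pools and Bitcoin-style Stratum).
POOL_METHODS = {"login", "submit", "getjob",
                "mining.subscribe", "mining.authorize", "mining.submit"}
MINER_AGENTS = ("xmrig", "xmr-stak", "cpuminer")
HIGH_CPU = 90.0   # assumed threshold for "sustained" CPU use (weak indicator on its own)
REPORT_AT = 2     # strong indicators score 2, weak ones 1; report at 2 or more


def score_process(cmdline, cpu_pct):
    """Score one process-snapshot entry; returns (score, reasons)."""
    score, reasons = 0, []
    if STRATUM_URL.search(cmdline):
        score += 2
        reasons.append("stratum pool URL on command line")
    if MONERO_ADDR.search(cmdline):
        score += 2
        reasons.append("Monero address on command line")
    hits = [arg for arg in MINER_ARGS if arg in cmdline.lower()]
    if hits:
        score += 1
        reasons.append("miner-style arguments: " + ", ".join(hits))
    if cpu_pct >= HIGH_CPU:
        score += 1
        reasons.append(f"sustained CPU {cpu_pct:.0f}%")
    return score, reasons


def score_network_line(line):
    """Inspect one captured payload line; returns reasons it looks like miner-to-pool traffic."""
    reasons = []
    try:
        msg = json.loads(line)
    except ValueError:            # not JSON at all (plain HTTP, binary, ...)
        return reasons
    if not isinstance(msg, dict):
        return reasons
    method = msg.get("method")
    if method in POOL_METHODS:
        reasons.append(f"pool JSON-RPC method {method!r}")
    params = msg.get("params")
    if isinstance(params, dict):
        if MONERO_ADDR.search(str(params.get("login", ""))):
            reasons.append("Monero address used as pool login")
        agent = str(params.get("agent", ""))
        if any(a in agent.lower() for a in MINER_AGENTS):
            reasons.append(f"miner user agent {agent!r}")
    return reasons


def triage(processes, net_lines):
    """Run both checks and return the findings a SIEM rule would raise as alerts."""
    findings = []
    for cmdline, cpu_pct in processes:
        score, reasons = score_process(cmdline, cpu_pct)
        if score >= REPORT_AT:
            findings.append({"source": "process", "item": cmdline[:60], "reasons": reasons})
    for line in net_lines:
        reasons = score_network_line(line)
        if reasons:
            findings.append({"source": "network", "item": line[:60], "reasons": reasons})
    return findings


# --- Constructed sample telemetry (not real data) ------------------------------------
# A syntactically valid but made-up Monero address: '4' followed by 94 base58 characters.
FAKE_XMR_ADDR = "4" + "AbCdEfGhJkMnPqRsTuVwXyZ1234567" * 3 + "9876"
SAMPLE_PROCESSES = [
    ("svchost.exe -k netsvcs", 2.1),
    ("sqlservr.exe", 35.0),
    # Miner dropped into a temp directory and renamed to look like a Windows component.
    (r"C:\Windows\Temp\wuauclt.exe -o stratum+tcp://pool.example.invalid:3333 -u "
     + FAKE_XMR_ADDR + " -p x --donate-level 0 --cpu-priority 5", 97.3),
]
SAMPLE_NET_LINES = [
    json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                "params": {"login": FAKE_XMR_ADDR, "pass": "x", "agent": "XMRig/2.4.2"}}),
    json.dumps({"id": 2, "method": "submit",
                "params": {"id": "a1", "job_id": "j9", "nonce": "deadbeef", "result": "00" * 32}}),
    json.dumps({"jsonrpc": "2.0", "method": "eth_blockNumber", "params": []}),  # benign JSON-RPC
    "GET /index.html HTTP/1.1",                                                  # not JSON
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_NET_LINES):
        print(f"[{finding['source']}] {finding['item']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

The weighting is the point of the design: sustained high CPU on its own is not an alert, because a build server or a database looks exactly the same, whereas a pool URL or a wallet address on a command line is. In practice the same two checks run over EDR process telemetry and an IDS's payload log rather than over the embedded lists, and the pool ports and miner names would come from current threat intelligence rather than the hard-coded tuples here.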
How to Prevent Cryptocurrency Mining Malware Intrusion
There is no single solution that prevents cryptocurrency mining malware from getting into your organization's computers, because there are so many possible routes in.
Here are some of the ways to prevent cryptocurrency mining malware intrusion:
1. Keep all software up to date
Apply patches and security updates promptly. A timely update of Windows Server 2003, for instance, would have prevented the infections ESET reported.
2. Change default credentials
Over the first three quarters of 2016, Trend Micro reported detecting a Bitcoin-mining botnet built from home routers and IP cameras. These IoT devices were compromised for the simple reason that their owners had never changed the factory-default username and password.
3. Enable the firewall of IoT devices (home routers, IP cameras)
4. Be wary of unsolicited emails, links and attachments, of files downloaded from websites, and of questionable third-party software or applications
5. Build a cyber security-conscious staff through education and role-based training
Steve E. Driz, I.S.P., ITCP