Cryptomining Malware Fuels Most Remote Code Execution Attacks: Study
Malware attacks continue to garner a great deal of attention in the tech world. Short for “malicious software,” its intent is to damage or disable computers and computer systems. Now researchers from the cyber security firm Imperva say they have found the source of 90 percent of remote code execution attacks in December 2017: cryptomining malware. In a blog post dated February 20, 2018, Imperva assesses the recent spike in cryptomining malware attacks. They specifically examine the amount of money the brazen attackers are walking away with, while providing risk management advice to organizations seeking to steer clear of them. Below are some of the key findings: Varun Badhwar, a security expert and CEO and co-founder of cloud threat defense company RedLock, noted in an emailed statement to Bitcoin Magazine that the skyrocketing value of cryptocurrencies has captured the attention of audiences around the world, including hackers. He believes that it is becoming far more lucrative for hackers to steal computing power for mining cryptocurrencies than to steal data. Badhwar also notes that we are seeing cryptojacking attacks on organizations to leverage the computational power within their networks. This is a much stealthier tactic since the activity often goes unnoticed at large organizations where there is remnant or underutilized computing resources. He cites a number of cryptomining incidents that the RedLock research team has already uncovered within AWS and Azure environments belonging to large multinational organizations such as Gemalto and Aviva. He sees all of this is just the tip of the iceberg and believes that this type of cybercrime will increase in scale and velocity in the near future. “The primary attack vector for these attacks is compromised credentials which are used to infiltrate environments, spin up compute instances and perform mining operations. As a result, organizations should institute stringent user access policies and vigilantly monitor user activities for anomalous behavior,” says Badhwar. Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks, added in an email response to Bitcoin Magazine: “The story with cryptomining malware and cryptojacking is really about Monero and Electroneum. Bitcoin mining difficulty is already too high and it cannot be mined effectively on CPUs, only on special purpose hardware.” Bilogorskiy says that the price of these cryptos has more than doubled in the last three months, which makes mining it even more profitable. It also helps, he says, that Monero, like Dash and ZCash, are private coins, making them practically untraceable and "safe" for criminals to use. Laments Bilogorskiy: “Cryptomining malware allows attackers to monetize the power of computers that they have compromised. Cryptojacking allows them to reach an even larger scale by taking over the browsers of website visitors.” He concludes: “Increasingly, the energy and the CPU processing power is becoming the new currency of the dark side of the internet. These new crypto attacks are like leeches, sucking the power out of our homes and businesses, crashing computers and melting our phone batteries.”
Cryptomining malware results in denial of service to the infected server. When most of the server’s computational power is directed to cryptomining, the server can be rendered unavailable.
Removing the malware is not simple due to its persistence nature, one where it adds a scheduled task to download and runs it again after a certain period of time.
While bitcoin is arguably the most popular cryptocurrency that exists, there is no evidence that a single attack has occurred through the use of Bitcoin mining malware.
Other cryptocurrencies, like Monero, are more at risk because they are newer and can be mined using a regular CPU. Therefore, it has become the hackers’ preferred choice for executing a server infection.
In the downloaded configuration files that Imperva identified, there were active Monero wallets that belonged to the attackers. By tracing the wallets and the mining pools, Imperva was able to view the amount of money made using cryptomining — an estimated 41 monero or around $10,000. Imperva could also see that the attacker was earning around 1.5 monero a day which translates to around $375 a day.
Electroneum, a relatively new U.K.-based cryptocurrency published specifically for mobile users in September 2017, has also been subject to attacks. Imperva’s review yielded the following results: The attacker had more than 220,000 Electroneum valued (in current Electroneum to USD rates) at around $15,500.
Another cryptocurrency impacted was Ukraine-based Karbowanec or Karbo for short. A Karbo wallet found in Imperva’s data had been siphoned for around 275 Karbo, which at the time it was taken was worth $379.
This article originally appeared on Bitcoin Magazine.
