The Curse of CryptoJacking!

Since around the end of 2017 a new threat to organisations and individuals alike has emerged: cryptojacking. With Ransomware starting to become less favoured as a mass-attack method, the Bad Guys n Girls were looking for new ways to make money with as little work and risk as possible.

So, in 2018 we saw a huge jump in a new tactic: the use of scripts and malware to “mine” cryptocurrency using your or your organisation’s systems (usually without your knowledge or approval). We also saw the move towards targeted Ransomware attacks, often demanding huge ransoms to get access back to your data, on your own systems or on hosted/cloud based servers.

So, what is CryptoJacking, what is cryptocurrency “mining”, what does it mean to you and your systems or organisation, do you need to be worried, and what can you do to reduce the risk from this new threat?

Let me explain:

Hopefully you all know about cryptocurrencies, at least at a basic level? If not, or if you only know the basics, here’s a slightly more in-depth look (but not too deep); it should also help those of you who don’t yet know about cryptocurrencies at all.

Cryptocurrencies

When most people are asked what they know about cryptocurrencies, they will usually reply that they know of, or have heard of, Bitcoin (and possibly they may also mention Blockchain, which is not a cryptocurrency at all; it is the Distributed Ledger [transaction log] used by all cryptocurrencies, and it can be used for lots of other things too, but that’s another story).

In simplest terms a cryptocurrency (like Bitcoin) is a digital currency that, unlike real “physical” currencies (British Pound, US Dollar, Euro, etc.), is decentralised: no single person or entity has control over it. It is also, for most purposes, anonymous (that’s why the cyber criminals like to use them). Instead of a central authority it relies on Blockchain and what you might call a democratic method of recording and approving all transactions.

Cryptocurrency Mining

“Mining” in the world of cryptocurrencies is the act of “approving or validating a transaction and adding it to the blockchain”; each validation or approval of a transaction earns new cryptocurrency for the miner.

Doing this takes huge amounts of processing power; unlike “physical” mining, where you have to expend manual effort, cryptocurrency mining is all done on a computer. There are many crypto-mining groups and individuals, often with dedicated “rigs” to carry out this activity. One of the real-world concerns with crypto-mining is that because the systems used are “maxed-out”, they require lots of power and as a by-product produce lots of heat, requiring extra power to cool the room they are housed in. This, it is suggested, may also affect (increase) global warming!

Cryptojacking

Cryptojacking is when your site, server or application has been compromised (hacked), either via a vulnerability (bug), weak or default credentials (maybe re-used credentials), poor security controls such as open ports (that shouldn’t be open), or social engineering (phishing, vishing or smishing, etc.). Once compromised, an unauthorised script, binary or other file is uploaded and executed (run); this then starts to crypto-mine, using your system’s processor to carry out the intensive processing needed to validate transactions (mine cryptocurrency).

So what, I hear you say?

Well, for one thing, if it is an end point (laptop, workstation, etc.) it will slow to a crawl; now imagine this happening on a webserver, database server, etc. Now throw in the scenario of Cloud (where you are often charged by the CPU cycle) and imagine what your next bill from them will look like. It will be between hundreds and thousands of times more than your “normal” bills! All the while the Bad Guys n Girls are making money and slowing (and possibly damaging) your business…

Now there are Worms that perform cryptojacking! Worms are automated malicious code that can move from system to system without human help.

No real surprise there, as the technique is the same as we saw with many of the Ransomware Worms in 2017 and 2018 (such as WannaCry and NotPetya). It is an obvious evolutionary step. In fact the same exploit code is being used (EternalBlue, which was stolen from the NSA by the ShadowBrokers).

What do you need to do?

  • Harden and patch all systems, applications and cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Regularly check your systems for high or unusual CPU usage (beyond the normal range).
  • Install and run anti-malware and end-point/server protection; on servers enable and configure the firewall, and if it is a web server protect it with a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN.
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • If you have cyber or crime insurance, check that cryptojacking is covered by the policy (most cyber insurance policies currently do NOT cover this)…
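A simple version of the CPU check from the list above, as an added example that is not from the original post: a POSIX shell function that reads `ps -eo pid,pcpu,etimes,comm` output (procps-style `ps` on Linux; `etimes` is elapsed seconds) and flags processes that are at or above a CPU threshold *and* have been running for at least a minimum time, so a short compile job is not confused with a miner that has been pegging a core for hours. The process names and figures in the embedded sample are constructed for the example, not real data.

```shell
#!/bin/sh
# Added example (not from the original post): spot sustained high-CPU
# processes from `ps -eo pid,pcpu,etimes,comm` style output.

# flag_high_cpu THRESHOLD MIN_SECONDS
#   Reads "PID %CPU ELAPSED COMMAND" lines on stdin and prints
#   "pid command cpu elapsed_seconds" for each process whose CPU share is
#   >= THRESHOLD and whose elapsed time is >= MIN_SECONDS.
flag_high_cpu() {
    thr="$1"
    minsec="${2:-0}"
    awk -v thr="$thr" -v minsec="$minsec" '
        NR == 1 && $1 == "PID" { next }                 # skip ps header if present
        NF >= 4 && $2 + 0 >= thr + 0 && $3 + 0 >= minsec + 0 {
            printf "%s %s %s %s\n", $1, $4, $2, $3
        }
    '
}

# count_high_cpu THRESHOLD MIN_SECONDS -> number of flagged processes
count_high_cpu() {
    flag_high_cpu "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in the shape of `ps -eo pid,pcpu,etimes,comm`
# (hypothetical processes and numbers, made up for this example).
SAMPLE_PS='  PID %CPU ELAPSED COMMAND
  412  0.3   86400 sshd
 2231 97.8   54000 unknown_bin
 2240 96.5   54000 unknown_bin
 3120  1.2    1200 nginx
 3300 45.0      30 gcc'

# check_sample: run the sample through the rule "80% or more for an hour or more".
# Only the two unknown_bin processes match; gcc is busy but has only run 30 s.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_high_cpu 80 3600
}

# Live use on a Linux host (run from cron or a monitoring agent):
#   ps -eo pid,pcpu,etimes,comm | flag_high_cpu 80 3600
```

Run it periodically and alert on any output; tune the threshold and minimum run time to what is normal for the box (a build server or database will legitimately sit high for long stretches), and compare the flagged command names against the software you expect to be installed.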

Until next time, stay safe out there!

What Cyber Threats and Trends Might We See in 2019?

‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).

For 2018 I predicted a number of things that were spot on; these included the following:

  • The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
  • The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
  • GDPR being used for extortion/blackmail attempts.
  • Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.

So what will 2019 bring, according to OMG?

  • More targeted extortion attempts; Ransomware, GDPR, DDoS, etc. All with higher ransom being demanded.
  • Organisations will still be mainly focussed on the latest, must have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
  • A mainstream move towards two- or multi-factor authentication, as password theft is increasingly seen as the main way the bad guys and girls get in (other than social engineering (phishing) or via the supply-chain/business-partner). This move will be forced by the massive Credential Stuffing attacks of 2018, fuelled by the many data breaches in which user ids and passwords were stolen.
  • More supply-chain breaches as a method to gain access to the intended victim organisation.
  • Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
  • The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or have the skills/background for.
  • More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019.
  • Artificial Intelligence and Machine Learning will continue to be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detecting things that are not an issue) and, more worryingly, false negatives (not detecting what they should).
  • The Internet of Things will start to “grow up” as manufacturers start to bake in security and offer it as a differentiator against competing products/services.
  • However, despite this we will continue to see IoT devices/infrastructure used as an attack platform, and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (the largest so far was 1.35Tbps against Github in 2018).
  • We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
  • Too many organisations will think that using a single Cloud provider gives them a fully resilient infrastructure; it won’t. Just like having multiple data centres, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan): no single points of failure!
  • GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
  • Blockchain will be finally recognised as not being the solution to everything!
  • Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
  • More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
  • People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…

Don’t have nightmares; remember that 80-90% of all security breaches/incidents I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems and applications, writing secure code, good Identity and Access Management, and so on…