Toward the end of December 2017, we saw a sharp decline in the number of ransomware variants being produced by cybercriminals. At the same time there was a massive spike in cryptomining attacks.
Over the past year, we have seen these cryptomining-based attacks continue to grow. The attacks are often reasonably “silent”—there is no data exfiltration or locking up of files. Instead, cybercriminals simply steal some processing power in the background. In many cases, businesses won’t immediately recognize these attacks or even know that they’ve been compromised. However, this doesn’t mean they are any less dangerous. Today, we’ll cover why businesses should be very concerned about cryptomining attacks, and what steps they can take to fight back.
But first, we need to look at why these types of attacks even exist, and how cybercriminals are making money. It begins with understanding cryptocurrencies.
Cryptocurrencies are digital currencies that allow people to buy and sell products without going through a central authority like a bank, and without holding a physical currency like dollars, pounds, or euros. The most common cryptocurrencies are Bitcoin, Ethereum, and Monero.
For any currency to exist, whether a cryptocurrency or a government-issued one, there must be systems in place for generating new money, tracking transactions, and ensuring that exchanges are fair (in other words, not fraudulent). For traditional currencies, these problems are solved by banking systems.
Cryptocurrencies don’t have central banks to handle these problems. Instead, they use peer-to-peer computing, digital wallets, and blockchain technology.
How does that work? Let’s take Bitcoin as an example. Two people have a certain amount of Bitcoin in their digital wallet. Coin-holder A can send money to coin-holder B. As long as both people have the money and the transaction is valid, it will be recorded in Bitcoin’s blockchain, which acts as a public ledger of transactions.
Cryptocurrency networks and their blockchains are powered by a decentralized, peer-to-peer (p2p) network of computers. These nodes keep track of which digital wallets hold how much of the currency, and they each process and store a copy of the blockchain. When new transactions arrive, miners compete to produce the next block. In Bitcoin's case, a block is only valid if the double SHA-256 hash of its header falls below a target the network sets, so a miner repeatedly changes a nonce in the header and rehashes until it finds one that qualifies. The lower the target, the more hashes it takes on average to find a valid block.
This is where it gets interesting. Whoever successfully adds a block is rewarded with newly created currency. In Bitcoin's case, the reward in 2019 is 12.5 bitcoins per block (it halves roughly every four years). At the moment I'm writing this, one Bitcoin equals $3,770 USD, so adding a new block to the chain nets about $47,125 USD in new coins, plus the transaction fees in that block.
If you want to increase your odds of adding the next block, you need more hashing power, and every extra bit of difficulty doubles the expected number of hashes. Many people mine Bitcoin (and other cryptocurrencies) legitimately, but it is expensive: the hardware and the electricity both cost money. Cybercriminals have learned that they can mine for cryptocurrencies simply by stealing other people's processing power, and that is the origin of cryptomining-based attacks.
Please note that Bitcoin is used here only as an example. Cybercriminals more often mine other currencies, particularly Monero, whose mining algorithm runs well on ordinary CPUs (which is what makes in-browser mining practical) and which hides sender, receiver, and amount in its transactions, and Zcash, which is also more private than Bitcoin.
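To make the proof-of-work competition concrete, here is a toy miner added for this article (it is not code from the original post or from any real mining software). It hashes a constructed block-header prefix together with a 32-bit nonce, exactly as described above, and keeps counting nonces until the double SHA-256 digest falls below a target. The header bytes, the difficulty values, and the big-endian comparison are simplifications of my own; real Bitcoin headers have a fixed 80-byte layout and compare the hash as a little-endian number, but the search loop is the same.

```python
import hashlib
import struct


def block_hash(header_prefix: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header_prefix || nonce, the digest Bitcoin miners compute."""
    data = header_prefix + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash qualifies when, read as a 256-bit integer, it is below this target.
    difficulty_bits leading zero bits are required, so the expected number of
    hashes is 2 ** difficulty_bits."""
    return 1 << (256 - difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    return 2 ** difficulty_bits


def verify(header_prefix: bytes, nonce: int, difficulty_bits: int) -> bool:
    """What every node does when a block arrives: one hash and one comparison."""
    digest = block_hash(header_prefix, nonce)
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def mine(header_prefix: bytes, difficulty_bits: int, max_nonce: int = 2 ** 32):
    """Brute-force nonces until verify() would succeed.
    Returns (nonce, hash_hex, attempts) or None if the nonce space is exhausted."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        digest = block_hash(header_prefix, nonce)
        if int.from_bytes(digest, "big") < target:
            return nonce, digest.hex(), nonce + 1
    return None


# Constructed, illustrative header prefix (not a real Bitcoin header).
SAMPLE_HEADER = b"version:1|prev:000000000000000000abcdef|merkle:1234abcd|time:1546300800"

if __name__ == "__main__":
    # Each extra bit of difficulty roughly doubles the work the miner has to do,
    # while verification stays a single hash regardless of difficulty.
    for bits in (8, 12, 16, 20):
        nonce, digest_hex, attempts = mine(SAMPLE_HEADER, bits)
        assert verify(SAMPLE_HEADER, nonce, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} attempts={attempts:8d} "
              f"expected~{expected_attempts(bits):8d} hash={digest_hex[:16]}...")
```

Run it and watch the attempt counts climb with the difficulty. The miner's cost is proportional to the expected attempts, which is the processing power (and electricity) an attacker steals; the verifier's cost is one hash, which is why every node on the network can check a block cheaply.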
So, cybercriminals might steal some of your processing power. It’s not a huge deal, right? Your systems may run a little slow, but beyond that, should you care? It’s not ransomware that locks up your data and requires you to shell out money to get business-critical data back. They’re not stealing financial data like credit card numbers. They’re not exfiltrating critical business data and selling it on the black market. In fact, cybercriminals love the fact that these attacks fly under the radar in many cases. So what’s the big deal if they get a little processing power?
The big issue is that the cryptominer is just the payload, while cybercriminals continue to have a foothold in your network. If cryptocurrencies become less profitable (say from a price crash), they could just as soon decide to put ransomware or a financial Trojan on the system or even steal corporate secrets. Don’t shrug this off—the attack may seem silent, but it’s just as dangerous as any other intrusion.
Cryptomining malware is still relatively new, but it is delivered through the same attack vectors as ransomware and other malware.
One common method of delivery is phishing. The cybercriminal sends an email with a link or attachment that downloads a cryptomining script or binary, which then runs in the background, often undetected for months. A strong email security solution reduces the risk of falling victim to this kind of phishing attack. Because most of these attacks involve malware, you should also run a good antivirus solution, particularly one with behavioral and heuristic scanning, since miners are easy to repack to dodge a pure signature match.
You also need to keep on top of basic cyberhygiene. Some criminals have used the same SMB exploit that WannaCry used (EternalBlue) to spread miners across unpatched networks, so keeping up to date with patches can stop one of these attacks before it starts. SolarWinds® RMM offers integrated web protection, mail protection, patch management, and antivirus designed to help you fight back against cybercriminals.
Finally, consider adding intrusion detection for the attacks that other defenses miss. A miner has to talk to a mining pool to fetch work and submit results, so an anomaly-based intrusion detection system can flag a host that keeps a long-lived outbound connection to an unfamiliar address, that speaks the Stratum mining protocol, or that shows sustained high CPU utilization at odd hours. SolarWinds Threat Monitor can potentially help in this situation. It's a cloud-based security information and event management (SIEM) tool designed to detect potential threats and intrusions.
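As an added example of the detection idea above (this is my own illustration, not code from the original post or from SolarWinds Threat Monitor), the following script scans a handful of constructed connection-log lines for the pool protocol that miners speak. Bitcoin-style pools use Stratum, whose JSON messages carry methods such as `mining.subscribe` and `mining.authorize`; Monero pools and the XMRig miner use a JSON-RPC variant whose `login` call includes a wallet address and a miner user agent. The log line format (timestamp, source, destination, port, payload) and the IP addresses are assumptions constructed for the example.

```python
import json
import re
from collections import defaultdict

# Method names from the Stratum mining protocol used by Bitcoin-style pools.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
# Methods in the JSON-RPC dialect spoken by Monero pools and XMRig.
XMR_METHODS = {"login", "submit", "getjob"}
# User-agent strings of well-known mining software.
MINER_AGENTS = re.compile(r"xmrig|cpuminer|minerd|ccminer|cgminer", re.I)

# Assumed log format: "<ts> <src> -> <dst>:<port> <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<payload>.*)$")

# Constructed sample traffic for this example (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    '2019-01-15T03:12:07Z 10.0.4.17 -> 203.0.113.9:3333 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    '2019-01-15T03:12:08Z 10.0.4.17 -> 203.0.113.9:3333 {"id":2,"method":"mining.authorize","params":["1Abc.worker1","x"]}',
    '2019-01-15T03:13:01Z 10.0.4.22 -> 198.51.100.5:443 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44AAAA","pass":"x","agent":"XMRig/2.8.3"}}',
    '2019-01-15T03:14:00Z 10.0.4.30 -> 192.0.2.10:443 GET /index.html HTTP/1.1',
    '2019-01-15T03:15:00Z 10.0.4.30 -> 192.0.2.11:8332 {"jsonrpc":"1.0","id":"t","method":"getblockchaininfo","params":[]}',
]


def classify_payload(payload: str):
    """Return an indicator string if the payload looks like pool traffic, else None.
    Non-JSON payloads (ordinary HTTP, TLS) are skipped; a JSON-RPC call to a
    wallet node is not flagged because its method names differ from a pool's."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_METHODS:
        return f"stratum:{method}"
    if method in XMR_METHODS and isinstance(params, dict) and "login" in params:
        return f"xmr-stratum:{method}"
    agent = ""
    if isinstance(params, dict):
        agent = str(params.get("agent", ""))
    elif isinstance(params, list) and params:
        agent = str(params[0])
    if MINER_AGENTS.search(agent):
        return f"miner-agent:{agent}"
    return None


def scan(lines):
    """Group suspicious flows by internal source host: {src: [(dst, port, indicator)]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        indicator = classify_payload(m["payload"])
        if indicator:
            hits[m["src"]].append((m["dst"], int(m["port"]), indicator))
    return dict(hits)


if __name__ == "__main__":
    for host, flows in scan(SAMPLE_LOG).items():
        for dst, port, indicator in flows:
            print(f"{host} -> {dst}:{port}  {indicator}")
```

Note what this does and does not catch: it keys on protocol content, so it works regardless of which port the pool listens on (the third sample line uses 443), but it cannot see inside TLS. For encrypted pool connections you fall back to the other signals mentioned above: long-lived connections to unfamiliar destinations and sustained CPU load with no matching business process.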
Businesses may be tempted to gloss over the cryptomining-attack trend. At best, these attacks consume processing power and electricity and harm productivity. But they also give cybercriminals a backdoor into the network that they can use to cause far more damage at any time. If cybercriminals decide it is more lucrative to switch to stealing data or deploying ransomware, they can do so whenever they choose. So don't take these attacks for granted; they could be far more damaging than you think.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the U.S. government on security initiatives, and holds 18 patents on security-related topics.
© 2019 SolarWinds MSP UK Ltd. All rights reserved.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.