Hackers are opportunistic. As device manufacturers add more CPU cores and gigabytes of RAM to smartphones and tablets, and to enterprise-grade cloud servers, these devices become increasingly attractive targets for botnets. Hackers will also hunt for device vulnerabilities, or exploit mobile applications and devices directly, wherever a network is not secured.
Ransomware took the dark web by storm because it offered such an easy way to monetize these vulnerabilities, and as a side effect the cryptocurrency market exploded from the increased attention. Cryptocurrency mining, the process of confirming transactions on a blockchain and generating new units of digital currency, is perfectly legal. Developers are looking for ways to make money in a competitive mobile app market, and mining cryptocurrency through their apps has become an inviting venture. This method of monetization becomes a legal and ethical dilemma, however, once users are not aware that their devices are being used to mine digital currency.
The recent lawsuits against Apple for throttling older iPhones may set a legal precedent for cryptocurrency mining lawsuits. If users can successfully sue Apple for slowing down their phones without their knowledge, developers who install mining capabilities that affect performance and battery life without the user's knowledge could be liable as well.
Not only is this threat here to stay, it is shaping up to become as pervasive as ransomware. There are reliable indicators that hackers are using older vulnerabilities to install miners after the initial infection, generating coins from victims without ever demanding a ransom. As the pool of victims willing to pay a ransom shrinks, attackers turn to extracting value in other ways, such as using the same malware as a DDoS weapon.
While how malicious these infected mobile apps and browser pages really are is subject to debate, we can say for sure that we are witnessing the birth of a new form of malware, perhaps with as much impact as ransomware or adware. Without a robust security and monitoring strategy, along with the network visibility needed to protect applications and computers, you should expect to become the next cryptocurrency mining victim.
Mining Malware for the Mobile Era
The mobile era has created a lucrative opportunity for cryptocurrency mining malware. A miner latches onto as much CPU power as it can get to mine digital coins, consuming electricity, processing power and data as work is passed back and forth with the mining pool, all of which costs money.
Research shows there is a plethora of malicious Android apps roaming the Internet right now, and some crypto-miners have managed to bypass filters to get into the Google Play Store. In fact, recent static analysis of mobile malware led researchers to a number of cryptocurrency wallets and mining pool accounts belonging to a Russian developer, who claims that what he is doing is a completely legal way to make money.
We in the industry do not agree: cryptocurrency miners are a misappropriation of the user's device. While mining is technically legal if it is disclosed, these apps are purposefully misleading and frequently lack any transparent disclosure.
We have witnessed cryptocurrency miners embedded in otherwise legitimate applications on the Android store, used to extract value from people's phones while the devices are idle. And in recent months there have been several cases of browser-based miners continuing to run even after the visible browser window has been closed.
Other methods hackers use to deploy cryptocurrency miners include Telnet/SSH brute-forcing followed by installation of a miner, SQL injection, and direct installation of miners on compromised hosts. Crypto-mining in browsers and mobile applications will continue to persist, so concerned companies should improve their security posture by bringing application-level visibility and context to their monitoring tools.
More devices, more mining
Since new security threats surface every week, there is a good chance that more devices will be infected with cryptocurrency mining malware in the near future. The growing number of IoT devices will create new targets for cryptocurrency miners. We may also see hybrid attacks that are ransomware first and coin miner second, as attackers attempt to cash in twice on the same computer.
Most of these crypto-mining attacks occur at the edge of the network. One of the more common vectors used to install crypto-miners is EternalBlue, the SMBv1 exploit leaked by the Shadow Brokers in April 2017 (the underlying vulnerability was patched in Microsoft bulletin MS17-010), which was at the center of the WannaCry and NotPetya outbreaks. Here is the worst part: hackers are not using new tools or advanced methods to deploy these cryptocurrency miners, yet they are still successful. Companies therefore need a responsive patch management strategy, up-to-date IPS rules, testing to confirm they can detect exploitation of the vulnerabilities that cannot be patched immediately, and finally, monitoring of network traffic for connections to mining pools (the Stratum protocol the miners speak).
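The last recommendation above, and the "direct installation of miners" mentioned earlier, both come down to the same observable: an installed miner has to talk to a pool. The following is an added example (not Ixia code, and not tied to any particular product) of how a monitoring tool can flag that conversation on plaintext sessions. It scores captured client-to-server TCP payloads on the JSON-RPC method names Stratum actually uses (mining.subscribe/mining.authorize/mining.submit for Bitcoin-style pools; login/submit/keepalived for Monero-style pools), on a pool login that looks like a wallet address, on a miner user agent, and, as a weaker signal, on a commonly used pool port. The flows, wallet strings and port list are constructed for the example; the port list in particular is a heuristic assumption, since no port is reserved for mining.

```python
"""Heuristic Stratum mining-pool traffic detector (added example, not Ixia code).

Stratum is newline-delimited JSON-RPC over TCP. The method names below are the
protocol's own; the pool ports and sample flows are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# JSON-RPC methods that only occur in Stratum mining sessions.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",   # Bitcoin-style v1
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "keepalived", "job",                    # Monero/CryptoNote
}
# Ports many pools listen on (assumption/heuristic only, not a standard).
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8333, 14444}
# Monero primary addresses: 95 base58 chars starting with '4'.
# Bitcoin legacy addresses: 26-35 base58 chars starting with '1' or '3'.
WALLET_RE = re.compile(r"^(4[1-9A-HJ-NP-Za-km-z]{94}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")
MINER_AGENT_RE = re.compile(r"xmrig|cpuminer|minerd|xmr-stak", re.I)


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    methods: List[str] = field(default_factory=list)
    wallet: Optional[str] = None
    agent: Optional[str] = None
    score: int = 0


def parse_stratum_lines(payload: bytes) -> Iterator[dict]:
    """Yield JSON objects from a newline-delimited payload, skipping non-JSON noise."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            obj = json.loads(line)
        except (ValueError, UnicodeDecodeError):
            continue
        if isinstance(obj, dict):
            yield obj


def extract_login(obj: dict):
    """Return (wallet, agent) from a Monero 'login' or Bitcoin 'mining.authorize' request."""
    params, method = obj.get("params"), obj.get("method")
    if method == "login" and isinstance(params, dict):
        login, agent = str(params.get("login", "")), params.get("agent")
    elif method == "mining.authorize" and isinstance(params, list) and params:
        login, agent = str(params[0]), None
    else:
        return None, None
    # Pools accept "wallet.worker" or "wallet+difficulty"; keep only the wallet part.
    candidate = re.split(r"[.+]", login, maxsplit=1)[0]
    return (candidate if WALLET_RE.match(candidate) else None), agent


def analyze_flow(flow: dict) -> Finding:
    """Score one client->server flow: {"src", "dst", "dport", "payload": bytes}."""
    f = Finding(src=flow["src"], dst=flow["dst"], dport=flow["dport"])
    for obj in parse_stratum_lines(flow["payload"]):
        method = obj.get("method")
        if method in STRATUM_METHODS:
            f.methods.append(method)
            wallet, agent = extract_login(obj)
            f.wallet, f.agent = f.wallet or wallet, f.agent or agent
    f.score += 2 * len(set(f.methods))           # each distinct Stratum method
    f.score += 3 if f.wallet else 0              # pool login looks like a wallet
    f.score += 3 if f.agent and MINER_AGENT_RE.search(f.agent) else 0
    f.score += 1 if f.dport in COMMON_POOL_PORTS else 0
    return f


def detect_mining(flows, threshold: int = 4) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    hits = [analyze_flow(fl) for fl in flows]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample traffic (placeholder wallets of the right shape, not real ones).
MONERO_WALLET = "4" + "A" * 94
BITCOIN_WALLET = "1" + "B" * 33
SAMPLE_FLOWS = [
    {"src": "10.0.5.17", "dst": "203.0.113.10", "dport": 3333,          # XMRig-style login
     "payload": (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"'
                 + MONERO_WALLET.encode() + b'.worker01","pass":"x","agent":"XMRig/2.4.2"}}\n'
                 b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"1","nonce":"00000001","result":"ff"}}\n')},
    {"src": "10.0.5.18", "dst": "203.0.113.20", "dport": 4444,          # Bitcoin Stratum v1
     "payload": (b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'
                 b'{"id":2,"method":"mining.authorize","params":["' + BITCOIN_WALLET.encode() + b'","x"]}\n')},
    {"src": "10.0.5.19", "dst": "203.0.113.30", "dport": 8080,          # benign JSON-RPC
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"getStatus","params":[]}\n'},
]

if __name__ == "__main__":
    for hit in detect_mining(SAMPLE_FLOWS):
        print(f"{hit.src} -> {hit.dst}:{hit.dport} score={hit.score} "
              f"methods={sorted(set(hit.methods))} agent={hit.agent} wallet={hit.wallet}")
```

Run stand-alone, the first two flows are reported and the benign JSON-RPC flow scores zero. Two caveats a practitioner should keep in mind: a growing share of pools accept TLS-wrapped Stratum, on which this payload inspection sees nothing and you are left with destination, port and DNS indicators; and the score weights are a starting point to tune against your own baseline, not a fixed rule.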
If organizations have no insight into their networks, they cannot tell whether their endpoints are mining without permission, leaking data from a breach, or spreading malware across internal networks. Or perhaps there is no malicious activity at all; they will want to see that too. A network monitoring solution alerts them early in a compromise by showing a shift in network traffic patterns.
By: Steve McGregory, Senior Director of ATI Research, Ixia