March 6, 2018 at Five:00 AM
Overheen the past six months, we’ve seen a major increase te the number of attack campaigns with the ultimate objective of mining cryptocurrency. It’s a subject Unit 42 has bot tracking te the past year:
So, what is driving a widespread shift from attackers and creating a significant trend te the industry? There are three factors at work:
- The price of many cryptocurrencies has enhanced dramatically te the last 12 months, making it more profitable to mine coins compared to other criminal business models.
- The risk of using a compromised PC to mine cryptocurrency is presently much lower than using it for other criminal activities.
- One particular cryptocurrency, Monero, provides its users with very high privacy and can be mined efficiently on a regular desktop or laptop PC. Thesis properties are not true of other cryptocurrencies, like bitcoin.
To reaction the question te more detail, it’s significant to waterput yourself into the criminal’s boots and consider what alternative routes they have to monetize infections. Te this schrijven, we’ll share how this trend came to fruition, why it’s so prevalent, and how security professionals and defenders can keep an eye out for this rising type of threat.
How Attacks Monetize Infections
While targeted attacks build up the most attention from researchers and media, the majority of malware infections are untargeted and even indiscriminate. Instead of seeking out specific targets, many criminals aim to infect spil many systems spil possible and then turn those infections into metselspecie. This has bot true for overheen a decade, albeit the mechanisms available to criminals have shifted te that time.
To understand where wij are now, it helps to look at how wij got here, and to look at the evolution of common cybercriminal activities.
Back ter the early 2000s, some of the earliest “botnet herders” made their income by relaying spam emails through infected computers. Overheen time, that business became less profitable due to anti-spam controls and ISPs preventing infected systems from directly relaying emails.
Te the mid-2000s, criminals made excellent profits from using Banking Trojans to steal credentials for online banking websites, and subsequently draining the accounts’ associated funds. This account takeover activity resumes today, but various anti-fraud measures and law enforcement deeds have made it less profitable and riskier for criminals.
Another facet of Banking Trojan infections is that, while the criminal may be infecting hosts indiscriminately, the value of the host greatly depends on the individual who wields it, and the criminals’ capability to “cash out” their bankgebouw account. Figure 1 is a capture from a book I wrote with some colleagues ter 2008, “Cyber Fraud: Tactics, Technologies, and Procedures.” It shows the price that a criminal enterprise called IFRAME DOLLARS wasgoed charging to infect computers te various countries at that time.
Figure 1: Capture from Cyber Fraud: Tactics, Technologies, and Procedures showcasing prices of host infections by country.
Te 2007, the infection of a system ter Australia went for US$0.60, while an infection ter Poland wasgoed only a fraction of the cost, at US$0.096. The difference te price represented the difference ter value: criminals were able to make more money through a Banking Trojan account takeover from an Australian infection than they could ter Poland. This wasgoed due to many factors, but chief among them wasgoed that criminals were more successful at cashing out accounts from Australian infections than they were from systems ter other parts of the world.
Spil anti-fraud protections evolved, so did the criminals. Prompt forward five years to 2013 and the rise of the Ransomware business monster. This fresh way to generate profit had two major advantages overheen account takeovers:
- Every system that is infected can be held for ransom, not just those belonging to users who also toebijten to bankgebouw online and have their credentials stolen.
- Payments using cryptocurrency (primarily bitcoin) do not require interacting with banks, decreasing the risk and cost for cybercriminals of cashing out.
Waterput another way, the ransomware proefje represented both enhanced efficiency and decreased risk ter monetizing the infection.
Anyone who’s bot paying attention to cybercrime since 2013 is aware of the ransomware surge, infecting systems via the world and plaguing networks’ administrators. While only a lil’ fraction (possibly 1 ter 1000) of systems infected with a banking Trojan pay out for attackers, a much higher portion of ransomware victims pay to get their files back. While US$300 payments are less than a single account takeover could terugwedstrijd, ransomware makes greater comes back due to the volume and decreased risk te this fresh business proefje. Cybercriminals have become good business people: they witnessed the benefits and embraced the switch.
Inject “The Bubble” – Where Wij Are Now
Te the last two years, but particularly ter the last six months, the price of bitcoin and other cryptocurrencies experienced a massive price surge with respect to the U.S. dollar and other fiat currencies. Here’s the chart for bitcoin overheen the last two years, showcasing a rise of Two,000% to Four,000% te the versus the U.S. dollar.
Figure Two: Price of bitcoin te U.S. dollars from CoinMarketCap
While botnets mining cryptocurrency is nothing fresh, the mechanism wasgoed much less profitable than using ransomware. Te fact, with the rise of specialized bitcoin mining hardware, no regular PC can make any significant amount of money for an attacker.
However, there are many other “crypto coins” ter the market today. The one wij see mined most by attackers is called Monero. Te tegenstelling to bitcoin, Monero wasgoed designed to enable private transactions using a closed ledger, and its mining algorithm is still mined effectively by both PC CPUs and GPUs. Spil the chart below shows, Monero has risen even quicker than bitcoin ter price te the last two years, with more than a 30,000% build up ter U.S. dollars.
Figure Trio: Price of Monero te U.S. dollars from CoinMarketCap
A normal PC used to mine Monero can earn around US$0.25 vanaf day at the current prices. That number is puny, but it’s significant to note that it doesn’t matter what country or network a Monero miner is part of: computers ter Australia and Poland mine at the same speed. Every infected system is a profit-generating resource when mining Monero, and users are much less likely to identify their infection and liquidate the mining program than they would be with ransomware. For setting, ter January, wij found a Monero mining campaign that infected around 15 million systems, largely ter the developing world. If thesis systems remained infected for at least 24 hours each, the attackers could have earned well overheen Trio million U.S. dollars ter Monero.
Additionally, the risk of hechtenis and conviction is significantly lower than with ransomware, spil mining cryptocurrency is less likely to generate reports to law enforcement than a data-destroying ransomware infection.
This wave of attacks will proceed spil long spil it maintains a high level of profitability with a low level of risk for cybercriminals.
For defenders, it’s significant to note that the technics used to infect systems with coin mining malware are the same spil they were for ransomware. Infections typically start with emails carrying malicious macro documents, drive-by exploit kits targeting browsers, or meteen attacks on servers running vulnerable software. There is no single solution to stopping thesis attacks, but the same technologies and policies you use to prevent other malware infections will be effective.
Across the switching landscape of botnet herders, Banking Trojans, ransomware and coin mining is one onveranderlijk: the business-savvy drive to maximize profit and reduce risk. Using thesis spil our guide, wij can make sense of where wij are today, how wij got here, and be ready for what has yet to develop ter the future.
Here are three things to observe for:
1. A marked increase te the price of Monero or other cryptocurrencies will draw even more attackers into this business.
For many users, this could actually be a positive development, spil the negative influence of having resources sapped from one’s pc is much less than paying a ransom or restoring your system from a backup due to ransomware. Conversely, a crash ter the price of cryptocurrencies will decrease the profitability and drive criminals back to ransomware.
Two. Listen to your ventilatoren or keep an eye on your CPU usage.
Many users realize their system is infected with coin mining malware when their laptop ventilatoren kick into high-speed mode to keep the overtaxed CPU cool. Listening to ventilatoren won’t work at the enterprise scale, but implementing widespread CPU vertoning monitoring could be a good way to find compromised devices. This will also help you identify the coin mining “insider threat,” spil misguided administrators may see their organizations’ unused CPU time spil a way to generate private income.
Three. Criminals will find ways to target thesis attacks.
Compromising a user’s browser or a regular huis PC will netwerken the criminal an average system for mining coins, but higher-end systems will generate more income. Attackers will soon start targeting devices with higher specifications to get more ontsteld for their buck. Gaming PCs with high-end GPUs and servers with large numbers of processing cores will be prime targets.