Friendly reminder to stop using minergate! : monero

Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

Cryptojacking definition

Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads cryptomining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.

Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution.

How cryptojacking works

Hackers have two primary ways to get a victim’s computer to secretly mine cryptocurrencies. One is to trick victims into loading cryptomining code onto their computers. This is done through phishing-like tactics: Victims receive a legitimate-looking email that encourages them to click on a link. The link runs code that places the cryptomining script on the computer. The script then runs in the background as the victim works.

The other method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers. Whichever method is used, the code runs complex mathematical problems on the victims’ computers and sends the results to a server that the hacker controls.

Hackers often will use both methods to maximize their return. “Attacks use old malware tricks to deliver more reliable and persistent software as a fall back,” says Alex Vaystikh, CTO and cofounder of SecBI. For example, of 100 devices mining cryptocurrencies for a hacker, 10% might be generating income from code on the victims’ machines, while 90% do so through their web browsers.

Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. This also makes them harder to find and remove; maintaining persistence on a network is in the cryptojacker’s best financial interest.

To increase their ability to spread across a network, cryptomining code might include multiple versions to account for different architectures on the network. In one example described in an AT&T Alien Labs blog post, the cryptomining code simply downloads the implants for each architecture until one works.


The scripts might also check to see if the device is already infected by competing cryptomining malware. If another cryptominer is detected, the script disables it. A cryptominer might also have a kill prevention mechanism that executes every few minutes, as the AT&T Alien Labs post notes.

Unlike most other types of malware, cryptojacking scripts do no damage to computers or victims’ data. They do steal CPU processing resources. For individual users, slower computer performance might be just an annoyance. Organizations with many cryptojacked systems can incur real costs in terms of help desk and IT time spent tracking down performance issues and replacing components or systems in the hope of solving the problem.

Why cryptojacking is popular

No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking grew fast at first, but seems to be tapering off, likely because of cryptocurrency volatility and the closing of Coinhive, the most popular JavaScript miner that was also used for legitimate cryptomining activity, in March 2019. The 2020 SonicWall Cyber Threat Report reveals that the volume of cryptojacking attacks fell 78% in the second half of 2019 as a result of the Coinhive closure.

The decline began earlier, however. Positive Technologies’ Cybersecurity Threatscape Q1 2019 report shows that cryptomining now accounts for only 7% of all attacks, down from 23% in early 2018. The report suggests that cybercriminals have shifted more to ransomware, which is seen as more profitable.

“Cryptomining is in its infancy. There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. 

In January 2018, researchers discovered the Smominru cryptomining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January.

Cryptojacking doesn’t even require significant technical skills. According to the report, The New Gold Rush Cryptocurrencies Are the New Frontier of Fraud, from Digital Shadows, cryptojacking kits are available on the dark web for as little as $30.

The simple reason why cryptojacking is becoming more popular with hackers is more money for less risk. “Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware,” says Vaystikh. With ransomware, a hacker might get three people to pay for every 100 computers infected, he explains. With cryptojacking, all 100 of those infected machines work for the hacker to mine cryptocurrency. “ might make the same as those three ransomware payments, but cryptomining continuously generates money,” he says.

The risk of being caught and identified is also much less than with ransomware. The cryptomining code runs surreptitiously and can go undetected for a long time. Once discovered, it’s very hard to trace back to the source, and the victims have little incentive to do so since nothing was stolen or encrypted. Hackers tend to prefer anonymous cryptocurrencies like Monero and Zcash over the more popular Bitcoin because it is harder to track the illegal activity back to them.

Real-world cryptojacking examples

Cryptojackers are a clever lot, and they’ve devised a number of schemes to get other people’s computers to mine cryptocurrency. Most are not new; cryptomining delivery methods are often derived from those used for other types of malware such as ransomware or adware. "You’re starting to see a lot of the traditional things mal-authors have done in the past," says Travis Farral, director of security strategy at Anomali. "Instead of delivering ransomware or a Trojan, they are retooling that to deliver crypto-mining modules or components."

Here are some real-world examples:

Prometei cryptocurrency botnet exploits Microsoft Exchange vulnerability

Prometei, which has been around since as early as 2016, is a modular, multi-stage botnet designed to mine the Monero cryptocurrency. It uses a variety of means to infect devices and spread across networks. In early 2021, however, Cybereason discovered that Prometei was exploiting the Microsoft Exchange vulnerabilities used in the Hafnium attacks to deploy malware and harvest credentials. The botnet would then use the infected devices to mine Monero.

Spear-phishing PowerGhost steals Windows credentials

The Cyber Threat Alliance’s (CTA’s) The Illicit Cryptocurrency Mining Threat report describes PowerGhost, first analyzed by Fortinet, as stealthy malware that can avoid detection in a number of ways. It first uses spear phishing to gain a foothold on a system, and it then steals Windows credentials and leverages Windows Management Instrumentation and the EternalBlue exploit to spread. It then tries to disable antivirus software and competing cryptominers.

Graboid, a cryptomining worm spread using containers

In October, Palo Alto Networks released a report describing a cryptojacking botnet with self-spreading capabilities. Graboid, as they named it, is the first known cryptomining worm. It spreads by finding Docker Engine deployments that are exposed to the internet without authentication. Palo Alto Networks estimated that Graboid had infected more than 2,000 Docker deployments.

Malicious Docker Hub accounts mine Monero

In June 2020, Palo Alto Networks identified a cryptojacking scheme that used Docker images on the Docker Hub network to deliver cryptomining software to victims’ systems. Placing the cryptomining code within a Docker image helps avoid detection. The infected images were accessed more than two million times, and Palo Alto estimates that the cryptojackers realized $36,000 in ill-gotten gains.

MinerGate variant suspends execution when victim’s computer is in use

According to the CTA report, Palo Alto Networks has analyzed a variant of the MinerGate malware family and found an interesting feature. It can detect mouse movement and suspend mining activities. This avoids tipping off the victim, who might otherwise notice a drop in performance.

BadShell uses Windows processes to do its dirty work

A few months ago, Comodo Cybersecurity found malware on a client’s system that used legitimate Windows processes to mine cryptocurrency. Dubbed BadShell, it used:

- PowerShell to execute commands: a PowerShell script injects the malware code into an existing running process.
- Task Scheduler to ensure persistence.
- Registry to hold the malware’s binary code.

You can find more details on how BadShell works in Comodo’s Global Threat Report Q2 2018 Edition.
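As an added defender-side example that is not part of the article or of Comodo’s report, the Python below flags the three BadShell traits just listed (PowerShell execution, a scheduled task for persistence, a payload stored in the registry) in constructed process-creation records; the record format, host name, task name and registry path are assumptions.

```python
"""Added detection example, not code from the article or Comodo: flags the BadShell
pattern described above in constructed process-creation records -- PowerShell run
with an encoded command that reads a payload from the registry and executes it,
plus the scheduled task that relaunches it. Record shape and paths are made up."""
import base64
import re

# Constructed stand-in for the encoded script (the payload itself is a placeholder).
_SAMPLE_SCRIPT = ("$b=(Get-ItemProperty 'HKLM:\\SOFTWARE\\Example').Blob;"
                  "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))")
_ENCODED = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode()

# Constructed sample records: "field=value" pairs separated by " | ".
SAMPLE_LOGS = [
    "host=WS01 | image=C:\\Windows\\System32\\notepad.exe | cmd=notepad.exe notes.txt",
    "host=WS01 | image=C:\\Windows\\System32\\schtasks.exe | cmd=schtasks /create /tn Updater"
    " /sc minute /mo 5 /tr \"powershell -w hidden -enc " + _ENCODED + "\"",
    "host=WS01 | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | cmd=powershell -w hidden -enc " + _ENCODED,
]

ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Traits of the decoded script that together match the BadShell description.
TRAITS = {
    "registry_read": re.compile(r"HK(?:LM|CU):|Get-ItemProperty", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "dynamic_exec": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
}

def decode_encoded_command(cmd):
    """Return the script hidden behind -EncodedCommand (UTF-16LE base64), or None."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(record):
    """Return the trait names found in one record; an empty list means benign."""
    fields = dict(p.split("=", 1) for p in record.split(" | "))
    cmd = fields.get("cmd", "")
    found = []
    # Persistence: a scheduled task whose action launches PowerShell.
    if "schtasks" in fields.get("image", "").lower() and re.search("powershell", cmd, re.I):
        found.append("scheduled_task_runs_powershell")
    script = decode_encoded_command(cmd)
    if script is not None:
        found.append("encoded_command")
        found += [name for name, rx in TRAITS.items() if rx.search(script)]
    return found
```

Decoding the encoded command is what makes the registry read visible; a detector that only matches the raw command line sees nothing but a base64 blob.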

Rogue employee commandeers company systems

At the EmTech Digital conference earlier this year, Darktrace told the story of a client, a European bank, that was experiencing some unusual traffic patterns on its servers. Night-time processes were running slowly, and the bank’s diagnostic tools didn’t discover anything. Darktrace discovered that new servers were coming online during that time—servers that the bank said didn’t exist. A physical inspection of the data center revealed that a rogue staffer had set up a cryptomining system under the floorboards.

Serving cryptominers through GitHub

In March, Avast Software reported that cryptojackers were using GitHub as a host for cryptomining malware. They find legitimate projects from which they create a forked project. The malware is then hidden in the directory structure of that forked project. Using a phishing scheme, the cryptojackers lure people to download that malware through, for example, a warning to update their Flash player or the promise of an adult content gaming site.

Exploiting an rTorrent vulnerability

Cryptojackers have discovered an rTorrent misconfiguration vulnerability that leaves some rTorrent clients accessible without authentication for XML-RPC communication. They scan the internet for exposed clients and then deploy a Monero cryptominer on them. F5 Networks reported this vulnerability in February, and advises rTorrent users to make sure their clients do not accept outside connections.

Facexworm: Malicious Chrome extension

This malware, first discovered by Kaspersky Labs in 2017, is a Google Chrome extension that uses Facebook Messenger to infect users’ computers. Initially Facexworm delivered adware. Earlier this year, Trend Micro found a variety of Facexworm that targeted cryptocurrency exchanges and was capable of delivering cryptomining code. It still uses infected Facebook accounts to deliver malicious links, but can also steal web accounts and credentials, which allows it to inject cryptojacking code into those web pages.

WinstarNssmMiner: Scorched earth policy

In May, 360 Total Security identified a cryptominer that spread quickly and proved effective for cryptojackers. Dubbed WinstarNssmMiner, this malware also has a nasty surprise for anyone who tried to remove it: It crashes the victim’s computer. WinstarNssmMiner does this by first launching an svchost.exe process, injecting code into it, and setting the spawned process’s attribute to CriticalProcess. Since the computer sees it as a critical process, it crashes once the process is removed.

CoinMiner seeks out and destroys competitors

Cryptojacking has become prevalent enough that hackers are designing their malware lớn find và kill already-running cryptominers on systems they infect. CoinMiner is one example. 

According to Comodo, CoinMiner checks for the presence of an AMDDriver64 process on Windows systems. Within the CoinMiner malware are two lists, $malwares and $malwares2, which contain the names of processes known to be part of other cryptominers. It then kills those processes.

Compromised MikroTik routers spread cryptominers

Bad Packets reported in September last year that it had been monitoring over 80 cryptojacking campaigns that targeted MikroTik routers, providing evidence that hundreds of thousands of devices were compromised. The campaigns exploited a known vulnerability (CVE-2018-14847) for which MikroTik had provided a patch. Not all owners had applied it, however. Since MikroTik produces carrier-grade routers, the cryptojacking perpetrators had broad access to systems that could be infected.

How to prevent cryptojacking

Follow these steps to minimize the risk of your organization falling prey to cryptojacking:

Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts to load scripts onto users’ computers. “Training will help protect you when technical solutions might fail,” says Laliberte. He believes phishing will continue to be the primary method to deliver malware of all types.

