Cryptomining via malware has become the preferred strategy of cybercriminals to quickly and effectively monetize their efforts. With the increase in the prices and types of cryptocurrencies, as well as the difficulty of detecting these programs, ideal conditions have been created for their appearance in markets such as Latin America.
Over the past few years, threats have evolved at a considerable, almost exponential, speed, and the scope that organizations have to protect has widened to the same extent.
Strategies built around once-effective technologies have led to a false sense of security. For example, when traditional endpoint protection tools generate a large number of reports indicating that many malicious codes have been identified and cleaned up, this suggests that one is fully protected and undermines the case for improving the cybersecurity posture.
Unfortunately, unless malicious code produces a visible impact on the organization when it executes, it is almost impossible to make the case for improving and/or developing the existing security controls.
The need for tools such as firewalls, anti-virus (anti-malware), WAF, IPS and others is in no way disputed. These tools are part of the layered protection of a defense-in-depth model; however, threats that are able, by one technique or another (obfuscation, fileless execution, logic bombs, wrapping, among others), to evade the basic controls also require special attention. This is even more true when they sit silently on the network, perhaps taking control of one or several computers, modifying files, extracting information, perhaps cryptomining or, in the worst case, intercepting communications.
One of the new trends for improving the cybersecurity posture, and one that is quite rightly designed to deal with threats that have evolved and continue to evolve, is Threat Hunting.
Threat hunting can be defined as the continuous, iterative search of the network for advanced threats, their likely detection and their isolation; given the nature of the process just described, its outcome should be seen as a proactive analysis.
This proactive approach closes the large gap left by other types of tools, which are usually more reactive and are typically used once the attack or incident has already happened.
This is easily explained with a security incident. From a reactive perspective, the incident begins with an event that has already generated an impact on the organization; the different security tools then allow us to understand what happened and to fine-tune the levels of detection and control, either by creating new rules, activating some new type of feature or simply downloading an updated signature package. From the proactive, Threat Hunting perspective, the incident begins with the gathering and continuous analysis of the network's normal activity and its possible deviations. Access to system files, the opening of ports, the execution of PowerShell, the reading of folders, the modification of registry keys or simple connectivity with certain sites may all be new indicators of compromise, and must be treated as such after an intensive process of security telemetry that profiles, as accurately as possible, the company's devices, users, networks and/or traffic.
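As an added example (not code from the original article), the following Python sketch shows the proactive side of this description in code: a baseline of normal per-host activity is built from one window of telemetry, and a later window is checked for deviations of the kinds listed above, namely new PowerShell execution chains and new outbound connections. The event schema, host names, process names and IP addresses are all constructed for illustration; real records would come from Sysmon, EDR or flow exports.

```python
"""Hunting for deviations from a per-host activity baseline.

Added example, not code from the original article. The event schema, the host
names, the process names and the IP addresses are all constructed for
illustration; real telemetry would come from Sysmon, EDR or NetFlow exports.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str    # device that produced the record
    kind: str    # "process" (process creation) or "netconn" (outbound connection)
    actor: str   # image of the created process, or of the process making the connection
    target: str  # parent image for "process"; "ip:port" of the remote end for "netconn"


# Constructed baseline window: activity profiled as normal for two servers.
BASELINE = [
    Event("erp-01", "process", "sqlservr.exe", "services.exe"),
    Event("erp-01", "process", "powershell.exe", "explorer.exe"),  # interactive admin use
    Event("erp-01", "netconn", "sqlservr.exe", "10.0.5.20:1433"),
    Event("crm-02", "process", "w3wp.exe", "svchost.exe"),
    Event("crm-02", "netconn", "w3wp.exe", "10.0.5.20:1433"),
]

# Constructed current window: contains two records never seen in the baseline.
CURRENT = [
    Event("erp-01", "process", "sqlservr.exe", "services.exe"),
    Event("erp-01", "process", "powershell.exe", "wmiprvse.exe"),  # new parent for PowerShell
    Event("erp-01", "netconn", "powershell.exe", "203.0.113.7:443"),  # new external peer
    Event("crm-02", "netconn", "w3wp.exe", "10.0.5.20:1433"),
]

# RFC 1918 ranges; anything else is treated as external to the company network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(target):
    """True when the 'ip:port' target of a netconn event lies outside RFC 1918 space."""
    ip_text = target.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # a hostname rather than an address: treat as external
    return not any(ip in net for net in INTERNAL_NETS)


def build_profile(events):
    """Map (host, kind) -> set of (actor, target) pairs observed in the baseline."""
    profile = defaultdict(set)
    for e in events:
        profile[(e.host, e.kind)].add((e.actor, e.target))
    return profile


def score(e):
    """Crude triage priority: PowerShell involvement and external peers raise the score."""
    s = 1
    if e.actor.lower() == "powershell.exe":
        s += 1
    if e.kind == "netconn" and is_external(e.target):
        s += 1
    return s


def find_deviations(profile, events):
    """Return [(score, event)] for pairs absent from the baseline, highest score first."""
    findings, seen = [], set()
    for e in events:
        pair = (e.actor, e.target)
        if pair in profile.get((e.host, e.kind), set()) or (e.host, e.kind, pair) in seen:
            continue  # known-good, or already reported in this window
        seen.add((e.host, e.kind, pair))
        findings.append((score(e), e))
    return sorted(findings, key=lambda f: -f[0])


if __name__ == "__main__":
    for s, e in find_deviations(build_profile(BASELINE), CURRENT):
        print(f"[{s}] {e.host}: {e.kind} {e.actor} -> {e.target}")
```

Novelty against the baseline is only a trigger for analyst review, not a verdict: the profile has to be rebuilt as legitimate change is confirmed, otherwise every new administrator task becomes a finding.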
There has been ongoing discussion in the world of cybersecurity about “cryptomining” and its impact on corporate environments. To understand this, it is necessary to clarify the definition of cryptocurrency:
“A cryptocurrency is a type of digital currency based on cryptography. It uses encryption techniques to generate units and verify its transactions as a substitute for a central authority.”
Because it relies on cryptography, the creation of these currencies depends on highly complex calculations that require a combination of computer resources. For this reason, everyone from home users to corporate users has been a victim of the wave of cryptocurrency mining networks, the latter being the main target of these campaigns because of the high computational power they need in order to offer their different services to their customers (e.g. transactional portals, ERPs, CRMs, among others). The creation of these currencies can be summarized as follows:
- The first step in cryptomining is to join a network whose technological foundations lie in the use of blockchain. It is possible to join willingly, through the deliberate download of mining software, or unwillingly, through infection by malware sent by an attacker using different means (email, USB, photos, among others). See https://www.welivesecurity.com/la-es/2017/07/28/claves-potencia-del-bitcoin/
- Once inside a mining network, the role of each member is to execute certain complex mathematical operations that require considerable computing power. For this contribution, and for the possible success of its validations, a percentage of a cryptocurrency is assigned to each member. Imagine that for lending our laptop to perform mathematical operations we were paid 100 dollars a day (assuming a high success rate in the mathematical processes performed).
- In order to store the earnings, it is necessary to have a wallet, in which the percentages of cryptocurrency resulting from the success of the mathematical computations will be collected.
To understand the widespread nature of these campaigns, it is important to be aware of the growth in the value of cryptocurrencies at the end of 2017.
This skyrocketing price of cryptocurrencies was definitely a wake-up call for cybercriminals, showing that there were opportunities to make money. As a result, it generated a change in the modus operandi of different cybercriminals.
The impact of cryptomining may not be as widely advertised in the media as the different ransomware variants (the most resounding among them being “WannaCry”); however, in terms of the technological operation of companies, this type of malware (cryptominers) may have an impact greater than or equal to that of ransomware.
By understanding the operation of a cryptomining network, it is relatively easy to deduce why attackers are interested in executing mining campaigns on business environments. The devices used to deliver services to users and/or clients handle a large amount of data, for which quite robust, high-performance computer systems are needed, and these can be used to considerably increase the probability of obtaining cryptocurrencies. It is important to take into account that these resources can be exploited by third parties with malicious intentions or by internal personnel with administration privileges on these devices, so the mitigation efforts implemented must also cover the internal vector, the misuse by administrators of the devices in their charge, an angle that organizations sometimes do not supervise.
New malware markets: from information “hijacking” to crypto-mining campaigns
Ironically, having ransomware, and having it executed, provided certainty: “the system had been compromised”. In cryptomining it is difficult to have that level of certainty: the attacker is much more silent, and the method of infection can be similar to that of any other malware (e.g. WannaCry), where the connection pivot was generated from a “dropper” that executes the malware, which is able to carry out activities on the target system undetected and even elevate privileges for writing and reading information. In many cases the same vulnerability used or exploited to spread ransomware can be used to spread cryptomining (EternalBlue).
Clearly the motivations for misusing technological resources are not insignificant, and this condition means that a wide range of threats will grow exponentially. The malware market has evolved from “hijacking” information to generating revenue through cryptomining.
What are the trends in the region regarding cryptomining?
The main problem of the region is, ironically, not technological but cultural. For some reason people tend to think that these types of incidents do not have a local impact, and that they are a topic that only concerns countries like the United States, Russia or China. Recent events have revealed attacks of this kind in Latin American corporate environments, particularly in countries such as Brazil, Colombia, Mexico, Peru and Ecuador. The most recent one is called PowerGhost.
This is a type of Trojan designed to install any type of malware on a target system.
According to the research of several security vendors, and as confirmed by ETEK International's cyberlab, this malware uses a combination of PowerShell and spreading via EternalBlue (the same exploit used to spread ransomware on many occasions).
In the analysis carried out, it was established that this type of code is capable of hiding behind apparently legitimate software and evading security controls. Other identified patterns are:
- Malicious behaviour and opening of random ports.
- Use of post-exploitation techniques such as Mimikatz to elevate privileges and search for other propagation vectors (even compromising user credentials and information).
- Use of evasion, anti-debugging and anti-sandboxing techniques.
- Other indicators of compromise are listed in the appendix of this article.
The main recommendations to be taken into consideration to mitigate or deal with these types of events are:
- Apply the security updates delivered by the different vendors on a regular basis. It sounds redundant, but it is the first preventive measure that can be applied. These attacks continue to exploit vulnerabilities that massively affected large companies in the past and which are still present (EternalBlue), making a company a target for attack because of its level of exposure.
- Prevent users from accessing sites with a low trust rating, or sites where the installation of some kind of software add-on is suggested.
- Keep IPS and anti-malware signatures updated, with regular update campaigns.
- Deploy security intelligence models with event correlation. They can be implemented with different technological solutions or contracted as a managed security service through a Security Intelligence Center.
- Model network traffic, identifying behavioral baselines that enable anomalies to be flagged.
- Monitor the actions executed on critical devices by administrators and other privileged users.
- Periodically evaluate new protection services to prevent, detect and contain this type of threat. Always check with your strategic information security partner for new market trends; this will allow you to have the best security guidelines for your business.
Indicators of compromise
AEEB46A88C9A37FA54CA2B64AE17F248 = https://threatexplorer.bluecoat.com/v2/tex#/file?q=AEEB46A88C9A37FA54CA2B64AE17F248
4FE2DE6FBB278E56C23E90432F21F6C8 = https://www.virustotal.com/#/file/f90bcf5b649ebb61d1b2a1a973c04312e3e72a71d4393ccbb12b9fa593637d62/detection
71404815F6A0171A29DE46846E78A079 = https://www.virustotal.com/#/file/a467974c13cbee341c08fd0a51c28bf7cc7e482ff078a9d0ed96371b2ced5d95/detection
81E214A4120A4017809F5E7713B7EAC8 = https://www.virustotal.com/#/file/e5d45d5dd213704a6f4a50db85717a6901cfe968eaa6cf9742480cf6c99ee51d/detection
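As an added example (not code from the original article), here is a small Python sweep that hashes every file under a directory and reports matches against the indicators above: the MD5 values from the list, and the SHA-256 values that appear in the article's VirusTotal links beside three of them. The demo helper and the benign sample file it writes are constructed so that the script runs offline; the one hit it reports is its own sample's hash fed back in as a test indicator.

```python
"""File-hash sweep against the indicators of compromise listed in the article.

Added example, not from the original article. The MD5 values are the article's
IoC list; the SHA-256 values are the ones embedded in the article's VirusTotal
links. demo() and the sample file it writes are constructed for illustration.
"""
import hashlib
import os
import tempfile

IOC_MD5 = {
    "aeeb46a88c9a37fa54ca2b64ae17f248",
    "4fe2de6fbb278e56c23e90432f21f6c8",
    "71404815f6a0171a29de46846e78a079",
    "81e214a4120a4017809f5e7713b7eac8",
}
IOC_SHA256 = {
    "f90bcf5b649ebb61d1b2a1a973c04312e3e72a71d4393ccbb12b9fa593637d62",
    "a467974c13cbee341c08fd0a51c28bf7cc7e482ff078a9d0ed96371b2ced5d95",
    "e5d45d5dd213704a6f4a50db85717a6901cfe968eaa6cf9742480cf6c99ee51d",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large files fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, md5_set=IOC_MD5, sha256_set=IOC_SHA256):
    """Walk `root` (without following symlinks) and return [(path, md5, sha256)] for matches."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if md5 in md5_set or sha256 in sha256_set:
                hits.append((path, md5, sha256))
    return hits


def demo():
    """Constructed self-check: a benign file yields no hits; then its own MD5 is used as a test IoC."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "benign.txt")
        with open(sample, "wb") as fh:
            fh.write(b"constructed benign sample, not malware\n")
        clean_hits = sweep(root)
        own_md5, _ = hash_file(sample)
        test_hits = sweep(root, md5_set={own_md5}, sha256_set=set())
        return len(clean_hits), len(test_hits)


if __name__ == "__main__":
    print(demo())  # (0, 1)
```

A hash match is exact-file evidence only: a recompiled or repacked sample will not match, which is why the behavioural patterns listed earlier matter more for hunting than the hash list alone. Point `sweep()` at a copied or mounted image rather than a live system disk where possible, so the sweep itself does not alter access times on evidence.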
Related containment signatures:
HTTP: Microsoft Win32k Elevation of Privilege Vulnerability (CVE-2018-8120).
NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144).
Don’t forget all those related to vulnerability MS17-010.
Mining is the new black – https://securelist.com/mining-is-the-new-black/84232/
A mining multitool – https://securelist.com/a-mining-multitool/86950/
Fileless Malware PowerGhost Targets Corporate Systems – https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fileless-malware-powerghost-targets-corporate-systems
PowerGhost: new cryptocurrency miner targets corporate networks in Latin America – https://latam.kaspersky.com/blog/powerghost-nuevo-minero-de-criptomonedas-apunta-a-redes-corporativas-de-america-latina/13206/
5 keys to understanding the power of bitcoin – https://www.welivesecurity.com/la-es/2017/07/28/claves-potencia-del-bitcoin/