This week’s InfoSec news roundup will cover cryptomining, the latest insights on DDoS amplification, updates on recent data breaches, and another vendor claiming it can access iPhones.
I, me, mine
Cryptomining continues to surge unabated, with its cybersecurity ramifications growing in seriousness.
Just this week, Microsoft identified and interrupted a significant cryptomining malware operation, a Tesla AWS account was compromised, a new mining worm was uncovered, and Kaspersky researchers cautioned against evolving infection techniques.
While there is a legitimate aspect to this industry, malicious hackers are zealously infiltrating networks and infecting a variety of devices — PCs, IoT devices, smartphones, servers — to appropriate processing power for mining digital currencies.
Generating and verifying cryptocurrencies such as Bitcoin and Monero requires solving extensive and intricate mathematical problems that demand substantial computational power. Those participating in this “blockchain” process receive compensation, and these payments have soared as the values of these cryptocurrencies have risen sharply in recent months.
This spike has attracted interest not only from legitimate entities — individuals and companies — but unfortunately, also malicious actors exploiting malware to gain unauthorized access for mining purposes.
“Exploit kits are now delivering coin miners instead of ransomware. Scammers are integrating coin mining scripts on tech support scam sites. Additionally, certain banking trojan families have incorporated coin mining behavior,” stated Microsoft’s Windows Defender team in a blog post.
Between September and January, websites hosting cryptomining scripts saw a 725% increase, according to a recent report from Cyren Security Lab. This statistic includes domains knowingly hosting these scripts and those compromised in breaches.
Cryptomining attacks are designed to be stealthy: they aim to avoid significantly disrupting the operations of breached systems, thus remaining unnoticed. “For coin miner malware, persistence is crucial. These types of malware employ various techniques to remain undetected over extended periods to utilize stolen computing resources for mining,” according to Microsoft’s blog.
Thus, cryptomining offers hackers “all of the financial incentives” of ransomware and other attacks without the need to intervene directly with victims and while attracting less attention from law enforcement, as explained by Cisco’s Talos unit in late January.
As industry analyst Jason Bloomberg noted recently in a Forbes column, “ransomware is so last year,” as “intelligent hackers have shifted to illicit cryptomining to increase their gains” enticed by a perfect blend of “easy profits, minimal likelihood of detection, and countless unsuspecting victims who may not even realize they’ve been compromised.”
Last month, Imperva reported that cryptomining now accounts for nearly 90% of all remote code execution attacks. Kaspersky Lab estimated the number of users targeted by malicious miners to be 2.7 million in 2017, a 50% rise from 2016. Additionally, according to Check Point, 23% of organizations worldwide faced effects in January from the Coinhive crypto-mining malware.
Meanwhile, Malwarebytes Labs ranks malicious cryptomining as its leading detection since September. While noting that malicious cryptomining appears to be significantly less harmful to users than ransomware, Malwarebytes Labs cautioned that its impact should not be overlooked. “Uncontrolled miners could severely disrupt crucial business or infrastructure processes by overloading systems to the point of becoming unresponsive or shutting down,” the Malwarebytes Labs post states.
Recent breaches have impacted organizations such as the U.K.’s Information Commissioner’s Office (ICO), U.S. federal courts, Australian state governments, and the LA Times newspaper.
Attack targets have included vulnerable Jenkins servers, unsecured Docker containers, Microsoft Windows environments, and various web browsers. Attackers have employed a range of methods, including malvertising, email trickery, malware-laden apps, targeted attacks, and exploit kits.
For instance, the coin mining operation detected by Microsoft’s Windows Defender team recently utilized variants of the Dofoil/Smoke Loader malware, employing sophisticated trojan techniques with “advanced cross-process injection methods, persistence features, and evasion tactics.”
The Dofoil trojans targeted Explorer.exe using a “process hollowing” code injection method that launched a new instance of the “c:\windows\syswow64\explorer.exe” process and replaced the genuine code with the malware.
“The hollowed Explorer.exe process then creates a second malicious version, which drops and executes mining malware disguised as a legitimate Windows file, wuauclt.exe,” Microsoft elaborated. Dofoil employs a specialized mining application capable of mining various cryptocurrencies and modifies the system registry to evade detection, as reported by Microsoft.
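The chain Microsoft describes (a hollowed explorer.exe spawning an impostor wuauclt.exe) is the kind of thing process-creation telemetry can catch. The following is an added example for this roundup, not Microsoft's or Qualys's code; the event records are constructed, Sysmon-style process-creation entries, and the field names and directory whitelist are assumptions for the example.

```python
"""Flag the Dofoil-style chain from the post: explorer.exe launched from
SysWOW64, and a wuauclt.exe running from a non-system directory with
explorer.exe as its parent. Rules are heuristics, not a full detection."""
import ntpath

# Directories the genuine Windows Update client binary lives in (assumption).
LEGIT_WUAUCLT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

EVENTS = [  # constructed sample process-creation events
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"pid": 4188, "image": r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe",
     "parent_image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 5001, "image": r"C:\Windows\System32\wuauclt.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},   # ordinary update client
    {"pid": 5100, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},  # ordinary user shell
]

def _name(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def syswow64_explorer(event):
    """The user shell normally runs from C:\\Windows; an explorer.exe started
    from SysWOW64 matches the path named in Microsoft's write-up."""
    return _name(event["image"]) == "explorer.exe" and _dir(event["image"]) == r"c:\windows\syswow64"

def impostor_wuauclt(event):
    """A process named wuauclt.exe running from outside the system directories."""
    return _name(event["image"]) == "wuauclt.exe" and _dir(event["image"]) not in LEGIT_WUAUCLT_DIRS

def explorer_spawned_wuauclt(event):
    """explorer.exe as the parent of wuauclt.exe, the chain described in the post."""
    return _name(event["image"]) == "wuauclt.exe" and _name(event["parent_image"]) == "explorer.exe"

RULES = (("explorer.exe launched from syswow64", syswow64_explorer),
         ("wuauclt.exe outside system dir", impostor_wuauclt),
         ("explorer.exe spawned wuauclt.exe", explorer_spawned_wuauclt))

def find_suspicious(events):
    """Return (pid, [matched rule names]) for every event matching at least one rule."""
    hits = []
    for ev in events:
        reasons = [label for label, rule in RULES if rule(ev)]
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits

if __name__ == "__main__":
    for pid, reasons in find_suspicious(EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```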
And we must not overlook physical, real-world security breaches. The Associated Press reported that criminals stole 600 servers from data centers in Iceland, which were being utilized for cryptomining. These servers, valued at $2 million, remain missing and were taken in a series of four burglaries in December and January. Thus far, 11 individuals have been arrested in connection with the ongoing investigation.
Memcached servers exploited for DDoS attacks
Last week, we examined the concerning trend of hackers using unsecured Memcached servers to significantly amplify the power of their DDoS attacks. GitHub was recently the target of such an attack, which was characterized as the largest ever.
That record was short-lived. This week, Arbor Networks identified an even larger DDoS attack against an unnamed client of a U.S.-based service provider. The attack reached a peak of 1.7Tbps and utilized the same Memcached reflection/amplification attack method as the GitHub incident, which peaked at 1.35Tbps.
The open-source Memcached software was intended for use behind firewalls in internal networks to enhance server efficiency, yet many organizations have made their Memcached servers accessible from the Internet, allowing hackers to vastly enhance their DDoS operations.
“As the internet community unites to restrict access to numerous exposed Memcached servers, the sheer volume of openly available servers will perpetuate this vulnerability for attackers,” states Arbor Networks’ blog post.
For comprehensive insights on this trend where attackers exploit the User Datagram Protocol (UDP), refer to reports from Akamai, Link11 and Cloudflare.
“An attacker can spoof the UDP address of their intended target and send a small packet of data to a Memcached server, tricking it into sending back as much as 50,000 times that amount in response,” security analyst Graham Cluley observed. “The outcome? A data tsunami.”
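The spoofed-source, small-request, huge-response pattern Cluley describes leaves a signature in flow data: large 11211/UDP responses converging on one destination from several reflectors. The following detection sketch is an added example for this roundup, not code from the original post or from Arbor, Cloudflare or Akamai; the flow records are constructed, and the thresholds are assumptions.

```python
"""Flag likely Memcached (UDP/11211) reflection traffic in NetFlow-style records.
Each record is (src, sport, dst, dport, proto, packets, bytes)."""
from collections import defaultdict

MEMCACHED_PORT = 11211
# A reflected response many times larger than any plausible request (assumed threshold).
MIN_AMPLIFIED_BYTES = 10_000
# Distinct reflectors aimed at the same destination before we call it a victim (assumed).
MIN_REFLECTORS = 3

FLOWS = [  # constructed sample flows
    ("198.51.100.10", 11211, "203.0.113.5", 40000, "udp", 20, 1_400_000),
    ("198.51.100.11", 11211, "203.0.113.5", 40000, "udp", 19, 1_350_000),
    ("198.51.100.12", 11211, "203.0.113.5", 40000, "udp", 21, 1_420_000),
    ("192.0.2.7", 11211, "192.0.2.8", 53100, "udp", 1, 90),       # normal small cache reply
    ("192.0.2.9", 443, "203.0.113.5", 50123, "tcp", 30, 42_000),  # ordinary HTTPS traffic
]

def amplified_memcached_flows(flows):
    """Flows sourced from 11211/UDP whose volume is far above a normal cache response."""
    return [f for f in flows
            if f[4] == "udp" and f[1] == MEMCACHED_PORT and f[6] >= MIN_AMPLIFIED_BYTES]

def reflection_victims(flows):
    """Group amplified flows by destination. A host receiving large 11211/UDP
    responses from several distinct reflectors is the likely target.
    Returns {victim_ip: (reflector_count, total_bytes)}."""
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for src, _sport, dst, _dport, _proto, _pkts, nbytes in amplified_memcached_flows(flows):
        reflectors[dst].add(src)
        volume[dst] += nbytes
    return {dst: (len(srcs), volume[dst])
            for dst, srcs in reflectors.items() if len(srcs) >= MIN_REFLECTORS}

def amplification_factor(request_bytes, response_bytes):
    """Ratio of the reflected response to the spoofed request that triggered it;
    the post cites figures as high as 50,000x."""
    return response_bytes / request_bytes

if __name__ == "__main__":
    for victim, (count, total) in reflection_victims(FLOWS).items():
        print(f"{victim}: {count} reflectors, {total} bytes of 11211/UDP responses")
```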
In a positive development, eWeek reported on Friday that patching efforts are starting to mitigate these amplified DDoS attacks, according to the most recent findings from Arbor and Cloudflare. “Although we still encounter many of these attacks, their average scale has decreased significantly due to ongoing cleanup and mitigation initiatives,” remarked Steinthor Bjarnason, senior network security analyst at Arbor’s Netscout unit, to eWeek.
Another digital forensics company claims to unlock iPhones
Following Cellebrite’s recent assertions that it can unlock and extract information from devices operating all current iOS versions, another digital forensics firm is quietly making similar claims.
Forbes reported this week that a “mysterious” organization known as GrayKey is distributing marketing materials outlining both online and offline tools that can unlock devices operating iOS 10 and iOS 11, including the latest iPhone X.
Forbes’ February report regarding Cellebrite’s assertions — which also encompass Android devices — sparked considerable concern within privacy and security circles.
Cellebrite has been informing its clientele, primarily comprising governmental, military, and corporate investigative bodies, that it can unlock and extract data from devices operating iOS 11, including the iPhone X, in addition to other iPhone, iPad, and iPod models.
Worries center around the potential for the techniques and knowledge held by Cellebrite — and now seemingly by GrayKey — to fall into the wrong hands, be replicated by malicious entities, or be misused by government authorities.
This scenario underscores the ongoing conflict between technology providers and law enforcement agencies, as the former resist diluting encryption on their products, while the latter argue for the necessity of access to devices and data for their investigations.
On the topic of law enforcement’s aversion to strong encryption
This week, FBI Director Christopher Wray reiterated his agency’s objections to “unbreakable encryption” at Boston College’s second annual cybersecurity summit, describing it as “a significant public safety concern,” according to a CSO Magazine report.
Wray remarked that in fiscal 2017, FBI investigators were unable to retrieve the contents of 7,775 devices, even with court authorization. He appealed passionately for cooperation from the tech sector and the security community, as noted by CSO.
In related news, it emerged that the FBI has formed a close partnership with Best Buy’s Geek Squad team of computer repair technicians. Per documents obtained by the Electronic Frontier Foundation (EFF), the FBI has been compensating Geek Squad members for tips about illegal materials they might encounter while fixing computers.
Data breach served with your meal, your video game, and your credit report
The Applebee’s restaurant chain recently identified malware in the POS (point of sale) systems of over 160 locations. Customer data at risk includes names, credit and debit card numbers, expiration dates, and CVVs.
These breaches occurred over several months, dating back to November of last year, but Applebee’s only discovered the problem in mid-February.
“We are noticing an uptick in such breaches… it’s an industry-wide issue as more retailers rely on a network of providers for third-party systems such as point of sale and inventory management solutions,” Fred Kneip, CEO of security firm CyberGRX stated to Threatpost. “Currently, many stores are struggling to enhance their security, and it can take months or years to realize that breaches have occurred in third-party systems.”
Moreover, customers of game developer Nippon Ichi Software (NIS) America are also at risk for credit card fraud and identity theft after two of its online stores — NIS America and SNKonlinestore — were hacked.
The breach occurred on January 23 and wasn’t detected until February 26. Compromised data included customer names, addresses, credit card numbers, expiration dates, security codes, and email addresses.
As per the email sent by NIS America to customers — as reprinted by NintendoLife.com — customers were redirected to an external page where their information was collected before returning to the company’s online store for transaction completion.
In another development related to the enormous Equifax data breach, it was recently disclosed that an additional 2.4 million Americans had their personal data stolen by hackers in last year’s monumental breach. This raises the total affected individuals to approximately 148 million. The attackers accessed Equifax’s information systems by exploiting the Apache Struts CVE-2017-5638 vulnerability, for which a patch was readily available.
In other InfoSec updates …
- Duo Security, which offers a two-factor authentication app, has detailed a serious vulnerability it recently resolved and has also described the root cause of the flaw: a class of SAML vulnerabilities that affects third-party services as well. “Duo responsibly disclosed the issue late last year, and after providing vendors — including itself — time to address the bug, has now shared a comprehensive and informative account of what transpired,” writes Lisa Vaas in Sophos’ Naked Security blog.
- Facebook’s Oculus Rift VR headsets encountered issues after the company allowed its security certificate to expire.
- MoviePass CEO Mitch Lowe raised privacy concerns when he boasted this week at a keynote address that his company’s app has such capabilities to monitor its subscribers — including via GPS data — that “we know all about you.” After significant backlash, the company announced the following day it would eliminate the app’s location tracking features.
With the Qualys Cloud Platform and its suite of natively integrated, self-updating security and compliance Cloud Apps, Qualys offers automated, continuous, and scalable prevention and response. Qualys delivers clients with complete and instantaneous visibility of IT assets regardless of their location — on premises, in the cloud, or remote endpoints; comprehensive and ongoing vulnerability management; detailed assessment of secure system configurations; file integrity monitoring; web application scanning and firewall; detection of compromise; and numerous additional security and compliance solutions.