Posts

3 Ways to Prevent Cryptominers from Stealing Your Processing Power

Visiting a website is no longer what it used to be.

Despite this hilarious Imgur post, there is a different trend you may not have noticed: cryptomining via the browser. Many news and procrastination (e.g., BuzzFeed) websites add dozens of trackers to monetize the experience.

However, some sites may also use your browser to mine cryptocurrencies (e.g., bitcoin, Ethereum or Monero) for their own financial gain. The mining stops once you leave, but there is a popular new form of malware that attempts to turn your device into a full-time cryptocurrency mining bot called a cryptojacker. Cryptojacking’s threat to your endpoint or business is based on three things:

  • The energy it consumes or wastes
  • The damage it can do to a system
  • The loss to productivity due to limited resources.

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background although your CPU performance graph or device’s fan may indicate something is not normal.

Despite our vigilance and knowledge of the warning signs, a report from the Ponemon Institute stated the average length of time for an organization to discover malware or a data breach in 2017 was 191 days.

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking may solve that.

For example, the Apple App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero cryptocurrency while open. It reportedly made $2,000 in two days before it was pulled from the App Store.

The Lure of Cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60 percent of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Unlike ransomware, and more akin to traditional malware, stay hidden for as long as possible.

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

How to Know if You are Infected by Cryptominers

Cryptominers are interested in your processing power, and cryptojackers have to trade off stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to Defend Against Cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats. Since people like to reuse old code, catching cryptojackers like CoinHive can be a simple first step.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

In the case of SonicWall Capture ATP, the multi-engine sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

To learn more about how you can defend your organization from these threats I recommend reading this white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud.”

Cryptocurrency, Ransomware and the Future of Our Economy

History is full of people who’ve labored over missed opportunities. Like all other non-bitcoin-owning people, I am one of them.

I first heard of cryptocurrency in early 2013 and scoffed at the idea that something with no intrinsic or collectable value would trade for $20. The concept of owning a portion of a cryptographic code — and it having actual value — is still hard for many to swallow.

Now that an available bitcoin (BTC) is valued at over $19,000 (USD), I languish the fact that an investment of $1,000 in 2013 would have net me half of a million dollars today. Furthermore, had I been tuned into the movement in 2010, I would be a billionaire today. You too. Stings a little, doesn’t it?

At no point in history has it been so easy to become extremely wealthy out of thin air. And it is not just people like you and me who think about this, but criminals as well. This is not only causing major shifts in financial markets, but also in malware development.

What is Cryptocurrency?

With all of the noise about cryptocurrency, here is what we know as we near 2018:

  • There are, or have been, over 1,300 other cryptocurrencies on the market. These are called altcoins.
  • Most people have never owned a single “coin” from any blockchain.
  • Most have no basis for value, which means it’s subjective and speculative (e.g., like a baseball card or an artistic sketch). The community dictates the value.
  • Some are tied to a real currency (e.g., 1 Tether coin = $1 USD).
  • Governments struggle with regulation and don’t want to encourage the use of decentralized currencies.
  • They often function like startups. Founders get an early crack at the supply chain and hold an equitable stake in the algorithm. Instead of a stock IPO they release them as part of an Initial Coin Offering (ICO).
  • Most of the popular coins cannot be mined by your computer anymore. Today, it’s only achieved through professional-grade mining operations.
  • No one knows how high or low bitcoins and cryptocurrency will go; either they will die or become the basis for our future economy.
  • The popular coins today are desired by cybercriminals and are the main form of payment within ransomware.
  • Like a TLS digital certificate, cracking the actual encryption is nearly impossible. Bitcoins are, however, fairly easy to steal and even easier to lose or destroy.
  • Malware is used to steal coins and to also turn infected endpoints into mining bots.

Bitcoin Is the Great Ransomware Enabler

Because cryptocurrency is virtually un-trackable, holds great value and is easily traded online, they are the preferred way to get paid on the black market. Without the value of bitcoin, you wouldn’t have heard about ransomware.

Ransomware is responsible for causing billions of dollars (USD) in damage across the world. Furthermore, the actual cost of the problem isn’t the cost of bitcoin to return your files (if you ever get them back), but the fallout from an attack.

Ransomware is fun for the media because you can easily quantify the ransoms and take photos of the demand screens, but not so fun for hackers. Through the development, updates and propagation of the malware, only between five and 10 percent of people pay the demands. But there is another way.

Bitcoin Mining

Instead of having your victims pay you once, what about having your victims unknowingly work for you? Well, that is what a lot of malware is doing today. By leveraging a portion of your compute power to form a bitcoin mining pool, hackers don’t have to kill the goose that lays the golden egg.

The result? The home computer has less power to run normal processing and incurs higher energy costs. When this approach works its way into a corporate network, it could cause major productivity and service issues.

For some hackers, these two attack vectors are small-time thinking. Instead of counting on a distributed attack vector across a global landscape of endpoints with mixed vulnerabilities, what about a single targeted attack?

Hackers don’t attack the algorithm behind the coins, they attack where they are stored. Cryptocurrency banks and exchanges are ripe targets for attacks. If you factor in the price of a bitcoin (at the time of I started writing it was $8,160 and after editing its $16,000) — the second Mt. Gox attack emptied bitcoin wallets to the tune of over $11 billion USD. Wow! At the time, the bitcoin haul was nearly 744,000 coins worth $436 million USD and caused the value of bitcoin to fall to a three-month low.

Cryptocurrency: Is it the Future?

Like most dual-sided arguments, those inside a social ecosystem are bullishly optimistic. Those outside remain pessimistic. I’m in between. I see the opportunity to capitalize on the attention, but recognize the many limitations behind cryptocurrencies that cap their viability into the future.

I’ve never owned a bitcoin coin but have entered into a few key platforms for the short-term. As mentioned, the value is purely subjective, much like an arbitrary piece of art, which can be a good investment as long as there is a large pool of people with the financial ability to support and bloat its value.

What is the difference in value between this rare Honus Wagner T206 card ($3.12 million USD) and the common Dusty Baker’s 1987 Topps card ($0.70 USD)? The answer lies in the availability of the item and the demand from the consumer.

Bitcoin, Ethereum and Monero all have value because a community of people feels it does. The more people who enter this pool, the greater the potential value. Some are investors and others are victims buying a ransom. But what truly drives the cost of bitcoin is attention — just like a piece of sports memorabilia. When you mirror Google’s search trend data to the historical price of BTC, you see a direct correlation.

What does this tell me? Once the attention fades, people will lose interest. At that point, the price will come down, similar to a Derek Jeter autographed baseball. Additionally, as ransomware becomes less effective, fewer people will buy bitcoin for the sake of digital freedom. And that freedom is the primary thing cryptocurrency can buy.

In the past year, every time the price of bitcoin dropped the Chicken Littles of the world wanted to be the first to cry out, “The sky is falling!” I do believe there will come a time when bitcoins will have the value the 1986 Topps Traded Pete Ladd sitting in the back of your closet (less than $1), but its value won’t crumble in a day.
With the remaining 1,000-odd altcoin cryptocurrencies (that currently hold value) out there with a collective market cap of over $400 billion (at the time of writing), it would take a lot for crypto-investors to create the needed fire sale that would cause the market’s topple. Instead, I see it like the Ice Age; built in stages and then a slow recession.

The altcoins wouldn’t exist today if bitcoin wasn’t popular and a goldmine for the early investors. The creators of these algorithms are like the leaders of pyramid scams. They created the rules and the ecosystem to make money and only exist if their supporters exist, much like an Amway Double-Dutch Triple-Black Platinum Diamond Founder’s Crown Elite Wizard. These will be the first to die. The beginning of their end is when bitcoin hits a plateau lasting more than two months.

In the Ice Age analogy, bitcoin is much like a large glacier that icicles attach to. As the sun shines, they will melt, leaving only the strongest cryptocurrencies to linger. I see bitcoin and Ethereum lasting for years, but only at a small price point. The coins in active circulation will be mostly in the possession of cyber criminals (if they aren’t already) and will be sold to the victims of cybercrimes to pay ransoms until the practice to buy cryptocurrency is outlawed country by country.

And, with that, the official death of ransomware.

Death in a Cathedral

Thirty years from now when we look back at cryptocurrency, we will reminisce about the second coming of the roaring ‘20s. Without the presence of Babe Ruth and the Charleston, we’ll have great unregulated wealth that comes to a crash.

In my conservative outsider-ish advice, I recommend minor, short-term cryptocurrency investments that you are not afraid to lose. Watch the price of bitcoin. When you see a plateau lasting a month, sell. (However, I’m not a financial advisor and I have no fiduciary duties to you. Please do your own research.)

Remember the old adage: movements are built in caves and die in cathedrals. Bitcoin is in the cathedral phase of its life. And if you understand the politics and history of cathedrals, you would be wary of entry. If not, read The Gothic Enterprise: A Guide to Understanding the Medieval Cathedral. Pay attention to fallout surrounding the bankrupt Bishop Milo de Nanteuil.

The Marriage Between Malware & Cryptocurrency

Another adage I was raised with, “make hay when the sun shines,” is what hackers are doing today. As the flames of bitcoin flare, more moths will be drawn to its light. The illicit creation, extortion and theft of digital coins will drive the price to an all-time high.

Because of the outrageous volume of ransomware infections of 2016, and the infamous attacks in 2017, malware defense is at an all-time high too, but it is not enough. Network and end-point security needs to be a serious topic of discussion.

At SonicWall, we’ve made great strides to get ahead of the cryptocurrency attacks; far before a hunk of digital code was valued at dollar volumes higher than what your grandfather paid for his first home.

Before the public release of Zcash, we released the SonicWall Capture Advanced Threat Protection service, which is a cloud-based network sandbox that works in line with SonicWall next-gen firewalls to run and test suspicious code in an isolated environment to prevent newly developed ransomware attacks (and other forms of malware too).

To bolster endpoint protection, we created an alliance with SentinelOne to provide an enhanced endpoint security client framework to provide next-generation anti-virus capabilities to our current endpoint offerings.

To learn more on how SonicWall can prevent malicious attacks, please read our solution brief, Five Best Practices for Advanced Threat Protection. If you’d like to discuss this blog, the marriage between malware and cryptocurrency, and to send your potentially future-worthless digital collectibles, reach out to me on Twitter.