Posts

Cryptojacking Continues Crushing Records

/0 Comments/in /by

In the early 2020s, ransomware raced upward quarter after quarter, with seemingly no end in sight. But its rush to ascendence was so rapid that it caught the attention of law enforcement, governments and cybersecurity staff, who began working overtime to raise awareness and prevent attacks, and to more quickly catch attackers and bring them to justice when they did occur.

When high-profile cybercriminal arrests occur, it’s often said that one bust is unlikely to move the needle when it comes to cybercrime. But what about dozens? We’re halfway into 2023, and it looks like out of these busts, general network hardening and a growing emphasis on resiliency, something seems to be having an effect.

According to exclusive threat data published in the 2023 SonicWall Cyber Threat Report Mid-Year Update, ransomware fell a staggering 41% in the six months between New Year’s Day and the 30th of June, with every region seeing a decline. Combined with 2022 data, which shows volume falling in every quarter save Q4, lower ransomware volumes have gone from being an anomaly or part of the background ebb-and-flow to bona fide trend. But why?

We’re All Just Looking for Security. (Even Cybercriminals.)

It’s already becoming harder to believe, but there was a time when cybercriminals aspired to be household names. Ransomware groups attempted to trade on their reputation to more reliably collect huge sums of money, but in the age of greater scrutiny, notoriety has become a liability.

To be clear, ransomware isn’t going away—threat trends are cyclical, and despite being despicable, crime still pays. But based on our data, cybercriminals in 2023 seem to be favoring a much greater degree of subtlety, slinking back into the shadows to conduct their craft in secret. When the question changes from “How can we make the most money possible” to “How can we best make money without getting caught,” the answer changes, too—and so far this year, that answer has been encrypted threats, IoT malware and cryptojacking.

Attacks over HTTPs rose 22% in the first half of 2023, enough to give SonicWall the highest year to date volume of any year since SonicWall began tracking this threat type. And IoT malware jumped to 77.9 million, up 37% over this time in 2022 and higher than any other six-month period on record. But it was cryptojacking that saw the most growth.

Cryptojacking’s Climb Accelerates

Until 2022, cryptojacking hits had never surpassed the 100 million mark during any year. But the full-year total for 2022 reached 139.3 million, a record high.

In 2023, cryptojacking had surpassed even that high water mark by early April … and then continued to grow. In all, cryptojacking volume in the first half of 2023 reached 332.3 million, an increase of 399% year-to-date.

Four months out of six set new monthly volume records, and the amount of cryptojacking seen in May 2023—77.6 million hits—eclipsed the full year totals recorded in 2018 and 2019, and easily surpassed total mid-year volume for 2020, 2021 and 2022.

Who’s Being Targeted?

In short, everyone: Every region saw an increase in cryptojacking compared with the first half of 2022. With the exception of Asia, which saw just 1% more cryptojacking year-to-date, these spikes were substantial. Latin America recorded 32% more cryptojacking than in the first half of 2022, but even this was small compared with the 345% increase observed in North America. Worse, Europe saw a staggering 788% spike.

A country-by-country look also shows massive increases. The U.S. saw 340% more cryptojacking hits than in the first six months of 2022. And in Europe, Germany and the U.K. recorded increases of 139% and 479% respectively. India provided a rare counterexample—cryptojacking hits there actually fell 73% year to date.

Cryptojacking by Industry

Unfortunately, a look at cryptojacking by industry shows no such bright spots. In all the industries we studied in depth, cryptojacking was up—and not just a little bit.

To be clear, cryptojacking numbers were quite small leading up to 2023—and any time you’re dealing with fairly small numbers growing very quickly, percentage increases become a less useful way to look at this change than factor increases.

In the first six months of 2023, the number of cryptojacking hits on retail customers more than doubled, with the average percentage of customers targeted each month rising from .06% to .3%.

Finance customers saw 4.7 times the number of cryptojacking hits, with percentage targeted on a monthly basis increasing from .05% to .36%.

Those working in healthcare recorded 69 times the number of hits than in the first half of 2022, with the percentage of customers targeted spiking from .06% to .32%.

Our government customers were targeted by 89 times the amount of cryptojacking compared with this time last year—with average percentage of customers seeing an attack each month jumping from .17% to .37%.

But education customers recorded the biggest increase: Cryptojacking on education customers skyrocketed to a staggering 320 times the number of attacks recorded in the first half of 2022, with the percentage of customers being targeted monthly averaging .19% last year and .55% this year.

Where Will Cryptojacking Go from Here?

While any prediction is an imprecise science, based on historical data alone, we can expect cryptojacking to continue to rise as 2023 wears on. But even if it doesn’t, cryptojacking volumes for 2023 still stand an excellent chance of surpassing the combined volumes of every year before it, all the way back to 2018 when SonicWall began tracking this threat type.

Regardless of what happens, SonicWall will continue to closely monitor cryptojacking levels—and with the threat of cryptojacking on the rise, expect expanded coverage of this attack type when our next Cyber Threat Report is released at the beginning of 2024.

Until then, you can learn more about cryptojacking, ransomware and other threats—along with which locations and industries are being targeted—in the Mid-Year Update to the 2023 SonicWall Cyber Threat Report.

First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows

/0 Comments/in , /by

Over the past five years, cybercriminal groups have become increasingly corporatized. The early 2020s even saw them starting to market themselves as they endeavored to become widely known — both to be taken more seriously and to build a reputation for “fair” dealings with their victims. Lesser-known groups were even known to borrow the branding of larger groups, hoping to cash in on the brand recognition surrounding them.

But while the paychecks kept pouring in, cybercriminal groups seemed to lose sight of one thing: they weren’t legal entities in the way the corporations they emulated were. In fact, there was nothing legal about them at all, as many were reminded when politicians and law enforcement ramped up enforcement efforts and they found the long arm of the law pointed squarely in their direction.

After every cybercriminal arrest, the same refrain is repeated: “We applaud the efforts of law enforcement, but we don’t expect the bust to bring about lasting change.” But a look at data from the first half of 2023, as reported in the just-released Mid-Year Update to the 2023 SonicWall Cyber Threat Report brings this accepted notion into question, as we’ve seen threat actors begin to shun the spotlight and focus more on lower-risk activities such as cryptojacking, IoT malware and encrypted threats.

A graph depicting the rise of cryptojacking hits in 2023.

Malware Continues its Migration

Malware remained essentially flat year-to-date, falling just two percent compared with the first half of 2022. But that doesn’t mean there isn’t a great deal of change going on below the surface. With 1.3 billion hits (out of a global total of 2.7 billion), North America still sees the lion’s share of malware, but it was also the only region to record a decrease. In contrast, Europe and LATAM saw double-digit growth, suggesting that cybercriminals are shifting their attention to new shores.

Customers working in education and finance saw particularly large increases in malware, though none of the industries we examined showed a decrease.

Ransomware is Down, but Poised for a Turnaround

If cybercriminals are showing a greater interest in remaining under the radar, then a decrease in ransomware — a form of cybercrime that relies on the threat actors announcing and introducing themselves — should be expected. Still, with attack volumes down 41% over the first six months of 2022, many might wonder whether cybercriminals are giving up on ransomware for good.

There are a number of reasons we don’t think so, one of which is the trend line for ransomware as we moved through 2023. While the year-to-year trend line still points downward, on a month-by-month basis, we’ve actually seen ransomware rise, with a second quarter 74% higher than the first.

Cryptojacking’s Record Surge Continues

But if ransomware is down, what’s rising to take its place? We’ve seen an increase in several attack types, but perhaps the most pronounced has been in cryptojacking.  The number of cryptojacking hits reached 332 million hits in the first half of 2023, up a staggering 399% year-to-date. This not only represents a new record high — it also puts 2023 on track to see more cryptojacking hits than all other years on record combined.

IoT Malware Jumps by More Than a Third

SonicWall Capture Labs threat researchers noted a continued increase in the amount of IoT malware in the first half of 2023, jumping 37% to 77.9 million. At this rate, the number of IoT malware attacks will easily eclipse last year’s total, itself a record high.

As we’ve seen with other threat types, North America saw a decrease in attacks. At a modest 3%, however, this dip was more than made up for by triple-digit jumps in Asia and Latin America. India, in particular, saw an outsized number of these attacks: IoT malware there skyrocketed 311%.

Malicious PDF and Office Files Fall by Double Digits

The number of attacks involving malicious PDFs dropped 10% in the first six months of 2023, but there was an even bigger decrease in the use of malicious Microsoft Office files: Those attacks fell a staggering 75% compared with the same time period in 2022. Some of this drop may be due to Microsoft’s recent efforts to increase security, but time will tell whether this is a sustained downturn or whether cybercriminals make inroads around these new restrictions.

“The seemingly endless digital assault on the enterprise, governments and global citizens is intensifying and the threat landscape continues to expand,” said SonicWall President and CEO Bob VanKirk. “Threat actors are relentless, and as our data indicates, more opportunistic than ever before, targeting schools, federal governments and retail organizations at unprecedented rates. The 2023 SonicWall Mid-Year Cyber Threat Report helps us understand both the criminal mindset and behavior, which will in turn help organizations protect themselves and build stronger defenses against malicious activities.”

Read the full report here.

Latest Threat Intelligence Reveals Rising Tide of Cryptojacking

/0 Comments/in /by

Threat actors looking for a steadier (and stealthier) income stream pushed cryptojacking to record highs in 2022.

Late February was a wakeup call for anyone who still thought it was a good idea to illegally download software: Researchers identified a new version of cryptojacking malware hiding within cracked versions of Apple’s Final Cut Pro video editing app. This macOS-targeting malware was designed to turn the tables on pirates by hijacking their computers and using them to illegally mine Monero.

While this isn’t the first time XMRig, a perfectly legal cryptominer, has been identified in pirated Final Cut Pro software, this version is particularly stealthy. If a user happens to notice their machine’s performance is suffering and opens Activity Monitor to find the source of the trouble, XMRig shuts down to avoid detection, then relaunches once Activity Monitor is closed.

What is Cryptojacking?

Cryptojacking refers to the act of using a computer or other device to mine cryptocurrency without the knowledge or consent of the device’s owner. This process is often very resource-intensive, and can cause the device’s performance to suffer or result in higher electric bills for the target.

Cryptojacking Reached Record High in 2022

While companies such as Apple are working to bolster their defenses against cryptojacking campaigns, recent data suggests this may continue to be an uphill battle.

In the 2023 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers reported a 43% year-over-year increase in cryptojacking attempts in 2022. This spike pushed attack volume past the 100-million mark for the first time ever and set a new record high of 139.3 million attacks by year’s end.

SonicWall also observed a shift in the locations being targeted. While North America experienced a 36% year-over-year increase, Asia and Europe both saw triple-digit increases, with the latter recording 6.5 times the number of attacks in 2022 as in 2021.

As noted in the report, some of this growth may be due to threat actors supplementing or shifting from ransomware to more low-profile revenue streams. At least one ransomware gang has publicly announced they were shutting down their ransomware operation in favor of cryptojacking. And based on the 21% year-over-year decrease in ransomware attacks observed by SonicWall in 2022, others have likely followed suit.

Attacks Becoming More Prevalent, Stealthy and Sophisticated

As cryptojacking becomes more widely adopted, it’s also expanding its territory, with threat actors continuing to broaden their scope beyond traditional Windows-based attacks. In addition to the recently discovered Final Cut Pro campaign, cryptominers have also been identified hitching a ride on other apps designed for Macs, such as Adobe Photoshop and Apple Logic Pro.

Linux servers and even internal Redis servers were also popular targets for cryptojacking campaigns in 2022. While we reported on the growth in Redis attacks in our 2023 Cyber Threat Report, in just the week since its launch, another cryptojacking campaign targeting Redis has been identified — this one leveraging the legitimate tool transfer[.]sh.

And as cryptojacking continues to pick up steam, cybercriminals are becoming increasingly innovative. For example, in January 2023, threat actors used automation to create 130,000 free trial accounts on cloud platform services, with the end goal of exploiting GitHub Actions workflows for illicit cryptomining.

With cryptojacking attacks on the rise and the cyber landscape continuing to evolve, staying up to date on the latest threat intelligence has never been more important.

“It is crucial for organizations to understand attackers’ tactics, techniques and procedures (TTPs), and commit to threat-informed cybersecurity strategies to defend and recover successfully from business-disrupting events,” said SonicWall Threat Detection and Response Strategist Immanuel Chavoya. “This includes stopping sophisticated ransomware attacks as well defending emerging threat vectors, including IoT and cryptojacking.”

What is Cryptojacking, and how does it affect your Cybersecurity?

/0 Comments/in /by

How do you know if cryptojacking is impacting your business? Learn how to spot infections and how to deploy solutions to protect your network and endpoints.

The good news for cryptocurrency is that the model is an established fixture in global finances. It’s highly portable, holds value, is tradable for products and services, and is gaining popularity among mainstream consumers.

It can also be a rewarding investment tool if you’re truly adventurous. Of course, fortunes are won and lost in a wink as many cryptocurrency issues (e.g., Bitcoin, Ethereum, Cardano) are highly volatile, with values sometimes soaring to astronomical highs and plummeting into white-knuckle lows within days or weeks. However, there are other less scary ways to make money from cryptocurrencies, and one of them is through “cryptomining.”

What is Cryptomining: An Explainer

Cryptomining is a process that validates cryptocurrency transactions in distributed public ledgers. Each transaction is linked to the previous and subsequent transaction, creating a chain of time-stamped records. This is essentially what a “blockchain” is all about.

One of the advantages of cryptomining is that just about anyone can participate without investing in the currency. For example, if you mine for Bitcoin, you receive Bitcoin as compensation for completing blocks of verified transactions added to the blockchain. It takes about 10 minutes to process a single block of currency.

All you need is a little knowledge about connecting to the cryptocurrency network, a reliable connection to the internet, one or two decent servers, and a steady power supply. The more server power you can enlist for your legitimate cryptomining operation, the more blocks you can process and the more money you make.

But there’s a twist to this process, and this is where the bad news comes in. Miners only earn cash when they complete the data process faster than others, and there are literally hundreds of miners trying to process the same block simultaneously. For that reason, miners are constantly looking for ways to scale up their hashrate (a metric for computational power to process blocks). The more hashes produced each second, potentially the more money you make.

Some people dodge the legitimate process entirely and turn to “cryptojacking.”

Why Cryptojacking is a rising threat.

It’s pretty simple: cryptojacking is cryptomining, but now the miner is using someone else’s computer without permission. Victims usually have no idea that their computers have been pressed into this kind of use, often through malware introduced by phishing or other hack.

In April 2018, SonicWall started tracking cryptojacking trends. Back then, the company recorded nearly 60 million cryptojacking attacks in one year. But as reported in the 2022 SonicWall Cyber Threat Report, cryptocurrency prices hit new highs in 2021, and with it, hacking incidents soared to 97 million, increasing nearly 62% since 2018.

Cryptojacking is on the rise

Unlike ransomware which relies on the visibility of phishing emails and messages, cryptojackers do their work invisibly in the background. The only sign your network or devices are affected is by monitoring a CPU performance graph or noticing that a device fan is running harder than usual.

Over the last two years, we’ve noticed that ransomware teams tend to switch to other activities like cryptojacking. One apparent reason they change is that the return on investment for a ransomware scheme and strain (that took months of development work) diminishes when it ends up on public feeds like VirusTotal.

Like anyone else running a profitable business, cybercriminals tend to be agile and flexible about their work. As a result, they’re actively searching for different ways to fulfill their financial targets. Cryptojacking offers agility thanks to the relative ease operators can deploy it with other criminal activity.

The allure of cryptomining.

With such low cost and practically zero risks, cybercriminals see many strong incentives to engage in cryptomining as a base business model. Much of the operation itself is automated through software. However, volatility in cryptocurrency plus rising energy costs is putting a lot of pressure on miners. In 2018, legitimate crypto miners could earn $100/day, but that profit has been halved nowadays, and staying “legit” is more complicated and harder to do.

Consequently, according to SonicWall’s threat report, illegal cryptojacking is again on the rise. The first quarter of 2021 saw 34.2 million hits in cryptojacking, making it the highest quarter since SonicWall began tracking this data point. But more worryingly, the worst month for cryptojacking in 2021 was, by far, December, with 13.6 million recorded. While December 2021 doesn’t eclipse the 15.5 million hits observed in March 2020, it makes for an easy second place, which was, by any comparison, a suboptimal starting point for 2022.

Am I infected by cryptojacking malware?

Cryptominers are interested in your processing power, and cryptojackers must trade stealth against profit. So how much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice; stealing more increases their profits. Of course, there will be a performance impact in either case, but if the threshold is low enough, it could be challenging to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end-users of Windows software should start a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to defend against malicious cryptojackers.

The first step in defending against cryptominers is to stop this type of malware at the gateway through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching cryptojackers is relatively simple. However, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques as cryptojackers have time to develop more tools. In addition, cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the useful lifespan of a successful attack.

If the malware strain is unknown (new or updated), it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) equipped with Real-Time (RTDMI)™ is proven to be highly effective in preventing evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical setup (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

Behavioral-based cybersecurity solutions like Capture Client ATP can detect malware that allows cryptomining and shut down the operation. Then, an administrator can quickly quarantine and delete the malware or, in the case of hacks that have done damage to system files, roll the system back to the last known good state before the malware was executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest malware forms no matter the trend or intent.