
What is Cryptomining and how can it affect Cybersecurity?

Despite price fluctuations of Bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

The good news for cryptocurrency is that the model is an established fixture in global finance. It is highly portable, holds value, is tradable for products and services, and is gaining popularity among mainstream consumers.

It can also be a rewarding investment if you are truly adventurous. Of course, fortunes are won and lost in the blink of an eye, as many cryptocurrencies (e.g., Bitcoin, Ethereum, Cardano) are highly volatile, with values soaring to astronomical highs and plummeting to white-knuckle lows within days or weeks. There are, however, less scary ways to participate, and the currencies are popular enough to have formed emergent marketplaces in the global economy. One of them is called “cryptomining.”

What is Cryptomining: An Explainer

Cryptomining is the process that validates cryptocurrency transactions and records them in a distributed public ledger. Transactions are gathered into blocks, and each block carries the hash of the block before it, creating a chain of time-stamped records: the blockchain.

This is one way to hold cryptocurrency without buying it. If you mine Bitcoin, for example, you are paid in Bitcoin for each block of verified transactions you add to the chain. The Bitcoin network settles on a new block roughly every 10 minutes, and the block subsidy paid to the miner who finds it is 6.25 BTC (down from 12.5 BTC after the May 2020 halving; it halves again roughly every four years), plus the fees of the transactions in that block.

All you need is some knowledge of how to connect to the currency’s peer-to-peer network (or a mining pool), a reliable Internet connection, hardware and a steady power supply. The catch is what “hardware” means: Bitcoin mining is dominated by purpose-built ASICs, and a general-purpose server is no longer competitive for it; CPUs and GPUs only pay off on coins whose algorithms were designed for them, such as Monero. Either way, the more hashing power you can bring to bear, the more you earn.

But there is a twist, and this is where the bad news comes in. A miner earns the reward only by being the first to find a hash below the network’s target for the current block, and a huge number of miners worldwide are racing for the same block at the same time. For that reason, miners constantly look for ways to raise their hashrate, the number of hash attempts per second; over many blocks, a miner’s expected share of the reward is simply its hashrate as a fraction of the whole network’s.
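As an added illustration (not code from the original post): a toy proof-of-work loop in Python that mirrors what a Bitcoin miner does, applying double-SHA-256 to a header plus nonce until the result falls below a target, together with the arithmetic behind “more hashes per second means more money.” The header bytes and the 16-bit difficulty are assumptions chosen so the search finishes in well under a second; real Bitcoin difficulty is many orders of magnitude higher, which is exactly why hashrate decides who gets paid.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash is valid when, read as a 256-bit integer, it is below this target.
    Each extra bit of difficulty halves the target and doubles the expected work."""
    return 1 << (256 - difficulty_bits)


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the 4-byte nonce until sha256d(header || nonce) meets the target.
    Returns (nonce, hex digest), or None if the nonce space is exhausted."""
    for nonce in range(max_nonce):
        digest = sha256d(header + nonce.to_bytes(4, "little"))
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex()
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs one hash; that asymmetry is what makes proof-of-work useful."""
    return meets_target(sha256d(header + nonce.to_bytes(4, "little")), difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Mean number of attempts before a valid hash turns up (geometric distribution)."""
    return 1 << difficulty_bits


def expected_block_share(my_hashrate: float, network_hashrate: float) -> float:
    """Fraction of blocks (and therefore of reward) a miner expects to win.
    Whoever finds a valid hash first takes the whole block, so over many
    blocks the share is your hashrate divided by everyone's."""
    return my_hashrate / network_hashrate


# Constructed sample header; in Bitcoin this would be the 76 bytes preceding the nonce.
SAMPLE_HEADER = b"version|prev_block_hash|merkle_root|timestamp|bits"
DIFFICULTY_BITS = 16  # assumption: ~65,536 expected attempts, sub-second on a laptop

if __name__ == "__main__":
    nonce, digest = mine(SAMPLE_HEADER, DIFFICULTY_BITS)
    print(f"nonce={nonce} hash={digest}")
    print(f"expected attempts at {DIFFICULTY_BITS} bits: {expected_hashes(DIFFICULTY_BITS)}")
    print(f"10 kH/s against a 1 MH/s network wins {expected_block_share(1e4, 1e6):.1%} of blocks")
```

The point of the last function is the one that drives cryptojacking: the reward is winner-take-all per block, so the only lever a miner has is more hashes per second, and stolen CPU time is the cheapest way to get them.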

The question is how cryptominers maximize their computational power without the heavy investment in new servers, bandwidth and electricity. The unfortunate answer: they turn to cryptojacking.

Why Cryptojacking is on the rise.

Cryptojacking is cryptomining done on someone else’s computer without permission. Victims usually have no idea their machines have been conscripted, typically through malware or some other form of unauthorized access.

In April 2018, SonicWall started tracking cryptojacking trends. Back then, the company recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018 alone. But as reported in the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, as cryptocurrency prices hit new highs during the first half of 2021, cryptojacking incidents soared to 51.1 million, an increase of nearly 400% since 2018.

Unlike ransomware, which has to announce itself to demand payment, cryptojackers do their work silently in the background. Often the only sign that one is lurking on a machine is a CPU performance graph that never settles or a device fan running harder than usual.

Anecdotally, over the last two years we have noticed ransomware crews switching to other activities such as cryptojacking. One apparent reason is that the return on a ransomware strain that took months of development work drops as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a profitable business, cybercriminals tend to be agile and flexible about their work. As a result, they’re actively searching for different ways to fulfill their financial targets. Cryptojacking adds agility and is relatively easy to deploy with their other criminal activity.

The allure of cryptomining.

With such low cost and practically zero risk, cybercriminals see strong incentives to adopt cryptomining as a base business model, and much of the operation is automated by software. If a cryptojacking team can infect ten machines, their potential net gain could be $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with many devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use similar techniques as malware to sneak onto an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

Am I infected by cryptojackers?

Cryptojackers want your processing power, and they trade a little stealth for profit: how much CPU they take depends on their objectives. Siphoning less makes it harder for unsuspecting users to notice; stealing more raises their income. There is a performance impact either way, but if the miner is throttled low enough, even experienced IT managers struggle to tell it from legitimate software processes.

Enterprise administrators should look for unknown processes in their environment, and end users on Windows can run Sysinternals Process Explorer to see what is actually running. Linux and macOS users can do the same with top or htop (or GNOME System Monitor) and Activity Monitor, respectively.
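Eyeballing a process list does not scale, and a miner throttled to 20% CPU never shows up in a load graph. The following Python script is an added example, not SonicWall detection logic and not code from the original post: it scores process records on several weak and strong indicators (miner-like command line, connections to common pool ports, a binary running from a temp directory, sustained CPU) and flags only those that cross a threshold. The indicator lists, the weights and the sample records are the editor’s assumptions; the /proc collector works on Linux and leaves connection data to be joined from `ss -tnp`.

```python
import os
import re
import time

# Heuristic indicators chosen for illustration; tune them for your environment.
MINER_CMDLINE = re.compile(
    r"stratum\+(tcp|ssl)://|xmrig|minerd|cpuminer|--donate-level|--coin[= ]|-o\s+\S*pool\.",
    re.IGNORECASE,
)
MINER_PORTS = {3333, 4444, 5555, 14444}          # ports many public pools listen on
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # binaries running from here deserve a look
CPU_THRESHOLD = 70.0                             # percent of one core over the sample window
ALLOWLIST = {"ffmpeg", "gcc", "cc1", "make", "rustc", "ld"}  # legitimately CPU-hungry names


def score_process(proc):
    """Return (score, reasons). A strong indicator (miner-like command line) is enough
    on its own; weak ones (CPU load) only count in combination, because a miner
    throttled to 20% CPU never trips a load threshold."""
    score, reasons = 0, []
    if MINER_CMDLINE.search(proc.get("cmdline", "")):
        score += 3; reasons.append("miner-like command line")
    if any(port in MINER_PORTS for _, port in proc.get("connections", [])):
        score += 2; reasons.append("connection to a common mining-pool port")
    if proc.get("exe", "").startswith(TEMP_DIRS):
        score += 2; reasons.append("binary executes from a temporary directory")
    if proc.get("cpu_percent", 0.0) >= CPU_THRESHOLD and proc.get("name") not in ALLOWLIST:
        score += 1; reasons.append(f"sustained CPU {proc['cpu_percent']:.0f}%")
    return score, reasons


def triage(processes, min_score=3):
    """Return [(pid, name, reasons)] for every process at or above min_score."""
    flagged = []
    for proc in processes:
        score, reasons = score_process(proc)
        if score >= min_score:
            flagged.append((proc["pid"], proc["name"], reasons))
    return flagged


def collect_linux_processes(interval=2.0):
    """Build records from /proc (Linux only). CPU% is averaged over `interval`
    seconds from utime+stime. Connections are left empty; join them in from
    `ss -tnp` output if you want the port indicator on live data."""
    clk = os.sysconf("SC_CLK_TCK")

    def ticks(pid):
        with open(f"/proc/{pid}/stat") as f:
            fields = f.read().rsplit(")", 1)[1].split()  # skip "pid (comm)"
        return int(fields[11]) + int(fields[12])          # utime + stime

    before = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            before[pid] = ticks(pid)
        except OSError:
            pass
    time.sleep(interval)
    records = []
    for pid, t0 in before.items():
        try:
            cpu = (ticks(pid) - t0) / (interval * clk) * 100.0
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:          # kernel thread, or another user's process without root
                exe = ""
        except OSError:
            continue                 # process exited during the sample window
        records.append({"pid": int(pid), "name": name, "exe": exe, "cmdline": cmdline,
                        "cpu_percent": cpu, "connections": []})
    return records


# Constructed sample records, as a scan of a compromised Linux host might produce them.
SAMPLE_PROCESSES = [
    {"pid": 4121, "name": "kworkerds", "exe": "/tmp/.x/kworkerds",
     "cmdline": "/tmp/.x/kworkerds -o stratum+tcp://pool.example:3333 -u 44AAAA... -p x",
     "cpu_percent": 97.0, "connections": [("203.0.113.10", 3333)]},
    {"pid": 880, "name": "chrome", "exe": "/opt/google/chrome/chrome",
     "cmdline": "/opt/google/chrome/chrome --type=renderer", "cpu_percent": 85.0,
     "connections": [("198.51.100.20", 443)]},
    {"pid": 2210, "name": "gcc", "exe": "/usr/bin/gcc",
     "cmdline": "gcc -O2 -c main.c", "cpu_percent": 99.0, "connections": []},
    {"pid": 5150, "name": "sshd", "exe": "/usr/sbin/sshd",
     "cmdline": "sshd: user [priv]", "cpu_percent": 0.1, "connections": [("198.51.100.7", 22)]},
]

if __name__ == "__main__":
    live = collect_linux_processes() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for pid, name, reasons in triage(live):
        print(f"{pid:>6} {name:<16} {'; '.join(reasons)}")
```

Note how the sample CPU-bound Chrome renderer and the compiler are not flagged while the masquerading “kworkerds” is: CPU alone is a weak signal in both directions, which is why the command line, the pool port and the binary’s location carry the weight.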

How to defend against malicious cryptominers.

The first step in defending against cryptojacking is to stop the malware at the gateway with firewalls and email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since criminals like to reuse old code, catching known cryptojacking malware is relatively simple. However, SonicWall predicts a continuing surge of new cryptojacking variants and techniques as attackers develop more tools and grow more sophisticated. Cryptojacking may also remain a favorite method because it is so easy to conceal: the damage to victims is low and indirect, which reduces the chance of exposure and extends the useful lifespan of a successful attack.

If the malware strain is unknown (new or updated), it will bypass the static filters of perimeter security. An unknown file should instead be routed to a sandbox that inspects its behavior.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical setup (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can also run in the browser or be delivered through a fileless attack, and a signature-only antivirus like the one bundled with a new computer is blind to both.
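Whether or not a miner ever touches disk, it still has to talk to a pool, so the traffic itself is a detection point that does not depend on recognizing the binary. The scanner below is an added example (not from the original post and not SonicWall product logic): it labels newline-delimited JSON messages from a reassembled TCP stream as Stratum v1 (Bitcoin-style pools) or as the JSON-RPC dialect XMRig-family miners use with Monero pools, in either direction. The method names and job fields are the ones those protocols use; the sample stream, wallet and agent strings are constructed.

```python
import json

# Method names from the two protocol dialects miners speak to pools:
# Stratum v1 (Bitcoin-style pools) and the JSON-RPC dialect used by XMRig and its
# forks against Monero pools. Extend the sets for other pool software.
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                      "mining.notify", "mining.set_difficulty"}
XMRIG_METHODS = {"login", "submit", "job", "keepalived"}
JOB_KEYS = {"blob", "job_id", "target"}   # fields of a pool's job object


def classify_message(line: bytes):
    """Label one newline-delimited JSON message, or return None if it is not mining traffic."""
    try:
        msg = json.loads(line)
    except ValueError:                # not JSON at all (HTTP, TLS bytes, ...)
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_V1_METHODS:
        return "stratum-v1"
    if method in XMRIG_METHODS:
        params = msg.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        return f"xmrig-style ({agent})" if agent else "xmrig-style"
    result = msg.get("result")        # server side: the first job arrives in the login reply
    if isinstance(result, dict) and JOB_KEYS <= set(result.get("job") or {}):
        return "xmrig-style (pool job)"
    return None


def scan_stream(payload: bytes):
    """Scan a reassembled TCP payload line by line. Returns [(line_no, label)]."""
    hits = []
    for line_no, line in enumerate(payload.split(b"\n"), 1):
        line = line.strip()
        if line:
            label = classify_message(line)
            if label:
                hits.append((line_no, label))
    return hits


# Constructed sample: both directions of a miner's session interleaved with
# unrelated traffic, the way a stream pulled out of a capture might look.
SAMPLE_STREAM = b"\n".join([
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44AAAA...","pass":"x","agent":"XMRig/6.16.4"}}',
    b'{"id":1,"jsonrpc":"2.0","result":{"id":"a1","job":{"blob":"0c0c...","job_id":"j1","target":"b88d0600"},"status":"OK"}}',
    b'GET /healthz HTTP/1.1',
    b'{"seq":1,"event":"heartbeat"}',
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
])

if __name__ == "__main__":
    for line_no, label in scan_stream(SAMPLE_STREAM):
        print(f"line {line_no}: {label}")
```

Two caveats a practitioner should keep in mind. Match on content, not port: pools listen on 3333 and friends, but miners are routinely pointed at 443 or 80 to blend in. And many pools accept TLS (stratum+ssl), while browser miners typically reach their proxy over WebSocket, so this kind of inspection needs a TLS-terminating proxy or gateway in the path; without one, fall back to destination reputation, SNI and the host-side checks above.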

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and shut down the operation. Then, an administrator can quickly quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware is executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest malware forms no matter the trend or intent.

How to Protect Your Business During a Global Health Crisis

While governments and healthcare organizations work to contain and stop the spread of the novel coronavirus pandemic (COVID-19), businesses are working to keep employees safe and operations running. Consider these best practices when challenged by disaster or unforeseen circumstances.

Expand your remote workforce, securely

Organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. Increasingly, this is becoming a mandated policy and potentially the sign of a new remote future.

Precautions like these, however, are causing unexpected increases in mobile and ‘work-from-home’ employees; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.

For this reason, security-conscious organizations should have a scalable secure mobile or remote access solution in place (e.g., VPN) that can accommodate an influx of users (and the respective license requirements).

Review your business continuity plan

Disaster strikes in all forms. Whether malicious cyberattacks, inclement weather, power outages or pandemic, organizations should have built-in scenarios that help ensure business continuity in the face of uncertainty.

Organizations, SMBs and enterprises are encouraged to review their business continuity plans on a yearly basis. This should account for everything from communication channels to leadership, infrastructure and technology. Reference SonicWall’s ‘5 Core Practices to Ensure Business Continuity’ as a helpful primer.

Defend against fear-based cyberattacks

Cybercriminals know how to successfully capitalize on trends, fears and human behavior. And the coronavirus outbreak is a prime opportunity for them to launch fear-based phishing campaigns, mobile malware, social-engineering attacks and more.

A range of phishing attacks were launched to take advantage of coronavirus fears, including phishing emails appearing to come from the World Health Organization. Organizations should ensure they have strong email security in place to mitigate aggressive phishing attacks.

In cases where phishing links are clicked by employees, staff, partners and contractors, cloud application security, Office 365 security and advanced endpoint protection solutions are required to mitigate malware from compromising networks or stealing credentials.

Protect your many endpoints

The new normal has waves of remote employees roaming outside the safety of the network perimeter. In some cases, this is a new experience and they may behave in the same manner as if they were protected by network security controls.

Organizations need to be prepared for an influx of attacks impacting endpoints. A single employee — either working remotely or bored from mandated quarantine — could click a phishing link that could lock data via ransomware, steal credentials or gain access to the corporate network.

A sound security strategy for remote workforces always includes proactive endpoint protection (or next-generation antivirus) that mitigates attacks before, during and after they execute. More advanced approaches include automated rollback to return infected Windows PCs to a previously clean state.


Work-from-Home VPN Solutions for Remote Workforces

To help organizations cost-effectively implement VPN technology for their rapidly expanding work-from-home employees, SonicWall is making its remote access products and services available to both new and existing customers via deeply discounted rates. We’re also bundling critical security solutions for new enterprise and SMB customers.

This special offer provides free Secure Mobile Access (SMA) virtual appliances sized for enterprises and SMBs, and also includes aggressive discounts on Cloud App Security and Capture Client endpoint protection when paired with SMA.

These packages were bundled to include everything needed to protect employees outside the network:

  • Free Secure Mobile Access (SMA) virtual appliance
  • Aggressive discounts on Capture Client endpoint protection
  • Aggressive discounts on Cloud App Security
  • Aggressive discounts on support contracts and Remote Implementation Services when you bundle a virtual appliance
  • New 30- and 60-day VPN spike licenses for existing SMA 100 and 1000 series customers

Black Friday Cyberattacks: Businesses Face Surge of Malware, Ransomware on U.S. Shopping Holiday

Cyber Monday and Black Friday are the proverbial holiday shopping season for cybercriminals and their strategic cyberattacks, including malware, ransomware and phishing. Eager online shoppers hurry to fill holiday dreams, often to the detriment of cybersecurity best practices and common sense.

According to Adobe Analytics, consumers spent $7.4 billion online during this year’s Black Friday event, up $1.2 billion over 2018. Those numbers jumped for Cyber Monday, where retailers collected $9.4 billion in online sales on the frantic shopping holiday.

That kind of volume — in terms of both people and dollars — makes for a lucrative target for the modern cybercriminal. In 2018, SonicWall Capture Labs threat researchers discovered a spike in ransomware attacks during the Black Friday and Cyber Monday shopping events, as well as a 45% jump in phishing attacks.

Black Friday and Cyber Monday in 2019 resulted in much of the same. SonicWall Capture Labs threat researchers recorded* a double-digit malware spike (63%) in the U.S. during the eight-day holiday shopping window from Nov. 25 to Dec. 2.

  • 129.3 million malware attacks (63% increase over 2018)
  • 639,355 ransomware attacks (14% decrease over 2018)
  • 51% increase in phishing attacks on Black Friday (compared to the average day in 2019)

Cyber Monday attacks dip, Black Friday takes the hit

Cybercriminals weren’t waiting until Cyber Monday to launch their campaigns, either. In the U.S., both malware (130%) and ransomware attacks (69%) were up on Black Friday compared to 2018. This trend continued on Cyber Sunday with increases in malware (107%) and ransomware (9%).

Interestingly, ransomware attacks were down on Cyber Monday (-41%) and Small Business Saturday (-55%), resulting in an overall 14% decrease in U.S. ransomware attacks during the eight-day shopping window.

Malicious Android apps spotted during Black Friday

It’s no secret that much of holiday shopping is done on mobile apps. Busy online shoppers often leverage mobile apps that keep track of deals, provide discount coupons and offer the convenience of skipping long lines at shopping malls.

To diversify their attack strategies, cybercriminals and malware writers use this opportunity to spread malware under the guise of shopping and deal-related apps — particularly during this eight-day Thanksgiving holiday shopping window.

In the past few weeks alone, SonicWall Capture Labs threat researchers observed a number of malicious Android apps that use the shopping theme to trick users into downloading and installing these apps.

One of the more notable malicious apps is this Amazon Shopping Hack, which is tied to a range of survey scams that attempt to steal user data and sensitive information.

Name: Amazon Shopping Hack
Package: com.amazon.mShop.android.shopping.hack
SHA: fa87b95eead4d43b2ca4b6d8c945db082b4886b395b3c3731dee9b7c19344bfa

After execution, this app shows a human verification page to continue using this app. This “verification” essentially leads to survey-related scams that attempt to extract sensitive user information, such as email address, credit card details, address, etc.

One of the domains contacted by this app during execution is mobverify.com. A quick search on this domain revealed a number of other survey-related pages.

The mobverify.com domain is associated with a number of malevolent apps, survey scam links and malicious executables. During analysis, we observed a GET request to mobverify.com that downloads a JSON file containing a list of different survey scams.

For additional examples of malicious Android apps, please review the in-depth findings of the Capture Labs threat team: Malicious Android Apps Observed During Thanksgiving Season 2019.

Intelligence for this report was sourced from real-world data gathered by the SonicWall Capture Threat Network, which securely monitors and collects information from global devices and resources including more than 1 million security sensors in nearly 215 countries and territories.


* As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries.

Webinar: Prep Your Business to Face 2019’s Most Advanced Cyber Threats

Cyber threat intelligence is a must-have component for any security-conscious organizations. And for those who couldn’t get enough of the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall security experts hosted an exclusive webinar to go inside the exclusive threat data, ask questions about the threat landscape and offer best practices for improving your security posture.

This edition, “Prep Your Business to Face 2019’s Most Advanced Cyber Threats,” was hosted by Brook Chelmo, a charismatic storyteller who will help you make sense of the numbers. Watch the exclusive on-demand webinar to gain a better understanding of what’s at stake. You’ll explore:

About Brook Chelmo

Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware tsar.

Fascinated by the growth of the consumer internet, Brook dabbled in grey-hat hacking in the mid to late ‘90s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices, promoting and developing technology.


RTDMI Evolving with Machine Learning to Stop ‘Never-Before-Seen’ Cyberattacks

If I asked you, “How many new forms of malware did SonicWall discover last year?” What would be your response?

When I pose this question to audiences around the world, the most common guess is 8,000. People are often shocked when they hear that SonicWall discovered 45 million new malware variants in 2018, as reported in the 2019 SonicWall Cyber Threat Report.

The SonicWall Capture Labs threat research team was established in the mid-‘90s to catalog and build defenses for the massive volume of malware they would find each year. Because our threat researchers process more than 100,000 malware samples a day, they have to work smart, not hard. This is why SonicWall Capture Labs developed technology using machine learning to discover and identify new malware. And it continues to evolve each day.

How Automation, Machine Learning Stops New Malware

Released to the public in 2016, the SonicWall Capture Advanced Threat Protection (ATP) sandbox service was designed to mitigate millions of new forms of malware that attempt to circumvent traditional network defenses via evasion tactics. It was built as a multi-engine architecture in order to present the malicious code with different environments to detonate in. In 2018, this technology found nearly 400,000 brand new forms of malware, much of which came from customer submissions.

In order to make determinations faster and with better accuracy, the team developed Real-Time Deep Memory Inspection™ (RTDMI), a patent-pending technology that lets malware proceed straight into memory and extracts the payload within the 100-nanosecond window in which it is exposed. The 2019 SonicWall Cyber Threat Report also mapped how the engine discovered nearly 75,000 ‘never-before-seen’ threats in 2018 alone, despite being released (at no additional cost to Capture ATP customers) only in February 2018.

‘Never-Before-Seen’ Attacks Discovered by RTDMI in 2018

Image source: 2019 SonicWall Cyber Threat Report

Using proprietary machine learning capabilities, RTDMI has become more and more efficient at identifying and mitigating cyberattacks never before seen by anyone in the cybersecurity industry. Since July 2018, the technology’s machine learning has caught more of these previously undetectable cyberattacks each month than the month before, with a single exception. In January 2019 the monthly figure eclipsed 17,000, and it continues to rise in 2019.

Year of the Processor Vulnerability

Much like Heartbleed and other vulnerabilities in cryptographic libraries introduced researchers and attackers to a new battleground in 2014, the numerous announcements of vulnerabilities affecting processors did the same in 2018.

Since these (currently theoretical) attacks operate in memory, RTDMI is well positioned to discover and stop them. By feeding information on how a theoretical attack would work into the machine learning engine, RTDMI was able to identify a Spectre attack within 30 days. Shortly thereafter, it was hardened for Meltdown. With each new processor vulnerability discovered (e.g., Foreshadow, PortSmash), it took RTDMI less and less time to harden against the attack.

Then, in March 2019, while much of the security world was at RSA Conference 2019 in San Francisco, the Spoiler vulnerability was announced. With the maturity found within RTDMI, it took the engine literally no time at all to identify if the vulnerability was being exploited.

Although we have yet to see these side-channel attacks in the wild, RTDMI is primed for the fight and even if there is a new vulnerability announced tomorrow with the ability to weaponize it, this layer of defense is ready to identify and block side-channel attacks against processor vulnerabilities.

Image source: 2019 SonicWall Cyber Threat Report

Scouting for New Technology

Now, if you are not a SonicWall customer yet and are evaluating solutions to stop unknown and ‘never-before-seen’ attacks (i.e., zero-day threats), ask your prospective vendors how they do against these types of attacks. Ask how they did on Day 1 of the WannaCry crisis. As for the volume of attacks their solutions are finding, ask for evidence the solution works in a real-world situation, not just as a proof of concept (POC) in a lab.

If you are a customer, Capture ATP, which includes RTDMI, is available as an add-on purchase within many of our offerings from the firewall, to email, to the wireless access point. You read that correctly: right on the access point.

We believe in the technology so much that we place it in everything to protect your networks and endpoints, such as laptops and IoT devices. This is why large enterprises, school districts, SMBs, retail giants, carrier networks and service providers, and government offices and agencies trust this technology to safeguard their networks, data and users every day.

On-Demand Webinar: The State of the Cyber Arms Race

There are two kinds of cybersecurity enthusiasts in this world.

Person 1: I anxiously set my alarm to be the first one to download the new 2019 SonicWall Cyber Threat Report. I await its glorious arrival every spring and have already read it cover-to-cover 34 times. What else can I learn?

Person 2: I, too, value the actionable cyberattack intelligence and research from SonicWall Capture Labs threat researchers. I downloaded it (hopefully), but just haven’t had a chance to absorb all it has to offer. I need more.

SonicWall obviously supports both approaches, but we know different types of people digest content in different ways.

For this reason, we hosted an exclusive webinar that explored the key findings, discussed intricacies of the data, provided updates and answered many questions.

Watch the on-demand replay to learn about the findings, intelligence, analysis and research from the 2019 SonicWall Cyber Threat Report.

The exclusive session, “The State of the Cyber Arms Race: Unmasking the Threats Coming in 2019,” will help you improve your security preparations and posture through 2019 and beyond. Pro tip: Download the full report now so you’re primed for the webinar.

Hosted by SonicWall’s John Gordineer, the convenient 60-minute webinar explored the complete report, which covers key trends and findings from 2018, such as:

  • Global Malware Volume
  • UK, India Harden Against Ransomware
  • Dangerous Memory Threats & Side-Channel Attacks
  • Malicious PDF & Office Files Beating Legacy Security Controls
  • Attacks Against Non-Standard Ports
  • IoT Attacks Escalating
  • Encrypted Attacks Growing Steady
  • Rise & Fall of Cryptojacking
  • Global Phishing Volume Down, Attacks More Targeted

About the Presenter

John Gordineer
Director, Product Marketing

John is responsible for technical messaging, positioning and evangelization of SonicWall network security, email security, and secure remote access solutions to customers, partners, the press and industry analysts. John has more than 20 years of experience in product marketing, product management, product development and manufacturing engineering. He earned a bachelor’s degree in Industrial Engineering from Montana State University.

2019 SonicWall Cyber Threat Report: Unmasking Threats That Target Enterprises, Governments & SMBs

The launch of the annual SonicWall Cyber Threat Report always reminds us why we’re in this business.

Our engineers and threat researchers dedicate months to the project in order to shed light on how people, businesses and organizations online are affected by cybercrime.

What they found is telling. Across the board, cyberattacks are up. Criminals aren’t relenting. Hackers and nefarious groups are pushing attacks to greater levels of volume and sophistication. And the 2019 SonicWall Cyber Threat Report outlines how they’re doing it and at what scale.

To understand the fast-changing cyber arms race, download the complimentary 2019 SonicWall Cyber Threat Report. The unification, analysis and visualization of cyber threats will empower you and your organization to fight back with more authority, determination and veracity than ever before. So, let’s take a look at what’s included.

Malware Volume Still Climbing

In 2016, the industry witnessed a decline in malware volume. Since then, malware attacks have increased 33.4 percent. Globally, SonicWall recorded 10.52 billion malware attacks in 2018 — the most ever logged by the company.

UK, India Harden Against Ransomware

SonicWall Capture Lab threat researchers found that ransomware was up in just about every geographic region but two: the U.K. and India. The report outlines where ransomware volume shifted, and which regions were impacted most by the change.

Dangerous Memory Threats, Side-Channel Attacks Identified Early

The report explores how SonicWall Real-Time Deep Memory Inspection™ (RTDMI) mitigates dangerous side-channel attacks utilizing patent-pending technology. Side-channels are the fundamental vehicle used to exploit and exfiltrate data from processor vulnerabilities, such as Foreshadow, PortSmash, Meltdown, Spectre and Spoiler.

Malicious PDFs & Office Files Beating Legacy Security Controls

Cybercriminals are weaponizing PDFs and Office documents to help malware circumvent traditional firewalls and even some modern day network defenses. SonicWall reports how this change is affecting traditional malware delivery.

Attacks Against Non-Standard Ports

Ports 80 and 443 are standard ports for web traffic, so they are where many firewalls focus their protection. In response, cybercriminals are targeting a range of non-standard ports to ensure their payloads can be deployed undetected in a target environment. The problem? Organizations aren’t safeguarding this vector, leaving attacks unchecked.

IoT Attacks Escalating

There’s a deluge of Internet of Things (IoT) devices rushed to market without proper security controls. In fact, SonicWall found a 217.5 percent year-over-year increase in the number of IoT attacks.

Encrypted Attacks Growing Steady

The growth in encrypted traffic is coinciding with more attacks being cloaked by TLS/SSL encryption. More than 2.8 million attacks were encrypted in 2018, a 27 percent increase over 2017.

The Rise & Fall of Cryptojacking

In 2018, cryptojacking diminished nearly as fast as it appeared. SonicWall recorded tens of millions of cryptojacking attacks globally between April and December. The volume peaked in September but has been on a steady decline since. Was cryptojacking a fad, or is more on the way?

Global Phishing Volume Down, Attacks More Targeted

As businesses get better at blocking email attacks and ensuring employees can spot and delete suspicious emails, attackers are shifting tactics. They’re reducing overall attack volume and launching more targeted phishing campaigns. In 2018, SonicWall recorded 26 million phishing attacks worldwide, a 4.1 percent drop from 2017.

Bill Conner: How the UK Is Taking Malware Seriously

Bill Conner sat down with Information Age editor Nick Ismail to discuss global malware attack statistics, cross-border cybersecurity collaboration, the increasing need to inspect PDFs and Microsoft Office documents, and how all impact the dynamic U.K. political landscape.

Though malware attack data shows an increase in global attacks, the U.K. has experienced a decrease in these attacks following the WannaCry ransomware strain in previous years.

Conner sees this as a positive change for the U.K. and stated via Information Age, “you guys were all over it” following the WannaCry attack and “most of the vendors in the U.K. and their customers put solutions in place to protect against multiple family variants of ransomware.”

While this is a positive change for the U.K., there is still work to be done globally and Conner says regardless of the often divided political climate, “there’s a good foundation for cyber collaboration across borders.”

“Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day, because they can be exploited for IP and monetary gain. And you can’t even see it.”

Bill Conner
SonicWall President & CEO

In addition to urging governments to look toward political collaboration to tighten cybersecurity globally, Conner explained the majority of this change will come through the dedication of law enforcement.

“Law enforcement sharing is better than political sharing at the moment,” Conner told Information Age. “Public institutions, private organizations and different governments have got to collaborate. But, above all, we’ve got to have dedicated cyber law enforcement.”

While a global cybersecurity strategy may be down the road, Conner says there are places to focus on now to best secure governments, enterprises and SMBs.

What does Conner recommend an organization focus their cybersecurity strategy on?

“What I’m telling governments and enterprises is to forget side-channel exploits for the moment,” he said. “Right now, we need to focus on those PDFs and Office (files), the things you run in your business every day.”

One of the ways to mitigate these specific malware threats requires advanced technology, like SonicWall Capture Advanced Threat Protection (ATP) with SonicWall Real-Time Deep Memory Inspection (RTDMI™), to inspect and mitigate attacks in memory.

Read the rest of Conner’s recommendations and predictions in his interview with Information Age.

Video: Why Layered Security Matters

Understanding the benefits of certain security technology is always important. But hearing innovation explained by two cybersecurity industry icons provides the context to appreciate how it works and the importance of implementing sound defenses to survive in an ever-changing cyber war.

In this exclusive video, SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks. The video provides:

  • Exclusive cyberattack data for ransomware, malware, encrypted threats, web app attacks, malware attacks on non-standard ports and more
  • In-depth view into the key security layers that power automated real-time detection and prevention
  • Real-world use cases, including remote and mobile security, web application protection, traditional network security, cloud sandboxing and more
  • Detailed breakdown of the SonicWall Capture Cloud Platform

3 Ways to Prevent Cryptominers from Stealing Your Processing Power

Visiting a website is no longer what it used to be.

Many news and procrastination websites (BuzzFeed, for example) add dozens of trackers to monetize the visit, as a much-shared Imgur post illustrates. But there is a different trend you may not have noticed: cryptomining via the browser.

Some sites also use your browser to mine cryptocurrency for their own financial gain. In practice this is almost always Monero, whose CPU-friendly hashing algorithm can run in JavaScript or WebAssembly; Bitcoin and Ethereum mining are not viable on a browser's share of a CPU. Browser mining stops once you leave the page, but a popular newer form of malware, the cryptojacker, tries to turn your device into a full-time mining bot. Cryptojacking's threat to your endpoint or business rests on three things:

  • The energy it consumes or wastes
  • The damage it can do to a system
  • The loss of productivity due to limited resources

Unlike ransomware, which wants to be found (to ask for payment), a cryptojacker's job is to run invisibly in the background, although your CPU performance graph or your device's fan may indicate something is not normal.

Despite our vigilance and knowledge of the warning signs, a report from the Ponemon Institute stated the average length of time for an organization to discover malware or a data breach in 2017 was 191 days.

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking may solve that.

For example, the Mac App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero while open. It reportedly made $2,000 in two days before it was pulled from the store.

The Lure of Cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60 percent of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs on the legitimate side, and none of the capital or electricity outlay when someone else's hardware does the work, cybercriminals have strong incentives to generate cryptocurrency with other people's resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Unlike ransomware, and more akin to traditional malware, stay hidden for as long as possible.

Cryptojackers use the same techniques as other malware to sneak onto an endpoint: drive-by downloads, phishing campaigns, browser vulnerabilities and malicious browser plugins, to name a few. And, of course, they rely on the weakest link, the people, via social engineering.

How to Know if You are Infected by Cryptominers

Cryptominers are interested in your processing power, and cryptojackers have to trade off stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators should look for unknown processes in their environment, and end users on Windows should open Sysinternals Process Explorer to see what is actually running and what it is consuming. Linux and macOS users can do the same with System Monitor (or top/htop) and Activity Monitor, respectively. The tell-tale signs are a process with sustained high CPU that nothing you launched explains, an unfamiliar name running from a temporary or user-writable directory, or an outbound connection to a mining pool.
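The process check described above, as an added example that is not part of the original post: a Python script that parses a `ps -eo pid,pcpu,etimes,comm,args` snapshot (Linux procps) and scores each process on the indicators a responder actually looks for. The `ps` sample is constructed, the pool hosts use the reserved `example.invalid` domain, and the miner name and flag lists are assumptions to be tuned for your own estate. One detail worth knowing: `ps` reports %CPU as CPU time divided by elapsed time over the whole life of the process, so a long-lived process with high %CPU has been busy for a long time, not just at the instant you looked.

```python
"""Flag processes that look like cryptominers from a `ps` snapshot.

Added example, not from the original post. Input is the output of
`ps -eo pid,pcpu,etimes,comm,args` (Linux procps). Each indicator alone
is weak; the score adds them up and a threshold decides what to show.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

PS_COLUMNS = "pid,pcpu,etimes,comm,args"

# Assumed indicator lists: typical, not complete. Tune for your environment.
MINER_NAMES = {"xmrig", "xmr-stak", "minerd", "cpuminer", "cgminer",
               "bfgminer", "ccminer", "nheqminer"}
MINER_FLAGS = re.compile(r"(?:^|\s)(?:--donate-level|--nicehash|--cpu-priority"
                         r"|--algo=?|-a\s+cryptonight|-k\b|--keepalive)")
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl|tls)://", re.I)
POOL_PORT = re.compile(r":(?:3333|4444|5555|7777|8888|14444|14433)\b")
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
KERNEL_LOOKALIKE = re.compile(r"^k(?:worker|thread|swapd|blockd)")


@dataclass
class Proc:
    pid: int
    cpu: float      # ps %CPU: cputime/elapsed over the process lifetime
    elapsed: int    # seconds since the process started
    comm: str       # short executable name (truncated to 15 chars by ps)
    args: str       # full command line


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -eo pid,pcpu,etimes,comm,args` output; the header line is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        pid, cpu, elapsed, comm = parts[:4]
        args = parts[4] if len(parts) == 5 else ""
        procs.append(Proc(int(pid), float(cpu), int(elapsed), comm, args))
    return procs


def score(p: Proc) -> Tuple[int, List[str]]:
    """Return (points, reasons) for one process."""
    points, why = 0, []
    if p.cpu >= 80 and p.elapsed >= 3600:
        points += 2; why.append("high lifetime CPU for more than an hour")
    name = p.comm.lower()
    exe = p.args.split()[0].rsplit("/", 1)[-1].lower() if p.args else ""
    if name in MINER_NAMES or exe in MINER_NAMES:
        points += 3; why.append(f"known miner name {name or exe}")
    if STRATUM_URL.search(p.args):
        points += 3; why.append("stratum pool URL in arguments")
    if POOL_PORT.search(p.args):
        points += 1; why.append("common pool port in arguments")
    if MINER_FLAGS.search(p.args):
        points += 1; why.append("miner-style command-line flags")
    if any(d in p.args for d in SUSPICIOUS_DIRS):
        points += 1; why.append("runs from a world-writable temp directory")
    # Real kernel threads show as "[kworker/0:1]"; a user-space path is a masquerade.
    if KERNEL_LOOKALIKE.match(name) and not p.args.startswith("["):
        points += 2; why.append("kernel-thread lookalike name with a user-space path")
    return points, why


def flag_miners(text: str, threshold: int = 3) -> List[Tuple[int, int, List[str]]]:
    """Return (pid, points, reasons) for processes at or above the threshold, highest first."""
    hits = [(p.pid, *score(p)) for p in parse_ps(text)]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


def live_snapshot() -> str:
    """Take a real snapshot on a Linux host (not used by the constructed sample below)."""
    return subprocess.run(["ps", "-eo", PS_COLUMNS], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample: one real kernel thread, normal daemons, a busy but short-lived
# ffmpeg job, a masquerading miner dropped in /tmp, and an undisguised xmrig.
SAMPLE_PS = """\
  PID %CPU ELAPSED COMMAND         COMMAND
   12  0.0   86400 kworker/0:1     [kworker/0:1]
  412  0.3   86400 systemd-journal /lib/systemd/systemd-journald
 2231 97.8   54000 kworkerds       /tmp/.X11-unix/kworkerds -o stratum+tcp://pool.example.invalid:3333 -u WALLETADDR -k
 3102 45.1     120 ffmpeg          ffmpeg -i input.mp4 output.mkv
 4410  2.0    3600 chrome          /opt/google/chrome/chrome --type=renderer
 5120 88.0   72000 xmrig           ./xmrig --url=pool.example.invalid:14444 --donate-level=0 --threads=8
"""

if __name__ == "__main__":
    for pid, points, why in flag_miners(SAMPLE_PS):
        print(f"pid {pid}: score {points}: " + "; ".join(why))
```

Run it against a real box with `flag_miners(live_snapshot())`. The ffmpeg job is the important negative case: high CPU alone is not evidence, which is why the short-lived transcode scores nothing while the long-running, pool-connected processes score high.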

How to Defend Against Cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats. Since attackers like to reuse old code, catching well-known miner code such as the Coinhive script by signature can be a simple first step.

If the strain is unknown (new, or an old one modified enough to change its signature), it will pass straight through the static filters in perimeter security. An unknown file should therefore be routed to a sandbox that inspects what the file does rather than what it looks like.
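The two points above, that a known embed like the Coinhive script is easy to match statically and that a modified copy slips past such matching, can be shown on page content directly. This is an added example, not code from the original post or from any SonicWall product: a Python scanner that applies exact-string signatures and, separately, a structural heuristic for what a browser miner needs at runtime (WebAssembly for hashing, Web Workers for threads, a WebSocket to a pool proxy, and a CPU throttle knob). The sample pages are constructed, the hosts use the reserved `example.invalid` domain, the Coinhive site key is a placeholder, and the signature list is illustrative rather than complete.

```python
"""Spot in-browser miners in page content: exact signatures vs. structure.

Added example, not from the original post. Two checks over a fetched page:
(1) static strings the Coinhive script and API carry even when copied, and
(2) a structural heuristic for browser APIs a miner cannot rename away.
Signature lists are illustrative; a real filter would be far longer.
"""
import re
from typing import Dict, List, Optional, Tuple

# Known-string signatures (partial). This is what a gateway filter matches.
STATIC_SIGNATURES = {
    "coinhive script": re.compile(r"coinhive\.min\.js|coin-hive\.com|coinhive\.com", re.I),
    "coinhive API": re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(", re.I),
    "authedmine": re.compile(r"authedmine\.(?:com|min\.js)", re.I),
    "crypto-loot": re.compile(r"crypto-loot\.com", re.I),
}

# Structural indicators: browser-defined identifiers. Each is common on its own;
# all of them together on an article page is unusual and worth a look.
STRUCTURAL = {
    "wasm": re.compile(r"WebAssembly\.(?:instantiate|compile|Module)"),
    "workers": re.compile(r"new\s+Worker\s*\("),
    "websocket": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"),
    "throttle": re.compile(r"throttle\s*[:=]\s*0?\.\d+"),  # CPU-share knob miners expose
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


def extract_scripts(html: str) -> List[Tuple[Optional[str], str]]:
    """Return (src or None, inline body) for every <script> element in the page."""
    out = []
    for attrs, body in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        out.append((m.group(1) if m else None, body))
    return out


def static_hits(html: str) -> List[str]:
    """Signature names that match anywhere in the raw page."""
    return [name for name, rx in STATIC_SIGNATURES.items() if rx.search(html)]


def structural_hits(html: str) -> List[str]:
    """Structural indicators found in the page's inline scripts."""
    js = "\n".join(body for _, body in extract_scripts(html))
    return [name for name, rx in STRUCTURAL.items() if rx.search(js)]


def classify(html: str, structural_threshold: int = 3) -> Dict[str, object]:
    """known_miner on a signature hit; suspicious when enough structure lines up; else clean."""
    sig = static_hits(html)
    struct = structural_hits(html)
    if sig:
        verdict = "known_miner"
    elif len(struct) >= structural_threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature": sig, "structural": struct, "verdict": verdict}


# Constructed sample pages.
CLEAN_PAGE = """<html><head>
<script src="https://analytics.example.invalid/tag.js"></script>
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'pageview'});</script>
</head><body><p>Article text</p></body></html>"""

# Verbatim Coinhive embed: the public script plus its documented API call.
COINHIVE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body><p>Article text</p></body></html>"""

# Same idea, self-hosted and renamed: no Coinhive strings, so signatures miss it.
OBFUSCATED_PAGE = """<html><head>
<script src="/static/vendor-7f3a.js"></script>
<script>
  (function(){
    var w = [], n = navigator.hardwareConcurrency || 2;
    for (var i = 0; i < n; i++) w.push(new Worker('/static/w-7f3a.js'));
    var s = new WebSocket('wss://cdn-edge.example.invalid/proxy');
    fetch('/static/cn-7f3a.wasm').then(r => r.arrayBuffer())
      .then(b => WebAssembly.instantiate(b, {}))
      .then(function(m){ w.forEach(function(x){ x.postMessage({job: 'start', throttle: 0.2}); }); });
  })();
</script></head><body><p>Article text</p></body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("coinhive", COINHIVE_PAGE),
                        ("obfuscated", OBFUSCATED_PAGE)):
        print(label, classify(page))
```

The structural verdict is deliberately "suspicious", not "miner": a browser game or a collaborative editor can legitimately use workers, WebAssembly and a WebSocket. That is exactly the gap the post describes between a static filter and a sandbox or behavioral engine, which would confirm by watching CPU use and the traffic the page generates rather than by matching strings.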

In the case of SonicWall Capture ATP, the multi-engine sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint that is not behind this setup (for example, a laptop roaming at an airport or hotel), you need an endpoint security product that includes behavioral detection.

Cryptominers can run inside the browser or be delivered through a fileless attack, so the signature-only antivirus bundled free with a computer, which scans files on disk, is blind to them.

A behavior-based antivirus like SonicWall Capture Client would detect that a process on the system is mining coins and shut it down. An administrator can then quarantine and delete the malware or, if it has damaged system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

To learn more about how you can defend your organization from these threats I recommend reading this white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud.”