Posts

Cyber Security News & Trends

This week, SonicWall partners with Etisalat Digital and appears at GITEX Technology Week 2019. Meanwhile, several governmental level warnings about cyberthreats are issued, and the Magecart group chalks up another successful month.


SonicWall Spotlight

SonicWall, Etisalat Digital Partnership Delivers Network Security in Bundle Offer to SMBs – SonicWall Press Release

  • Etisalat Digital is now offering SonicWall technology in its ‘Business Quick Start’ SMB bundle that provides businesses with telco-grade network security devices and a zero-touch feature, making installation less than one hour. SonicWall and Etisalat celebrated this news with a ceremony at GITEX Tech Week.

SonicWall at GITEX Tech Week 2019 – Tahawultech.com

  • GITEX Technology Week, the biggest tech show in the Middle East, North Africa and South Asia, took place this week at the Dubai World Trade Centre. SonicWall showcased its networking and security solutions including our powerful Capture ATP with RTDMI technology. At the show, SonicWall’s Michael Berg was kept busy with interviews at outlets like Tahawultech and ChatterBoxPRE.

5 Steps to Deploy Fast, Secure WiFi in K-12 Schools – MSSPAlert

  • Schools and school districts connecting to the internet via Wi-Fi is par for the course in 2010; SonicWall’s Srudi Dineshan lists five ways K-12 schools can protect themselves from cyber threats.

Cybersecurity News

In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks – CNN

  • With ransomware increasingly recognized as much more than a niche concern, CNN has created an accessible article with video and text intended to introduce the malware method and execution to a wider audience.

White-Hat Hacks Muhstik Ransomware Gang and Releases Decryption Keys – ZDNet

  • A frustrated hacker, annoyed after being caught by a successful ransomware attack, analyzed the ransomware software and successfully infiltrated the online database connected to the database. As a result, he has now released a free decryption method for anyone else caught by the same ransomware.

Copycat Coders Create ‘Vulnerable’ Apps – BBC News

  • A new study has found that developers who take shortcuts by copying and pasting code are leaving applications with security holes. Code chunks with no purpose have been found to be riddled with obsolete commands that could be taken advantage of by a hacker who recognized the programming.

EU Warns of 5G Cybersecurity Risks, Stops Short of Singling out China – Reuters

  • The European Union had issued a warning about the risk of increased cyberattacks by state-backed entities, especially with the advent of next-gen 5G mobile and Internet of Things objects.

NIST is Hunting for Tech to Secure the Energy Sector’s Network – NextGov

  • With the thoughts of a nationwide cyberattack on the power grid growing in people’s minds, the National Institute of Standards and Technology is seeking input from tech and cyber experts on how to secure the countless internet-connected devices that could be used as a way in to the network.
And Finally:

Magecart Attack on eCommerce Platform Hits Thousands of Online Shops – SecurityWeek

  • Everyone’s least favorite online card skimming group Magecart has continued its hacking spree with another successful campaign on online retailers. In the past month the group has been found to be active on over 3 thousand online stores, including the Sesame Street Live online store.

In Case You Missed It

Cyber Security News & Trends

This week, spyware is found in the Android store, maritime cybersecurity protections are considered, and your gas pump could be the next target for a hacker.


SonicWall Spotlight

The CyberWire Daily Podcast – The CyberWire

  • SonicWall CEO Bill Conner speaks with The CyberWire for their story on the dangers of side-channel malware attacks. He details how previous big side-channel attacks like Spectre and Meltdown worked and explains that it’s only a matter of time before someone else manages to find a way of exploiting similar chipset vulnerabilities in the wild.

Rich, Smart and Sensibly Grown-Up? You’re the Hackers’ Dream – The Telegraph (UK)

  • The Telegraph builds a profile of the standard person who gets hacked and takes a look at the “hacker’s menu” – an itemized list detailing the cost of hacking personal information. To make their case they refer to the SonicWall 2019 Cyber Threat Report Mid-Year Update for information on ransomware.

RB Music Uses Spyware to Steal Sensitive Information From the Infected Device – VARINDIA

  • Following up on the SonicWall Alert detailing spyware in the RB Music player on the Android Store, VARINDIA talks to SonicWall’s Debasish Mukherjee. Mukherjee explains that it is common for malware code to be reused by different developers over time and even when an app appears to be legitimate it may contain dangerous code waiting to be activated.

Cybersecurity News

FBI Cyber Warning: Attacks on Key Employees up 100%, as 281 Are Arrested – Forbes

  • The FBI has warned that Business Email Compromise attacks have doubled between June 2018 and July 2019, even as a worldwide crackdown on the practice led to 281 arrests worldwide. Learn how you can protect yourself from Business Email Compromise with SonicWall’s Email Security Appliances.

Cyber-Security Incident at US Power Grid Entity Linked to Unpatched Firewalls – ZDNet

  • A recently released report has detailed how the “cyber-incident” reported on the US Power Grid in June of this year turned out to be a cyberattack that was able to take place because of unpatched firewalls.

Exploit for Wormable BlueKeep Windows Bug Released Into the WildArs Technica

  • A rough but workable exploit for the Bluekeep vulnerability has been coded and released into the wild. While it is highly unlikely that the exploit will be successful in infecting any users in its current form it serves as a proof-of-concept and could be the first step towards bigger problems in the future.

Swedish GDPR Fine Highlights Legal Challenges in Use of Biometrics – Security Week

  • A school in Sweden has been fined for using biometrics on its students, even though the school had obtained consent from both the students and their parents. A court ruling decided that due to the imbalance of power between students and the school, freely-given consent could not be possible. The case highlights the possibility of future problems in wider biometric implementation if, for example, it is argued that employees cannot consent to employers using biometrics in the workplace for similar reasons.

The State of Maritime Cybersecurity – WorkBoat

  • Maritime magazine WorkBoat interviews the creators of a recent survey on the current state of maritime cybersecurity. They discuss why the survey was created, why many companies are not prepared in the current threat landscape and what needs to be done to prevent another problem like the 2017 ransomware attack on global shipper Maersk.

Think Your iPhone Is Safe From Hackers? That’s What They Want You to Think… – The Guardian

  • The Guardian investigates the world of zero-day exploits that are sold on dark web marketplaces and warn that despite Apple’s iOS having a reputation of being close to unhackable, there are, in fact, vulnerabilities in it that have been exploited for years.
And Finally:

IoT Security: Now Dark Web Hackers Are Targeting Internet-Connected Gas Pumps – ZDNet

  • As hackers turn their sights on Internet of Things devices, and the number of these devices worldwide grow, hackers online have been turning their sights on web-connected Gas Pumps. It’s early days yet but researchers hypothesize that the reasons for this could range from obtaining cheap fuel to something much more explosive…

In Case You Missed It

Ransomware Infects 23 Texas Government Agencies

The Texas Department of Information Resources (DIR) announced that 20-plus state agencies have been infected by ransomware.

In an Aug. 17 update, DIR stated that “the evidence gathered indicates the attacks came from one single threat actor” and “investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.”

“Ransomware is not going to subside anytime soon,” said SonicWall President and CEO Bill Conner. “It’s too easy to demand and receive ransom payment without the risks associated with traditional data exfiltration. Until organizations are serious about ransomware protection, these types of wide-reaching ransomware attacks will, unfortunately, continue.”

According to ZDnet, the “infection is blamed on strain of ransomware known only as the .JSE ransomware.”

Texas is hardly the first state to be the victim of coordinated attacks against municipalities. The last 12 months have seen ransomware attacks bring city services to a halt, including those in Arizona, Florida, Georgia, Indiana, Maryland, Nevada, New York and more.

Ransomware escalates again

Ransomware continues to be one of the most lucrative cyberattack options for criminals. According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — 15% year-to-date increase over 2018.

Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019. As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase.

RaaS is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, criminals subscribe to a service delivery model to reduce CapEx, always have the latest ransomware offerings, gain predictable pricing and receive support. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

Webinar: Prep Your Business to Face 2019’s Most Advanced Cyber Threats

Cyber threat intelligence is a must-have component for any security-conscious organizations. And for those who couldn’t get enough of the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall security experts hosted an exclusive webinar to go inside the exclusive threat data, ask questions about the threat landscape and offer best practices for improving your security posture.

This edition, “Prep Your Business to Face 2019’s Most Advanced Cyber Threats,” was hosted by Brook Chelmo, a charismatic storyteller who will help you make sense of the numbers. Watch the exclusive on-demand webinar to gain a better understanding of what’s at stake. You’ll explore:

About Brook Chelmo

Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware tsar.

Fascinated in the growth of consumer internet, Brook dabbled in grey-hat hacking in the mid to late ‘90s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices, promoting and developing technology.


Ransomware-as-a-Service, Open-Source Malware Fueling Attack Spikes in 2019

Ransomware is too lucrative to fade away. Its brilliance is in its simplicity. And shifting trends make it easier than ever to leverage in cybercriminal activity.

As each passing day presents us with a new ransomware victim, we can clearly see that ransomware is here to stay — and businesses and organizations should invest now to protect their brand, networks, data and customers.

According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — a 15% year-to-date increase over 2018.

The most alarming ransomware data was sourced from the U.K. After enjoying a 59% decline in ransomware in 2018, the region saw ransomware volume jump 195% year-to-date for the first half of the year.

RaaS, open-source malware on the rise

But it’s not just about volume. Globally, cybercriminals continue to pivot toward new tactics. Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019.

Cerber has long been one of the most powerful and damaging ransomware families in use. This is primarily because it is available as a service offering for low monthly prices.

Other ransomware — like HiddenTear and Cryptojoker — are available via open-source kits. This means that criminals with very basic coding skills can grab an open-source malware and customize it to meet their objectives. In many cases, this changes the core of the malware and helps it evade signature-only security controls (e.g., antivirus, unsupported firewalls).

In June 2019 alone, SonicWall Capture Labs threat researchers logged more than 3 million hits by the Cerber.G_5 RaaS signature alone.

FY 2018 1H 2019
Family Volume Type Family Volume Type
Cerber 101.6 Million RaaS Cerber 39.5 Million RaaS
BadRabbit 7.8 Million Custom Gandcrab 4.0 Million RaaS
Dharma 7.3 Million Custom HiddenTear 4.0 Million Open Source
LockyCrypt 6.1 Million Custom CryptoJoker 2.4 Million Open Source
CryptoJoker 5.6 Million Open Source Locky 1.8 Million Custom
Locky 2.4 Million Custom Dharma 1.5 Million Custom
Petya 1.9 Million Custom

As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

What is ransomware as a service (RaaS)?

Ransomware as a service, or RaaS, is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, you subscribe to a service delivery model to reduce CapEx, always have the latest offerings, gain predictable pricing and receive support.

Legitimate or note not, business models always have to tackle the method of distribution. Will they sell directly to end users, through a channel of distributors or a mix of both?

The same holds true with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution — all the while collecting a cut of the prize.

BleepingComputer offered an informative breakdown on how a typical payment model would work.

“Unlike most ransomware-as-a-service offerings, in order to become an affiliate a would-be criminal has to pay to join a particular membership package,” BleepingComputer wrote. “These packages range from $90 USD, where the affiliate earns 85% of the ransom payments, to $300 and $600 packages where the affiliates keep all of the revenue and gets extra perks such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options.”

Cyber Security News & Trends

This week, SonicWall is featured on Reuters TV, federal cybersecurity is found to be seriously out of date, and a young hacker is taking down Internet of Things botnets by bricking as many IoT objects as he can.


SonicWall Spotlight

To Pay or Not To Pay: U.S. Cities With Ransomware – Reuters

  • SonicWall’s Dmitriy Ayrapetov is featured demonstrating a ransomware attack in this Reuters video segment investigating the current increase in ransomware attacks on US cities.

HiddenTear Ransomware Variant Encrypts and Gives Files .Poop Extension – SonicAlert

  • The SonicWall Capture Labs Threat Research Team came across some childish ransomware which, after replacing your files with a “.poop” extension, updates your background with a poop emoji. It is, however, real ransomware and should be treated as such; SonicWall protects you from it.

Cyber Security News

U.S. Carried Out Cyberattacks on Iran – New York Times

  • Multiple news outlets report that the United States Cyber Command conducted online attacks against an Iranian intelligence group after physical strikes were called off. Full details on what was attacked are not known and US Cyber Command have not released any information.

Federal Cybersecurity Defenses Are Critical Failures, Senate Report Warns – CNBC

  • After a 10-month review of federal agencies, a damning 99-page report on federal cybersecurity has been released. Details include failures to apply mandatory security patches, ignoring well-known threats and weaknesses for a decade or more, and outdated systems with at least one case of a 50-year-old system still in use in 2019.

NASA Hacked Because of Unauthorized Raspberry Pi Connected to Its Network – ZDNet

  • NASA confirmed that in April 2018 a hacker breached their security using a Raspbery Pi device and accessed around 500 megabytes of data, including information on the ongoing Mars Curiosity Rover mission. The full investigation into what happened is still ongoing.

The Hotel Hackers Are Hiding in the Remote Control Curtains – Bloomberg

  • Bloomberg hitch a ride with some IT consultants who are investigating the rise of cyberattacks on hotels – seen by the hacking community to be both lacking in basic cybersecurity and as a massive database of personal information.

Hackers Strike Another Small Florida City, Demanding Hefty Ransom – Wall Street Journal

  • Lake City officials in Florida agreed to pay 42 bitcoins, around $500,000, in a ransom less than a week after another Florida City, Riviera Beach, paid a similar amount to retrieve their data.

A Firefox Update Fixes yet Another Zero-Day Vulnerability – Engadget

  • Mozilla patched two zero-day vulnerabilities over the past week, with the second coming only 48 hours after the first. Both zero-days used the same attack and they appeared to be targeting Coinbase employees directly.

Riltok Banking Trojan Begins Targeting Europe – SC Magazine

  • The Riltok banking trojan, originally intended to target Russians, has been modified to target the European market. It is spread via a link in a text message that, if clicked, directs the user to a website that prompts them to install a fake update of advertising software.

And finally:

Thousands of IoT Devices Bricked By Silex Malware – Threat Post

  • A 14-year-old hacker has been spreading anti-Internet of Things malware because he wants to stop other hackers using the devices for botnets. At the time of writing at least 4,000 devices have been bricked by his malware.

In Case You Missed It

Cyber Security News & Trends

This week, there’s a new cybersecurity power couple as SonicWall and ADT announce a strategic partnership to protect SMBs, U.S. cities face a ransomware pandemic and the ‘invisible web’ is growing rapidly.


SonicWall Spotlight

ADT Selects SonicWall as Exclusive Provider of Managed Cybersecurity Service Offerings for SMBs – SonicWall

  • SonicWall and ADT announce a strategic partnership that provides an exclusive cybersecurity offering to better protect small- and medium-sized businesses (SMB) from the growing volume of cyberattacks.

ADT Teams Up with SonicWall for SMB Security Services – Dark Reading

  • SonicWall CEO Bill Conner explains why SonicWall was the logical choice for a new cybersecurity offering from ADT, a company best known or delivering physical security monitoring. The connection between the two companies dates back to ADT’s acquisition of Secure Designs, Inc (SDI), formerly an MSSP selling SonicWall SMB security products.

Cyber Security News

Hackers Won’t Let Up in Their Attack on U.S. Cities – The Wall Street Journal

  • As Baltimore is still recovering a month after a devastating ransomware attack crippled the city’s infrastructure, the FBI is warning that this is not an isolated incident, calling the growing levels of ransomware attacks a “pandemic in the United States”.

Cyber-Thieves Turn to ‘Invisible Net’ to Set Up Attacks – BBC News

  • Gated chat forums, invitation-only communities and encrypted apps are the new communication channels of choice for cybercriminals to evade law enforcement agencies.

Hackers Steal $9.5 Million from GateHub Cryptocurrency Wallets – ZD Net

  • GateHub has released a preliminary statement confirming a security breach that has resulted in nearly $9.5 million stolen from the users of their cryptocurrency wallet service.

Hacking Diabetes: People Break into Insulin Pumps as an Alternative to Delayed Innovations – USA Today

  • Diabetes patients are jailbreaking their own insulin pumps, using instructions found online, in order to give their pumps the ability to self-adjust and remove the need for constant blood sugar monitoring.

LabCorp Data Breach Exposes Information of 7.7 Million Consumers – USA Today

  • A day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised.

Hackers Can Now Bypass Two-Factor Authentication With a New Kind of Phishing Scam – Fortune

  • Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

Baltimore Ransomware Attack: NSA Faces Questions – BBC

  • After a ransomware attack currently estimated to cost at least $18M Baltimore officials are questioning why the hacking vulnerability known as EternalBlue was not disclosed when discovered by the NSA years ago. The NSA are declining to comment on the issue.

New Zealand Budget Leak: ‘Hackers’ Had Simply Searched Treasury Website – The Guardian

  • After the embargoed New Zealand budget was leaked to the opposition National Party days before it was due to be released, officials were quick to call it a hack. However, it has now been found that the documents were searchable on the New Zealand treasury website.

HawkEye Malware Campaign Upticks on Business Users – SC Magazine

  • Hawkeye, a keylogger than has been around for six years, has seen a major increase in a campaign targeting business users worldwide.

Startups: Embrace Cybersecurity Priorities From Day One – Forbes

  • Forbes argues that cybersecurity in startups should not be considered an add-on or a luxury product and provide four cybersecurity priorities that a startup needs to think about from day one.

Emotet Made up 61% of Malicious Payloads in Q1 – Dark Reading

  • A new study has found that 61% of all malware payloads in the first quarter of 2019 contained the Emotet botnet.

Security Expert: Here’s How Driverless Cars Could Be Hacked – Yahoo! Finance

  • As cars modernize and driverless cars are becoming a reality it is fair to say that they are becoming more and more like a series of interconnected computers. Yahoo! Finance looks at where the security weakpoint in these computers might be found, how it could be targeted by hackers, and how the car industry is struggling to keep up with security requirements.

Nation-State Security: Private Sector Necessity – SecurityWeek

  • Attackers with the funding and technical support of nation-states are now targeting commercial entities and the obvious split between commercial and political cyberattacks is disappearing. SecurityWeek examine the current threat landscape, including the increasing number of organizations embracing “Zero Trust” security models where all environments are considered untrusted until proven otherwise. They then offer some advice on how to ensure your organization is ready for cyberattacks.

Microsoft Issues Second Warning About Patching BlueKeep as PoC Code Goes Public – ZDNet

  • Microsoft again warned users to ensure their patches are up to date to protect against the Bluekeep vulnerability – described as similar to the EternalBlue exploit – after a proof-of-concept attack appeared online. SonicWall provides protection against this threat.

In Case You Missed It

Cyber Security News & Trends

This week, Baltimore battles ransomware, IoT attacks are increasing, and the potential vulnerabilities in a driverless car are investigated.


SonicWall Spotlight

5 Steps to Robust Network Security – Business World (India)

  • IT security teams around the world are dealing with an ever-increasing level of complexity in the threat landscape. SonicWall’s Debasish Mukherjee argues that the best way to overcome these challenges is with a comprehensive approach to cybersecurity, he then recommends five steps to take in order to get there.

How to Mitigate the IoT Attacks That Are Increasing at 217.5% – IoT Agenda

  • Internet of Things (IoT) devices are expected to increase in number to 75.44 billion worldwide by 2025. Using the 2019 SonicWall Cyber Threat Report IoT Agenda explains why preventative measures need to be developed sooner rather than later.

Cyber Security News

Baltimore Ransomware Attack: NSA Faces Questions – BBC

  • After a ransomware attack currently estimated to cost at least $18M Baltimore officials are questioning why the hacking vulnerability known as EternalBlue was not disclosed when discovered by the NSA years ago. The NSA are declining to comment on the issue.

New Zealand Budget Leak: ‘Hackers’ Had Simply Searched Treasury Website – The Guardian

  • After the embargoed New Zealand budget was leaked to the opposition National Party days before it was due to be released, officials were quick to call it a hack. However, it has now been found that the documents were searchable on the New Zealand treasury website.

HawkEye Malware Campaign Upticks on Business Users – SC Magazine

  • Hawkeye, a keylogger than has been around for six years, has seen a major increase in a campaign targeting business users worldwide.

Startups: Embrace Cybersecurity Priorities From Day One – Forbes

  • Forbes argues that cybersecurity in startups should not be considered an add-on or a luxury product and provide four cybersecurity priorities that a startup needs to think about from day one.

Emotet Made up 61% of Malicious Payloads in Q1 – Dark Reading

  • A new study has found that 61% of all malware payloads in the first quarter of 2019 contained the Emotet botnet.

Security Expert: Here’s How Driverless Cars Could Be Hacked – Yahoo! Finance

  • As cars modernize and driverless cars are becoming a reality it is fair to say that they are becoming more and more like a series of interconnected computers. Yahoo! Finance looks at where the security weakpoint in these computers might be found, how it could be targeted by hackers, and how the car industry is struggling to keep up with security requirements.

Nation-State Security: Private Sector Necessity – SecurityWeek

  • Attackers with the funding and technical support of nation-states are now targeting commercial entities and the obvious split between commercial and political cyberattacks is disappearing. SecurityWeek examine the current threat landscape, including the increasing number of organizations embracing “Zero Trust” security models where all environments are considered untrusted until proven otherwise. They then offer some advice on how to ensure your organization is ready for cyberattacks.

Microsoft Issues Second Warning About Patching BlueKeep as PoC Code Goes Public – ZDNet

  • Microsoft again warned users to ensure their patches are up to date to protect against the Bluekeep vulnerability – described as similar to the EternalBlue exploit – after a proof-of-concept attack appeared online. SonicWall provides protection against this threat.

In Case You Missed It

Cryptojacking Apocalypse: Defeating the Four Horsemen of Cryptomining

Despite price fluctuations of bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

And the most covert of these threats is cryptomining via the browser, where popular forms of malware attempt to turn your device into a full-time cryptocurrency mining bot called a cryptojacker.

To help you creatively understand this trend, let me summon my classical training and be a little hyperbolic. If you see the cryptojacking wave as an apocalypse like some of their victims do, the Four Horsemen would be the four threats to your endpoint or business:

  • The White Horse: The energy it consumes or wastes
  • The Red Horse: The loss to productivity due to limited resources
  • The Black Horse: The damage it can do to a system
  • The Pale Horse: Security implications due to created vulnerabilities

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background (although your CPU performance graph or device’s fan may indicate something is not normal).

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking is being used to solve that challenge.

In April 2018, SonicWall started tracking cryptojacking trends, namely the use of Coinhive in malware. Over the course of the year, we saw cryptojacking ebb and flow. In that time, SonicWall recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. As published in the 2019 SonicWall Cyber Threat Report, volume dipped across the final quarter of 2018.

Global Cryptojacking Attacks | April-September 2018

The lure of cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60% of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

Am I infected by cryptominers?

Cryptominers are interested in your processing power and cryptojackers have to trade stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to defend against cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching cryptojackers like Coinhive was also a simple first step. But in February 2019, Coinhive publicly announced it was ceasing operations March 8. The service stated that it wasn’t “economically viable anymore” and that the “crash” impacted the business severely.

Despite this news, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques to fill the void. Cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the valuable lifespan of a successful attack.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

On-Demand Webinar: The State of the Cyber Arms Race

There are two kinds of cybersecurity enthusiasts in this world.

Person 1: I anxiously set my alarm to be the first one to download the new 2019 SonicWall Cyber Threat Report. I await its glorious arrival every spring and have already read it cover-to-cover 34 times. What else can I learn?

Person 2: I, too, value the actionable cyberattack intelligence and research from SonicWall Capture Labs threat researchers. I downloaded it (hopefully), but just haven’t had a chance to absorb all it has to offer. I need more.

SonicWall obviously supports both approaches, but we know different types of people digest content in different ways.

For this reason, we hosted an exclusive webinar that explored the key findings, discussed intricacies of the data, provided updates and answered many questions.

Watch the on-demand replay to learn about the findings, intelligence, analysis and research from the 2019 SonicWall Cyber Threat Report.

The exclusive session, The State of Cyber Arms Race: Unmasking the Threats Coming in 2019,” will help you improve your security preparations and posture through 2019 and beyond. Pro tip: Download the full report now so you’re primed for the webinar.

Hosted by SonicWall’s John Gordineer, the convenient 60-minute webinar explored the complete report, which covers key trends and findings from 2018, such as:

  • Global Malware Volume
  • UK, India Harden Against Ransomware
  • Dangerous Memory Threats & Side-Channel Attacks
  • Malicious PDF & Office Files Beating Legacy Security Controls
  • Attacks Against Non-Standard Ports
  • IoT Attacks Escalating
  • Encrypted Attacks Growing Steady
  • Rise & Fall of Cryptojacking
  • Global Phishing Volume Down, Attacks More Targeted

About the Presenter

John Gordineer
Director, Product Marketing

John is responsible for technical messaging, positioning and evangelization of SonicWall network security, email security, and secure remote access solutions to customers, partners, the press and industry analysts. John has more than 20 years of experience in product marketing, product management, product development and manufacturing engineering. He earned a bachelor’s degree in Industrial Engineering from Montana State University.