Every day, your web servers are increasingly being scanned—and likely attacked—by adversaries attempting to gain access to your infrastructure. Between 2015 and 2017, our data partner, Loryka, observed these types of scans grow from 200 per minute to as much as 2,000 per minute. These kinds of attackers are professionals; they do this for a living. Their goal is to make a profit in any way possible, usually by stealing data—credit card information, social security numbers, confidential business documents, user login credentials, to name a few—that they can sell on one or more Darknet trading markets. In other cases, attackers are paid by a third party to inflict damage to your website or disrupt service. Either way, the majority of exploitative attacks are designed to produce revenue for attackers.
The popularity of cryptocurrency mining gives attackers a new reason to target and exploit your applications and the platforms that support them. They’ve ramped up their attacks against web servers and applications across the Internet, exploiting both new and old remote code execution vulnerabilities. The intent is to compromise servers and then install software designed to perform cryptocurrency mining on behalf of the attackers. This practice of taking over servers, enslaving system resources, and forcing them to mine for the attackers is known as cryptojacking, and it can be very profitable, given enough compute resources.
In late 2017, F5 threat researchers discovered Zealot, a Monero crypto miner that installed itself on vulnerable Apache Struts servers by making use of NSA-attributed EternalBlue and EternalSynergy exploits. Shortly thereafter, F5 threat researchers also discovered a Linux-based variant called PyCryptoMiner that spreads via the SSH protocol. Another variant called RubyMiner recently ran rampant on the Internet. In a 24-hour period, attackers reportedly attempted to compromise 30 percent of networks worldwide looking for vulnerable web servers and applications to recruit into their mining pools. To date, one of the most profitable cryptojacking botnets is Smominru, which has reportedly made its attackers $2.3 million.
When people think of cryptocurrency, they immediately think of Bitcoin, as this was the first and is still the most popular. However, Bitcoin mining has become so challenging because of the sheer number of resources being used to mine it that is it is no longer profitable to mine with standard components in servers and desktop computers. Today, it requires the use of graphic cards or, ideally, application-specific integrated circuit (ASIC) chips. This is why many attackers are now mining newer, alternative cryptocurrencies. An example is Monero, which can be successfully mined with any CPU—it doesn’t require ASICs.
Since attackers are not paying for their own resources and electricity, cryptojacking is one hundred percent profitable for them. The more resources they can force to mine in their pools, the more money they generate. Even weak processors can be woven into mining pools to share their processing power. IoT devices are a ripe target because they are always on and are typically unmanaged systems, so the likelihood of these devices being discovered and then remediated is low.
Another risk is that attackers might modify a web application by injecting JavaScript miners, like Coinhive or another web-miner, into visitors’ browsers. The attackers are then able to leverage the compute resources of all website visitors for their own benefit. Within the last week, there has been an aggressive text message-based campaign attempting to rope smartphones into crypto mining operations by luring users to click on a link that promises them free Bitcoins.
As data theft becomes less profitable for attackers (credit card data has recently sold on the black market for as little as $0.0003 per record), cryptocurrencies become a more attractive target for cyber-criminals. And that makes every application a potential target. The Internet is a great equalizer in that no application, no matter where it might be located, is immune. Attackers don’t discriminate by industry, either. Whether you’re a manufacturer in the American Midwest or a large financial services organization on the east or west coast, you’re not safe from these attacks.
The best way to protect your environment from cryptojacking is by placing a web application firewall in front of all your applications. Then, look for the classic symptom of poor performance and dig in deeper from there.
Since cryptocurrencies are such a hot topic right now, threat intelligence teams around the world are actively looking for cryptocurrency mining bots and publishing everything they find, typically including Indicators of Compromise (IOCs). Security teams should be looking for those publications and making sure their networks are not communicating with any of the cryptocurrency mining command and control servers published in the IOCs.
