Crypto botnet

A new cyberthreat is spreading through business networks, and it is stealthy enough that you may not notice it is happening. Crypto-mining malware steals computing power to create new cryptocurrency for the attacker, and new infections are on the rise.

Crypto-jacking malware has turned up on PCs and servers inside business networks, on websites, and on Internet of Things devices. It is designed to take control of some or all of a machine's central processing unit, the component that does the actual computing, and put those stolen cycles to work on one task: mining cryptocurrency units that are paid out to a wallet the criminals control.

With the value of many cryptocurrencies rising, crypto-jacking gives criminals a fresh, low-effort path to a payday: no ransom note to write and no victim to persuade, just CPU time quietly converted into coins. That is inspiring new tactics and techniques.

Here are seven ways hackers are going for the digital gold:

1. Botnets. When they are not busy blasting out email spam or spreading malware, classic botnets like Necurs are being put to crypto-mining chores, according to messaging security vendor Proofpoint. Meanwhile, the Satori botnet, made up of compromised Internet of Things devices, has taken a different route: according to researchers at China-based Qihoo 360 Netlab, one variant scans for mining rigs whose Claymore miner management interface is exposed to the internet and rewrites the rig's configured wallet address, so the coins it mines from then on go to the attacker instead of the rig's owner.

2. NSA cyberweapons. Remember the stolen NSA exploit code-named EternalBlue? It attacks a flaw in Microsoft's SMBv1 file-sharing protocol (patched as MS17-010) and was used to spread the WannaCry ransomware worm. Trend Micro has been tracking one hacking group that uses EternalBlue to get deep inside business networks and deliver crypto-mining malware. Once inside, the attackers abuse Windows Management Instrumentation (WMI), a standard Windows administration component, to run and persist a fileless form of the mining code that is hard to spot and hard to remove. Applying MS17-010 and disabling SMBv1 closes the entry point.

Meanwhile, web application security vendor Imperva has been tracking another group whose attack, dubbed RedisWannaMine, also leans on EternalBlue. It is a self-spreading worm: it scans for exposed Redis database servers and for Windows servers still unpatched against MS17-010, breaks in, and turns them into crypto miners.

3. Cloud services. Like thousands of other companies, car maker Tesla relies heavily on Amazon Web Services (AWS) to run major elements of its business in the cloud. In doing so, Tesla left an administrative console for Kubernetes, the open-source container orchestration platform it and many other companies use, reachable from the internet without a password. Cloud security firm RedLock reports that attackers used that console to run crypto-mining software inside Tesla's Kubernetes environment, mining Monero on the car maker's AWS compute, and also found AWS credentials stored in the console that gave access to Tesla data held in S3. The lesson is less about Kubernetes than about exposed management interfaces: any orchestration or cloud console reachable from the internet needs authentication and network restrictions.

4. Critical infrastructure. Crypto jackers are taking aim at industrial control systems, too. Darktrace, a supplier of A.I.-based security systems, has identified more than 20 cryptocurrency miner attacks over the past six months among its customers in the energy and utilities sectors. And Kaspersky Lab reports that, from February 2017 to February 2018, miners attacked 3.3 percent of the computers it protects that are part of industrial automation systems. One recent example: Researchers at industrial controls security firm CyberX used the Shodan search engine to locate a European wastewater facility infected with cryptocurrency mining malware.

5. Government websites. Thousands of government, health, and education organizations in the U.S., the U.K., and Australia embed software called Browsealoud, a text-to-speech accessibility tool for people with dyslexia and other reading difficulties, by loading a JavaScript file from its vendor, Texthelp. Hackers gained access to that file on Texthelp's servers and injected code that turned the browser of every visitor to any page loading the script into a Monero miner; the websites' own servers were never infected. Because one script was shared by so many sites, a single modification hit 4,275 websites, including Britain's Information Commissioner's Office, U.S. courts, and numerous academic sites. It is a textbook third-party supply-chain compromise, and the embedding sites could have blunted it by pinning the script's hash with Subresource Integrity so that browsers refuse an altered copy.

6. Website servers. Hackers have also discovered that ordinary websites make good coin miners once a mining script is injected into their pages: every visitor's browser does the work for as long as the page stays open, and the site owner pays nothing but reputation. The number of websites found running such scripts surged 725 percent between September 2017 and January 2018. Security vendor Cyren monitored 500,000 websites in that period and found 7,281 running coin mining scripts.

7. Google Chrome extensions. Nearly 90 malicious Google Chrome browser extensions designed to inject crypto-mining code into the pages a user visits and to record browsing activity were recently discovered in the official Chrome Web Store. More than 400,000 users had installed them before they were removed.

Sophisticated crypto-mining malware is on the rise. CPU diverted to coin mining is CPU unavailable for business operations, and it carries real costs: higher power bills, cloud compute charges billed to the victim, shortened hardware life, and degraded service. If you doubt the direction of this trend, consider that many experts believe crypto-jacking may pop the ransomware bubble this year.

“Why make the effort of getting a human being to pay a ransom when you can use their resources to generate your own?” observes Tim Erlin, vice president of strategy at Tripwire, a supplier of compliance auditing systems.

Smart organizations will get ahead of this by doing what all companies should be doing anyway. Identify your mission-critical systems and data. Defend them and monitor them; sustained unexplained CPU load, unfamiliar processes, and outbound connections to mining pools are the tell-tale signs of a miner. Patch internet-facing and internal systems promptly, and keep management consoles off the public internet. Train your employees. Establish and promote a cyber-hygienic culture. Criminals are evolving. So should you.