As cryptocurrency values tank, threat actors take cryptomining malware to the bank

News by Davey Winder

Despite the plunging value of cryptocurrencies, cyber-criminals are still distributing cryptomining malware and many analysts expect the problem to only worsen in 2019.

Bitcoin traders have made, and lost, fortunes – and most of those losses have been during the past year. In December 2017 a bitcoin was worth $20,000 (£15,750) yet today sits at just $3,850 (£3,030). So, does this mean that the cryptomining malware boom is over?

The latest research from eSentire would seem to suggest not: infections such as CoinMiner and Coinhive contributed to an increase in coin mining malware infections of some 1,500 percent compared to last year.

McAfee has also seen increases, as revealed in its December 2018 Threat Report (pdf) which found that new coin mining malware has grown by nearly 55 percent in this quarter alone.

Interestingly, it's not just the more traditional infection vector of servers and browser clients that have grabbed the cryptomining threat actors’ attention. While IoT devices might not seem an obvious choice for CPU-intensive threats such as cryptomining, McAfee points to the "growing volume and lax security of many IoT devices" as reason enough for this particular crime sector to start roping them in by the thousand in order to "create a mining supercomputer."

Meanwhile, Cisco Talos researchers have been investigating enterprise-focused cryptocurrency mining campaigns across the year and have concluded that campaigns thought to be attributed to lone shark actors were actually carried out by specific criminal groups that "have netted hundreds of thousands of US dollars combined".

These groups include Rocke, which targets Apache Struts2, Jenkins and JBoss servers, as well as the 8220 Mining Group targeting Drupal, Hadoop YARN and Apache Struts2. Then there's the Tor2Mine group which Cisco Talos says provides anonymous communication and control services in cryptomining campaigns.

Check Point’s Global Threat Index for November 2018 revealed that Coinhive alone managed to impact 24 percent of organisations worldwide, while cryptomining malware in general had an overall global impact of 38 percent, over the previous twelve months.

"Because crypto-miners are designed to be stealthy, it’s possible for them to go completely under the radar," says Check Point’s director of threat intelligence and research, Maya Horowitz. "I don’t see this threat going away anytime soon: if it ain’t broke, don’t fix it, and for the moment it’s definitely working for the threat actors."

SC Media UK sought to garner opinion from the infosecurity industry as to whether it agreed and how the cryptomining threatscape might change in the year to come. Opinions were divided.

There were those, like Dr Klaus Gheri, VP of network security at Barracuda Networks, who don't see much changing. "Despite money still being made through stealing someone else’s computer resources, the bitcoin bubble is not as hyped anymore as it was earlier in 2018," Dr Gheir reckons, but he adds, "I don’t expect the threat landscape to change very much in 2019."

Some, like Alex Hinchliffe, threat intelligence analyst with Unit 42 at Palo Alto Networks, think the trend will likely be a declining one. "Our own research found that a smaller percentage of organisations were experiencing cryptojacking in their business environments in December (11 percent) than in May (25 percent)," Hinchliffe says. "It appears that the diminishing value of cryptocurrencies, along with better detection capabilities, is helping decrease cryptojacking attacks but it will still be a key concern for businesses as we go into 2019."

The majority, however, tended to think that not only will the threat remain across 2019 but could get worse. Danny Pickens, director of the threat research team at Fidelis Cybersecurity, told SC Media UK that "we will see a clear uptick of cryptomining in 2019 coinciding with a continued decline of ransomware, as it is a method which is much easier to introduce to a victim’s environment, and much less costly to manage."

Ed Williams, EMEA director of SpiderLabs at Trustwave, reckons that "without doubt the crypto malware landscape will broaden in both scope and sophistication" as "threat actors are always looking for new ways to monetise their crypto malware and this, in my opinion, will see an increase in 2019."

Steve Giguere, global solution architect at Synopsys, argues that "the economy of scaling crypto-mining malware across the enterprise is still serving as a carrot for Dark Web discussions on the subject".

Giguere expects attackers to innovate, not only taking advantage of misconfiguration in cloud services and traditional phishing threats "but also the growing number of vulnerable IoT devices" as mentioned earlier.

So, how can the enterprise best mitigate against the cryptomining threat? According to Danny Pickens, director of the threat research team at Fidelis Cybersecurity, a proactive 'threat hunting' strategy is key.

"It’s an approach that is being adopted by larger, more mature organisations and the right tools and the right data is needed to make it possible," he told SC Media UK. "To effectively hunt for cryptomining threats, an organisation needs granular visibility of metadata, not just logs, across their endpoints, network and cloud environments and have this information available for retroactive analysis."

Bromium co-founder and president Ian Pratt warns that it is unacceptable to put the onus of security on employees, because it isn’t their job to be the last line of defence. "Organisations must adopt layered cyber-security defences that can isolate cryptomining malware, ensuring it can’t spread through the enterprise, and making its presence on the machine easier to detect," he says.

And he adds, "This approach doesn’t impede employees and allows them to get on with their job, without the spectre of cryptojacking hanging over them..."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike