Protecting against crypto-mining deserialisation attacks
Financially motivated cyber-criminals are constantly evolving their attack techniques in a bid to make more money. They are always on the lookout for new vulnerabilities to take advantage of and never seem to run out of tricks to get people to hand over their confidential information.

One of the latest trends to hit the hacking landscape is the technique of illegally mining for cryptocurrency. Mining for cryptocurrency is a computationally intensive process that requires powerful hardware and processing resources and incurs very expensive electricity costs. As a result, only people with specialised machinery can cost-effectively mine for cryptocurrency. However, not wanting to miss out, the cyber-crime industry has taken a different approach where they can still reap the financial benefits digital currency has to offer, without incurring the hefty expenses or having to purchase the costly machinery. 

Cyber-criminals take control of other people's machines and use their computational resources to illegally mine for cryptocurrency. 

To carry out the attack, hackers first look for a vulnerability on the target machine. Once a vulnerability is found, they install a piece of malware on the computer which makes it part of a botnet and allows the attacker to use its processing power to mine for cryptocurrency. 

One of the vulnerabilities that hackers have recently taken advantage of is insecure deserialisation. While insecure deserialisation is not the only method hackers use to install crypto mining malware, its use has significantly increased.

What is insecure deserialisation?

In the last three months, security researchers from Imperva have discovered that the number of deserialisation attacks has grown by 300 percent. Hackers have been taking advantage of insecure deserialisation vulnerabilities with the intent of installing crypto-mining malware on vulnerable web servers. This has turned deserialisation attacks into a serious security risk for web applications, and they have been added to the OWASP Top 10 security risks of 2017, where they came in at eighth place. 

The process of serialisation converts a “live” object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialisation converts the format back into a “live” object. The purpose of serialisation is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created. 

There are many types of serialisation available, depending on the object which is being serialised and on its purpose. Almost all modern programming languages support serialisation. For example, in Java an object is converted into a compact byte-stream representation, and the byte stream can then be converted back into a copy of that object.

Web applications serialise and deserialise data on a regular basis. The trouble begins when attackers tamper with this process and inject malicious content into the serialised data while it is in transit. 

In an insecure deserialisation attack, the web application cannot tell that the serialised data or objects are malicious and were supplied by an attacker, so it deserialises them anyway. The data may even arrive through a channel the application did not expect. Once it has been deserialised into the computer's memory, the attacker can use the resulting object as an entry point to carry out further attacks, for instance illegal crypto-mining. 
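The core defence against this class of attack is to refuse to instantiate any class the application does not expect before the bytes ever become a "live" object. The following is an added example written for this article, not code from the author or from Imperva. It is plain Java 9+ using the standard ObjectInputFilter API; the DeserialisationFilterDemo class, the hypothetical Greeting type and the sample inputs are all constructed for illustration. It shows the unfiltered readObject() pattern beside a hardened version that applies a class allow-list and resource limits, and then demonstrates that an unexpected (here harmless) type in the stream is rejected before it exists in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class DeserialisationFilterDemo {

    // Hypothetical application type: the only object this endpoint should ever receive.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Greeting(String name) { this.name = name; }
    }

    // Classes the endpoint is allowed to instantiate from an incoming stream.
    static final Set<String> ALLOWED = Set.of(Greeting.class.getName(), String.class.getName());

    // Serialise an object to bytes, as a client, cache or message queue would.
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // INSECURE pattern: the incoming bytes decide which classes get instantiated.
    static Object deserialiseUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: an ObjectInputFilter vets every class and enforces
    // resource limits before any object is constructed.
    static Object deserialiseWithAllowList(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            // Cheap limits against deeply nested or oversized streams.
            if (info.depth() > 5 || info.references() > 50 || info.streamBytes() > 4096) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // limit-only callback, no class involved
            }
            while (c.isArray()) {
                c = c.getComponentType(); // judge arrays by their element type
            }
            if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED; // anything else is never instantiated
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the type the endpoint expects is accepted.
        Greeting g = (Greeting) deserialiseWithAllowList(serialise(new Greeting("alice")));
        System.out.println("accepted: " + g.name);

        // Constructed sample: a harmless but unexpected type. The allow-list rejects it
        // before the object exists in memory, which is the whole point of the defence.
        byte[] unexpected = serialise(new ArrayList<>(List.of("x")));
        try {
            deserialiseWithAllowList(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide through the jdk.serialFilter system property, which is useful as a stop-gap for third-party code that calls readObject() on untrusted input and cannot be changed quickly. A rejected class surfaces as an InvalidClassException, so logging those exceptions at the endpoint gives a simple detection signal for attempted deserialisation attacks.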

Protecting against insecure deserialisation attacks

Given the many insecure deserialisation vulnerabilities discovered recently, and the category's appearance in the updated OWASP Top 10 security risks, it is likely that new, similar vulnerabilities will continue to surface in 2018. 

As a result, organisations should be vigilant against these attacks and ensure all their web applications are up to date with the latest patches. Organisations should also consider virtual patching as an alternative to manual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles. Virtual patching can also significantly reduce organisational risk and brings the added benefit of minimal impact on staff resources, as patches are applied automatically. 

Contributed by Nadav Avital, security researcher at Imperva 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.