Intelligent CIO Europe Issue 08 | Page 99

without the user even being aware that they are being exploited. Even better for the attacker, this technique can also operate in web browsers through cryptojacking: JavaScript-based miners run on site visitors' machines, so the attacker doesn't even need to infect a user's machine directly; they earn a profit every time someone visits the infected website.

Understanding the 'crypto mind'

Roughly every 10 minutes, an amount of 12.5 bitcoin (~US$120,000) is mined and added to the blockchain ledger, credited to the winning miner's wallet. This shapes the economy behind the mining attack. The miner that claims this reward is the one that produces the proof of work showing it solved the current block; this is then broadcast to all fellow miners, who continue with mining the next block.

The cost of electricity sets the cost of normal cryptomining operations, and of course this changes when mining malware is used, as the attacker doesn't pay the electricity bill. For these malicious actors the costs are different: they are set by the price of obtaining an infected machine, divided by the number of CPU cycles that can be performed on it before the infection is removed.

The current evolutionary stage of mining malware is quick, dirty and very noisy. Each infection communicates rapidly with its command and control (CNC) server, as it needs to be updated with the current block calculations it must make. This was also the case with the first wave of ransomware attacks, where a CNC connection was needed to create keys and each attack was individual. Ransomware quickly adapted to be more successful and bypass this limitation. The first evolution was that ransomware came with a pre-infection encryption key, so there was no longer any need for live communication with a command and control centre. The next wave was the SamSam campaign type (which recently caused major problems in Atlanta, Georgia).

SamSam operators first infected a bridgehead in an organisation and then moved laterally inside the network, shutting it down once they had compromised enough machines. Extortion of this type is much more destructive and more likely to result in a ransom being paid, and similar tactics will be adopted by developers of cryptominers.

The future of mining malware

As bitcoin becomes a mainstream payment technology, there will be more roadmap items in development for blockchain technology. Vitalik Buterin, the name behind Ethereum, ignites ideas about his decentralised app platform to allow different use cases for apps over blockchain. Vitalik also refers to BitTorrent as the first decentralised application. Similarly to BitTorrent, a current project named Sia develops a decentralised storage platform and creates a cloud data storage marketplace using the Siacoin blockchain. This will allow attackers to monetise not just CPU usage to mine cryptocurrency, but also idle storage on the attacked servers, or even worse, to overwrite existing data with Sia storage.

The Golem project 'creates a decentralised sharing economy of computing power and supplies software developers with a flexible, reliable and cheap source of computing power', according to the project site. This aim will allow the sharing of infected machines' computing power to monetise not by mining a cryptocoin directly, but rather by selling resources that enable others to mine currency.

Another 'innovation' from criminals has already been witnessed in the wild, where instead of mining cryptocurrency, cybercriminals are breaking into wallets.

In his talks at DEF CON, Ryan Castellucci mentions a test he did baiting attackers by transmitting small bitcoin transactions to weak 'brainwallet' keys. These keys are derived from a passphrase that a human can remember, but they are much less secure against brute-force attacks or guessing of the passphrase. Castellucci reports that such transactions were hijacked instantly when random five-character passphrases were used. Such efforts by cybercriminals can lead to massive botnets moving into the field of key-breaking, utilising mass computing resources to steal funds directly from the wallets of those who have already mined or bought them, instead of going to the trouble of mining the currency themselves. It seems digital wallets are just as vulnerable as their physical equivalents.

In conclusion, cybercriminals have yet again been quick to innovate in their use of emerging technologies. We expect this wave of mining malware to keep growing and to be a major source of innovation and revenue for attackers in the coming years, and a growing problem that the security industry needs to address.
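To make the brainwallet weakness concrete, the following added example (not from the article or from Castellucci's talk) shows the classic brainwallet derivation, a private key that is simply SHA-256 of a passphrase, next to a hardened key drawn from the operating system's CSPRNG, and estimates how small the search space of a random five-character passphrase is compared with a 256-bit key. The hash rate and time budget used in the weakness check are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# secp256k1 group order: a valid Bitcoin private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Printable, non-whitespace ASCII: the alphabet a "random five-character passphrase" is drawn from.
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def brainwallet_key(passphrase: str) -> int:
    """Classic brainwallet scheme: the private key is SHA-256 of the passphrase, nothing more.

    Anyone who can guess the passphrase recomputes the same key, so the key's strength is
    exactly the passphrase's entropy, never the 256 bits the key size suggests.
    """
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def random_key() -> int:
    """Hardened alternative: 256 bits from the OS CSPRNG, rejection-sampled into [1, N-1]."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase chosen uniformly from alphabet_size ** length candidates."""
    return length * math.log2(alphabet_size)


def is_weak_keyspace(length: int, alphabet_size: int,
                     hashes_per_second: float = 1e9, max_hours: float = 24.0) -> bool:
    """True if every candidate passphrase can be hashed within max_hours at the assumed rate.

    hashes_per_second and max_hours are illustrative assumptions, not measured figures.
    """
    candidates = alphabet_size ** length
    return candidates / hashes_per_second <= max_hours * 3600


if __name__ == "__main__":
    n = len(PRINTABLE_ALPHABET)
    print(f"5-char passphrase entropy: {passphrase_entropy_bits(5, n):.1f} bits, "
          f"weak: {is_weak_keyspace(5, n)}")
    print(f"random key entropy: 256 bits, weak: {is_weak_keyspace(32, 256)}")
```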