without the user even being aware that they are being exploited. Even better for the attacker, the same technique also works inside web browsers: with cryptojacking, JavaScript-based miners run in the browsers of site visitors, so the attacker doesn’t even need to infect a user’s machine directly; they earn a profit every time someone visits the infected website.
Understanding the ‘crypto mind’
Roughly every 10 minutes, 12.5 bitcoin (~US$120,000) is mined and added to the blockchain ledger, credited to the winning miner’s wallet. This shapes the economy behind the mining attack. The miner that claims the reward is the one that presents a proof of work showing it solved the current block; that proof is broadcast to all fellow miners, who then continue with mining the next block.
The cost of electricity sets the cost of normal cryptomining operations. Of course, this changes with mining malware, because the attacker doesn’t pay the electricity bill. For these malicious actors the costs are different: they are set by the price of getting an infected machine, divided by the number of CPU cycles that can be performed on it before the infection is removed.
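The two cost models above (electricity for a legitimate miner, infection price divided by work obtained for the malware operator) can be put side by side in a few lines. The following is an added example, not code or figures from the article; every parameter value in it is a constructed placeholder, and work is measured in hashes rather than raw CPU cycles. Its point for defenders is the breakeven function: the shorter an infection survives before it is removed, the less the attacker earns per machine bought.

```python
# Added example: a toy cost model for the two kinds of miner the text contrasts.
# All numbers below are constructed placeholders, not figures from the article.

def electricity_cost_per_hash(watts, usd_per_kwh, hashes_per_second):
    """Legitimate miner: the electricity bill is the cost, spread over the hashes it buys."""
    usd_per_second = (watts / 1000.0) * usd_per_kwh / 3600.0
    return usd_per_second / hashes_per_second


def attacker_cost_per_hash(infection_price_usd, hashes_per_second, dwell_seconds):
    """Malware operator: the price of one infected machine, divided by the work
    (hashes here, rather than raw CPU cycles) it yields before the infection is removed."""
    return infection_price_usd / (hashes_per_second * dwell_seconds)


def expected_profit_usd(infection_price_usd, hashes_per_second, dwell_seconds, revenue_per_hash_usd):
    """Revenue from the hashes computed during the dwell time, minus the purchase price."""
    return hashes_per_second * dwell_seconds * revenue_per_hash_usd - infection_price_usd


def breakeven_dwell_seconds(infection_price_usd, hashes_per_second, revenue_per_hash_usd):
    """How long an infection must survive before it has paid for itself."""
    return infection_price_usd / (hashes_per_second * revenue_per_hash_usd)


if __name__ == "__main__":
    # Constructed parameters (assumptions, not measurements):
    price = 0.10      # USD paid per infected machine
    rate = 500.0      # hashes per second from one commodity CPU
    revenue = 1e-9    # USD earned per hash at the assumed difficulty and coin price
    for days in (1, 7, 30):
        dwell = days * 86400
        print(f"dwell {days:2d} d: cost/hash {attacker_cost_per_hash(price, rate, dwell):.2e} USD, "
              f"profit {expected_profit_usd(price, rate, dwell, revenue):+.3f} USD per machine")
    print(f"breakeven after {breakeven_dwell_seconds(price, rate, revenue) / 86400:.2f} days")
    print(f"legitimate CPU miner cost/hash: {electricity_cost_per_hash(100, 0.10, rate):.2e} USD")
```

With the constructed values, an infection that is cleaned up within a day loses the attacker money, while one that lingers for a month turns a profit; the time to detection is the variable the defender controls.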
The current evolutionary stage of mining malware is quick, dirty and very noisy. Each infection communicates rapidly with its command and control (C&C) server, because it needs to be updated with the current block calculations it has to perform. This was also the case with the first wave of ransomware attacks, where a C&C connection was needed to create keys and each attack was individual. Ransomware quickly adapted to be more successful and bypass this limitation.
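The “very noisy” C&C traffic described above is something a defender can look for: a host that contacts the same destination many times at near-constant intervals stands out from normal browsing. The following beacon check is an added example, not code from the article; the flow records are constructed (the 3333 port is used in the sample because it is a common pool port, but the addresses are documentation ranges), and the thresholds are assumptions to be tuned against your own baseline.

```python
# Added example: flag (src, dst, port) pairs whose connections are frequent and regular.
import statistics
from collections import defaultdict

# Constructed sample flow records: "seconds src dst dport" (not a real capture).
SAMPLE_FLOWS = """\
0 10.0.0.5 203.0.113.7 3333
30 10.0.0.5 203.0.113.7 3333
60 10.0.0.5 203.0.113.7 3333
90 10.0.0.5 203.0.113.7 3333
120 10.0.0.5 203.0.113.7 3333
150 10.0.0.5 203.0.113.7 3333
12 10.0.0.8 198.51.100.2 443
97 10.0.0.8 198.51.100.2 443
101 10.0.0.8 198.51.100.2 443
240 10.0.0.8 198.51.100.2 443
3 10.0.0.11 198.51.100.9 443
40 10.0.0.11 198.51.100.9 443
41 10.0.0.11 198.51.100.9 443
200 10.0.0.11 198.51.100.9 443
210 10.0.0.11 198.51.100.9 443
500 10.0.0.11 198.51.100.9 443
5 10.0.0.9 192.0.2.10 80
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((float(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return (src, dst, dport, mean_gap_seconds, cv) for pairs that connect at least
    min_connections times with a coefficient of variation of the inter-arrival
    gaps at or below max_cv. A low cv means the timing is machine-regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    results = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_connections:
            continue          # too few connections to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue          # all connections at the same instant: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            results.append((src, dst, dport, mean_gap, cv))
    return results


if __name__ == "__main__":
    for src, dst, dport, gap, cv in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"beacon candidate: {src} -> {dst}:{dport} every {gap:.0f}s (cv={cv:.2f})")
```

Only the host polling every 30 seconds is reported; the host with six irregular connections and the one with four are not. Legitimate software (time sync, update checks, monitoring agents) also beacons, so the output is a list of candidates to compare against known-good destinations, not a verdict.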
The first evolution was that ransomware came with a pre-infection encryption key, so there was no longer any need for live communication with a command and control centre. The next wave was the SamSam campaign type (which recently caused major problems in Atlanta, Georgia). SamSam operators first infected a bridgehead in an organisation, then moved laterally inside the network and shut it down once they had compromised enough machines. Extortion of this type is much more destructive and more likely to result in a ransom being paid – and similar tactics will be adopted by developers of cryptominers.
The future of mining malware
As bitcoin becomes a mainstream payment technology, there will be more roadmap items in development for blockchain technology. Vitalik Buterin, the name behind Ethereum, has been promoting ideas for his decentralised app platform that would allow different use cases for apps over a blockchain. Vitalik also refers to BitTorrent as the first decentralised application. Similarly to BitTorrent, a current project named Sia is developing a decentralised storage platform and creating a cloud data storage marketplace using the Siacoin blockchain. This will allow attackers to monetise not just CPU usage to mine cryptocurrency, but also idle storage on the attacked servers, or even worse, to overwrite existing data with Sia storage. The Golem project ‘creates a decentralised sharing economy of computing power and supplies software developers with a flexible, reliable and cheap source of computing power’, according to the project site. This aim will allow sharing of infected machines’ computing power to monetise not by mining a cryptocoin directly, but rather by selling resources that enable others to mine currency.
Another ‘innovation’ from criminals has already been witnessed in the wild: instead of mining cryptocurrency, cybercriminals are breaking into wallets. In his DefCon talk series, Ryan Castellucci describes a test in which he baited attackers by transmitting small bitcoin transactions using weak ‘brainwallet’-produced keys. Such keys are created from a passphrase that a human can remember, but they are far less secure against brute-force attacks or guessing of the passphrase.
Castellucci reports that such transactions were hijacked instantly when using random five-character passphrases. Such efforts by cybercriminals can lead to massive botnets moving into the field of key-breaking, using mass computing resources to steal funds directly from the wallets of those who have already mined or bought the currency, instead of going to the trouble of mining it themselves. It seems digital wallets are just as vulnerable as their physical equivalents.
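Why a five-character passphrase falls instantly while a properly generated key does not comes down to the size of the space a guesser has to cover. The following is an added example, not code from the article or from Castellucci’s work; it assumes the classic brainwallet construction in which the private key is simply the SHA-256 hash of the passphrase, assumes a 62-symbol alphabet (letters and digits) for the “random five-character” case, and uses a constructed guess rate. It contrasts that with a key drawn from the operating system’s random source, which is what a wallet should use.

```python
# Added example: keyspace arithmetic behind the brainwallet weakness described above.
import hashlib
import math
import secrets


def brainwallet_private_key(passphrase):
    """Assumed classic brainwallet scheme: the 32-byte private key is SHA-256 of the
    passphrase. Deterministic, so anyone who guesses the passphrase gets the same key,
    on any machine, with no access to the victim required."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def random_private_key():
    """What a wallet should do instead: 32 bytes from the OS cryptographic RNG."""
    return secrets.token_bytes(32)


def keyspace(alphabet_size, length):
    """Number of distinct passphrases of a given length over a given alphabet."""
    return alphabet_size ** length


def entropy_bits(space_size):
    return math.log2(space_size)


def seconds_to_exhaust(space_size, guesses_per_second):
    """Worst-case time to try every candidate at a constructed guess rate."""
    return space_size / guesses_per_second


if __name__ == "__main__":
    # Same passphrase, same key: the property that makes brainwallets guessable.
    assert brainwallet_private_key("correct horse") == brainwallet_private_key("correct horse")
    rate = 1e6  # constructed assumption: one million guesses per second
    for label, space in (("5 chars, 62-symbol alphabet", keyspace(62, 5)),
                         ("8 chars, 62-symbol alphabet", keyspace(62, 8)),
                         ("random 256-bit key", 2 ** 256)):
        print(f"{label:30s} {entropy_bits(space):6.1f} bits, "
              f"exhaustive search {seconds_to_exhaust(space, rate):.3g} s")
    print("fresh random key:", random_private_key().hex())
```

At the constructed rate the whole five-character space is covered in about a quarter of an hour, which is consistent with the “hijacked instantly” observation once the guesser runs continuously and watches for funded addresses; a 256-bit random key is out of reach at any rate, because the passphrase, not the hash, is the limiting factor.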
In conclusion, cybercriminals have yet again been quick to innovate in the use of emerging technologies. We expect this wave of mining malware to keep growing and be a major source of innovation and revenue for attackers in the coming years – and a growing problem that the security industry needs to address.
INTELLIGENTCIO
99