Reflecting on 2017 and peering into our crystal ball for the year ahead, we predicted that ransomware — which ran riot in 2017 — would be unseated by sophisticated new cyberthreats in the form of cryptocurrency miners. Our latest study showed that miners have not only lived up to expectations, they’ve exceeded them.
Over the past six months, cybercriminals have raked in more than $7 million through injecting cryptominers. Here we explain how miners work on users’ computers, why they’ve become a major cyberthreat (especially for businesses), and how to protect your infrastructure against them.
The rise of the miners
In 2017, when the exchange rates of Bitcoin and altcoins (alternative cryptocurrencies) hit the stratosphere, it became clear that owning tokens (which can be converted into real money) is a lucrative business. An especially attractive feature of cryptocurrency economics is that, unlike with real money, anyone can create digital currency: you extend the blockchain by performing mathematical calculations and are rewarded with tokens for doing so (see here for details of how the blockchain works).
A general rule of mining pools (organisations that unite miners) is that the more calculations you make, the more tokens you receive. The only problem is that the more calculations you want to perform, the more computing power you need — and the more electricity you’ll consume.
So it wasn’t long before cybercriminals hit upon the idea of using other people’s computers to mine cryptocurrency — after all, it’s in their DNA to exploit Internet technologies to make a fast buck. Ideally, from the attacker’s point of view, the victims’ computers perform the calculations without the knowledge of their owners or administrators. For obvious reasons, cybercriminals are particularly fond of large corporate networks with hundreds of machines.
And they are getting very adept at putting their schemes into practice. As we speak, more than 2.7 million users worldwide have been attacked by “malicious miners” — that’s 1.5 times more than in 2016 — and the number continues to climb. Let’s talk a bit more about what technologies the attackers use.
A hidden threat
The first method bears all the hallmarks of technologies used to carry out advanced persistent threats (APT), which have been featured heavily in recent large-scale ransomware campaigns. These same methods — for example, attacks using the infamous EternalBlue exploit — are now being used to distribute hidden miners.
Another way to install a hidden miner on a victim’s computer is to convince the user to download a dropper, which then downloads a miner. Typically, cybercriminals lure users into downloading a dropper by masking it as an ad or a free version of a product, or through some phishing technique.
After being downloaded, the dropper runs on the computer and installs the actual miner along with a special utility that hides the miner in the system. The package can include autostart and autoconfig tools that might, for example, configure how much processing power the miner is allowed to use depending on what other programs are running, so as not to cause system slowdown and arouse the user’s suspicion.
These tools might also prevent the user from stopping the miner: if the user detects the miner and tries to disable it, the computer simply reboots, after which the miner continues as before. Interestingly, most hidden miners reuse the code of their legitimate counterparts, which further complicates detection, because the mining code itself looks no different from software a user might have installed deliberately.
There is another way to mine tokens illegally: Web mining, or mining from the browser. A site administrator embeds a mining script in a page, and the script runs in the browser of every visitor; an attacker who has gained administrative access to a site can plant the same script. For as long as the user stays on the site, their computer performs the mining calculations, and the criminal behind the script collects the reward.
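One defensive counterpart to the scenario above, added here as an example and not code from the original post or from Kaspersky: a site owner can periodically compare the script tags actually present in their pages against the scripts they meant to ship. The HTML below is a constructed sample, the allowed origins (www.example.com and cdn.example.com) are assumed, and the inline-script markers (WebAssembly, Web Workers) are a heuristic assumption rather than anything the post states.

```powershell
# Added example: audit the <script> tags in a page against what the site owner expects.
# The sample HTML and the allowed origins are constructed/assumed for the demonstration.

$AllowedOrigins = @('https://www.example.com', 'https://cdn.example.com')   # assumed allow-list

# Heuristic markers worth a second look in inline scripts. Assumption: common in
# browser miners, but also in legitimate apps, so a hit means "review", not "infected".
$InlineMarkers = 'WebAssembly|new\s+Worker\s*\(|importScripts\s*\('

function Get-ScriptFindings {
    param([Parameter(Mandatory)][string]$Html)
    $opts = [System.Text.RegularExpressions.RegexOptions]'IgnoreCase, Singleline'

    # 1. External scripts: the origin of every src must be on the allow-list.
    foreach ($m in [regex]::Matches($Html, '<script[^>]*\ssrc\s*=\s*["'']([^"'']+)["'']', $opts)) {
        $src = $m.Groups[1].Value
        if ($src -match '^//') { $src = 'https:' + $src }   # protocol-relative URL
        if ($src -notmatch '^https?://') { continue }       # relative path: same origin as the page
        $uri = [uri]$src
        $origin = '{0}://{1}' -f $uri.Scheme, $uri.Host
        if ($AllowedOrigins -notcontains $origin) {
            [pscustomobject]@{ Kind = 'ExternalScript'; Detail = $src; Reason = "origin $origin is not on the allow-list" }
        }
    }

    # 2. Inline scripts (tags without src): report any body that uses a heuristic marker.
    foreach ($m in [regex]::Matches($Html, '<script(?![^>]*\ssrc\s*=)[^>]*>(.*?)</script>', $opts)) {
        $body = $m.Groups[1].Value
        if ($body -match $InlineMarkers) {
            $snippet = ($body.Trim() -replace '\s+', ' ')
            if ($snippet.Length -gt 60) { $snippet = $snippet.Substring(0, 60) + '...' }
            [pscustomobject]@{ Kind = 'InlineScript'; Detail = $snippet; Reason = "matches marker '$($Matches[0])'" }
        }
    }
}

# Constructed sample page: two expected scripts, one unexpected third-party script,
# and one inline script that spins up a Web Worker.
$SampleHtml = @'
<html><head>
<script src="https://www.example.com/js/app.js"></script>
<script src="//cdn.example.com/vendor.min.js"></script>
<script src="https://static.example.net/lib.js"></script>
<script>
  var w = new Worker('/assets/worker.js');
</script>
</head><body></body></html>
'@

Get-ScriptFindings -Html $SampleHtml | Format-Table -AutoSize
```

On the sample, the script from static.example.net and the inline Worker script are reported; the two allow-listed scripts are not. In a real deployment the HTML would come from the live site (for example via Invoke-WebRequest) and the allow-list from the build manifest, so that any script that appears after a compromise of the site’s administration account shows up as a difference.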
How can businesses protect devices from miners?
Today’s sophisticated attack technologies and complexities of detection have enabled cybercriminals to create entire botnets from victims’ computers and use them for hidden mining. Needless to say, a business infrastructure with large processing capacity is a juicy target for cybercrooks. Your company’s devices might be at risk as well. Therefore, we recommend implementing the following measures to protect your business:
- Install security solutions on all computers and servers in use to keep your infrastructure an attack-free zone;
- Carry out regular security audits of your corporate network for anomalies;
- Keep a periodic eye on the Task Scheduler, which can be used by intruders to start malicious processes;
- Don’t overlook less obvious targets, such as queue management systems, POS terminals, and even vending machines. As the miner that relied on the EternalBlue exploit shows, such equipment can also be hijacked to mine cryptocurrency;
- Run specialized devices in Default Deny mode, in which only explicitly allowed applications may execute — this will protect them from miners and many other threats, too. For example, Default Deny mode can be configured using Kaspersky Endpoint Security for Business.
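The Task Scheduler check in the list above, together with the autostart and reboot-on-disable behaviour described in the section on hidden miners, can be turned into one routine read-only audit. The script below is an added example, not code from the original post or from Kaspersky. It assumes a Windows 8 / Server 2012 or later host (ScheduledTasks module) and an administrative PowerShell session, and it treats the Temp, AppData, ProgramData and Users\Public folders as locations whose executables deserve review; that folder list is an assumption, and a hit is a prompt to investigate, not proof of a miner.

```powershell
# Added example (not Kaspersky's code): read-only audit of three places a hidden miner
# commonly anchors itself on a Windows host: scheduled tasks, Run/RunOnce autostart
# keys, and the running process list. It reports and changes nothing.
# Assumption: executables launched from these folders deserve a second look.
$ReviewPaths = '\\(Temp|AppData|ProgramData|Users\\Public)\\'

function Get-TaskFindings {
    # Scheduled tasks whose action runs an executable from a reviewed folder.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)
            if ($exe -match $ReviewPaths) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = $task.TaskPath + $task.TaskName
                    Command = ($exe + ' ' + $action.Arguments).Trim()
                    RunAs   = $task.Principal.UserId
                    Author  = $task.Author
                    LastRun = $info.LastRunTime
                    State   = $task.State
                }
            }
        }
    }
}

function Get-AutorunFindings {
    # Run/RunOnce values (machine- and user-wide) that launch from a reviewed folder.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath, PSProvider, etc.
        foreach ($v in $values) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$v.Value)
            if ($cmd -match $ReviewPaths) {
                [pscustomobject]@{ Source = 'Autorun'; Name = "$key\$($v.Name)"; Command = $cmd }
            }
        }
    }
}

function Get-ProcessFindings {
    param([int]$SampleSeconds = 10)
    # Two CPU-time samples give an approximate utilisation per process. A throttled miner
    # may go quiet while the console is in use, so also run this during an idle period.
    $cores = [Environment]::ProcessorCount
    $first = @{}
    Get-Process | ForEach-Object { if ($null -ne $_.CPU) { $first[$_.Id] = $_.CPU } }
    Start-Sleep -Seconds $SampleSeconds
    foreach ($proc in Get-Process) {
        if (-not $proc.Path -or $null -eq $proc.CPU -or -not $first.ContainsKey($proc.Id)) { continue }
        $pct = [math]::Round(100 * ($proc.CPU - $first[$proc.Id]) / ($SampleSeconds * $cores), 1)
        if ($proc.Path -match $ReviewPaths -or $pct -ge 50) {
            [pscustomobject]@{
                Source = 'Process'; Name = "$($proc.ProcessName) ($($proc.Id))"
                Command = $proc.Path; CpuPercent = $pct
            }
        }
    }
}

@(Get-TaskFindings) + @(Get-AutorunFindings) + @(Get-ProcessFindings) |
    Format-Table Source, Name, Command, RunAs, Author, LastRun, CpuPercent -AutoSize
```

Run it from an elevated PowerShell session so that tasks and processes belonging to other accounts are visible. Because a well-configured hidden miner lowers its CPU share while someone is working at the machine, the process sample is most telling when taken on an idle host, for example from a scheduled job of your own; the task and autostart findings do not depend on timing and are the ones to compare against a baseline taken from a known-clean build.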