
Cloud Security

Have Crypto-Miners Infiltrated Your Public Cloud?

July 16, 2019 — by Haim Zelikovsky


How do you know if bad actors are siphoning off your power and racking up huge bills for your organization? These silent malware scripts could be infecting your public cloud infrastructure right now, but would you even know it? 

Crypto Basics

The concept of crypto-jacking is fairly simple. A script (or malware) infects a host computer and silently steals CPU power for the purpose of mining crypto-currency. 

It first gained popularity in 2017 with ThePirateBay website, which infected its visitors with the malware. Its popularity surged in 2018 with companies like Coinhive, that promised ad-free web browsing in exchange for CPU power. Coinhive, and others like it, lowered the barrier to entry for criminals and was quickly exploited by ‘crypto-gangs’ that leveraged the scripts to infect multitudes of popular websites across the globe and mine for Monero. 


Most individuals could not detect the malware unless it over-taxed the device. Common symptoms of crypto-jacking malware include degraded device performance, overheating batteries, device malfunction, and increased power consumption. During its peak in December 2017, Symantec claimed to have blocked more than 8 million cryptojacking events across its customer base.

Shifting Targets

Then, market conditions changed. Many endpoint security solutions learned to identify and blacklist crypto-mining malware running on individual endpoints. Coinhive (and many copycat companies) have been shut down. The price of crypto-currency crashed, which made smaller mining operations unprofitable. So, hackers looking for the larger payoff continued to develop more sophisticated crypto-jacking malware and went hunting for the bigger fish.

It is no surprise that crypto-miners have shifted the targets of their malware from individuals to enterprises. Public cloud infrastructure is an incredibly attractive target. Even an army of infected personal devices can’t deliver the kind of concentrated and practically unlimited CPU power of a large enterprise’s public cloud infrastructure. In the eyes of a miner, it’s like looking at a mountain of gold, and often that gold is under-protected.

Digital transformation has pushed the migration of most enterprise networks into some form of public cloud infrastructure. In doing so, these companies have inadvertently increased their attack surface and handed access to their developers and DevOps teams.

Essentially, the attack surface grows dramatically for two reasons: the dynamic nature of the public cloud environment, which makes it harder to keep a stable and hardened environment over time, and the ease with which permissions are granted to developers and DevOps teams.


Hackers of all types have identified and exploited these security weaknesses, and crypto-jackers are no exception. Today, there are thousands of different crypto-jacking malware variants in the wild, and crypto-jacking still generates huge profits for hackers.

In fact, crypto-jackers exploited vulnerable Jenkins servers to mine more than $3M worth of Monero. Jenkins is an open source continuous integration and automation server written in Java. It is widely used across the globe, with a growing community of more than 1 million users, which translates into a massive number of potentially unpatched Jenkins servers and makes it a desirable target for crypto-jackers. Tesla also suffered losses and public embarrassment when crypto-jackers targeted an unprotected Kubernetes console and used it to spin up large numbers of containers to run their own mining operation on Tesla’s cloud account.


Protect Yourself

So what can organizations do to keep the crypto-miners out of their public clouds? 

  • Secure the public cloud credentials. If your public cloud credentials are breached, attackers can leverage them to launch numerous types of attacks against your public cloud assets, of which crypto-jacking is one.
  • Be extra careful about public exposure of hosts. Hackers can use unpatched and vulnerable hosts exposed to the internet to install crypto-mining clients that turn cloud-native infrastructure into mining capacity.
  • Limit excessive permissions. In the public cloud, your permissions are the attack surface. Always employ the principle of least privilege, and continuously trim excessive permissions.
  • Install public cloud workload protection services that can detect and block crypto-mining activities. These should include automatic detection of anomalous activities in your public cloud, correlation of such events (which, taken together, indicate malicious activity), and scripts that automatically block such activity upon detection.
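As an added illustration of the event correlation the last bullet calls for (this is example code written for this page, not code from the article or from any Radware product), the following correlates constructed, CloudTrail-style audit events per identity inside a short window: a login from an unknown source, a burst of large compute launches, and a permission change. Any two of these together for one identity raises a finding; a single developer launching one small instance from a known address does not. The identities, addresses, baselines and thresholds are all invented for the example.

```python
from collections import defaultdict

# Constructed sample audit events: (minute, identity, action, detail).
# The shape is loosely CloudTrail-like but invented for this example.
SAMPLE_EVENTS = [
    (0, "dev-alice", "ConsoleLogin", {"src": "203.0.113.7"}),
    (1, "dev-alice", "RunInstances", {"type": "c5.large", "count": 1}),
    (30, "ci-jenkins", "ConsoleLogin", {"src": "198.51.100.9"}),
    (31, "ci-jenkins", "RunInstances", {"type": "p3.16xlarge", "count": 20}),
    (32, "ci-jenkins", "RunInstances", {"type": "p3.16xlarge", "count": 20}),
    (33, "ci-jenkins", "AuthorizeSecurityGroupIngress", {"port": "0-65535"}),
]

# Baselines a team would learn over time; constructed here for the example.
KNOWN_SOURCES = {"dev-alice": {"203.0.113.7"}, "ci-jenkins": {"203.0.113.50"}}
HIGH_COMPUTE = {"p3.16xlarge", "c5.24xlarge"}     # instance types miners favour
PRIV_ACTIONS = {"AuthorizeSecurityGroupIngress", "CreateAccessKey", "AttachUserPolicy"}
WINDOW_MIN = 10      # correlation window in minutes
BURST_COUNT = 10     # instances launched by one identity within the window


def correlate(events, window=WINDOW_MIN, burst=BURST_COUNT):
    """Return {identity: sorted rule names} for identities that trip at
    least two independent rules inside one sliding window."""
    by_identity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_identity[ev[1]].append(ev)

    findings = {}
    for ident, evs in by_identity.items():
        for i, (t0, _, _, _) in enumerate(evs):
            rules, launched = set(), 0
            for t, _, action, detail in evs[i:]:
                if t - t0 > window:
                    break
                if action == "ConsoleLogin" and detail["src"] not in KNOWN_SOURCES.get(ident, set()):
                    rules.add("unusual_source")
                elif action == "RunInstances":
                    launched += detail["count"]
                    if launched >= burst or detail["type"] in HIGH_COMPUTE:
                        rules.add("compute_burst")
                elif action in PRIV_ACTIONS:
                    rules.add("privilege_change")
            if len(rules) >= 2:        # one weak signal alone is not a finding
                findings[ident] = sorted(rules)
                break
    return findings


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

In a real deployment the finding would feed the automatic block the article describes (for example revoking the identity's session and terminating the launched instances) rather than just being printed.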

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.



Top Cryptomining Malware. Top Ransomware.

August 21, 2018 — by Fabio Palozza


In 2018, cryptominers have emerged as the leading attack vector used by cybercriminals to gain access to other systems. Cryptominers are getting advanced makeovers from cybercriminals doing their best to develop innovative cryptominers with ground-breaking capabilities. The recently discovered cryptominers are known not only for their advanced features but also for their ability to attack a wide range of systems, including cloud-based platforms, mobile devices, industrial IT infrastructure, and servers.

It’s not surprising that cybercriminals have started targeting cloud infrastructures which are based on rich classes of strong computing resources and companies that use cloud platforms to store confidential information. Two of the most striking data breaches that we witnessed this past year were the Monero-miner attack on Tesla’s cloud servers and the data-leak incident that affected FedEx customers.


Top Cryptomining Malware That Is Dominating the Cybercrime Scene in 2018

The most popular web-based Monero miner, Coinhive, undoubtedly occupies the first spot regionally and globally, with 25 percent of companies being affected. Since the introduction of Coinhive’s JavaScript mining code in September 2017, the code has been incorporated into thousands of websites, allowing cybercriminals to capitalize on visitors’ computing resources. Additionally, the code can be used as a substitute for the online advertisements that cybercriminals use to lure visitors into clicking malicious links. In 2018, threat actors have delivered Coinhive in innovative ways through Google’s DoubleClick service and Facebook Messenger, with code embedded in websites or hidden inside YouTube ads. Along with Coinhive, other miners, including Jesscoin and Cryptoloot, have been dominating the malicious cryptomining landscape this year, affecting almost 40 percent of businesses and consumers across the globe.


RIG Exploit Kit is increasingly being used by cybercriminals to capitalize on system vulnerabilities both regionally and globally. RIG Exploit Kit typically works by redirecting people to a landing page that features embedded JavaScript whose main purpose is to identify security flaws in the browser. Cybercriminals use RIG to deliver exploits for Internet Explorer, Java, Flash, and Silverlight. RIG Exploit Kit ruled the cybercrime scene in the first half of 2018, moving payloads such as cryptominers and Smoke Loader down the ranking.

XMRig, which is an open-source application for CPU mining, occupies the third spot across all regions in the United States. The XMRig mining code, which gained popularity in early 2018, has been widely used by a number of crypto-strains, including RubyMiner, which is specifically designed to target unpatched Linux servers and Windows. According to Check Point, cybercriminals targeted 30 percent of all business networks to use server capacity to support their mining operations.

When it comes to ransomware, Locky, which was first introduced in 2016, occupies the first spot in regional and global lists. WannaCry, which came onto the scene in 2017 and made its way onto thousands of systems, continues to hold a high rank this year.

Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.



Malicious Cryptocurrency Mining: The Road Ahead

August 14, 2018 — by Fabio Palozza


As cryptomining continues to rule the cybercrime scene, cybercriminals are designing innovative ways to drain people’s cryptowallets. Scammers are still doing their best to make the most of their resources to launch leading-edge scam attempts. The increase in scams is mainly attributed to the failure to implement appropriate fraud protection measures; unfortunately, popular cryptomining platforms, including Coinbase and Bitcoin, lack the security features they need to prevent fraudulent cryptomining activities.


Drive-By Cryptomining: Another Way Cyber-Criminals Are Trying to Evade Detection

August 1, 2018 — by Fabio Palozza


By the end of last year, we saw a drastic rise in drive-by cryptocurrency mining activity, and it is quite alarming to note that cyber-criminals are getting smarter day by day at avoiding detection. Interestingly, cyber-criminals can deploy drive-by cryptocurrency mining to reach a much wider audience than they would typically achieve by delivering malware-based miners to machines.


Accessing Your Crypto Wallet Through Android Devices?

July 10, 2018 — by Fabio Palozza


Android platforms are commonly characterized by the presence of Trojan-infected apps with built-in cryptocurrency mining code, which means that mobile users are highly susceptible to malicious cryptocurrency mining attacks. It is quite alarming to note that cyber criminals deploy malicious APKs, delivered through SMS spam, and cryptocurrency miners onto people’s mobile devices, and the modus operandi is similar to that of Windows malware. In fact, attackers find it quite easy to add miners to apps that are already malicious. For example, cyber criminals could easily add miners to apps that were infected with the Loapi Trojan, an SMS Trojan that could deliver ads. Loapi caused a high degree of strain on the processor, which caused the batteries to overheat and, in turn, shortened the lifespan of the Android devices.


Malicious Cryptocurrency Mining: The “Shooting Star” in the Cybercrime Domain

June 6, 2018 — by Fabio Palozza


It’s quite evident these days that attacks assume new forms along with changes in the types of services widely used by consumers in a given period. Needless to say, malware and malicious activity will find their way into new applications and services as those services evolve to occupy a prominent position in people’s lives.


Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data

May 10, 2018 — by Radware


Individual research contributed by Adi Raff and Yuval Shapira.

On May 3, 2018, Radware’s cloud malware protection service, using machine-learning algorithms, detected a zero-day malware threat at one of its customers, a global manufacturing firm. This malware campaign propagates via socially engineered links on Facebook and infects users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more.


The Legitimacy of Cryptocurrency Has Made It Harder for Hackers

March 22, 2018 — by David Hobbs


Last year a few noteworthy things happened in terms of cryptocurrencies. The IRS won its case against Coinbase, and over 14,000 people who traded over $20,000 USD in 2015 now have to face the IRS. Exchanges in Asia started forcing KYC (Know Your Customer) requirements on customers, as did most of the rest of the world. Bitfinex decided to block all U.S. customers in November of 2017 due to regulatory issues and uncertainty. What this means is that Bitcoin and cryptocurrency are becoming harder to trade anonymously and without paying taxes. This is what happens because of legitimacy from regulation, lawful trade and taxation. I am not saying there isn’t much debate still regarding the legality, legitimacy or utility of cryptocurrencies; I’m saying 2017 had a significant change in how it is viewed. Today, the SEC in the U.S. has been discussing forcing cryptocurrency exchanges to register with the SEC, and there is no definitive answer to what this is going to mean or if it is going to happen.