News, insights and resources for data protection, privacy and cyber security leaders

Cyber Criminals Profit from Crypto Mining Malware

The latest malware threat involves hackers using remote code execution (RCE) attacks to insert malicious malware into computers that can later be used to mine for cryptocurrency. In fact, the crypto mining malware attacks have become so common and so prevalent that they even have a new name: cryptojacking. The two latest victims of these cryptojacking attacks were the UK government and Tesla.

According to a new report from security firm Imperva, cryptojacking has become the method of choice for hackers looking to make quick money. These attacks enable them to mine cryptocurrency. At one time, cryptojacking accounted for a very small proportion of all remote code execution attacks. Now, however, 88 percent of all remote code attacks involve cryptojacking. And that figure has been growing very rapidly in just a short amount of time.

For example, back in September 2017, crypto mining malware accounted for less than 50 percent of all remote code execution attacks. DDos botnet attacks were far more prevalent. But remote code execution payloads have been rapidly evolving as a way to infect computers, and crypto mining malware is now the weapon of choice for hackers worldwide. Hackers can choose these payloads to execute arbitrary code, and the code of choice now involves illicit mining.

Attacks using crypto mining malware can be very lucrative

So what is behind this significant spike in remote code execution attacks involving cryptojacking? The easiest answer is perhaps the most obvious: cryptocurrencies have spiked in value, and the past six months have seen the emergence of many new cryptocurrencies beyond just Bitcoin. The one that holds the most allure for hackers, in fact, is not Bitcoin, but Monero. And that has to do with how immensely profitable it can be to mine for Monero using crypto mining malware.

According to our findings,” says Imperva security researcher Gilad Yehudai, “Profit is directly related to the time of discovery and the number of infections. As long as the malware is running, either in the browser or in the web server, it increases the attacker’s profits. From our findings, the profit from generic attacks against web servers ranges from several hundreds of dollars to twenty thousand dollars per month. Targeted attacks may yield much greater profit, as it is easier for attackers to find masses of potential victims using a targeted search.”

According to Yehudai, there are two different kinds of mining: client and server based mining. And the choice of either client or server based mining will impact exactly how profitable the operation can be. With Monero, it is possible to carry out client-based mining directly within a browser.

In a classic remote code execution attack involving crypto mining malware, the hacker inserts a bit of malicious code into a host computer. This code enables the hacker to take over the CPU of the computer so that it can focus on the task at hand: solving all the different mathematical puzzles that are at the heart of any crypto mining operation. Even better, remote code execution vulnerabilities enable this code to link up several different computers into a massive mining pool. In just a short amount of time after the remote code execution attack, the crypto mining malware can go to work.

Recent cryptojacking attacks on the UK government and Tesla

From the perspective of the hackers carrying out these remote code execution attacks, the more computing power, the better. It’s perhaps no big surprise, then, that some of the biggest targets of these crypto mining malware attacks have involved huge companies with lots of available computing power. The latest attack involves Tesla, which saw its Amazon Web Services cloud account hacked. The goal of the hackers was to tap into the Tesla cloud in an effort to mine as much cryptocurrency as possible before being detected. Tesla, however, has a bug bounty program in place and soon discovered this cryptojacking attack. The company claims that the attacks had no impact on customer data, and hackers gaining access to its computers and executing code posed no risk to the safety and security of its vehicles.

Leave A Reply

Your email address will not be published.

Pin It on Pinterest

Share This