The latest malware threat involves hackers using remote code execution (RCE) attacks to plant mining malware on computers that can later be used to mine for cryptocurrency. In fact, crypto mining malware attacks have become so common and so prevalent that they even have a new name: cryptojacking. The two latest victims of these cryptojacking attacks were the UK government and Tesla.
According to a new report from security firm Imperva, cryptojacking has become the method of choice for hackers looking to make quick money. These attacks enable them to mine cryptocurrency. At one time, cryptojacking accounted for a very small proportion of all remote code execution attacks. Now, however, 88 percent of all remote code attacks involve cryptojacking. And that figure has been growing very rapidly in just a short amount of time.
For example, back in September 2017, crypto mining malware accounted for less than 50 percent of all remote code execution attacks; DDoS botnet attacks were far more prevalent. But remote code execution payloads have been rapidly evolving as a way to infect computers, and crypto mining malware is now the weapon of choice for hackers worldwide. Remote code execution lets hackers run arbitrary code on the victim, and the code of choice now involves illicit mining.
Attacks using crypto mining malware can be very lucrative
So what is behind this significant spike in remote code execution attacks involving cryptojacking? The easiest answer is perhaps the most obvious: cryptocurrencies have spiked in value, and the past six months have seen the emergence of many new cryptocurrencies beyond just Bitcoin. The one that holds the most allure for hackers, in fact, is not Bitcoin, but Monero. And that has to do with how immensely profitable it can be to mine for Monero using crypto mining malware.
“According to our findings,” says Imperva security researcher Gilad Yehudai, “Profit is directly related to the time of discovery and the number of infections. As long as the malware is running, either in the browser or in the web server, it increases the attacker’s profits. From our findings, the profit from generic attacks against web servers ranges from several hundreds of dollars to twenty thousand dollars per month. Targeted attacks may yield much greater profit, as it is easier for attackers to find masses of potential victims using a targeted search.”
According to Yehudai, there are two different kinds of mining: client-based and server-based mining. The choice between them affects exactly how profitable the operation can be. With Monero, it is possible to carry out client-based mining directly within a browser.
In a classic remote code execution attack involving crypto mining malware, the hacker inserts a bit of malicious code into a host computer. This code enables the hacker to take over the CPU of the computer so that it can focus on the task at hand: solving all the different mathematical puzzles that are at the heart of any crypto mining operation. Even better, remote code execution vulnerabilities enable this code to link up several different computers into a massive mining pool. In just a short amount of time after the remote code execution attack, the crypto mining malware can go to work.
Recent cryptojacking attacks on the UK government and Tesla
From the perspective of the hackers carrying out these remote code execution attacks, the more computing power, the better. It’s perhaps no big surprise, then, that some of the biggest targets of these crypto mining malware attacks have involved huge companies with lots of available computing power. The latest attack involves Tesla, which saw its Amazon Web Services cloud account hacked. The goal of the hackers was to tap into the Tesla cloud in an effort to mine as much cryptocurrency as possible before being detected. Tesla, however, has a bug bounty program in place and soon discovered this cryptojacking attack. The company claims that the attacks had no impact on customer data, and hackers gaining access to its computers and executing code posed no risk to the safety and security of its vehicles.
And Tesla has been far from the only victim of these crypto mining malware attacks. Another victim was the UK government, which saw several of its websites, including NHS Services, the Student Loans Company and several English councils, hacked. Adding insult to injury, the attacks even included the website of the UK’s data protection watchdog, the ICO. Apparently, hackers exploited a known weakness in the open source BrowseAloud plug-in (which enables blind and partially sighted Britons to access the web) to insert the crypto mining malware. The UK government, as might be expected, said that no members of the public were at risk when using UK government websites.
Key defensive measures against crypto hackers and remote code execution attacks
But obviously, despite the claims of Tesla and the UK government that no customer data has been placed at risk by code execution vulnerabilities, the scale and scope of these attacks are getting more brazen. This is not just a case of carrying out remote code execution attacks against single, individual users; it is a case of targeting some of the world’s largest companies, organizations and governmental agencies. In some cases, these attacks have rendered companies unable to operate. For crypto miners, all that matters is the computing power available, and the fact remains that the biggest companies will likely have the greatest CPU power available to mine cryptocurrencies.
So what defensive measures are possible? Better anti-virus programs are a necessary first step. And, according to Imperva, organizations should be using the latest vendor patches to mitigate any vulnerabilities. That will help to prevent any infections in the first place.
As Yehudai of Imperva points out, “It is advised to stop attacks containing crypto mining malware before the infection happens. For client based mining attacks, the attack can be prevented by stopping malicious JavaScript code from running. This can be achieved via several popular add-ons like NoScript or NoCoin. For server based mining attacks, it is necessary to mitigate web application vulnerabilities, like remote code execution, that attackers use to launch their malware. One way to mitigate these vulnerabilities is to use the latest vendor patch. Another way is to use virtual patching through a Web Application Firewall (WAF).”
Organizations should also be doing a better job of educating employees about these remote code execution attacks. At the very least, employees should be aware that a significant loss of computing power could be the sign of a larger attack. Remember – these cryptocurrency mining malware attacks typically drain 90 percent or more of the CPU, so they will slow down any activities that don’t involve crypto mining.
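The symptom the article describes, a process pinning the CPU at 90 percent or more for an extended period, is easy to turn into a simple host-side check. The script below is an added example, not code from the article or from Imperva: it walks a list of constructed process samples (timestamp, PID, command, CPU percent), in the shape you would get by polling `ps` or a metrics agent once per interval, and flags any process that stayed at or above the threshold for a run of consecutive samples. The process names, PIDs, timings, the five-sample minimum and the allowlist of expected CPU-heavy jobs are all assumptions chosen for illustration.

```python
"""Sustained high-CPU detector (added example; constructed sample data).

Flags processes whose CPU usage stayed at or above CPU_THRESHOLD for at least
MIN_CONSECUTIVE consecutive samples. Known CPU-heavy jobs (builds, video
encoding, backups) can be allowlisted to cut false positives.
"""
from collections import defaultdict

CPU_THRESHOLD = 90.0   # article: mining malware typically drains 90 percent or more of the CPU
MIN_CONSECUTIVE = 5    # assumption: five polls in a row (five minutes at a one-minute interval)

# Constructed samples: (timestamp_seconds, pid, command, cpu_percent).
# Four processes polled every 60 seconds over five minutes.
SAMPLES = [
    (0,   4011, "nginx: worker",      3.1),
    (0,   7733, "./unknown",         98.4),
    (0,   5120, "ffmpeg -i in.mp4",  95.0),
    (0,   6001, "python3 backup.py", 91.0),
    (60,  4011, "nginx: worker",      2.7),
    (60,  7733, "./unknown",         97.9),
    (60,  5120, "ffmpeg -i in.mp4",  95.0),
    (60,  6001, "python3 backup.py", 93.0),
    (120, 4011, "nginx: worker",      4.0),
    (120, 7733, "./unknown",         99.1),
    (120, 5120, "ffmpeg -i in.mp4",  95.0),
    (120, 6001, "python3 backup.py", 92.0),
    (180, 4011, "nginx: worker",      3.3),
    (180, 7733, "./unknown",         96.5),
    (180, 5120, "ffmpeg -i in.mp4",  95.0),
    (180, 6001, "python3 backup.py", 10.0),
    (240, 4011, "nginx: worker",      2.9),
    (240, 7733, "./unknown",         98.8),
    (240, 5120, "ffmpeg -i in.mp4",  95.0),
    (240, 6001, "python3 backup.py",  5.0),
    (300, 4011, "nginx: worker",      3.5),
    (300, 7733, "./unknown",         97.2),
    (300, 5120, "ffmpeg -i in.mp4",  95.0),
    (300, 6001, "python3 backup.py",  4.0),
]


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD,
                       min_consecutive=MIN_CONSECUTIVE, allowlist=()):
    """Return {pid: (command, longest_run)} for processes whose CPU usage was
    >= threshold for at least min_consecutive consecutive samples.

    allowlist holds program names (first token of the command line) that are
    expected to run hot and should never be flagged.
    """
    by_pid = defaultdict(list)
    for ts, pid, cmd, cpu in sorted(samples):        # order each PID's samples by time
        by_pid[pid].append((ts, cmd, cpu))

    flagged = {}
    for pid, rows in by_pid.items():
        command = rows[-1][1]
        if command.split()[0] in allowlist:
            continue
        run = longest = 0
        for _ts, _cmd, cpu in rows:
            run = run + 1 if cpu >= threshold else 0  # reset on any sample below threshold
            longest = max(longest, run)
        if longest >= min_consecutive:
            flagged[pid] = (command, longest)
    return flagged


if __name__ == "__main__":
    for pid, (cmd, run) in sustained_high_cpu(SAMPLES, allowlist={"ffmpeg"}).items():
        print(f"ALERT pid={pid} cmd={cmd!r} cpu>={CPU_THRESHOLD:.0f}% for {run} consecutive samples")
```

In the constructed data the backup job runs hot for only three polls and is ignored, `ffmpeg` is allowlisted, and only the unrecognised `./unknown` process is reported. The same loop works unchanged on real `ps -eo pid,pcpu,args` output once you parse it into the tuple shape above; the thresholds are the part to tune per fleet.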
What’s next for cryptojacking?
What’s important to keep in mind is that there is a direct correlation between the skyrocketing prices of the world’s cryptocurrencies and the scale and scope of these crypto mining malware attacks. As long as the prices of cryptocurrencies like Monero seem headed to the moon, attackers will want to carry out cryptojacking attempts. And the data from Imperva bears this out: over the past six months, hackers have changed the focus of their remote code execution attacks entirely in order to make more money.
According to Imperva, it is possible to track very accurately how much money hackers are making with crypto mining malware. By tracing the wallets and the mining pools, Imperva saw the amount of money made using crypto mining. In one case, the attacker made around 41 Monero, which at current Monero-to-dollar conversion rates translates to around $10,000. Imperva could also see that the attacker was earning around one-and-a-half Monero a day, which translates to around $375 each day. Numbers can be even higher for newer cryptocurrencies such as Electroneum, a UK-based cryptocurrency designed specifically for mobile users.
With that much money at stake, it’s now clear: DDoS botnet attacks are so 2017. What’s trendy now is the cryptojacking attack. It’s time for the world’s largest organizations and government agencies to realize that we’ve entered a brave new era of cryptojacking, and more measures need to be taken to protect consumer data that might be at risk during any of these attacks.