Business & Technology

Cyber Threat Alliance Members Issue First Collaborative Report on Cryptomining

By Anthony Giandomenico | September 19, 2018

Competition between security vendors is a critical component of staying ahead of cybercriminals. While the bottom line is undoubtedly essential, competing for market share and customers also forces security vendors to continually improve their technologies. Someone makes a breakthrough, such as the invention of the Next-Gen Firewall or sandboxing, or the addition of machine learning and AI, and soon everyone is offering a version of that technology, and each iteration is an improvement over the last.

Most of the major security vendors have also invested heavily in teams and technologies that collect, correlate, deconstruct, and build responses to threats. These teams often gather live threat intelligence from thousands, or even millions of their own devices distributed around the world. These threat research engineers also develop and use advanced technologies, combined with the sometimes tedious work of hands-on reverse engineering and analysis, to understand threat trends and tactics of the cybercriminal community. That information is then loaded directly into the devices of their customers to keep them safe from live threats.

The Cyber Threat Alliance

That's the part of the security market everyone can see. It's what fuels things like third-party analysis and ratings, and it's what drives vendors and end users alike to security conventions and trade shows. But there is a part of the security community that most people don't see, and it is just as crucial in the fight against cybercrime.

What most people don’t know is that, in spite of the time and effort being expended by these teams, they cannot do all of this alone. There are never enough resources or staff or time to collect and respond to all the threats being launched into the wild every single day. So these teams also subscribe to each other's threat intelligence feeds to augment their data. But even that only solves part of the problem.

This is why, several years ago, Fortinet sat down with several of our key competitors and established the Cyber Threat Alliance (CTA), which was designed as a forum for the sharing of technical resources to address many of the more challenging threats our global society faces. Just recently, the CTA was formally established up as an independent organization to create an even better and more neutral space for cross-organizational collaboration, with several more of the major security vendors joining as founding members.

The Rising Threat of Cryptomining

The CTA has just released a new joint analysis report on the growing threat of cryptomining, an activity that poses both short and long-term threats to individuals and enterprises. In spite of some claims by cybercriminals, this threat is neither victimless nor harmless, and individuals and organizations need to take steps to protect their systems. This report, entitled “The Illicit Cryptocurrency Mining Threat,” is critical because it lays out the risk, its potential impacts, and the best practices organizations can employ to counter this rising menace.

Cryptocurrencies have become an integral part of our new digital economy. As their value and use increases, they are also an increasingly valuable target for cybercriminals, which means that the pervasiveness of this threat is dependent on the volatile nature of cryptocurrency. Fortinet’s second quarter 2018 Threat Landscape Report notes that there is a "moderate positive correlation between the market price of cryptocurrencies and malware designed to mine those currencies illicitly." Fortinet pointed out that a similar pattern was found for Monero in the same report. 

As the potential value of cryptomining activities continues to increase, we have even seen some cybercrime efforts transition away from ransomware. In Q4 of 2017, for example, nine different ransomware variants had impacted more than 10% of all organizations. However, by the end of Q1 of 2018, that number had dropped to three. This isn't merely a coincidence.

Cybercriminals are now leveraging NotPetya's use of Mimikatz (a favorite credential-stealing tool) in cryptojacking campaigns. And vulnerabilities such as Apache Struts and Drupal that cybercriminals exploited for ransomware have now been weaponized for cryptojacking.

Most striking, however, is that the EternalBlue vulnerability initially used in the WannaCry ransomware exploit has now been repurposed for a cryptojacking campaign called WannaMine. Likewise, another mining malware known as PowerGhost uses spearphishing to gain initial access into a network, leverages Windows Management Instrumentation (WMI) to steal Window credentials, and also uses EternalBlue to spread. PowerGhost then goes a step further than its predecessors. Once it has infected a system, it attempts to disable antivirus programs such as Windows Defender, disables competing cryptocurrency miners to maximize CPU usage, and disables the computer’s sleep and hibernation modes to maximize its mining time.

To use these tools, malicious cyber actors target the CPU cycles of computers, web browsers, IoT and end user mobile devices, and network infrastructure. Fortinet has noted that media devices such as smart TVs, cable boxes, and DVRs are an increasing target of illicit mining power. Cybercriminals exploit known vulnerabilities to steal the processing power of these devices to mine for cryptocurrencies. While the theft of computing cycles to mine for cryptocurrencies may sound relatively benign in the face of cyber attacks that ransom data, steal intellectual property, or disrupt critical infrastructure, it is a threat that we must address to improve our overall cybersecurity. At a minimum, illicit cybermining is a drain on enterprise resources, resulting in increased computing workload, the theft of expensive cloud computing resources, and even the risk of physical damage to your IT and OT infrastructures.

Cryptomining is A Symptom of a Growing Problem

Cryptomining continues to impact a growing number of organizations. Here are a few examples of the rise of cryptojacking from several CTA member organizations:

  • Cryptocurrency mining malware grew from affecting 13% of all Fortinet customer companies in Q4 of 2017 to 28% of customer companies in Q1 of 2018, more than doubling its footprint.
  • In May 2018, Check Point's Global Threat Index revealed that the CoinHive browser-based cryptocurrency miner was impacting 22% of their corporate customers, an increase of nearly 50 %.
  • A June 2018 report released by Palo Alto Networks identified roughly 470,000 unique binary-based samples that ultimately deliver cryptocurrency miners.
  • McAfee’s June 2018 Threats Report noted a 629% increase in total coin mining malware in the first quarter of 2018 to more than 2.9 million samples.

In many ways, the presence of cryptomining activities on your network is also a symptom of the more significant issue of an increasingly lax attitude towards cyber hygiene. This steadily growing problem is a critical component of the increasing success of cyber attacks. Poor cyber health is consistently responsible for security posture flaws that enable cybercriminals to gain a foothold and spread within a network.

According to this latest CTA report, “If miners can gain access to use the processing power of your networks, then you can be assured that more sophisticated actors may already have access. Illicit cryptocurrency mining is the figurative canary in the coal mine, warning you of much larger problems ahead. CTA members recount case after case of being called into an incident response for a mining infection and finding signs of multiple threat actors in the network.”

How Cryptojacking Malware Moves Across the Network

In general, there are three steps that nearly all malicious actors take to install and spread malware, and cryptojacking follows this same line of attack. First, they have to gain the access. Initial insertion points can include compromised websites, spam emails, and malvertising, etc. This is then often followed by conducting credential attacks such as stealing hashes, tokens, cached credentials, or tickets. Mining malware also often uses Mimikatz for this purpose.

Next, according to research conducted by the FortiGuard threat research team, they leverage this access to copy their malware from system to system by either merely copying the malware through scripts, or by using PSEXEC Windows admin shares such as C$, ADMIN$, and IPC$, which are usually available on many networks today. These hidden network shares, generally only accessible by administrators, provides attackers with the ability to perform remote file copy along with other administrative functions.

Finally, the actors use a variety of tools to begin mining operations. This can happen through Remote Management Tools, such as SC, AT, WinRS and Schtasks that can schedule tasks to run at certain times of the day to avoid detection, and PowerShell, WMI, and PSEXEC, which are legitimate Windows processes that malicious actors use to remotely execute malware. In addition, malware can spread laterally across the network through worm propagation using known vulnerabilities such as EternalBlue.

What Can You Do?

There are a number of things your organization can do to protect itself from the risks of cryptojacking. Start by downloading CTA’s “THE ILLICIT CRYPTOCURRENCY MINING THREAT” report to better understand the issues related to illicit cryptomining and how they impact your organization. Next, enact a “get healthy” strategy that emphasizes cyber hygiene best practices, such as:

·      Maintaining a comprehensive inventory of devices attached to your network

·      Baselining the behavior of those devices, along with related applications and workflows

·      Patching or replacing vulnerable systems

·      Segmenting potentially vulnerable devices and data (such as IoT) from the rest of the network

·      Monitoring the usage of Remote Management Tools and other administrative processes

·      Collect and analyze log files

Finally, subscribe to active threat intelligence feeds from a variety of sources to ensure your systems are always tuned to the latest threats.

The hard truth is that your organization may already be infected with cryptomining malware. Following these steps will not only help you identify and remove those threats, or secure your organization from future risks of cryptomining but also close any gaps in your current security strategy that expose you to the growing number of sophisticated and malicious cyber threats that threaten your ability to participate in today's digital economy successfully.


Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.