David Hobbs, director of security solutions at Radware, highlights what government organisations need to know as crypto mining comes back into favour with hackers
In 2016 the hype of bitcoin and cryptocurrency was high, and so were the profits to be made if you knew what you were doing. Millionaires were made.
But in 2018 views changed when the market crash showed that cryptocurrency was just as fallible as real coins. Only the die-hard fans stuck with the currency, along with the persistent few hackers who still saw the opportunity to use it for ransom attacks. The bubble burst and mining machines were switched off around the world. There really was no point in running them as long as the electricity costs were higher than the bitcoin value.
However, in recent months we’ve seen a turnaround in market perception and the value has returned, fuelled by the news that Facebook is to launch a currency next year. As a result, hackers who had only dabbled, or had switched off altogether, are starting to exploit the coin more and more.
There are some attractive reasons for using the coin for malicious purposes:
- It’s easy – There’s no need to develop a crypto mining tool or even buy one. An attacker can simply download a free tool onto the victim’s machine and run it with a simple configuration that instructs it to do its worst.
- Computing power – While Bitcoin requires a graphics processing unit (GPU) to mine effectively, other cryptocurrencies, such as Monero, can be mined effectively with only a central processing unit (CPU). Since every machine has a CPU, including web cameras, smartphones, smart TVs and computers, there are many potential targets.
- Minimal footprint – Other attack types require the hackers to market their “goods” or to actively use the information they acquired for malicious purposes. In crypto mining, the money moves directly to the attacker.
- Multipurpose hack – After successfully infecting a machine, hackers can leverage the installed malware for multiple activities, such as stealing credentials or selling harvested data on to other criminals.
In the last few months, we’ve been reminded of the damage that can be done, in particular by malspam (malicious spam) that delivers the bots known as Trickbot and Emotet. In the US a number of state departments have been hit by these attacks and by hefty ransom demands, which have been paid. The most notable ransom payment was reportedly for over $500,000 in Lake City, where, as a result, an IT employee lost his job.
In this instance, the attack was initiated via a phishing email that contained a malicious document. When opened, the document launched PowerShell scripts that downloaded the Emotet Trojan and then the Trickbot bot. Trickbot then spread across the network, compromising applications, gathering data and deploying ransomware.
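From the defender’s side, the first link in that chain (an Office document launching PowerShell) is visible in endpoint process-creation telemetry. The following is an added example, not code from Radware or this article, that scores such events; the event field names and the sample records are constructed, simplified Sysmon-style assumptions.

```python
import re
from typing import Dict, List, Tuple

# Office applications that have no normal reason to launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Command-line traits commonly seen when a macro launches a download stage.
SUSPICIOUS = [
    re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),      # encoded script body
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),        # hidden window
    re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),  # policy bypass
    re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
]

def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> int:
    """0 = benign; 1 = Office spawned an interpreter; each suspicious flag adds 1."""
    if basename(ev["ParentImage"]) not in OFFICE_PARENTS:
        return 0
    if basename(ev["Image"]) not in INTERPRETERS:
        return 0
    hits = sum(1 for pat in SUSPICIOUS if pat.search(ev.get("CommandLine", "")))
    return 1 + hits

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Return (host, user, score) for every event worth an analyst's attention."""
    return [(ev["Host"], ev["User"], score_event(ev)) for ev in events if score_event(ev) > 0]

# Constructed sample events (hosts, users and paths are made up for illustration).
SAMPLE_EVENTS = [
    {"Host": "fin-ws01", "User": "CITY\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm"},                     # user opens a file
    {"Host": "fin-ws01", "User": "CITY\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc <REDACTED>"},
    {"Host": "hr-ws07", "User": "CITY\\asmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc <REDACTED>"},                  # admin task, not Office
    {"Host": "hr-ws07", "User": "CITY\\asmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for host, user, score in detect(SAMPLE_EVENTS):
        print(f"{host} {user} score={score}")
```

The parent-process check is what keeps an administrator’s own encoded PowerShell from firing the rule; the flag count only orders the Office-spawned hits for triage.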
It shows how easy it is for hackers to lay a trap, how quickly an employee can fall into it, and how fast a network can be jammed and operations brought to a halt. Paying the ransom seemed the only way out. However, once you’ve paid, you’ve shown your hand and hackers don’t stop. Instead, the attacks go on until you are haemorrhaging cash.
This time around it’s not just the value of the coin that is making the stealth attacks attractive, it’s also the expanse of the network. The public cloud has opened up a new door – even an army of infected personal devices can’t deliver the kind of concentrated and practically unlimited CPU power of a large enterprise’s public cloud infrastructure. In the eyes of a miner, it’s like looking at a mountain of gold – and often, that gold is under-protected.
Essentially, the dynamic nature of public cloud environments (which makes it harder to keep a stable and hardened environment over time), together with the ease with which permissions are granted to developers and DevOps, dramatically increases the attack surface. It is easy, rich pickings.
So where does it all end? As long as there is money to be made, there is a threat that this form of hacking will persist. There are therefore several things to consider:
The first is to look at how prepared your people are. No amount of technology can help you if your people are not vigilant. They really can be the weak link, so the more you can do to build bridges between IT and employees, the better. This should also include limiting the permissions people have, especially in DevOps, to the cloud. It’s proven that lax management of permissions is a hacker’s dream.
Secondly, match skill to technology. Security technology is evolving all the time and the use of artificial intelligence in detection and mitigation is well worth the investment. There are now tools designed to detect certain types of attacks, including crypto mining.
However, as is so often the case, investment is only as good as the technical skill implementing and managing it. If you don’t have a sound strategy, developed by experts, the technology decisions you take may not be the right ones.
Thirdly, consider the technology roadmap your organisation has. Digital transformation will be dictating the move to the cloud, the use of mobile technology and the introduction of apps. This is a complex web to manage, and more so when everything centres around managing money and sensitive data – be that of a taxpayer or a patient. That has to be a priority, so make decisions based on what must be secure at all costs – you may find that your investment in the ‘must-have’ covers the ‘not essential’ at no extra cost.
Above all, make sure you secure your public cloud credentials and upgrade any device attached to the network as a matter of course. Don’t delay on patch roll-out. If your public cloud credentials are breached, attackers can leverage them to launch numerous types of attacks against your public cloud assets, of which crypto-jacking is only one.
Finally, allow time and be brave. So much technology – cloud, ERP, detection and mitigation – is bought with the intention of radically changing the world you operate in. However, actually implementing it, and halting operations so you can make a large technology change, is not easy. It may be disruptive to public services, it may cause the organisation to go ‘offline’, but the longer you delay putting new technology in place, the more risk you introduce. In the long term that interruption will be worth it to keep public data and money safe.